Insecure IoT

Vulnerabilities in Brink’s Smart Safe
https://www.schneier.com/blog/archives/2015/08/vulnerabilities_4.html

This is far from shocking to anyone who has studied infosec. More of a total yawn, actually. Clueless people racing to claim market segments are naturally going to trip over complex things like security. Anything meant to be secure only has a chance of being such if the only way to change configuration is to properly authenticate. Customers hate that, though, because when they forget their password they have an expensive brick on their hands.

I experienced that myself: I bought a solid state computer I was intending at the time to use for hosting my web sites (my provider, at the time, was being incredibly unresponsive to my complaints). I chose a password that would be trivial to remember, so naturally I didn’t write it down. Over a year later I remembered the thing was sitting in the basement and, lo and behold, I had no idea what the damn password was. I believe I was eventually able to reset the box and get back onto it (I can’t remember, it was many months ago when I tried for a couple of days), but anyone else who had physical possession of the box could also do that. I quite doubt that the drive was encrypted such that it became an incomprehensible mess upon reset; I expect all the data would be there plain as day.

Since I only paid a couple of hundred for the box I was frustrated, but it wasn’t a big deal. What if you had paid hundreds of thousands or millions? In that case you would demand that there be a back door (but only a ‘secure one’, whatever the hell that means!) so if the gewgaw was unable to be reached for some reason you could get around it and still get your money’s worth.

Real security is expensive and hard, and even then it is still steeped in vulnerabilities. Anything else is just window dressing, advertising to a credulous customer designed to improve profit margins at the expense of ignorance.

Author: Tfoui

He who spews forth data that could be construed as information...
