Abusing the Internet of Things


FIGURE 2-8. Kevo account lockout after six incorrect attempts


A user who has forgotten her password must provide a correct answer to one of the security questions associated with the account (Figure 2-9). These questions are selected by the Kevo app, which prompts the user to answer them when creating the account.

If a malicious person has temporarily gained access to the user's email account, that entity can attempt to guess the answer or obtain it by social engineering the target via phishing attacks. While the Kevo app has done a good job with respect to requiring password complexity, implementing a lockout, and requiring a secret answer to a question, users should be aware that this type of information can be, and routinely is, stolen by means of phishing attacks and malware.

The lock also implements a mechanism that allows users to send others electronic keys. All you have to do is provide the individual's email address, and that person will receive an email from Kevo, as shown in Figure 2-10. To unlock the lock, the target individual must first set up an account with the Kevo iPhone app and verify his email address.


CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY (page 52)
