93
cleus
5y

True 🔒

Comments
  • 5
    I’m still not entirely convinced that certain IoT devices are better than the mechanical alternatives (and things like security cameras don’t even have mechanical alternatives). Is there any research to suggest that houses with IoT locks, or IoT anything, have a higher break-in rate? If someone really wants into your house, they will break in regardless.

    With things like a thermostat I’d agree, things like that don’t need an internet connection, but in the future even your toaster will have an internet connection!
  • 7
    Nah I'm not a paranoid tin foil hat wearing "muh dataa reeeee" screaming person.

    However, it's partially correct: A smart toaster is fucking stupid. Smart thermostats are 50/50. Smart fridges are 100% stupid. Smart locks are a no go.

    Smart lights, plugs, speakers, etc are all ok bc they genuinely do make life more convenient.
  • 0
    Real security !
  • 2
    @52cal future? Yesterday a salesman wanted to talk me into buying a laundry machine that could display its status on a dishwasher, fridge and thermostat.

    It's all fine. A good laundry machine should last between 10-15 years. The average Linux kernel/distro is supported for three. It's all fine.

    Seriously, if you buy IoT fridges, ovens, toasters, what not: you deserve the shit that you're getting from it 5 years from now.
  • 1
    There was also a third category: Security Technicians: *takes a deep swig of whiskey* I wish I had been born in the neolithic. https://twitter.com/juliagalef/...

    @Stuxnet It's not necessarily about 'muh data'.

    Mirai botnet and stuff like this looks like a future problem for me https://bbc.com/news/...
  • 1
    also "IoT is when your toaster mines bitcoins to pay off its gambling debts to the fridge" https://twitter.com/socrates1024/...
  • 1
    @qwwerty Did you miss the part where I said most of the devices were stupid? It's in there somewhere.
  • 5
    As someone who works security and specifically pentesting, mechanical locks are the worst thing to still be used. It's baffling how easy they are to pick, bump or shim.

    Unfortunately I rent, so no matter how advanced I try to make it, my front door still has to have a physical key. So I'm not gonna increase my attack surface more! But if I could REPLACE keys with digital locks? Yup.

    "But IoT devices are the end of the world!" Yup. I said digital. Internet connected front door deadbolt? Fuck no! NFC/Bluetooth? Hell yeah. At that point you still need to be within Bluetooth range of my house (usually 30-90 ft.) There's still vulnerabilities of course. But the barrier for entry into unlocking a Bluetooth lock is a lot higher than a 10$ pick set. At that point the wooden door is the issue.

    Software has problems. Zero days happen. And we're all doomed. But let's not pretend that mechanical is better.
  • 0
    @Nanos depends what you mean by combination locks? Like master lock dials? Again back to easy to shim. Or most of them have a keyhole on the back, which come back around to picking. (Although I've never actually tried that come to think of it)
  • 1
    Personally, there are instances where it is worth it to have the Internet connected device, and there are times where it is more likely to be a detractor.

    Internet enabled thermostat saves me money, doesn’t really cost any more money (bought mine for $75 and it’s great), and is super convenient.

    Do I want my refrigerator connected to the Internet though? Not really, because if it breaks I will be staring at some broken screen or feature on a fridge that could last 20 years. There are some interesting applications, but just not worth it to me.

    I am both a tech enthusiast and work in IT. I’m not overly optimistic or pessimistic about my IoT choices, I am pragmatic. There is no reason it has to be a black white thing.
  • 1
    @feature I can kind of see that? I can imagine how convenient having a thermostat on my lan would be. I've even thought about getting one.... But what does internet connected really add? On the lan I could control it from upstairs or in bed or anywhere within WiFi range. What more could you want?
  • 0
    Reposted so many times I can’t count.
  • 1
    @Nanos so the important things to note there: look at the sides of the keys? Those black marks? It's the paint coming off. Unless it's really high end, those style of locks usually have issues where the button paint wears down over time. Notably more so on the buttons in the combo, reducing the keyspace.

    Other issues present in those styles but not all of them:

    Cheaper ones don't discern order. 3781 and 1783 are the same combo. What's important is that all the correct ones are pushed, and all the wrong ones aren't. This is not super common anymore with that style, mostly because with the previous issue, you might as well not even lock it.

    Some cheap ones also may give away which ones are right based on click feel if you can't tell by paint.

    In all my experience with that style, you can't push the same key twice, so a 4 digit PIN is not 10**4, it's 10*9*8*7 which is definitely smaller. Almost half.
  • 1
    @Nanos

    I'm by no means an expert. And I've never personally opened one of those types, but I've heard enough stories and seen enough talks and whitepapers to know that style is bad news.

    Maybe something like this is a more secure example?
  • 1
    @Nanos yes. And I believe this specific one is NFC and BLE enabled which kind of defeats my point.

    But some of the "less advanced" electronic ones are based on something like an atmega. No wireless connections, no smart features. Just a conductive keypad. But it's still better than mechanical because it allows for repeat numbers (fun fact: repeat numbers make PINs more secure within reason), ensures order matters, avoids wear marks (material depending. Also fingerprints may give it away), and a lower amount of moving parts prevents shims and bypass tools.
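
The keyspace figures from the two keypad comments above (10*9*8*7 versus 10**4, order-insensitive combos, wear marks, and repeated digits helping "within reason"), worked through as an added example that is not part of any commenter's post. The function names are hypothetical, and the model assumes a 10-button keypad, a 4-digit code, and wear marks that show exactly which buttons the code uses.

```python
from itertools import product
from math import comb, perm


def keyspace(buttons=10, length=4, repeats=True, ordered=True):
    """Number of distinct codes a keypad design can accept."""
    if not ordered:
        # Push-button style that ignores order: only the set of
        # pressed buttons matters (3781 and 1783 are the same code).
        return comb(buttons, length)
    if repeats:
        # Electronic keypad: any digit may appear in any position.
        return buttons ** length
    # Order matters, but each button can be pressed only once.
    return perm(buttons, length)


def remaining_after_wear(worn, length=4, repeats=True, ordered=True):
    """Codes still consistent with `worn` visibly used buttons.

    Assumes (constructed model) that every worn button appears in the
    code and no unworn button does.
    """
    if not ordered:
        return 1 if worn == length else 0
    count = 0
    for code in product(range(worn), repeat=length):
        uses_all_worn = len(set(code)) == worn
        # Without repeats, a code needs exactly `length` distinct buttons.
        if uses_all_worn and (repeats or worn == length):
            count += 1
    return count


if __name__ == "__main__":
    print("electronic, repeats allowed:", keyspace())
    print("no repeats, order matters:  ", keyspace(repeats=False))
    print("no repeats, order ignored:  ",
          keyspace(repeats=False, ordered=False))
    for worn in (4, 3, 2, 1):
        print(f"{worn} worn buttons, repeats allowed:",
              remaining_after_wear(worn))
```

With wear visible, a code that repeats one digit (three worn buttons) leaves more candidates than a code with four distinct digits, while a code that is one digit repeated four times leaves a single candidate, which is the "within reason" limit.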
  • 1
    @Nanos if you're looking for good information on locks, and in depth security issues that most people don't touch, watch talks by Deviant Ollam. He does a lot about physical security.
  • 0
    We talk so much about how good open source is. Why can't a life be it? I mean, why do we have to keep secrets?

    For online shopping I use temporary cards; I don't do anything that I think is wrong and, if in the future I regret it, I just know that it is normal to make mistakes.

    I suppose you just fear these types of things if you don't behave correctly, but if someone thinks differently, just say it.
  • 0
    If only mechanical locks were secure. :/