1250 Broadway, 27th Floor New York, NY 10001

SAFETECH WASN'T SO SAFE

A.G. Schneiderman Announces Settlement With Tech Company Over Sale Of Insecure Bluetooth Door And Padlocks

Wireless Security Product Transferred Passwords Without Encryption, Leaving Consumers Susceptible To Hacking And Theft

First-Of-Its-Kind Settlement Requires Safetech Products LLC To Reform Data Security Practices And Implement A Comprehensive Security Program

Schneiderman: Companies Providing Wireless Security Have A Legal Obligation To Protect Consumers’ Personal Information And Assets, And My Office Will Make Sure Of It

Attorney General Eric T. Schneiderman recently announced that his office has reached a settlement with Safetech Products LLC and its owner Ryan Hyde over the sale of insecure wireless door and padlocks. The company, based in Lehi, Utah, sells Bluetooth-enabled door and padlocks via Amazon and the company’s online retail site and claims to guarantee users the ability to protect personal belongings inside the home by turning doors and closets into secure areas. However, last year, a group of independent security researchers discovered that Safetech’s locks failed to secure passwords and other security information required for operation—leaving consumers susceptible to hacking and theft. After an investigation and settlement with the Office of the Attorney General, Safetech has agreed to encrypt all passwords, electronic keys or other credentials in its locks and other Bluetooth-enabled devices, prompt users to change the default password upon initial setup of wireless communication, and establish a comprehensive security program.

“Today’s settlement with Safetech marks the first time an Attorney General’s Office has taken legal action against a wireless security company for failing to protect their customers’ personal and private information,” said Attorney General Schneiderman. “Companies employing new technologies must implement and promote good security practices and ensure that their products are secure, including through the use of encryption. Together, with the help of companies like Safetech, we can safeguard against breaches and illegal intrusions on our private data.”

In August 2016, a group of independent security researchers reported that Safetech’s Bluetooth-enabled locks transmitted passwords between the locks and the user’s smartphone in plain text, without encryption, allowing anyone who intercepted the passwords to open the locks (see Figures 1, 2, and 3). The researchers also reported that the locks shipped with weak default passwords that could easily be guessed or discovered through brute-force attacks, in which automated software generates a large number of consecutive guesses.

Figure 1: Quicklock App

Figure 2: Quicklock Padlock Diagram

In October 2016, the NYAG contacted Safetech about the researchers’ findings and the security of the locks. Just prior to being contacted by the NYAG, Safetech placed the following warning on their website:

SECURITY WARNING...Bluetooth keys for the hardware are passed “unencrypted” on all current products.

We also strongly recommend the default password be changed at initial setup. Please read “Security Risks Explained.”

Upon clicking the “Security Risks Explained” hyperlink, the user was taken to a webpage that explains the risks identified above.

Bluetooth is a wireless technology standard for exchanging data over short distances. It uses short-wavelength radio waves between 2.4 and 2.485 GHz. Safetech’s locks limited the Bluetooth range to approximately 50 feet (see Figures 3 and 4). Thus, a wrongdoer would need to be in close proximity to the lock to intercept the Bluetooth passwords. Additionally, the locks shut down for two minutes after two failed password attempts, providing some protection from brute-force attacks.

Figure 3: Quicklock Doorlock Demonstration

Figure 4: Quicklock Padlock Demonstration

According to the agreement, Safetech must encrypt all passwords, electronic keys or other security credentials in their locks and other Bluetooth-enabled devices, as well as prompt users to change the default password upon the customer’s initial setup of wireless communication.
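The two controls the page describes, the two-minute lockout after two failed attempts and the forced change of the default password at initial setup, can be modelled as a small authentication policy. The following Python is an added illustration written for this page; it is not Safetech’s firmware or the Quicklock app, and it does not model the Bluetooth transport at all. The default password, the minimum password length, the PBKDF2 parameters, and the class and function names are all assumptions made for the example; only the two-attempt threshold and the 120-second lockout come from the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed values for this example; they are not Safetech's actual settings.
DEFAULT_PASSWORD = "0000"      # assumed factory default that setup must replace
MIN_PASSWORD_LENGTH = 6        # assumed minimum for a user-chosen password
MAX_FAILED_ATTEMPTS = 2        # lockout threshold described on the page
LOCKOUT_SECONDS = 120          # two-minute lockout described on the page
PBKDF2_ITERATIONS = 100_000    # assumed work factor for the stored credential


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the stored credential is never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class LockAuthPolicy:
    """Authentication policy for one lock. The caller passes the current time in
    seconds, so the lockout can be exercised deterministically without sleeping."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    stored_key: bytes = b""
    default_password_changed: bool = False
    failed_attempts: int = 0
    locked_until: float = 0.0

    def __post_init__(self) -> None:
        # Ship with the factory default, stored hashed rather than in the clear.
        self.stored_key = derive_key(DEFAULT_PASSWORD, self.salt)

    def _verify(self, password: str) -> bool:
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(derive_key(password, self.salt), self.stored_key)

    def _record_failure(self, now: float) -> None:
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0

    def is_locked_out(self, now: float) -> bool:
        return now < self.locked_until

    def change_password(self, current: str, new: str, now: float) -> str:
        """Replace the credential. Returns 'ok', 'locked_out', 'denied' or 'weak_password'.
        A wrong current password counts toward the lockout, so the default cannot
        be guessed through this path any faster than through try_unlock."""
        if self.is_locked_out(now):
            return "locked_out"
        if not self._verify(current):
            self._record_failure(now)
            return "denied"
        if new == DEFAULT_PASSWORD or len(new) < MIN_PASSWORD_LENGTH:
            return "weak_password"
        self.salt = os.urandom(16)
        self.stored_key = derive_key(new, self.salt)
        self.default_password_changed = True
        self.failed_attempts = 0
        return "ok"

    def try_unlock(self, password: str, now: float) -> str:
        """Attempt to open the lock. Returns 'ok', 'setup_required', 'locked_out' or 'denied'."""
        if self.is_locked_out(now):
            return "locked_out"
        if not self.default_password_changed:
            # The settlement requires prompting for a new password at initial setup;
            # this model goes one step further and refuses to operate until then.
            return "setup_required"
        if self._verify(password):
            self.failed_attempts = 0
            return "ok"
        self._record_failure(now)
        return "denied"


def demo() -> list:
    """Walk through setup, a successful unlock, two wrong guesses, and the lockout."""
    lock = LockAuthPolicy()
    events = [
        lock.try_unlock(DEFAULT_PASSWORD, now=0.0),                         # setup_required
        lock.change_password(DEFAULT_PASSWORD, "0000", now=1.0),            # weak_password
        lock.change_password(DEFAULT_PASSWORD, "correct-horse", now=2.0),   # ok
        lock.try_unlock("correct-horse", now=3.0),                          # ok
        lock.try_unlock("guess-1", now=4.0),                                # denied
        lock.try_unlock("guess-2", now=5.0),                                # denied, starts lockout
        lock.try_unlock("correct-horse", now=6.0),                          # locked_out
        lock.try_unlock("correct-horse", now=5.0 + LOCKOUT_SECONDS),        # ok again
    ]
    return events


if __name__ == "__main__":
    print(demo())
```

The clock is injected rather than read from `time.time()` so the lockout window can be tested exactly. Note that the lockout also throttles the password-change path, which matters because an unchanged default password is only as safe as the rate at which it can be tried.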

Additionally, Safetech agreed to establish and implement a written comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality, and integrity of security information, including:

  1. The designation of an employee or employees to coordinate and be accountable for the security program;
  2. The identification of material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality, and integrity of security information;
  3. The risk assessments required by item 2 above (subpart b of the agreement) must include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including secure engineering and defensive programming; (2) product design, development, and research; (3) secure software design, development, and testing; (4) review, assessment, and response to third-party security vulnerability reports; and (5) prevention, detection, and response to attacks, intrusions, or system failures;
  4. The design and implementation of reasonable safeguards to control the risks identified through risk assessment;
  5. Regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  6. The development and use of reasonable steps to select and retain service providers (if any are hired) capable of maintaining security practices consistent with the agreement, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with the agreement; and
  7. The evaluation and adjustment of Safetech’s security program in light of the results of the testing and monitoring required by the agreement.

This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.
