iank.org says they have serious flaws specifically the Loftie alarm clock
This is apparently in the alarm clock file structure:
$ strings config.arm64_v8a.apk
...
assets/icons/clock.svg
_setClient@91206165
_TapStatusTrackerMixin@113288344
https://fwbek2lb0a213kbewqoit.byloftie.com/Loftie_EVT.bin # <-------
get:digitMatcher
ListTileThemeData
get:endOfFrame
_drawPicture@15065589
...If you notice the weird address in the file: fwbek2lb0a213kbewqoit.byloftie.com
This kind of programming is not a good idea. her continues to unwrap the information in the firmware (just as a hacker would do either ethical or criminal hackers. As you see below these are the “interesting” comments:
It’s important to emphasize here that the certificates and key shown above have not been dumped from my clock specifically, they are from the firmware image on Loftie’s web server. The certificates and key are shared by all clocks and are publicly-available.
This also means that there is no per-device access control to specific MQTT topics. In other words, if a clock can subscribe to /devices/lABCDEF123456/state, it can subscribe to the wildcard topic /devices/+/state and receive status updates from every clock. These status updates aren’t incredibly interesting, but they do leak information that some might consider sensitive. In particular, alarm settings and the BSSID of the WiFi network the clock is connected to (ie, a pattern of life and a specific location).
Eventually he tries to contact the company (Loftie) and they do not understand at first? eventually they respond but do not understand the ramifications of this issue (a possible security problem in the clock software)
Wouldn’t it be nice to see companies focus on security before they get hacked? Before the lawsuits? Maybe as CISA suggests – Secure By Design!
Contact me to help make this happen:
What it Means to Be Secure by Design
Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature. During the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption. Out-of-the-box, products should be secure with additional security features such as multi-factor authentication (MFA), logging, and single sign-on (SSO) available at no extra cost.
Also use NIST Cybersecurity framework is also a good idea to make sure products are tested and developed securely from the beginning. (An older post is linked) I have written about this framework several times.
