Why it matters to you
Are your passwords safe? This settlement shows government officials are starting to take passwords and online security more seriously.
These days, we have a login and password for just about everything, ranging from our online bank accounts to Amazon to our smartphone apps. The average person has 27 discrete online logins, according to a 2016 poll by Intel Security, and we protect them with passwords. But are these passwords safe? For the first time in history, an attorney general’s office took legal action against a wireless security company for failing to protect its customer’s security.
New York Attorney General Eric Schneiderman’s office recently settled with Safetech Products LLC, maker of Bluetooth-enabled door locks and pad locks marketed under the name Quicklock. The locks are designed to turn doors and closets into secure areas, protecting you and your belongings. Schneiderman began investigating Safetech when a group of independent security researchers found that the Bluetooth-enabled locks transmitted unencrypted passwords between the lock and the user’s smartphone in plain text, allowing a potential hacker or thief to intercept the password and open up the lock. The researchers also found that the default passwords on the locks were very weak, and could easily be discovered through a brute force attack.
Although Safetech’s locks limit the Bluetooth range to around 50 feet and have a built in safeguard where they shut down for two minutes after two failed login attempts, the settlement agreement between the Schneiderman’s office and Safetech calls for increased security to protect consumers.
The settlement agreement says Safetech must encrypt all passwords, security keys, or other security credentials in their locks. Safetech will also have to prompt users to change the default password during setup. In addition to securing user passwords, Safetech agreed to put a comprehensive written security program in place to address any potential future security risks.
“Today’s settlement with Safetech marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their customer’s personal and private information,” Schneiderman said in a statement. “Companies employing new technologies must implement and promote good security practices and ensure that their products are secure, including through the use of encryption. Together, with the help of companies like Safetech, we can safeguard against breaches and illegal intrusions on our private data.”