The security industry is pretty good at coining new words to describe various methods of attack. Phishing, spear phishing, whaling and others have a piscatorial flavaour while wardriving sounds more combative. Well, there’s a new term coming through – screwdriving.
Screwdriving is like wardrving but it has an IoT focus. It’s all about discovering Bluetooth Low Energy (BLE) devices. But it’s not about finding all sorts of devices – it focuses on one class of gadget.
Screwdriving is about finding connected sex toys.
According to security researcher Alex Lomas of Pentest Partners, many of these devices are basically wide open. He pointed the finger at the recently released Lovense Hush connected butt plug (a phrase I never expected to type in my life!) as well as others.
Lomas said communications between the apps and the toys were sent unencrypted and could easily be intercepted with a packet capture tool. Then they could be replayed by a threat actor without a PIN giving attacker complete access.
The IoT world has a security issue. And Lomas’ research shows the security challenges go deeper than many people expected.