Researchers uncover smart padlock’s dumb security

guest · May 30, 2019

Researchers uncover smart padlock’s dumb security
May 29, 2019
https://nakedsecurity.sophos.com/2019/05/29/researchers-uncover-smart-padlocks-dumb-security/

A few months on and the researchers behind that exposé, Pen Test Partners, have turned their attention to another incarnation of the same IoT theme in the form of the ‘smart’ Bluetooth padlock made by a Chinese company Nokelock.
Unfortunately, says Pen Test Partners, the Nokelock and its API also come with some major security flaws that prospective owners might like to know about before they stump up their cash.

Such as the ability to:
• Unlock the Nokelock within a range of 10m without needing to know anything about the registered account. • Discover the owner’s information from the Nokelock database, including the email address and password hash.
• Assign the lock to another account, locking owners out of their Nokelock. [...]
Click to expand...

Wall of silence
When Pen Test Partners tried to disclose these weaknesses to Nokelock, it was met with… no response at all
That’s damning because it suggests that the company is unable or unwilling to fix the problems in its products despite them being on sale.
Click to expand...

guest · Jun 28, 2019

The not so ultra lock
June 27, 2019
https://www.pentestpartners.com/security-blog/the-not-so-ultra-lock/

I became aware of the Ultraloq from U-tec a few months ago. For a room door lock it has a range of what look like really good features.
[...] possible to attempt a brute force attack against the lock through the BLE interface.
API auth? Nope
API has no authentication at all. The data is obfuscated by being base64 twice but decoding it exposes that the server side has no authentication or authorization logic. This leads to an attacker being able to get data and impersonate all the users. This leads to a full compromise of all the locks that are connected to the cloud service.
Unencrypted storage
If access can be gained to the back (“secure side”) of the device, then it can be taken apart in a matter of minutes and access can be gained to an external SPI flash chip.
Conclusion
While U-tec did eventually fix the API, they have still not addressed the BLE issue to prevent brute forcing, and nor have they warned customers of the risk of bypassing the mechanical back up lock.
Click to expand...

guest · Aug 6, 2020

mood said: ↑

The not so ultra lock June 27, 2019
Click to expand...

Smart locks can be opened with nothing more than a MAC address
Researchers demonstrated how remote attackers can steal UltraLoq digital keys with minimal effort
August 6, 2020
https://www.zdnet.com/article/smart-locks-can-be-opened-with-nothing-more-than-a-mac-address/

A smart lock sold by major US retailers could be opened with no more than a MAC address, researchers say.

Now, lockpicks are being replaced with network sniffers and vulnerability exploits, and in the case of the U-Tec UltraLoq, Tripwire researchers have disclosed a misconfiguration error and other security issues that leaked data and allowed attackers to steal unlock tokens with nothing more than a MAC address.
Click to expand...

Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code."
Users can share temporary codes and 'Ekeys' to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device's MAC address can help themselves to an access key, too.

All it took was the right MAC address -- conveniently leaked via the MQTT data, and also made available via radio broadcast to anyone within range.
Click to expand...

Tripwire: Tripwire Research: IoT Smart Lock Vulnerability Spotlights Bigger Issues

guest · Aug 20, 2020

Smart-Lock Hacks Point to Larger IoT Problems
August 20, 2020
https://www.darkreading.com/vulnera...s-point-to-larger-iot-problems/d/d-id/1338715

According to Grand View Research, the global smart-lock market size was valued at $1.2 billion in 2019, with over 7 million devices sold that year alone. It is further projected to register a CAGR of 18.5% from 2020 to 2027.

But two recently published reports on smart-lock vulnerabilities should make consumers and vendors alike think carefully about how these devices are deployed and implemented.
U-tec Ultraloq
Reporting on a flaw he found with the U-tec Ultraloq [...]
As Young explains in his research: "The risk of using MQTT arises when it is deployed without proper authentication and authorization schemes. Without this, anyone who can connect to the broker can leak sensitive data and potentially influence kinetic systems.
Click to expand...

August Smart Lock
In another report, cybersecurity firm Bitdefender detailed a vulnerability it discovered with the August Smart Lock, also in late 2019, as part of an ongoing partnership with PCMag through which they evaluate smart device security.

In exploring this product, the Bitdefender team says it discovered that while the device's communication with the smartphone app is encrypted, the encryption key itself is hardcoded into the app, allowing an attacker within range to eavesdrop and intercept the Wi-Fi password.
When Bitdefender published its paper exposing the flaw this month, August resurfaced to say the company was issuing a fix, but Bitdefender could not confirm its success.
Click to expand...

A Larger Problem with IoT
Both Young and Balan express that the problem has less to do with smart locks and more with the ways that IoT devices are developed and deployed, as well as with a lack of best practices and due diligence by both vendors and consumers.
He recommends consumers get their products from companies that have visible vulnerability and disclosure programs.

According to Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, vulnerabilities are common with smart locks and other IoT products because of the difficulty balancing security with ease of use.
Click to expand...

Log in or Sign up

Researchers uncover smart padlock’s dumb security

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Researchers uncover smart padlock’s dumb security

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches