More Website Templates at Website Template

Smart locks opened with nothing more than a MAC address

Smart locks opened with nothing more than a MAC address

AsmartlocksoldbymajorUSretailerscouldbeopenedwithnomorethanaMACaddress,researcherssay.

Smartlockshaveslowlybeenadoptedasanintelligent,InternetofThings(IoT)alternativetotraditionallock-and-keymethodstosecuringaproperty.

ComplementingotherIoTdevicesincludingwirelessdoorbells,smartlocksanddeadboltsareusedbythegeneralpublictosecuretheirhomes,andtheyalsohavebusinessusecases--suchaswhenpropertiesarelistedonAirbnb,astheycanberemotelymanagedbyhostswhodonothavetoorganizeakeyhandoveron-sitetoguests.

Whileconvenienceisking,suchconnectivitycanalsocreateanewsetofsecurityproblems.Severalyearsago,forexample,abotchedfirmwareupdatecausedchaosforLockStatecustomerswhotooktoTwitterintheirdrovestocomplaintheywereunabletoremotelycontroltheirsmartlocks--and,therefore,accesstheirproperties.

Now,lockpicksarebeingreplacedwithnetworksniffersandvulnerabilityexploits,andinthecaseoftheU-TecUltraLoq,Tripwireresearchershavedisclosedamisconfigurationerrorandothersecurityissues,nowresolved,thatleakeddataandallowedattackerstostealunlocktokenswithnothingmorethanaMACaddress.

SoldbyretailersincludingAmazon,Walmart,andHomeDepot,U-Tec's$139.99UltraLoqismarketedasa"secureandversatilesmartdeadboltthatofferskeylessentryviayourBluetooth-enabledsmartphoneandcode."

Userscansharetemporarycodesand'Ekeys'tofriendsandguestsforscheduledaccess,butaccordingtoTripwireresearcherCraigYoung,ahackerabletosniffoutthedevice'sMACaddresscanhelpthemselvestoanaccesskey,too.

YoungfirststartedbyscouringtheIoTsearchengineShodanforanyentriesrelatedtoU-Tecandthevendor'suseofMQTT,apublish-subscribeprotocolfoundinIoTdevicestoexchangedatabetweennodes.Forexample,asmartthermostat'ssensorscouldtransferdatarelatingtoheatinginaparticularroom--orasmartlockcoulduseMQTTtorecordusersandtheiraccessactivities.

MQTTrecordsthesedetailsundertopicnames.Theresearcher'squeriesrevealedanAmazon-hostedbrokercontainingUltraLoqtopicnames,includingcustomerPIIsuchasemailaddresses.

TheresearcherthenexaminedtheUltraLoqdeviceitself,whichpairswithabridgedeviceconnectedtoWi-FiviaBluetooth.Youngfounda"repeatingmessageflowontheunlockprocess"ofinterest,andafterknockingupaPythonscripttoreplaymessages,workedoutthatthemessagescouldbeusedtoopenthelock.

AllittookwastherightMACaddress--convenientlyleakedviatheMQTTdata,andalsomadeavailableviaradiobroadcasttoanyonewithinrange.

Smart locks opened with nothing more than a MAC address

Seealso:BlackHat:Howyourpacemakercouldbecomeaninsiderthreattonationalsecurity

Youngsaysthatthissecurityissuemadeiteasytostealunlocktokenseitherinbulkorfromspecificdevices.

"TheMQTTdatacorrelatesemailaddresses,localMACaddresses,andpublicIPaddressessuitableforgeolocation,"theresearchersays."AnanonymousattackerwouldbeabletocollectidentifyingdetailsofanyactiveU-Teccustomersincludingtheiremailaddress,IPaddress,andwirelessMACaddresses."

YoungreachedouttoU-TeconNovember10,2019,withhisfindings.ThecompanytoldYoungnottoworryinthebeginning,claimingthat"unauthorizeduserswillnotbeabletoopenthedoor."

CNET:Trumpadministrationcallsforbroadbanon'untrusted'ChineseappslikeTikTok

ThecybersecurityresearcherthenprovidedthemwithascreenshotoftheShodanscrape,revealingactivecustomeremailaddressesleakedintheformofMQTTtopicnames.

Withinaday,theU-Tecteammadeafewchanges,includingtheclosureofanopenport,addingrulestopreventnon-authenticatedusersfromsubscribingtoservices,and"turningoffnon-authenticateduseraccess."

Whileanimprovement,thisdidnotresolveeverything.

"Thekeyproblemhereisthattheyfocusedonuserauthenticationbutfailedtoimplementuser-levelaccesscontrols,"Youngcommented."Idemonstratedthatanyfree/anonymousaccountcouldconnectandinteractwithdevicesfromanyotheruser.AllthatwasnecessaryistosnifftheMQTTtrafficgeneratedbytheapptorecoveradevice-specificusernameandanMD5digestwhichactsasapassword."

Afterbeingpushedfurther,U-Tecspentthenextfewdaysimplementinguserisolationprotocols,resolvingeveryissuereportedbyTripwirewithinaweek.

TechRepublic:COVID-19highlightsneedforbusinessandsecurityleaderstoworktogethertopreventcyberattacks

"Evenwithsafety-criticalsystemslikelocksandfurnaces,thereislittleinthewayofrequirementstomaketheproductssecure,andthereisevenlesssecurityoversight,"Youngsaid."Aswe'veseenwithMiraiandotherIoTbotnets,devicesontheInternetdonotevenneedtobesafetycriticaltowreakhavocwhentheyfail."

Tripwire'sfindingsbuilduponaslewofcriticalissuesdiscoveredintheUltraLoqbyPenTestPartners.InJune2019,thepenetrationtestingcompanydisclosedmobileappAPIsecurityfailuresleadingtouserinformationexposure,aswellasthemeanstoresetlockPINs,therebypotentiallylockingavictimoutoftheirownproperty--orgrantingattackersaccess.ItwasalsopossibletopickthelocklocallyoverBluetoothinwhattheresearcherscalleda"trivial"attack.

Update14.02pmBST:U-TechaspublishedasecurityguideinresponsetoTripwire'sresearch.Thevendorsaysthat128-bitAESencryptionisimplementedandadynamickeycode--ECDH--israndomizedforeachdatatransfer.

"Ourcustomers'securityisourtoppriority;that'swhywestrivetohavethelatesttechnologytomaintaintheirdataprotected,"thecompanysays."Weregularlyupdateoursoftwareandhardwareforsecurityandperformancetoavoidanythreat."


Haveatip?GetintouchsecurelyviaWhatsApp|Signalat+447713025499,oroveratKeybase:charlie0


Tags: