Smart locks opened with nothing more than a MAC address
A smart lock sold by major US retailers could be opened with no more than a MAC address, researchers say.
Smart locks have slowly been adopted as an intelligent, Internet of Things (IoT) alternative to traditional lock-and-key methods of securing a property.
Complementing other IoT devices including wireless doorbells, smart locks and deadbolts are used by the general public to secure their homes, and they also have business use cases -- such as when properties are listed on Airbnb, as they can be remotely managed by hosts who do not have to organize a key handover on-site to guests.
While convenience is king, such connectivity can also create a new set of security problems. Several years ago, for example, a botched firmware update caused chaos for LockState customers who took to Twitter in their droves to complain they were unable to remotely control their smart locks -- and, therefore, access their properties.
Now, lockpicks are being replaced with network sniffers and vulnerability exploits, and in the case of the U-Tec UltraLoq, Tripwire researchers have disclosed a misconfiguration error and other security issues, now resolved, that leaked data and allowed attackers to steal unlock tokens with nothing more than a MAC address.
Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code."
Users can share temporary codes and 'Ekeys' with friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device's MAC address can help themselves to an access key, too.
Young first started by scouring the IoT search engine Shodan for any entries related to U-Tec and the vendor's use of MQTT, a publish-subscribe protocol found in IoT devices to exchange data between nodes. For example, a smart thermostat's sensors could transfer data relating to heating in a particular room -- or a smart lock could use MQTT to record users and their access activities.
MQTT organizes these messages under topic names. The researcher's queries revealed an Amazon-hosted broker containing UltraLoq topic names, including customer PII such as email addresses.
The researcher then examined the UltraLoq device itself, which pairs over Bluetooth with a bridge device that is connected to Wi-Fi. Young found a "repeating message flow on the unlock process" of interest, and after knocking up a Python script to replay messages, worked out that the messages could be used to open the lock.
All it took was the right MAC address -- conveniently leaked via the MQTT data, and also made available via radio broadcast to anyone within range.
Young says that this security issue made it easy to steal unlock tokens either in bulk or from specific devices.
"The MQTT data correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation," the researcher says. "An anonymous attacker would be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses."
Young reached out to U-Tec on November 10, 2019, with his findings. The company told Young not to worry in the beginning, claiming that "unauthorized users will not be able to open the door."
The cybersecurity researcher then provided them with a screenshot of the Shodan scrape, revealing active customer email addresses leaked in the form of MQTT topic names.
Within a day, the U-Tec team made a few changes, including the closure of an open port, adding rules to prevent non-authenticated users from subscribing to services, and "turning off non-authenticated user access."
While an improvement, this did not resolve everything.
"The key problem here is that they focused on user authentication but failed to implement user-level access controls," Young commented. "I demonstrated that any free/anonymous account could connect and interact with devices from any other user. All that was necessary is to sniff the MQTT traffic generated by the app to recover a device-specific username and an MD5 digest which acts as a password."
After being pushed further, U-Tec spent the next few days implementing user isolation protocols, resolving every issue reported by Tripwire within a week.
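The distinction Young draws, authentication without per-user authorization, is exactly what a broker access-control list exists to enforce. The fragments below are an added example using the open-source Mosquitto broker; they are not U-Tec's configuration, and the article does not disclose which broker software or topic layout the vendor uses. The topic namespace `devices/<username>/...`, the file paths and the `backend` service account are assumptions. The first fragment is the open state Shodan would have exposed, the second is the equivalent of "authentication only" (credentials required, but every account can still subscribe to every topic), and the third adds the per-user isolation that closes the gap.

```conf
# --- Stage 1: open broker (assumed to resemble the state found via Shodan) ---
# Any client may connect without credentials and subscribe to "#", so every
# topic name, including ones that embed customer identifiers, is readable.
listener 1883
allow_anonymous true

# --- Stage 2: authentication only (analogous to the first round of fixes) ---
# Clients must now present a username/password, but there is no ACL, so any
# account that can log in, including a freshly self-registered one, can still
# subscribe to and publish on every other customer's device topics.
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd

# --- Stage 3: authentication plus per-user authorization ---
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# Contents of /etc/mosquitto/acl (assumed topic layout devices/<username>/...).
# No "topic" lines appear before the first "user"/"pattern" line, so anonymous
# clients (already refused above) would be granted nothing even if re-enabled.
#
# %u is replaced with the connecting client's username: each account may only
# read and write beneath its own subtree, so one customer's session cannot
# subscribe to another customer's device topics.
pattern readwrite devices/%u/#
#
# A backend service that must see every device's status gets an explicit,
# narrowly scoped grant instead of the blanket access stage 2 allowed.
user backend
topic read devices/+/status
topic write devices/+/command
```

The password file is created with `mosquitto_passwd -c /etc/mosquitto/passwd <username>`. A quick check after restarting the broker: authenticate as one account and attempt `mosquitto_sub -t 'devices/+/#'`; with the ACL in place the subscription succeeds silently but no messages from other users' subtrees arrive, which is the behaviour Young's sniffed device credentials would have met had isolation been present from the start. A stored MD5 digest used as a password, as described above, is a separate weakness that an ACL does not address; the point of the ACL is that even a valid credential only reaches its own namespace.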
"Even with safety-critical systems like locks and furnaces, there is little in the way of requirements to make the products secure, and there is even less security oversight," Young said. "As we've seen with Mirai and other IoT botnets, devices on the Internet do not even need to be safety critical to wreak havoc when they fail."
Tripwire's findings build upon a slew of critical issues discovered in the UltraLoq by Pen Test Partners. In June 2019, the penetration testing company disclosed mobile app API security failures leading to user information exposure, as well as the means to reset lock PINs, thereby potentially locking a victim out of their own property -- or granting attackers access. It was also possible to pick the lock locally over Bluetooth in what the researchers called a "trivial" attack.
Update 14.02pm BST: U-Tec has published a security guide in response to Tripwire's research. The vendor says that 128-bit AES encryption is implemented and a dynamic key code -- ECDH -- is randomized for each data transfer.
"Our customers' security is our top priority; that's why we strive to have the latest technology to maintain their data protected," the company says. "We regularly update our software and hardware for security and performance to avoid any threat."