I missed these the first time around, but the Hacker News Twitter linked to them a couple of days ago. I thought I’d blog them for the benefit of all my lock/computer security/Internet of Broken Things fans.
There’s a type of lock called the FB50 smart lock. It’s manufactured by a Chinese company, and sold “under multiple brands across many ecommerce sites”. As you might guess, it has Bluetooth and an app.
And, of course, it’s vulnerable. Once you get the lock’s MAC address (which, you know, you can get just by looking for Bluetooth devices in the area), you can use a series of HTTP requests to get the lock ID and the user ID, and then disassociate the user from the lock and associate yourself.
Discussion and proof of concept code here.
And the footnotes on that led me to another Pen Test Partners lock exploit (these are the folks who brought you the Tapplock one). This time the target is something called the Nokelock, which is apparently popular on Amazon (“…they do a number of different formats in a number of different body types, sometimes with other unlocking devices, such as a fingerprint sensors. There are other brand names they get repackaged as, such as Micalock.”)
So the Bluetooth packets are encrypted. But…
…the key can be obtained from the API by two methods. All the API requests need a valid API token, which can be obtained by simply creating a user with a throw away email address.
And:
…all traffic, including the user’s traffic is sent via the unencrypted HTTP protocol.
And there’s no authorization for API calls. All you need is a token, which (as noted above) you can get with an email address. Once you’ve got a token, you can grab the information about any lock, “including email address, password hash and the GPS location of a lock”.
And the password hash is unsalted MD5. “This is a cryptographically weak hash type that can be run through very quickly.”
Extra bonus points: the footnotes for the Pen Test Partners entry point to yet another lock exploit, this one for something called the Klic Lock.
An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2
I don’t think I can put it any better than icyphox did:
DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with keys.