I missed the first part of this story last week, but I caught the second part when it came across the Hacker News Twitter feed.
There is a company called Tapplock that makes a $99 “smart” padlock. No, this isn’t the same company that makes a “smart” padlock that’s “completely invincible” to anybody that doesn’t have a screwdriver. Different company, different lock.
But it does have a fingerprint scanner and Bluetooth.
Part 1:
Among other features, you can set up multiple fingerprint profiles, so you can enable multiple people to unlock the padlock with their fingerprints.
Except: their protocol doesn’t gracefully handle revocation. The lock communicates over HTTP: there’s no encryption, and…
I could see that a string of “random” looking data was sent to the lock over BLE each time I connected to it. Without this data, the lock would not respond to commands.
But it was also noted that this data did not change, no matter how many times I connected. A couple of lines of commands in gatttool and it was apparent that the lock was vulnerable to trivial replay attacks…
…I shared the lock with another user, and sniffed the BLE data. It was identical to the normal unlocking data. Even if you revoke permissions, you have already given the other user all the information they need to authenticate with the lock, in perpetuity.
But wait, there’s more! It turns out that that random data, that unique key…is derived directly from the lock’s MAC address! The one that’s constantly broadcast by the lock so you can access it over Bluetooth!
Part 2:
But wait, there’s more! Another security researcher, who didn’t have a Tapplock (“I am out of IoT budget for this month as my wife has -kindly- informed me”), decided to play around with the Tapplock’s cloud based admin tools…
…and discovered that, once you logged in with a valid account, you could access any other account simply by incrementing the account ID.
As a result, Stykas could not only add himself as an authorised user to anyone else’s lock, but also read out personal information from that person’s account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock’s back-end system would not only let him open other people’s locks using the official app, but also tell him where to find the locks he could now open!
References:
The Pen Test Partners initial attack.