I missed these the first time around, but the Hacker News Twitter linked to them a couple of days ago. I thought I’d blog them for the benefit of all my lock/computer security/Internet of Broken Things fans.
There’s a type of lock called the FB50 smart lock. It’s manufactured by a Chinese company, and sold “under multiple brands across many ecommerce sites”. As you might guess, it has Bluetooth and an app.
And, of course, it’s vulnerable. Once you get the lock’s MAC address (which, you know, you can get just by looking for Bluetooth devices in the area), you can use a series of HTTP requests to get the lock ID and the user ID, and then disassociate the user from the lock and associate yourself.
Discussion and proof of concept code here.
And the footnotes on that led me to another Pen Test Partners lock exploit (these are the folks who brought you the Tapplock one). This time the target is something called the Nokelock, which is apparently popular on Amazon (“…they do a number of different formats in a number of different body types, sometimes with other unlocking devices, such as fingerprint sensors. There are other brand names they get repackaged as, such as Micalock.”)
So the Bluetooth packets are encrypted. But…
And:
…all traffic, including the user’s traffic is sent via the unencrypted HTTP protocol.
And there’s no authorization for API calls. All you need is a token, which (as noted above) you can get with an email address. Once you’ve got a token, you can grab the information about any lock, “including email address, password hash and the GPS location of a lock”.
And the password hash is unsalted MD5. “This is a cryptographically weak hash type that can be run through very quickly.”
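To make the “unsalted MD5” point concrete, here is a small added example (mine, not from the post or from Pen Test Partners) that contrasts that storage scheme with a salted, slow one. The user records and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: two users who happened to pick the same weak password.
USERS = {"alice@example.com": "123456", "bob@example.com": "123456"}


def unsalted_md5(password: str) -> str:
    """The weak scheme the post describes: the hash depends only on the password."""
    return hashlib.md5(password.encode()).hexdigest()


def looks_like_unsalted_md5(stored: str) -> bool:
    """Audit check for a stored credential: a bare 32-hex-digit string with no
    algorithm tag or salt is almost certainly raw MD5 (or raw MD4/NTLM)."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened scheme: per-user random salt plus deliberately slow PBKDF2-HMAC-SHA256.
    The salt and iteration count are stored alongside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_visible(hash_fn) -> bool:
    """True if two users with the same password are recognisable as such from the
    stored hashes alone. That is why one unsalted MD5 leak unlocks every account
    that reused a password; a per-user salt removes the correlation."""
    hashes = [hash_fn(pw) for pw in USERS.values()]
    return hashes[0] == hashes[1]
```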
Extra bonus points: the footnotes for the Pen Test Partners entry point to yet another lock exploit, this one for something called the Klic Lock.
I don’t think I can put it any better than icyphox did:
DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with keys.