Smart locks have recently become an intelligent alternative to the conventional lock. They are mainly used to secure people’s property and offer a lot of convenience, much like most of the Internet of Things (IoT) solutions that are gaining popularity now.
For instance, smart locks can be remotely managed which can definitely be very handy. Yet, with this level of convenience, there is always room for security issues and vulnerability exploits.
A discovery made by researchers from Tripwire has demonstrated how a simple misconfiguration error and a few other security issues can lead to data leakage and can allow hackers to steal E-keys and Smart Locks unlock codes with just a single MAC address. During their investigation, the researchers have detected disturbing security issues with an UltraLoq device made by the company U-Tec.
The UltraLoq device is sold by Amazon, Walmart, Home Depot and other retailers and is generally promoted as secure and versatile smart deadbolt. Its developers claim that it allows for key-less entry through the Bluetooth of your smartphone and a code. Users can exchange codes and “E-keys” for temporary access with their friends and visitors which seems convenient. However, Tripwire researchers have found that a hacker can easily get an access key through sniffing out the device’s MAC address.
Sourcing out information from the web about the U-Tec company and the use of MQTT (a protocol for IoT devices used for data exchange) by vendors, the researchers found that an Amazon vendor contains UltraLoq topic names and customer e-mail addresses. The further examination of the UltraLoq device itself revealed that it pairs with a bridge device connected to Wi-Fi via Bluetooth and there is an odd “repeating message flow on the unlock process”.
Tripwire professionals noticed that the message could be used to open the lock after a Python script is used. Everything it required is the correct MAC address which can be leaked from the MQTT data and delivered to everyone in the area by radio broadcast.
Tripwire researcher Craig Young explained that it is easy to steal unlock tokens from specific devices through this security issue since the MQTT data contains public IP addresses, e-mail and local MAC addresses, which an anonymous attacker could collect and use against any active U-Tec user.
Young contacted U-Tec with his discovery in Novemeber 2019. At first, the company said that it would not be possible for unauthorized users to unlock the locker but when the researcher pushed them further with more demonstrations on the possible exploitation of the detected issues, the U-Tec team made improvements that involved closing an open port, implementing rules to prohibit unauthenticated users from subscribing and blocking unauthenticated users from access. Within a week, the company addressed every issue reported by Tripwire’s team.
The findings of Tripwire point out that companies need to have a close cooperation with security researchers when it comes to detecting and addressing product vulnerabilities, otherwise this may lead to trivial attacks, more so with the mass implementation of IoT solutions, such as the Smart Locks. Security weaknesses, misconfigurations in the code, and API vulnerabilities can cause the exposure of user information, thereby enabling attackers to gain unauthorized access.