Another case of a Vulnerable Smart Lock

Arun-Magesh
22/10/2018

I am back with another blog after a long time. I have been buying a lot of random things from aliexpress/banggood, and smart locks are one of them. The recent findings on Tapplock by @cybergibbons and @slawomir inspired me to do some more research on smart locks and show how vulnerable they are.

Disclaimer: The smart lock I got is pretty common and is even available on Amazon. Several thousand devices are already in the market. I have changed the brand name to something imaginary: the “*unhackable*” Smart Lock.

Smart Lock:

The lock I got is from a Chinese company called *unhackable*. You can also get the same lock locally from Amazon, so people do use these devices. The specifications are good too.

Along with Bluetooth comes a companion mobile app, which connects to a remote server to save your lock password and to share the lock with others.

I will start by listing all the findings.

No HTTPS for communicating with the mobile app/server.

The connection between the mobile app and the server uses plain HTTP, so it is prone to sniffing and other trivial attacks. An attacker can reverse engineer the communication to exploit the server.

User Database Download.

The API endpoint was identified by intercepting the Android app's traffic. An attacker can brute-force the user ID to get device user information such as name, email address, lock password and MAC address.

This is nothing fancy: just send a GET request to the same endpoint without any parameter and you get the whole database as JSON, along with some PHP info.

The database contains around 7500+ smart lock MAC addresses, lock passwords and email addresses.

Backdoor password

It was identified while analysing the APK, in the package “com.*unhackable*-lock.base_blelock.fragment” (brand name substituted as above). A hard-coded password was found there, and it is used as the password-reset OTP.

This means there is backdoor access to every user's device: you can get all the email addresses from the previous vulnerability, reset the password for every user and gain access to their locks.
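To make the finding concrete, here is an added illustration of the broken reset flow beside a hardened one. This is not the vendor's code or anything recovered from the APK; the user table, the constant OTP value and the function names are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample data: a tiny stand-in for the vendor's user table
USERS = {"alice@example.com": {"lock_password": "1234", "mac": "AA:BB:CC:DD:EE:01"}}

# --- The pattern behind the finding: one constant OTP shared by every account ---
BACKDOOR_OTP = "000000"   # made-up value; in the real app it was baked into the APK

def reset_password_vulnerable(email, otp, new_password):
    """Anyone who extracts the constant from the app can reset any user's password."""
    if email in USERS and otp == BACKDOOR_OTP:
        USERS[email]["lock_password"] = new_password
        return True
    return False

# --- Hardened flow: random, per-user, short-lived, single-use, rate-limited OTP ---
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
_pending = {}   # email -> {"otp", "expires", "attempts"}

def issue_otp(email, now=None):
    """Server side: mint the OTP and record it; deliver it to the user out of band."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, not a constant
    _pending[email] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp   # returned only so the example is testable; never send it to the caller

def reset_password_hardened(email, otp, new_password, now=None):
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None or now > entry["expires"]:     # no OTP issued, or expired
        _pending.pop(email, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:            # stop online guessing of 6 digits
        _pending.pop(email, None)
        return False
    if not hmac.compare_digest(entry["otp"], otp):  # constant-time comparison
        return False
    _pending.pop(email)                             # single use
    USERS[email]["lock_password"] = new_password
    return True
```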

These vulnerabilities have been reported to the vendor and there has been no response from them.

I have also looked at the Bluetooth and hardware side of the smart lock; I will post a new blog on that after a while.
