I am back with another blog after a long time. I have been buying a lot of random things from AliExpress/Banggood, and smart locks are one of them. The recent findings on Tapplock by @cybergibbons and @slawomir inspired me to do some more research on smart locks and show how vulnerable they are.
Disclaimer: The smart lock I got is pretty common and is even available on Amazon. Several thousand devices are already on the market. I have changed the brand name to something imaginary: “*unhackable*” Smart Lock.
Smart Lock:
The lock I got is from a Chinese company called *unhackable*. You can also get the same lock locally from Amazon, so people do use these devices. The specifications are good too.
Along with Bluetooth comes a companion mobile app, which connects to a remote server to save your lock password and share the lock with others.
I will start by listing all the findings.
No HTTPS for communication between the mobile app and the server.
The connection between the mobile app and the server uses plain HTTP, so it is prone to sniffing and other trivial attacks. An attacker can reverse engineer the communication to exploit the server.
User Database Download.
The API endpoint was identified by intercepting the Android app's traffic. An attacker can brute-force the user ID to get a device user's information: name, email address, lock password and MAC address.
This is nothing fancy: just send a GET request to the same endpoint without any parameter and you get the whole database as JSON, along with some PHP info.
The database contains around 7500+ smart lock MAC addresses, lock passwords and email addresses.
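The server-side defects behind this finding are the ones a fix has to address: a lookup that works without authentication, a user ID that is sequential and therefore enumerable, a missing parameter that turns into a full dump, and a response that includes the lock password. The handler below is an added example written for this post, not the vendor's code; the `/api/user` path, the `userid` parameter, the bearer-token sessions and the in-memory records are all constructed. It also refuses requests that did not arrive over TLS, which covers the plain-HTTP finding above.

```python
# Added example (not the vendor's code): a hardened version of the user-info
# lookup. Data, tokens, path and parameter names are constructed assumptions.
import hmac
import secrets

# Constructed sample records. Lock passwords are stored but never returned.
USERS = {
    "u_7f3k9": {"name": "Alice", "email": "alice@example.com",
                "lock_mac": "AA:BB:CC:00:11:22", "lock_password": "123456"},
    "u_q2m8x": {"name": "Bob", "email": "bob@example.com",
                "lock_mac": "AA:BB:CC:33:44:55", "lock_password": "654321"},
}

# Constructed session tokens (issued at login, kept server-side) -> user id.
SESSIONS = {
    "tok_alice_0001": "u_7f3k9",
    "tok_bob_0002": "u_q2m8x",
}

# The only fields a caller may ever see about an account.
PUBLIC_FIELDS = ("name", "email", "lock_mac")


def new_user_id():
    """Unguessable id, so sequential enumeration of accounts is not possible."""
    return "u_" + secrets.token_urlsafe(9)


def authenticate(headers):
    """Return the user id for a valid bearer token, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].encode()
    # Constant-time comparison against every known token.
    for known, uid in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token):
            return uid
    return None


def get_user_info(scheme, params, headers):
    """Handle GET /api/user?userid=... and return (status, body)."""
    if scheme != "https":
        return 403, {"error": "cleartext requests are not accepted"}
    caller = authenticate(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    uid = params.get("userid")
    if uid is None:
        # A missing parameter is an error, never a bulk dump.
        return 400, {"error": "userid is required"}
    if uid != caller:
        # Same answer whether the id exists or not: no oracle for enumeration.
        return 404, {"error": "not found"}
    record = USERS[caller]
    return 200, {field: record[field] for field in PUBLIC_FIELDS}
```

The checks run in the order an attacker would hit them: transport, authentication, then authorization on the specific record. Returning 404 rather than 403 for another user's ID means the endpoint does not confirm which IDs exist, which matters once IDs are random.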
Backdoor password
It was identified while analysing the APK, at “com.”unhackable”-lock.base_blelock.fragment”. A hard-coded password was found there, and it is used as the OTP for password resets.
This means you have backdoor access to every user's device. You can get all the email addresses from the previous vulnerability, reset the password for every user and gain access to their locks.
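A fixed reset code shipped inside the app is the whole problem here: anyone who decompiles the APK holds the reset secret for every account. The example below is added for this post and is not the vendor's code; it shows what a reset OTP should look like instead: generated per request from a CSPRNG, sent out of band, stored only as a hash, valid for a short window, limited to a few attempts, and accepted exactly once. The function names, the `RESETS` store, the 10-minute validity and the 5-attempt limit are assumptions.

```python
# Added example (not the vendor's code): a per-request password-reset OTP
# that replaces a hard-coded reset password. Names and limits are assumptions.
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed validity window: 10 minutes
MAX_ATTEMPTS = 5        # assumed limit, after which the code is discarded

# Pending resets keyed by email: one live code per account, hash only.
RESETS = {}


def _digest(code):
    """Hash the code so a database leak does not leak live reset codes."""
    return hashlib.sha256(code.encode()).hexdigest()


def issue_reset_otp(email, now=None):
    """Create a fresh 6-digit code for `email` and return it for out-of-band
    delivery (email or SMS). Only its hash and expiry are stored."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    RESETS[email] = {"hash": _digest(code),
                     "expires": now + OTP_TTL_SECONDS,
                     "attempts": 0}
    return code


def verify_reset_otp(email, code, now=None):
    """Return True exactly once, for the right code inside the window."""
    now = time.time() if now is None else now
    entry = RESETS.get(email)
    if entry is None:
        return False
    if now > entry["expires"]:
        del RESETS[email]           # expired: discard
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del RESETS[email]           # too many guesses: discard
        return False
    if hmac.compare_digest(entry["hash"], _digest(code)):
        del RESETS[email]           # single use
        return True
    return False
```

The attempt counter is what makes a 6-digit code adequate: with five tries against a code that changes every request, guessing is not a practical strategy, whereas a fixed code in the client can be read once and used forever.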
These vulnerabilities have been reported to the vendor, and there has been no response from them.
I have also looked at the Bluetooth and hardware side of the smart lock; I will post a new blog on that after a while.