A new report published this week sheds light on a vulnerability in smart lock models that hackers could exploit to crack them open remotely.
Not only that, the attackers could see the exact timestamps indicating when a door had been “locked” and “unlocked” by the user. Further, the revealed information contained the user’s IP address and device MAC address information, which are fairly unique identifiers.
The specific model of the smartlock impacted by this flaw is U-Tec UltraLoq
U-Tec smart locks use what’s called MQTT, “publish-subscribe” protocol which runs over TCP/IP.
With MQTT protocol, a smartphone app, for example, can seamlessly monitor multiple actuators, such as temperature controls in HVAC systems in real-time.
Further, the “publish-subscribe” architecture makes it easier to adjust settings on a per device basis in connected homes and offices.
“The risk of using MQTT arises when it is deployed without proper authentication and authorization schemes. Without this, anyone who can connect to the broker can leak sensitive data and potentially influence kinetic systems,” states the report released by Tripwire.
Shodan exposed smart locks
IoT search engines like Shodan regularly sweep the web for internet-exposed devices. A researcher recently came across such IoTs that appeared to be doorlocks.
“I tested various MQTT search terms to see how many hits they yield One server in particular caught my attention because it had pages and pages of MQTT topic names and repeatedly came up in searches including references to ‘lock’ and free email providers like ‘gmail.com,’” states a computer security researcher, Craig Young at Tripwire.
The researcher was able to access this MQTT device via simple Linux CLI tools, such as mosquitto_sub.
View IPs, MACs, usernames…
The data returned by the device confirmed researcher’s suspicion that it was a smart lock device. Among the fields returned, Young saw sensitive information exposed, including IP addresses, usernames, and a record of when the device was locked and unlocked with timestamps.
“The data included email and IP addresses associated with locks and timestamped records of when the locks [were] opened and closed, among other things,” said Young.
He further explained, “This means that an anonymous attacker would also be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses.”
“This is enough to identify a specific person along with their household address. If the person ever unlocks their door with the U-Tec app, the attacker will also now have a token to unlock the door at a time of their choosing.”
“Unlock” doors remotely
To add misery to an already unfortunate situation, the device allowed “replaying” of these requests without any authentication mechanism in place.
This means, an attacker who could intercept these messages was able to “replay” them at will to lock or unlock the smart device at his pleasure.
Moreover, an adversary who could sniff the MQTT traffic for some time could eventually retrieve the MD5 password hash, along with the usernames.
On finding these flaws, the researcher reported them U-Tec on November 10, 2019. But, the company had initially dismissed his report stating:
“We have token authorize on the devices, Unauthorized users will not be able to open the door, please don’t worry.“
After a few more exchanges between the researcher and U-Tec, the company ultimately patched the security flaws.
“U-Tec’s engineers went quiet for a few days but then came back to announce that user isolation had been implemented. I confirmed that I could no longer publish messages across accounts and promptly disconnected the lock and packed it away in the basement,” the researcher stated.
The researcher’s complete investigation and recommendations are shared in Tripwire’s report.