Smart lock bug could let hackers locate you and unlock your door, remotely

A new report published this week sheds light on a vulnerability in smart lock models that hackers could exploit to crack them open remotely.

Not only that, the attackers could see the exact timestamps indicating when a door had been “locked” and “unlocked” by the user. Further, the revealed information contained the user’s IP address and device MAC address information, which are fairly unique identifiers.

The specific smart lock model impacted by this flaw is the U-Tec UltraLoq.

U-Tec smart locks use MQTT, a “publish-subscribe” protocol that runs over TCP/IP.

With the MQTT protocol, a smartphone app, for example, can seamlessly monitor multiple actuators, such as temperature controls in HVAC systems, in real time.

Further, the “publish-subscribe” architecture makes it easier to adjust settings on a per-device basis in connected homes and offices.

“The risk of using MQTT arises when it is deployed without proper authentication and authorization schemes. Without this, anyone who can connect to the broker can leak sensitive data and potentially influence kinetic systems,” states the report released by Tripwire.

Shodan exposed smart locks

A sample smart device found on Shodan with MQTT requests exposed
Source: Tripwire

IoT search engines like Shodan regularly sweep the web for internet-exposed devices. A researcher recently came across such IoT devices, which appeared to be door locks.

“I tested various MQTT search terms to see how many hits they yield. One server in particular caught my attention because it had pages and pages of MQTT topic names and repeatedly came up in searches including references to ‘lock’ and free email providers like ‘gmail.com,’” states a computer security researcher, Craig Young at Tripwire.

The researcher was able to access this MQTT device via simple Linux CLI tools, such as mosquitto_sub.

View IPs, MACs, usernames…

The data returned by the device confirmed the researcher’s suspicion that it was a smart lock device. Among the fields returned, Young saw sensitive information exposed, including IP addresses, usernames, and a timestamped record of when the device was locked and unlocked.

“The data included email and IP addresses associated with locks and timestamped records of when the locks [were] opened and closed, among other things,” said Young.

He further explained, “This means that an anonymous attacker would also be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses.”

“This is enough to identify a specific person along with their household address. If the person ever unlocks their door with the U-Tec app, the attacker will also now have a token to unlock the door at a time of their choosing.”

“Unlock” doors remotely

To add misery to an already unfortunate situation, the device allowed “replaying” of these requests without any authentication mechanism in place.

This means that an attacker who could intercept these messages was able to “replay” them at will to lock or unlock the smart device.
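A replayed message only works when the lock cannot tell a fresh command from an old one. The sketch below is an added example, not U-Tec's fix or Tripwire's code: it shows one standard countermeasure, an HMAC tag over the device, the action and a strictly increasing counter. The message fields, the per-device shared key and all names are assumptions.

```python
import hashlib
import hmac
import json

ACTIONS = ("lock", "unlock")

def sign_command(key: bytes, device: str, action: str, counter: int) -> dict:
    """App side: bind device, action and an increasing counter under an HMAC tag."""
    body = json.dumps([device, action, counter]).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"device": device, "action": action, "counter": counter, "tag": tag}

class LockCommandVerifier:
    """Lock side: accept a command once, and only if its tag verifies."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def verify(self, msg) -> str:
        try:
            device, action = msg["device"], msg["action"]
            counter, tag = msg["counter"], msg["tag"]
        except (KeyError, TypeError):
            return "reject: malformed"
        if (not isinstance(device, str) or action not in ACTIONS
                or type(counter) is not int
                or not isinstance(tag, str) or not tag.isascii()):
            return "reject: malformed"
        expected = sign_command(self._key, device, action, counter)["tag"]
        if device != self.device_id or not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        if counter <= self._last_counter:
            return "reject: replay"  # a captured message carries an old counter
        self._last_counter = counter
        return "accept: " + action

def demo() -> list:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    lock = LockCommandVerifier("lock-01", key)
    captured = sign_command(key, "lock-01", "unlock", 1)
    # First delivery, identical replay, then a replay with the counter bumped.
    return [lock.verify(captured), lock.verify(captured),
            lock.verify(dict(captured, counter=2))]
```

The counter must be stored persistently on the lock; if it resets on reboot, old messages become valid again.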

Moreover, an adversary who could sniff the MQTT traffic for some time could eventually retrieve the MD5 password hash, along with the usernames.

On finding these flaws, the researcher reported them to U-Tec on November 10, 2019. But the company initially dismissed his report, stating:

We have token authorize on the devices, Unauthorized users will not be able to open the door, please don’t worry.

After a few more exchanges between the researcher and U-Tec, the company ultimately patched the security flaws.

“U-Tec’s engineers went quiet for a few days but then came back to announce that user isolation had been implemented. I confirmed that I could no longer publish messages across accounts and promptly disconnected the lock and packed it away in the basement,” the researcher stated.
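What "user isolation" means at the broker can be shown as an authorization check on subscribe and publish. This is an added example, not U-Tec's or Tripwire's code; the topic layout `locks/<username>/<device>/<channel>`, the sample accounts and all function names are assumptions.

```python
from typing import List, Optional

# Constructed topic layout (an assumption, not U-Tec's real scheme):
#   locks/<username>/<device>/<channel>
ROOT = "locks"

def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' spans one level, a trailing '#' spans the rest."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def _valid_user(username: Optional[str]) -> bool:
    # Refuse anonymous clients and names that could act as wildcards or levels.
    return bool(username) and not any(c in username for c in "/+#")

def may_subscribe(username: Optional[str], topic_filter: str) -> bool:
    """Allow a filter only if its first two levels literally name this user."""
    levels = topic_filter.split("/")
    return (_valid_user(username) and len(levels) >= 3
            and levels[0] == ROOT and levels[1] == username)

def may_publish(username: Optional[str], topic: str) -> bool:
    """Allow publishing only to concrete topics inside the user's own subtree."""
    if not _valid_user(username) or "+" in topic or "#" in topic:
        return False
    return topic.startswith(f"{ROOT}/{username}/")

def visible_topics(username: Optional[str], topic_filter: str,
                   topics: List[str]) -> List[str]:
    """Topics a subscription would receive once the ACL is applied."""
    if not may_subscribe(username, topic_filter):
        return []
    return [t for t in topics if filter_matches(topic_filter, t)]

# Constructed sample topics for two accounts.
TOPICS = [
    "locks/alice@example.com/lock-01/status",
    "locks/bob@example.com/lock-07/status",
]
```

Without the ACL, the filter `#` matches every entry in `TOPICS`; with it, each account sees and publishes to its own subtree only.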

The researcher’s complete investigation and recommendations are shared in Tripwire’s report.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
