August 1st Generation
Smart locks are designed to keep your homes safe from those with ill intentions, but do they actually leave you open to attack? We conducted a comprehensive security assessment on a popular smart-locking device. The innovative Bluetooth door lock attaches to a deadbolt and offers convenience and functionality to its customers. The wireless product relies on various access control mechanisms based on predefined user privileges. Once installed, users can unlock their front door using their smartphone, and grant OWNER or GUEST access to others.
The smart lock classifies users into two types: OWNER and GUEST. An OWNER user is assumed to be a resident of the house and is effectively an administrator of the system. OWNER-level access implies a very high degree of trust, and would typically be granted only to a spouse or a co-owner of the property. A GUEST user is assumed to be someone the OWNER wants to grant temporary house access to.
Any user who is not a resident of the house or someone a resident wants to grant access to falls outside of these two groups and should not have any of the permissions of the OWNER or the GUEST.
August requires users to go through a simple password verification process when accessing the mobile application for the first time. The password complexity policy requires the use of at least eight characters, one uppercase letter, one lowercase letter, one numeric symbol, and one special character. After a successful login, the active user session never expires automatically, which is considered a bad security practice. This can potentially pose a risk if an attacker has physical access to the victim’s device.
The mobile application does not require old password verification prior to a password change, which is considered a poor practice from a security standpoint. In this case, our ethical hacking team was able to change the current user password. However, this attack failed when we tried to log in as the user on another device because the application requires email/SMS verification of the new host machine. A single-use code is sent to the real user’s phone or email account, so a malicious actor without access to at least one of these will not be able to log in. The email/SMS message, however, only includes the verification code with no other information. The message does not suggest to the user that an attacker may be attempting to access their account. This is a low-risk vulnerability and is not considered to be a direct threat to the users.
Owner-Level Access Not Revoked
Through our investigation, we discovered that owners could still communicate with the lock while offline. This poses a threat in a scenario such as the following:
- Anna gives Mike OWNER-level access.
- Anna gets out of Bluetooth range of the smart lock.
- Mike maliciously puts his phone in airplane mode, preventing it from communicating with the smart lock servers, but leaving Bluetooth enabled.
- Anna revokes Mike’s access.
In this case, Anna is unable to communicate with the lock because she is out of Bluetooth range. She is also unable to communicate with Mike’s phone because he has disabled Internet connectivity. Therefore, neither the smart device nor Mike’s mobile application will receive the revoking message. Mike can then continue locking and unlocking the door as though his access had not been discontinued. Mike’s access cannot be revoked until Anna communicates with the lock.
If this wasn’t scary enough, it seems that there is a bug in the lock’s logging code, and the log files will not properly report Mike’s access during this period. This means that if Mike did access the house while he was offline, Anna would have no way of knowing that he had entered. The issue listed above can be considered a low-risk vulnerability and is not considered a direct threat to users.
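To make the revocation gap concrete, the following is an added Python model of the Anna/Mike scenario (our own illustration, not August’s code or protocol). It assumes a server-issued credential with an optional offline lifetime (`ttl`, a hypothetical parameter): a credential that never expires keeps working for as long as Mike stays offline, whereas a bounded one forces his phone back to the server, where the revocation takes effect.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Credential:
    user: str
    issued_at: int
    ttl: Optional[int]  # seconds of offline validity; None = never expires (assumed 1st-gen behaviour)


class Server:
    """Cloud side: the only place Anna's revocation is recorded."""
    def __init__(self):
        self.revoked = set()

    def refresh(self, cred, now):
        """Re-issue a credential; refused once the user has been revoked."""
        return None if cred.user in self.revoked else Credential(cred.user, now, cred.ttl)


class Phone:
    def __init__(self, cred):
        self.cred = cred
        self.online = True

    def sync(self, server, now):
        """Only runs with Internet access; airplane mode skips it entirely."""
        if self.online and self.cred is not None:
            self.cred = server.refresh(self.cred, now)


class Lock:
    """Bluetooth-only device: it has no network link, so it learns nothing from the server here."""
    def try_unlock(self, phone, now):
        cred = phone.cred
        if cred is None:
            return False
        if cred.ttl is not None and now - cred.issued_at > cred.ttl:
            return False  # expired offline credential: the phone must refresh first
        return True


def run_scenario(ttl, online=False, check_times=(60, 7 * 24 * 3600)):
    """Mike's unlock results (constructed timeline) after Anna revokes him out of Bluetooth range."""
    server, lock = Server(), Lock()
    mike = Phone(Credential("mike", issued_at=0, ttl=ttl))
    mike.online = online           # False = airplane mode, Bluetooth still on
    server.revoked.add("mike")     # Anna revokes; Anna never reaches the lock in this run
    results = []
    for now in check_times:
        mike.sync(server, now)     # no-op while offline
        results.append(lock.try_unlock(mike, now))
    return results
```

Run `run_scenario(None)` to reproduce the unbounded window described above, and `run_scenario(3600)` to see a one-hour offline lifetime close it.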
- Set a complex lock code (passcode, password, passphrase, etc.) for all your personal electronic devices.
- Do not leave your personal electronic devices unattended in public places.
- Avoid assigning OWNER privileges to multiple users and follow the principle of “least privilege”: give a user account only those privileges that are essential to perform its intended function.
- Make sure your smart lock access list is up-to-date before you leave home.
- Avoid using “smart only” locking devices to prevent unauthorized remote control over your protected assets.
- Always perform open-source research through reliable search engines (e.g. Google, Bing, etc.) on known vulnerabilities in the smart device you are interested in.
- Buy your smart gadget from an officially certified source.
- Be aware of any signs of physical tampering with the product.
- Stay up-to-date with the latest news around your device.
- Contact the seller directly if you or anyone else has identified a major misconfiguration.