
...the demo, I just saw it, so you're gonna like this. Saying that... good, yes. So, our last speaker of the day. We know you're tired and appreciate that everybody's still, you know, coming back and seating yourselves and respecting the speakers here today; it's a fantastic atmosphere, so really appreciated by everybody up here, I'm sure. But we wanted something fun for the last talk, and when the selection committee was going through the CFP submissions, I LOL'd at this guy's, because one of the lines in the description of his talk was "hitting it with a hammer". So, I mean, what else could we do? We had to have something a little exciting for the end here. So our second speaker of the day and our second Dave from the Commonwealth: IoT Shenanigans. Take it away, Dave.

Can you hear me? Oh, that's loud. Right, hello. I'm Dave. You may have seen me on Twitter occasionally; I do this sort of thing. I mainly hack stuff. If you see my Twitter you'll see my avatar a lot: that's a burning Furby. It was a barbecue, we were drunk, what else are you gonna do? I normally mess around... well, I've been in InfoSec for 20 years and I do a lot of stuff, but recently I've been messing around with a lot of hardware and IoT because it's interesting. So, you know, I don't always stick my hand up an IoT device, but that was me when I had more hair.

So one thing I'm gonna start with is talking about vectors, an attack expression in the physical world. Just an example: I was walking up to my kids' [inaudible] and they'd redone everything, and they'd put up these brand-new fancy fences to replace the hedges that they previously had. Can we see the flaw in that, anybody from the floor? Let me just zoom in a bit. They've put the bolts on the wrong side: a few seconds with a drill and the right screwdriver bit and I'll be in there. Found this on a walk. In fairness, I think it was just cheaper to use a padlock instead of a chain bit, but... so on.

So one of the things that we see in IoT that people don't get is: what is an attack surface, what are the vectors of attack? As a sort of thought process, a thought experiment: when I moved into my first house 20 years ago I discovered that the previous owners had locked the shed and then never left the keys behind. So that isn't the shed, that's my current shed, just as a sort of thought process. How would you get in there? Any ideas? Break the window, that's a good one. Anything else?
Hinges, yep, brilliant idea. No, it isn't: the rather excellent roofing you see is a result of me and a couple of mates replacing the roof and having a few beers, so that's why it's a bit shoddy. So we can go for the lock, we can use lock picks, we can use a hacksaw, which is what I did in the end; it takes 20 minutes to saw through a shackle. We can use the hinges, we could throw a brick through the window, or we can get a bunch of mates to lift off the roof, because on most sheds the roof isn't actually attached, it's just held on there by gravity. But I'm gonna delve in a bit. This has just been to demonstrate vectors.

Specifically I'm going to go into smart locks, which we're seeing more and more nowadays. Here was one that was reported a couple of weeks ago where people started... we're seeing on Airbnb, we're seeing in tenant houses, that landlords are going "we must have smart locks, because it allows us to get in and it allows us to control", so we just give access to the app, no keys. Sounds great. And personally I'm for smart locks. I don't know about some of you, but I'm reaching the age where I occasionally walk out my front door and go "did I lock that door?" In fact I did that on my way here yesterday when I went to the airport: I got about 5 miles, then I went "[ __ ]" and had to turn around. Oh sorry, thanks, you're just making me feel young.

And just as a tradition, I had to do the Google thing. As we can see on there, you type in "Bluetooth locks" and we see "hacked", "unhackable". Now, to be fair, there was a presentation at DEF CON in 2016 on some of the first generation of Bluetooth locks, and a lot of them were rubbish. What we're sort of seeing nowadays is Chinesium locks: if you search on Amazon, eBay, anywhere that you go, you'll see a lot of these Bluetooth locks for, well, in my terms, 20 pounds, or whatever that is in NOK, I'm not certain. But they're relatively cheap; you can buy them for pretty much what you'd expect, about double the price of an old padlock. They sound great, don't they? Oh, what's the matter? I was looking through to gather more of them and I went to Amazon and I found this brilliant Photoshop. I'm not certain what exactly that lock's meant to attach to, but... And by the way, that lock looks really big and strong, doesn't it? Here it is. I was quite disappointed when that arrived.

So going back to my initial point about attack vectors and attack surface... sorry, vectors and attack surface. With a traditional lock we have a number of attack vectors: we have the shackle, the latch, the body and the lock. All of these have different weaknesses that can be got at. If we go into the wonderful world of smart locks we have a load of new ones. We have a motor: something has to, you know, open that lock. It can be a solenoid; solenoids have their own different attacks, but I'm not going to go into those because they're quite rare. We have an unlocking sensor, normally it's Bluetooth Low Energy, but there are fingerprint locks. I've got one here which is exclusively fingerprint... oops, try not to knock everything everywhere. That's an exclusively fingerprint lock. Yeah, I wouldn't want to use that one; I could probably bite through that shackle. And there's a charging point, because a lot of them, if they have batteries, they want to charge. Everyone's probably got USB, and they don't always disable the USB on it, so you can occasionally just actually get data through there. But also we have the mobile app, how it talks to the internet, and an API. These are all possible attack vectors that we can use.

So let's look at body attacks. I stole this from Wikipedia because I'm lazy, and there are some important things. Most modern locks are built using an alloy called Zamak 3. It's non-magnetic and it's relatively hard-wearing, and the best thing is it's very cheap to cast, so you can just put the internal workings of the lock in and build them however you want inside it. There's a couple of problems with Zamak 3. The first one is the melting temperature, which is nearly 400 degrees Celsius. One problem: a plumber's blowtorch goes to about a thousand. So if I use a blowtorch, it takes about two minutes and it all nicely melts off and I can just get into it. The second one is hardness, which is measured in something called Brinell; go to Wikipedia if you want more details about that. But it's 97, so you can just use a Dremel. Here's one I did earlier. As you can see, that's one I Dremeled, [inaudible] through it, and got the motherboard out of it.

These are the ones a YouTuber called JerryRigEverything had a look at, on something called a Tapplock, and they found a problem with this locking pin here, where occasionally it wouldn't engage, so you could literally just rotate the back and it would pop open. It gets worse... sorry? It's a back door, yes, very good. Um, it gets worse. This is one of the Chinesium ones. I don't have it with me because I had to leave a few of them at home, I do apologize. As well... those are my shorts, those are my legs in shorts, try not to see them. You will be seeing them now. You can see that little rubber bung; you've just got to remove that rubber bung... what's that... and it comes out here, and now we have access to, well, it's not much, but there's a zoomed-up version here. You can see a battery cell, which is just a 3.7-volt li-ion cell; these are just two wires which go to the motor. Once I've got access to those I can spike the motor directly, I can send current to it.

Another one we've got, I'm gonna need two hands for this... I've done this so many times I can do this with my fingers. This is something called a Mica lock, originally reviewed by somebody called LockPickingLawyer, who's on YouTube and Twitter, and you can see I can just pop the front open. Originally I had to use a screwdriver to do that, but now I can do it with my fingernails. Here's a zoomed-in version. What we can see is debugging pads, so there's potentially some attacks there [inaudible], or, even simpler, I can go directly to the motor contacts and I can just spike current through them. I will be demoing that later, if it works. A little word of warning: the demo gods hate me, okay? Things generally don't work, even though I've just tried them again; they will not work, and I've been cursed today. Thank you.

One just to finish on the body is something called the Eva Tron, I probably mispronounced that, which was found out there, which had an interesting little flaw. Let me zoom in. What can you see there? It's another screw. What the best bit about this was: this was disclosed to the... to the customer, sorry, no, [ __ ], to the company, and they sent an email back with a quality statement. Today I'm going to read this one out literally: "We designed this fingerprint lock for the purpose of against theft; however, the lock is invincible to the people who do not have a screwdriver."
Onto the shackle, or the loopy bit as I like to call it. So the attack vectors consist of: a hacksaw takes a while, but you can do it. You've got shims, so these are thin bits of, I'd argue, mainly aluminium, that you can wrap around the shackle and disengage the latch. And you can use bolt cutters, so I'm going to demo this in a second. So I've locked up my bag here. Just because I'm stupid, here's the keys, anybody want some keys? [Music] Right, I don't know whether anyone's actually ever tried this. Has anybody ever seen a technique for opening a zip directly? So one of the things about zips is you can actually force something between the teeth. I'm gonna have to put the microphone down for this. This will never work now. Now, [inaudible] audience... And what you can do is actually force the zip open. Both times I did this in tests it actually worked perfectly. There we are. So you actually open the bag directly, and the best bit about this, as you can see it's open, is the zip is self-repairing, so when I can do it properly, ah, you can just force it together. Unfortunately it's not gonna work now. Yeah, it's mostly done. So that's one of the things, but personally I like to cheat. I am actually surprised they let me carry these through customs.
So I love bolt cutters. They're great, takes a few seconds, locks are easy to remove, and apparently you can take them through customs. So you can actually get very silly bolt cutters. Those are just a cheap pair; they cost twenty dollars or the equivalent, 20 euros, [inaudible], but one of my colleagues got a pair of four-foot ones, so that's... I can't remember what that is in centimetres, somebody will have to convert... 120 centimetres, and we tried those. What can you do? Can you do any further? No, normally that's not a normal attack thing, but some of these you could definitely go through; probably this one you could go through and probably even up to that. So just be careful, you know, things can happen. Obviously carrying 120-centimetre bolt cutters around is a bit of a giveaway.

So onto the latch, now there's some mechanism. So here's a sort of cut-up of one of the latches, I think that's of the Eva Tron. The attack vectors on there: we have magnets, so this bit here is a magnet; you can often just pull the magnet across and drag it across. A lot of the internal gubbins are not magnetic, so sometimes it works, sometimes it doesn't. Shims again. The hammer: you can often just force them open; often you can just bash it against your palm, so it's weak enough. Brute force: this one I could probably pull open if I tried. An earlier version of it, my first one, I actually killed because I did actually force it open by hand. And one of my colleagues who was testing another lock put it on his washing machine whilst he was making a coffee; the washing machine went into its spin and it popped open. So here's another one, this is the Mica lock again; this was found by LockPickingLawyer again. So there's a rubber bung up at the top which you can pop out, and you can get a thin shim in that little hole there, which allows you to pop round and actually disengage the latch.

Motor attacks. So this is the internal gubbins. So you can make what's called a spike tool quite easily. This is my spike tool; it's made from those three components, which is a battery, some [inaudible], some jumpers and some electrical tape, and here's a quick how-to. I'm not giving away any secrets here; I don't think you'll hack into the Pentagon this way, but you never know. So I'm going to attempt to do a spike. This may work. Sorry, one of the worst bits is actually getting the orientation right. So there's a couple of wires here, and in theory this normally works about two times in every three. Now it won't lock again, though.

The charge port. As I said, a lot of modern ones use USB now because it's a simple way of charging the cell; there's enough circuitry, although it's dirt cheap. I don't see how... most of these ones are charged by USB. I've got one lock which doesn't actually have a charge port: if it dies you're buggered, you can't open the lock or anything. I have seen them before... this is a dump from one: I don't know, it's a CD-ROM drive. I'm not certain what that is and to be honest I haven't investigated further.

And this is the one which is the majority of the bit: the Bluetooth sensor. Now, I like hacking Bluetooth; it's just one of the things I do, because I quite like Bluetooth and also it's easy. Imagine Bluetooth Low Energy, which is most of the Bluetooth you get, as a big spreadsheet, so it's relatively easy to do things like this. So there are attack vectors specifically for Bluetooth. You can sniff them; that's an Ubertooth, easily you can get one for about 20 euros... you can get cheaper ones, but the Ubertooth works the best. You can do replay attacks: Bluetooth Low Energy is generally not encrypted, so you can replay stuff. And you can just play stuff at it, so you can just programmatically mangle stuff with a cheap USB dongle. This cost me about five euros; it's the one I use.

Just to show you some [inaudible] ones. This is a Tapplock, which my colleague Andrew managed to crack open. So Bluetooth uses a sort of address; it uses a MAC address, so instead of an IP address it pretty much looks like a MAC address, six octets. So the Tapplock uses a command byte, and then it uses bits of the MAC address to make an MD5 of the MAC address, which it broadcasts out. So if you want to unlock it you just have to listen to the lock, listen out, and replay those... those bits in the MAC address. The [inaudible] padlock, which is a quality name, which is a little thing: I only worked this out last week. It's a bit more complicated: it has a password. The password is six digits of one to four, which, if you work it out, is 4096 possible combinations, which means you can brute-force this. It takes a bit of a while, because Bluetooth is... it's a bit like UDP: the packet goes out, it may get there, it may not. So I've got a little demo of this. Can you see that? Now you can't.
Right, I can't actually see the screen. So, right, here's a padlock. Come on. Sorry, one of the problems is the padlocks... I just found it. Well, one of the problems is the padlocks go to sleep because they try and reduce battery usage, so I'm just pressing the button there to start it up. Hurry up. So it's found the lock, it's trying to guess the password, and it's unlocked. Now, I've got to admit I shortened that deliberately. Now it's locked in the wrong position. So I shortened it up because I knew what the password was, because otherwise it would take about an hour. Oops, wrong screen. Okay, I don't know what I've done there, give me a second. Yep, right, so that's better.

So now I'm going on to the final one of these: the Nokelock, not the Noke, which is an early one done by an American company that actually runs a proper bug bounty and has been pried at by many people who failed. This is a Nokelock; it's a cheap Chinesium lock, like this one which I accidentally unlocked earlier, and the Mica lock is a clone of it. The majority of ones you'll see on Amazon are all clones of them. Now, to attack this one, I found the easiest way was to reverse the Android APK. Does anybody here develop on Android? Yeah? Or reverse Android? So whether you have or you haven't, this is a rough guide to how Android apps get written. You have a language like Java or Kotlin, it goes into Android Studio, it may go through ProGuard obfuscation, then it comes out as an APK. The thing about this is you can reverse it: when it compiles, it compiles into a bytecode that can easily be reversed. So the reversing one is you take your Android app, pass it through, in this case I used jadx as a decompiler, you may occasionally deobfuscate, and it turns into Java. So I'm gonna cut this bit down. Originally when I did this there were about 15 slides of me going through the process and, to be honest, I bored myself, so I cut it down to 3.

So when trying to find something: writing on Bluetooth is writing into something called a characteristic, so you can search for "characteristic" and see where that is written to. You can see it up there if you've got really good eyesight: you can see where it says "write characteristic", and then searching back through every single call leads to how the packet's made up, which is these three blocks, these boxes here, which is a command, a load of random data to stop replay, and then something else which I couldn't work out for ages, which resulted... the next call that it was used in was something that wasn't decompiled. So Android apps are written in a bytecode called Dalvik, which I had to then manually reverse; there are my scribbles, and that's the reversed one, which then goes into yet another set of decompiled stuff, and finally gets to where we get a notification request, where it takes them in from the device itself. So basically we can see that it's made of a command byte, a client token and some random padding. So the client token comes from the device itself. One of the easiest ways of decoding this on Android is you can do an HCI dump, which will actually tell you everything that we've gone through Bluetooth; I can just load that up in Wireshark, I can see what the contents of that dump is, and here it is all decoded. See a little pattern here: the token that comes through, and a bit of memory leakage here, because, you know, who once sanitized their memory?

There's one final bit I mentioned: you know all that gets encrypted through AES, quite strong. That's quite strong; AES is, you know, hard to reverse. But there's one little tip: when the whole thing comes, it comes with this little QR code, and you're enrolling your app on the QR code, which sends this message to the API, which returns this response with this key. So if you can get hold of the QR code you can get hold of the key and you can, you know, get it to work. But what if we don't have the QR code? Well, we found there's another call. As I said, it sends out to the MAC address, and everything on Bluetooth works on a MAC address. There is this call here where you can find the item by MAC address, and there's a key. And so I made a flowchart; I don't do flowcharts, I'm not a developer really. So I'm gonna do another demo now, and again I haven't sacrificed to the gods today, so this may or may not work. Oh, you know, if I click the right thing it may work.
Right, so here's... I'm just pressing the button on these to reactivate them, but that one's already unlocked. So that gets an API token, which it needs.
That's actually just locking itself now. Yeah, that's funny, it relocked itself. Let me actually unlock that now. Yeah, I... [Applause] ...always do that, sorry, wrong window.

So there's one vector left, and this is a bit which I haven't actually done before, even in the beta test, so hopefully it's slightly better, and that's the API. Now, one of the reasons why I haven't done it is because there was disclosure on it, and now it's past the point where I can actually disclose some stuff in here. So one of the things that we found is, as Dave Lewis at the start mentioned, you know, how long has SQL injection been on the OWASP Top Ten? How long has... has anybody heard of insecure direct object reference? How long has that been around? We thought that died out about five years ago. New: it's coming back. What we find is injection, broken access control. So we did try and disclose this to a number of different vendors, as different lots in here, and many a time ago we made the bingo, the disclosure bingo card, about the sort of responses we get from vendors when we try and disclose stuff, and we have literally had every single one of those responses. Which one do you think we got?
Nothing. So Nokelock: I have tried multiple methods of disclosing to them since January. So... oh, I do apologize for that slide, I'm sorry about that. So we're going to talk about the cloud. So first off, obviously I can't be Irish, I can't be called O'Lodge, or we get not only a SQL injection string, we get a stack dump. Now I couldn't go any further, because of course there are laws against this sort of thing, so I cannot attempt to go any further than this, but I wouldn't trust their database. Now here is a sample request. So this is how you log into Nokelock. Can anybody see the flaw here, a security vulnerability here? Sorry? That's right, so that's the basic one: all communications across HTTP, which is quite frankly ridiculous in this day and age; certificates don't even cost money anymore. You know, my personal blog is encrypted and it comes with [inaudible] SSL encryption, I don't pay any money for that.

So once we've logged in we have this important thing here: a token, which is an authorization token. Now, in theory, all I should be able to access is my own stuff. So here I am looking at somebody else's one. Actually it is the same email address, I do apologize, but, um, that's just what happened to be in my Burp log at the time. So it's the same address, but look at some of the stuff I get back. I can get back, for any user, the whole dump, including a password hash, which is, have a guess what that is: MD5. So these are some of the requests that you can do. In total this allows me to do a number of things. I can gather your email addresses, PII. I can take your lock: not only can I unlock your lock, I can steal your lock; I can take it away from your account and I can put it on my account, which means I can stop you using your lock, which I think is a lot more tricksy than actually just unlocking it. I can steal your passwords, and nobody reuses their password, really. And finally, the way the lock works, when you unlock it it stores the GPS coordinates. I can literally sit at my desk and I can look through and find people's... where physical locks are locked... that doesn't make sense, that sentence. I can find out where physical locks are and make my way to find your locks and unlock them. That's pretty much it. [Applause]

Thank you, very cool. I'm actually glad you didn't hit anything with a hammer; the demos were much more... unfortunately health and safety often gets in the way. Yeah, well, you're right next to an open window, so a blowtorch would have been very game. Does anybody have any questions for Dave?

Yeah, you worked quite fast through two slides, but did you say that when you charged one of the locks it appeared as a CD-ROM drive? Sorry, say that again. Yeah, you worked pretty quickly through the USB charging port slides, but did you say that one of the locks appeared as a CD-ROM drive? Yeah, one of them appeared as a CD-ROM, and then it's done there. My follow-up question is: did you try to eject the CD-ROM drive? No, I didn't. That is a brilliant question; I'll have to. I think what that is, is I think that's a dump from the fingerprint sensor, but quite frankly I got bored of doing that lock because it wasn't that exciting, but I will try and eject it next time. Thank you.

Just a short question: have you found any good smart locks? Some good smart locks? Yes, there are. I can't give you names, unfortunately, because they are customers. Going back, have you looked into door locks, smart door locks? Smart door locks, yes. Does it... disclosure's coming about one of the companies for that; I can't really tell anything yet because we're still waiting on that timeout. Anybody else?

I'm wondering if you think that the benefits of these locks are worth it in many applications, or are we trading a type of security in the form of mechanical locks that we kind of understand for something that is a mysterious black box? I'm showing a bit of a negative slant on them here. There are decent locks out there. It's the same as any teething new technology: some of them will work, some of them have flaws. One of the problems here is they're trying to get stuff out quite cheaply; they're trying to make it and, you know, get into the market as quickly as possible. They're not doing the due diligence, they're not getting things tested. As an example, this lock: I can't undo the Bluetooth interface for that, because once it gets bound to an account you cannot unbind it, which is good, that's how it should be. The appalling bit about that one is you can take the back off very easily. As a point to demo, here's one I took apart very quickly, very easily, and in fact you can take the back off that one with the screwdriver that comes in the pack. All right, anybody else have questions for Dave before we wrap up here? People are getting ready for dinner and socializing, I guess. Okay, one more.
So I understand you cannot disclose the good ones that you found, but would you say the price is an indicator of how good these locks are, or are they not connected? I think that's probably quite fair: the bottom end of the market, the really cheap ones, ones that are about 20 euros, are mostly rubbish. But did you find expensive ones that are rubbish as well? Actually, no. I tend to go for the... I'll start again. I've tended to sort of attack the cheap ones so far. We found there's one of them which I can't really go into, which is an expensive one that was not brilliant; we found a number of bypasses, including a very thin wire that would allow you to bypass the lock. Okay, thanks.

All right, if that's it, then I will give you a token of our appreciation for coming all the way over here to Norway, as soon as I pull it out from under your bolt cutters. Yes, so we started the day with a foreign Dave and we're ending with another, so here you go. Thanks. All right, that would be very useful, and when you come back, which we hope you will, then you will be prepared this time. Thank you.
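The cloud API findings in the talk (an authorization token that lets any logged-in user read any other account's record, MD5 password hashes, lock transfer between accounts, and the GPS position stored at unlock) modelled as an added example; this is not the speaker's code nor the vendor's real API, and every endpoint name, field and account below is constructed. The flawed handlers sit beside versions that check the token's subject against the record's owner and keep secrets server-side.

```python
"""Toy model of the padlock cloud API weaknesses described in the talk: passwords
stored as unsalted MD5, and a login token that proves only that someone logged in,
never that the caller owns the record being read or moved (an IDOR).
Names, endpoints and data are constructed for this example, not the vendor's API."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class User:
    user_id: int
    email: str
    password_hash: str   # unsalted MD5 as in the talk; a salted slow KDF belongs here
    locks: Set[int] = field(default_factory=set)

@dataclass
class Lock:
    lock_id: int
    owner_id: int
    lat: float           # GPS fix the app uploaded at the last unlock
    lon: float

# Constructed sample tenancy: two accounts, one lock each.
USERS: Dict[int, User] = {
    1: User(1, "alice@example.invalid", hashlib.md5(b"hunter2").hexdigest(), {100}),
    2: User(2, "bob@example.invalid", hashlib.md5(b"letmein").hexdigest(), {200}),
}
LOCKS: Dict[int, Lock] = {100: Lock(100, 1, 59.91, 10.75), 200: Lock(200, 2, 60.39, 5.32)}
SESSIONS: Dict[str, int] = {}   # bearer token -> user_id

def login(email: str, password: str) -> Optional[str]:
    """Issue a random session token when email and password match."""
    digest = hashlib.md5(password.encode()).hexdigest()
    for user in USERS.values():
        if user.email == email and hmac.compare_digest(user.password_hash, digest):
            token = secrets.token_hex(16)
            SESSIONS[token] = user.user_id
            return token
    return None

def _record(user: User) -> dict:
    """Account record as the API returns it: email plus each lock's last position."""
    return {"email": user.email,
            "locks": [(l.lock_id, l.lat, l.lon) for l in LOCKS.values() if l.lock_id in user.locks]}

def get_user_vulnerable(token: str, user_id: int) -> Optional[dict]:
    """Flawed: any valid token reads any account, password hash and lock positions included."""
    if token not in SESSIONS or user_id not in USERS:
        return None
    return dict(_record(USERS[user_id]), password_hash=USERS[user_id].password_hash)

def get_user_hardened(token: str, user_id: int) -> Optional[dict]:
    """Fixed: the token's subject must be the requested account, and no secret leaves the server."""
    if SESSIONS.get(token) != user_id:
        return None
    return _record(USERS[user_id])

def _move(lock: Lock, new_owner_id: int) -> None:
    USERS[lock.owner_id].locks.discard(lock.lock_id)
    lock.owner_id = new_owner_id
    USERS[new_owner_id].locks.add(lock.lock_id)

def transfer_lock_vulnerable(token: str, lock_id: int) -> bool:
    """Flawed: any logged-in caller can pull any lock onto their own account."""
    if token not in SESSIONS or lock_id not in LOCKS:
        return False
    _move(LOCKS[lock_id], SESSIONS[token])
    return True

def transfer_lock_hardened(token: str, lock_id: int, new_owner_id: int) -> bool:
    """Fixed: only the lock's current owner may hand it to another (existing) account."""
    me, lock = SESSIONS.get(token), LOCKS.get(lock_id)
    if me is None or lock is None or lock.owner_id != me or new_owner_id not in USERS:
        return False
    _move(lock, new_owner_id)
    return True
```

The same ownership check belongs on every object-bearing endpoint (unlock, position history, account lookup), since the talk's point is that the token was accepted as proof of login but never tied to the record being requested.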