by RSS David Maciejak  |  Oct 06, 2016  |  Filed in: Security Research

About 4000 years ago, as we began the development of our modern way of life, people started to also want their own privacy and the ability to safeguard their possessions. The lock and key concept was created at that time. The first were made with hardwoods, then metals. Some were amazingly intricate. But eventually, they evolved to become the latest iteration of that ancient concept, something we have seen developing over the last few years: the smart lock. The key has been replaced by your smartphone or smartwatch, but the lock is still there and it is getting smarter.

The smart lock is also a good example of the convergence of the Internet of Things (IoT) with security.  Usually, people buy locks for something they want to protect from others. For example, you buy a lock for your bike to prevent it from being stolen, or a lock for your front door to prevent intruders. Today, these locks are available in a variety of configurations, from the traditional key and lock model, to combination locks, to smarter versions with touchpads and alarm systems.

Many newer smart locks and security systems for your home can be accessed, monitored, and managed remotely. In some models, you can be alerted that someone is at your front door while you are away, look at a camera feed on your phone, see that it is a friend who has arrived early for dinner, speak to them through your remote connection telling them you will be home in a few minutes, and even unlock the door for them while you continue to pick up a few last minute things at the store. Likewise, keyless entry systems for cars have become surprisingly sophisticated, and can also be considered to be smart locks.

The market behind these new advanced security solutions is huge. Analysts are forecasting that the global smart lock market will grow at an astonishing rate of 75% during the coming few years, eventually reaching $3.6 billion by 2019.

These devices are quite appealing. Ironically, their hardware is not much more secure than a traditional deadbolt. What has happened is that the traditional lock has been wrapped in a layer of monitoring and communications software, and has been linked to such things as video cameras, lighting systems, and alarms. While you can argue that combining these things can make a homeowner more secure, there is also a downside, as the software being used has also created lead to a larger attack surface for criminals to exploit.

Frankly, the primary goal of many of these smart locks is to be convenient. They also create a sense of increased security, which may not actually be true. But that’s what people are looking for, and they are willing to pay for it. But there are pros and cons to this new technology

 On the pro side, this new technology provides real security conveniences for property owners, such as:

  • Geofencing allows a virtual key loaded on a fob, or as an app on your smartphone or smartwatch, to automatically lock and unlock a door depending on how far away that virtual key is from the deadbolt. For Bluetooth Low Energy configurations, you can set your door to lock up or lock down automatically from up to 100 meters away. This functionality can be quite useful when you are returning to your car or home with your hands full of shopping bags!
  • With remote key management you can grant access to specific doors or devices by sending virtual keys to a guest and revoking them later. You can even schedule when and for how long you want that access to last. This technology is particularly useful for people using something like Airbnb to rent out rooms, apartments, or vacation homes. It eliminates the need to have keys duplicated, and they can’t be lost as by definition a virtual key can’t be misplaced, duplicated, or transferred.
  • Remote monitoring, on top of key management, allows you to be notified when an authorized key opens the door, allowing you to keep records of any or all usage at any time.

Some of the more simplistic concerns about smart lock technology are a bit more technical in nature. A technophobe might ask, what happens if the battery on a fob or in your phone dies, or if access to the Internet is down? First, in the unlikely event that the battery is dying, you will certainly receive a bunch of warnings - not only visual feedbacks and sounds from the lock itself but also messages within the app – that the battery needs to be changed.  But ultimately, the answer is simple: in most configurations you can always still use your physical key on the old dumb deadbolt.

But what if you have lost your key or you just left it inside your apartment? There is a solution for that as well. Some locks now come with an external connector to which you can pin an external battery allowing you to jump start the lock and then replace the dead battery.

But these concerns are really just the tip of the iceberg.

The raging battle between IoT standards

Smart locks utilize a variety wireless technologies, such as Bluetooth Smart (aka Bluetooth Low Energy, BLE was release in 2010 as part of version 4), Wi-Fi, Z-Wave, ZigBee, Apple HomeKit, and more. The main difference between these options is that some are intended to be simpler and less expensive than other wireless technologies, especially for small and low-power devices (such as those working on batteries.) Here is a quick overview:

 

That’s the case for the ZigBee solution, the first version of which was created all the way back in 1998, and was then later standardized as IEEE 802.15.4. It’s a wireless mesh network standard that can be used instead of Bluetooth or Wi-Fi for short-range wireless communication from approximatively 10 to 20 meters.

Figure 1: ZigBee module (ref: Wikipedia)

 

One challenge is that using many different protocols can sometimes lead to interoperability issues. So it’s good to see that some vendors are willing to open their standards, like Sigma Designs, which just released its new Z-Wave specifications (which is also identified as the G.9959 radio standard). Currently, they claim to have certified their solution on more than 1500 products. Open source projects like OpenZWave can also significantly improve the user experience.

 

HomeKit, Apple’s own home app guidelines, were released two years ago, but according to the specialists, it will start to really gain momentum in the IOS 10 release coincided to launch with the release of the first Apple’s home app. This year, nearly 100 products have been certified. As anyone who has built apps for Apple devices, Apple’s guidelines are quite strict, and most of the time require IoT vendors to adapt not only their software (a proprietary authentication module is required) but also their hardware to satisfy Apple’s requirement. Note: as of now, Siri is used as the primary interface for controlling your HomeKit accessories.

In the final notice, it’s almost impossible to draw a winner. There are currently multiple different standards competing and as it’s a really competitive market we can forecast that more will arrive in the coming years. One special note for Wi-Fi and BLE, for the latter the interest group behind it was clever enough to have it evolves various times from the first version released by Ericsson in 1994.
Now, it brings key features like mesh network, 6LowPAN support (stands for “IPv6 over Low power Wireless Personal Area Networks”, defined in RFC 4944) and even a lower power consumption than competitor like ZigBee. However, the main key advantage is its wide user base. Nowadays, almost every device supports it, with the race to miniaturization it will mostly be unlikely that smartphone manufacturers will embed redundant chips no matter how small it is.

Breaking smart locks – state of the art vs determined hackers

While these solutions and approaches listed above, along with a number of others, are vying for top positions as market leaders, they are certainly not all as secure as they claim. Smart locks include embedded software because to be smart the lock has to communicate, and to sell it needs all kinds of nifty features, which is where most of the differentiation between solutions exists. While some vendors have actually put a lot of effort into their product security to try and make them unbreakable, if there is anything a cybersecurity professional knows, it’s that software code is a rich attack surface, and that hackers always find a way.

This past August, at the DEFCON 2016 security conference in Las Vegas, for example, the security of smart locks was challenged by two talks that were dedicated to the topic.

Security researchers Rose and Ramsey publicly demonstrated security flaws in 12 (out of 16) popular smart locks. At the end of their presentation, only four locks still stood. But if that wasn’t enough, the very next day a researcher called Jmaxxz presented his findings on how to bypass even more security features.

Below is the list of common software vulnerabilities that were identified in many of today’s smart lock solutions:

  • Plain text password
    • In spite of years of warnings about this, some solutions still transmit passwords in clear text between the smart lock and the smart device app. Armed with something as simple as a network sniffer, an attacker can just grab the password out of the air without much effort.
    • Brute forcing a password is also an option when the secret used by the home owner or manufacturer is too short, such as a 6-pin code, which can be cracked in a matter of minutes.
  • Replay attack
    • Weak usage of cryptographic standards can let an attacker grab and store the signal when the lock is used, and simply send it again later to unlock the device.
    • In some cases, eavesdropping traffic is not even necessary, as simply decompiling the companion app often leads to some strong artifacts, including the Holy Grail of hacker data: hardcoded crypto keys.
  • Device spoofing
    • Every single Bluetooth device has a unique 6-byte device address (named BD_ADDR), which most of the time is presented as a 12-digit hexadecimal value. It’s sort of like a hardware MAC address in the Ethernet world. By simply using some basic commands from the BlueZ stack package, it’s possible to clone a device address, thereby effectively bypassing the basic trusted device test.
  • Fuzzing
    • In a nutshell, fuzzing is a blackbox testing technique used to automatically generate and provide random data to affect implementation bugs. By sending malformed packets to the lock, some can be forced to enter in a fail-open state, which means it automatically opens when it encounters an error.
  • Rogue devices
    • An attacker can also conduct a man-in-the-middle attack by configuring a malicious device to act as a proxy between the lock and the application.
      • In case of SSL proxy, this attacks enables a criminal to decrypt and re-encrypt traffic while recording everything that passes through. Since rogue devices come with rogue certificates, one solution to counter this attack is to use certificate pinning.
      • In case of Bluetooth proxy, this attack method can embed various attacks, such as targeting weak usage of the Secure Simple Pairing (SSP) of Bluetooth version 2.1, or targeting a weak implementation of device pairing and link layer encryption of Bluetooth LE with the GATTack, which is an attack used to clone the Generic Attribute profile of the original device and broadcast it in much shorter intervals.

Summary

At its core, SmartLock technology is really just a variation on the ancient lock and key concept, but with a lot of software wrapped around it to make it more convenient, and in some cases, easier to monitor. But these new applications and services also add risk because they also provide a growing set of opportunities for criminals to circumvent those locks, and sometimes at a distance. At the moment, the caveat is that most attacks require close proximity to the key. But with the advent of smartphone-enabled applications, this may change.

In part two of this two-part series, we bring a number of SmartLock technologies into our lab for a deeper dive into how they work and an analysis of their strengths and weaknesses.

-= FortiGuard Lion Team =-

by RSS David Maciejak  |  Oct 06, 2016  |  Filed in: Security Research