Smart products are not always that smart: Tinxy Smart Door Lock vulnerability
The Tinxy Smart Door Lock uses a Wi-Fi controller to lock and unlock the door from a mobile app over the internet. It also offers an offline mode in which the lock is controlled over the local WLAN.
In online mode the device was observed to communicate over the MQTT protocol.
In offline mode, however, the Android app sends HTTP requests to a server running on the controller.
This made us interested in digging deeper.
Vulnerability Details:
An attacker, or any unauthenticated user on the same network, can unlock the Tinxy Wi-Fi enabled Smart Door Lock simply by replaying a captured HTTP offline unlock request of an authenticated user. The replay attack works even after the authenticated user's privilege to access the smart lock has been revoked.
Affected Product:
Tinxy Door Lock with Wi-Fi controller and door sensor: Tinxy Android APK v2.1.1 and the corresponding firmware
Steps to replicate the vulnerability:
STEP 1. Start the proxy in Burp Suite.
STEP 2. The home owner shares the smart door lock with Person A via the Tinxy app. Person A accepts the request and can now control the door lock.
STEP 3. Configure the same proxy on Person A's mobile so that the Tinxy app's traffic is captured.
STEP 4. Person A unlocks the door in offline mode and the request is intercepted. The request is sent in plain HTTP, so an attacker on the network can capture it over the air.
An HTTP JSON request to the "/toggle" endpoint is sent to the server to unlock the door, with "action":"1".
STEP 5. The home owner now removes Person A's privilege to access and unlock the door lock. The privilege also disappears from Person A's mobile app.
STEP 6. In Burp Suite, the captured request of Person A is sent to Repeater and replayed.
Observation:
The lock was successfully unlocked using Person A's request even though Person A no longer had the privilege to unlock the door lock.
The vulnerability is published as CVE-2020-9438.
The vulnerability was reported to the vendor and is patched in the latest version of the Android app and device firmware.
Patched Version:
Android app version 3.2.2
Firmware version v3.2
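As an added example (not Tinxy's code and not the vendor's actual fix), the toy controller below shows one way a "/toggle" handler can make a captured offline request unreplayable and make revocation take effect immediately: every request carries a per-user HMAC and a strictly increasing counter, and a user's key is deleted on revocation. The JSON field names, user ids and shared key are assumptions constructed for the demo.

```python
# Added example, not Tinxy's code: toy /toggle handler with per-user HMAC and a
# strictly increasing counter. Field names, user ids and keys are constructed.
import hashlib
import hmac
import json

def sign_payload(key: bytes, user: str, action: int, counter: int) -> str:
    """HMAC-SHA256 over the canonical JSON of the fields the controller checks."""
    canonical = json.dumps({"user": user, "action": action, "counter": counter}, sort_keys=True)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def build_toggle_request(key: bytes, user: str, action: int, counter: int) -> str:
    # Body the (hypothetical) app would POST to /toggle.
    body = {"user": user, "action": action, "counter": counter}
    body["mac"] = sign_payload(key, user, action, counter)
    return json.dumps(body)

class LockController:
    def __init__(self, user_keys: dict):
        self.user_keys = dict(user_keys)  # user -> shared key; revoke by deleting
        self.last_counter = {}            # user -> highest counter accepted so far
        self.locked = True

    def revoke(self, user: str) -> None:
        self.user_keys.pop(user, None)

    def toggle(self, raw_request: str) -> str:
        body = json.loads(raw_request)
        key = self.user_keys.get(body["user"])
        if key is None:
            return "rejected: unknown or revoked user"
        expected = sign_payload(key, body["user"], body["action"], body["counter"])
        if not hmac.compare_digest(expected, body["mac"]):
            return "rejected: bad signature"
        if body["counter"] <= self.last_counter.get(body["user"], 0):
            return "rejected: replayed request"  # same or older counter = replay
        self.last_counter[body["user"]] = body["counter"]
        self.locked = body["action"] != 1  # action 1 = unlock, as on the page
        return "ok"

def demo() -> list:
    key_a = b"constructed-shared-key-for-person-A"
    ctl = LockController({"personA": key_a})
    captured = build_toggle_request(key_a, "personA", action=1, counter=1)
    results = [ctl.toggle(captured), ctl.toggle(captured)]  # first ok, replay rejected
    ctl.revoke("personA")
    fresh = build_toggle_request(key_a, "personA", action=1, counter=2)
    results.append(ctl.toggle(fresh))  # revoked user: rejected even with a new counter
    return results
```

Without the counter the HMAC alone would still let the identical captured bytes unlock the door once more, which is exactly the replay described above; without deleting the key, revocation in the cloud would not reach the offline controller.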
Timeline:
Vulnerability identified and CVE requested: 26.02.2020
CVE ID received: 28.02.2020
Vulnerability reported to vendor: 05.03.2020
Vulnerability patched by vendor and verified: 23.06.2020
Credits:
SERET Centre Project Team
Electronics Regional Test Laboratory (East), Kolkata,
STQC Directorate, Ministry of Electronics & Information Technology (MeitY),
Government of India