Smart products are not always that smart... Tinxy Smart Door Lock Vulnerability

Avishek Raychoudhury
3 min read · Jun 23, 2020


The Tinxy Smart Door Lock uses a controller to lock and unlock the door from a mobile app over the internet. It also offers an offline mode in which the lock is controlled over the local WLAN.

In online mode the device was observed to communicate over the MQTT protocol.

In offline mode, however, the Android app sends plain HTTP requests to a web server running on the controller.

That made it worth digging deeper.

Vulnerability Details:

An attacker, or any unauthenticated user on the same network, can unlock the Tinxy Wi-Fi enabled Smart Door Lock simply by replaying a captured HTTP offline unlock request from an authenticated user. The replay works even after the authenticated user's privilege to access the Smart Lock has been revoked.

Affected Product:

Tinxy Door Lock with Wi-Fi controller and door sensor, Tinxy Android APK v2.1.1 and the corresponding firmware.

Steps to replicate the vulnerability:

STEP 1. Start the proxy in Burp Suite.

(Screenshot: Burp configuration for intercepting traffic from the Android device)

STEP 2. The home owner shares the Smart Door Lock with Person A via the Tinxy app. Person A accepts the request and can now control the door lock.

(Screenshot: home owner shares access to the door lock with Person A)
(Screenshot: device access granted on Person A's device)

STEP 3. Configure the same proxy on Person A's phone to capture the Tinxy app's traffic.

STEP 4. Person A unlocks the door in offline mode and the request is intercepted. Because the request is plain HTTP, an attacker on the same wireless network can also read it over the air.

A JSON request over HTTP is sent to the controller's "/toggle" endpoint with "action":"1" to unlock.

(Screenshot: captured toggle request from Person A unlocking the lock)

STEP 5. The home owner now removes Person A's privilege to access and unlock the door lock. The privilege also disappears from Person A's mobile app.

(Screenshot: access for Person A is deleted by the owner)
(Screenshot: the same is reflected on Person A's device)

STEP 6. In Burp Suite, the captured request from Person A is sent to the Repeater and replayed.

(Screenshot: captured request from Person A is replayed)

Observation:

The lock was successfully unlocked with Person A's request even though Person A no longer had the privilege to unlock the door lock.
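The root cause is that the offline "/toggle" request carries nothing that ties it to a current user or to the moment it was sent, so a copy of it is as good as the original. The toy model below is an added example, not Tinxy's code: it contrasts a handler with that weakness against one that requires a controller-issued single-use nonce and an HMAC under a per-user secret that is deleted on revocation. Everything except the "/toggle" path and the "action":"1" field is constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def sign(key, user, nonce, action):
    """HMAC over the fields that matter, keyed with the user's shared secret."""
    return hmac.new(key, f"{user}|{nonce}|{action}".encode(), hashlib.sha256).hexdigest()


def make_request(key, user, nonce, action="1"):
    """Body a legitimate app would send in the hardened scheme (constructed)."""
    return json.dumps({"user": user, "nonce": nonce, "action": action,
                       "mac": sign(key, user, nonce, action)})


class LockController:
    """Toy model of the controller's offline HTTP "/toggle" endpoint (assumption)."""

    def __init__(self):
        self.keys = {}       # user -> shared secret; deleting the entry revokes access
        self.nonces = set()  # challenges handed out by the controller, not yet consumed
        self.locked = True

    def grant(self, user):
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

    def revoke(self, user):
        self.keys.pop(user, None)

    def toggle_vulnerable(self, body):
        """Behaviour the post describes: any "action":"1" body unlocks, so a
        captured copy keeps working after the sender's access is removed."""
        if json.loads(body).get("action") == "1":
            self.locked = False
            return 200
        return 400

    def challenge(self):
        """Issue a fresh single-use nonce the app must sign into its request."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)  # a real device must also expire unused nonces
        return nonce

    def toggle_hardened(self, body):
        req = json.loads(body)
        key = self.keys.get(req.get("user"))
        if key is None:
            return 403  # unknown or revoked user
        if req.get("nonce") not in self.nonces:
            return 401  # replayed or forged nonce
        self.nonces.discard(req["nonce"])  # consume it, so a second copy fails above
        if not hmac.compare_digest(sign(key, req["user"], req["nonce"], req["action"]),
                                   str(req.get("mac", ""))):
            return 401  # body was tampered with or signed with the wrong secret
        if req["action"] == "1":
            self.locked = False
        return 200
```

A sniffed hardened request still reveals the nonce and MAC, but the nonce is already consumed and the secret never leaves the app, so neither replay nor forgery succeeds.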

The vulnerability is published as CVE-2020-9438.

The vulnerability was reported to the vendor and is patched in the latest version of the Android app and device firmware.

Patched Version:

Android app version 3.2.2

Firmware version v3.2

Timeline:

Vulnerability identified and reported to CVE: 26.02.2020

CVE ID received: 28.02.2020

Vulnerability reported to vendor: 05.03.2020

Vulnerability patched by vendor and verified: 23.06.2020

Credits:

SERET Centre Project Team

Electronics Regional Test Laboratory (East), Kolkata,

STQC Directorate, Ministry of Electronics & Information Technology (MeitY),

Government of India

Reference:

https://en.wikipedia.org/wiki/Replay_attack
