How I “Red Teamed” into my smart home (Part 2a) — Hacking the Smart Digital Door Lock

Terence
CSG @ GovTech
Jun 17, 2020

Recap of Part 1

Here’s a recap on the Prelude — Part 1. The game plan was to first assess the physical security of my smart home, where the Smart Digital Door Locks protect access to the perimeter of my place.

If these Smart Digital Door Locks (arrow 1) are connected directly to the home wireless network or via a smart home hub, compromising them would give attackers access to my home network.

My mission — To find out how I can better protect my smart home.

The attack vectors

In this exercise, I examined a commercial Smart Digital Door Lock to uncover security vulnerabilities that could allow an attacker to gain unauthorised access to my home network.

From the product’s technical specifications, four attack vectors were identified — 1) RFID key card, 2) Remote Control (Wireless floating ID technology — the world’s first real-time dynamic password technology in which the ID/password is designed to be changed automatically each time it is used), 3) Smart connectivity (Bluetooth Low Energy / BLE) with the mobile application and 4) Over the Internet via the mobile application + link bridge. Of course, there’s also the physical attack vector, which will not be covered in this exercise.

Posing as an external threat actor for this simulation, I did what a typical attacker would do. I first attacked the third vector, i.e. “Smart connectivity with the mobile application”, as that only required downloading the mobile application from the app store, at no cost.

The Digital Lock Mobile Application (Android)

The digital lock mobile application allows the user to register and manage all the Smart Digital Door Locks of a brand. I analysed the mobile application to check whether it contained any vulnerabilities that could lead to unauthorised remote access to the home network. Such vulnerabilities may include hard-coded PIN codes, remote backdoor access, and more.

To do so, I decompiled the Android Package (APK) and performed a static code analysis to understand its workings. This was a straightforward process as there was neither code obfuscation nor root detection protection implemented in the mobile application.

First, there were seven entry points (six exported services and one exported receiver) declared in the AndroidManifest.xml file. These exported components allow other applications on the device to invoke the APK’s application components, potentially leading to arbitrary code execution if security vulnerabilities are present in them.

Examining the code revealed that these exported services and receivers are accessible by Firebase (Google services) and iRevo (DFU, BLE, geofencing and alarm notification services).
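As an added example (not the author’s tooling), the check below reads a decoded AndroidManifest.xml, as produced by apktool, and lists every exported component together with whether it is guarded by a permission. The embedded manifest is constructed with hypothetical component names and shaped like the article’s finding: six exported services and one exported receiver. It also applies the pre-Android 12 default, where a component without an explicit android:exported attribute is exported if it declares an intent filter.

```python
"""Audit a decoded AndroidManifest.xml (e.g. apktool output) for exported components."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def exported_components(manifest_xml):
    """Return (kind, name, permission) for every exported component. A component is
    exported when android:exported="true", or when the attribute is absent and it
    declares an <intent-filter> (the default before Android 12 made the flag mandatory)."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            flag = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if flag == "true" or (flag is None and has_filter):
                found.append((kind, _attr(comp, "name"), _attr(comp, "permission")))
    return found

def summarise(manifest_xml):
    """Count exported components per kind and list those with no permission guard."""
    comps = exported_components(manifest_xml)
    counts = {}
    for kind, _, _ in comps:
        counts[kind] = counts.get(kind, 0) + 1
    unguarded = [name for _, name, perm in comps if perm is None]
    return counts, unguarded

# Constructed sample manifest (hypothetical component names), shaped like the
# article's finding: six exported services and one exported receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lockapp">
  <application>
    <service android:name=".DfuService" android:exported="true"/>
    <service android:name=".BleService" android:exported="true"/>
    <service android:name=".GeofenceService" android:exported="true"/>
    <service android:name=".AlarmService" android:exported="true"/>
    <service android:name=".PushService" android:exported="true"
             android:permission="com.example.lockapp.permission.PUSH"/>
    <service android:name=".SyncService"><intent-filter/></service>
    <receiver android:name=".BootReceiver"><intent-filter/></receiver>
    <service android:name=".InternalService" android:exported="false"/>
    <service android:name=".LocalService"/>
  </application>
</manifest>"""
```

Every name in the unguarded list is a component any other app on the device can start; each one needs either a permission attribute or an explicit android:exported="false".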

Next, I analysed the Application Programming Interfaces (APIs) that handled HTTP connections as these are potential vectors for remote access. I gathered some server-side information by using some of the readily available tools (as shown below), but that did little in achieving the goal of this exercise.

After assessing the “low-hanging fruits” that did not yield results, I went on to analyse the code used for the cryptography and registration of Smart Digital Door Lock keys to the mobile application.

In short, asymmetric cryptography was used in the registration process between the mobile application and the Smart Digital Door Lock. This diagram illustrates how the secret key of a registered user is sent and stored in the mobile application:

With this understanding, I analysed the rest of the code for any insecure storage of sensitive data and discovered that the keys and credentials were stored insecurely in the SQLite database and XML file.

Source code where the data of the registered key model are written into the database

Although no credentials were stored, the Smart Digital Door Lock’s master code was stored insecurely in this database. An attacker who has physical access could enter this master code to perform administrative functions and register new key cards or users for unauthorised access in future.

The code analysis also revealed other observations, such as unused (never called) code that communicates with a Baidu channel. This code would enable the Smart Digital Door Lock to send push notification messages to the user’s mobile application through the Baidu Cloud Push service. The application shares its code base with a version targeted at the Chinese market, which is why this code is present even though it is never called.

Uncalled source code involving Baidu channel

Additionally, a hardcoded BLE service Universally Unique Identifier (UUID) that could be used in a BLE Man-in-The-Middle (MITM) attack was identified.

Redacted source code with hardcoded BLE service UUID

Conclusion

Code obfuscation and root detection were not implemented in the Digital Lock mobile application examined in this exercise. Attackers can readily access insecurely stored data and work out how the Smart Digital Door Lock operates: asymmetric keys are used to exchange a shared secret key between the application and the lock, and that shared key is what grants access.

Furthermore, the mobile application stores an unencrypted master code that malicious applications or attackers can extract with ease. To avoid this pitfall, the mobile application should use the Android Keystore to protect this sensitive data. Any cached copy of this sensitive data should also be purged when the application restarts.

As a security measure, users should be allowed to set a password for access to the application. This helps to prevent unauthorised access to the application and the stored sensitive data in the event of a lost or stolen mobile device.

Though I did not discover any security vulnerabilities in the mobile application that could lead to unauthorised remote control of the Smart Digital Door Lock, the insecure storage of the master code poses a substantial risk.

To mitigate this risk, I have changed my master code and stopped using the mobile application to administer users and keys that have been registered on the Smart Digital Door Lock.

I’m also relieved that I did not purchase the link bridge, which allows the connected mobile application to remotely control the Smart Digital Door Lock over the internet. Although it may be convenient to grant visitors access remotely, the security risk may not be worth it after all.

Are you a Smart Homeowner with a Digital Door Lock too? I hope this article has helped you understand the potential risks of the system and what you need to know to better protect your home.

Join me next in Part 2b, where I will attempt to hack into the Remote Control (Wireless floating ID technology) and Smart Connectivity (BLE) to learn how to better secure the use of my Smart Digital Door Lock.
