Updated for clarification
A popular smart lock has a serious flaw that could easily be opened by anyone, security researchers warn [According to a study by security firm Tripwire, threat actors have the ability to access data stored on cloud servers associated with the U-Tec UltraLoq, including Internet Protocol (IP) addresses and email addresses of key users, to physically identified and had sufficient capability to open it
"This is enough to identify a specific person along with their household address," Tripwire security researcher Craig Young said in a blog post yesterday (August 5)
He further stated that the server data "relates email addresses, local MAC addresses, and public IP addresses suitable for geolocation" so that hackers can "accurately identify individuals"
If a user sends an unlock command to UltraLoq from a smartphone app while the attacker is monitoring the cloud server, the attacker can replay the unlock command at a later date to unlock the device
"If that person ever uses the U-Tec app to unlock the door, the attacker also has a token to unlock the door at any time of the day," Young wrote
Another flaw meant that the attacker had the ability to prevent users from accessing their locks by delivering spoofed messages
UltraLoq is a connected lock available at retailers such as Amazon, Walmart, and Home Depot
"The lock boasts advanced features such as a fingerprint reader, a peek-proof touchscreen, and Bluetooth and Wi-Fi connectivity for app-based control," Young wrote
While the lock is "convenient" for consumers, he warns that "some users may be concerned about security"
Last November, Young discovered the flaw in question, which was subsequently fixed on the server side by the manufacturer But this time, for the first time, he revealed the details of the vulnerability and what it means for customers
Young explained that "an attacker could easily steal 'unlock tokens' in bulk or from a specific device if they only knew the MAC address"
A MAC address is a unique device identifier consisting of six pairs of two letters, such as A1:2B:C3:4D:E5:F8 Everything that connects to the network has a MAC address for each network port
By design, networked devices broadcast their MAC addresses over Wi-Fi, Bluetooth, Ethernet, and other network protocols so that devices can be found and connected Essentially, each device shouts its name and says, "I am here"
UltraLoq's lock uses MQTT, a low-power protocol that relays messages between the Internet of Things and smart home devices
However, devices cannot send messages directly to each other; they must relay messages through an MQTT "broker," a piece of software that sits on a server and acts as a telephone operator
In U-Tec's case, its MQTT broker was hosted on Amazon Web Services and exposed to the Internet Young found it by scanning the Internet with Shodan, a search engine for finding non-PC, non-smartphone devices connected to the Internet
Young noticed that the U-Tec MQTT server listed the status of each UltraLoq Each entry listed the UltraLoq's Internet Protocol (IP) address, often whether the lock was connected or disconnected, and the user's e-mail address
While monitoring the entries of his locks on the MQTT cloud broker, Young, using his UltraLoq and the corresponding smartphone app, discovered that the smartphone sent the unlock command to his UltraLoq using the same text string each time He discovered that he was using the same text string to send the unlock command to his UltraLoq each time
He replayed that text string from his computer, which he was not authorized to unlock his UltraLoq, and the lock opened anyway
ESET security specialist Jake Moore told Tom's Guide: "The proliferation of IoT devices being installed in homes and offices is a perfect breeding ground for hackers looking to take full advantage of user convenience [IoT devices are] too often packaged with weak (if any) security features built in, leaving the average user on the back foot from the start, enjoying devices that work right out of the box In addition, security updates are infrequent, so owners take extra risks to make sure they are secure
He recommends: "The best way to protect IoT devices is to set strong, unique passwords on them and ensure that two-factor authentication is available [But some things are better left physical, and if locking them up is that important, then obviously it is important to protect them in the best way possible It is also essential for users to turn off access for unauthenticated users, as this can lead to remote interception by threat actors"
Comments