Smart locks opened with nothing more than a MAC address

Updated: Researchers demonstrated how remote attackers could exploit UltraLoq and steal access keys with minimal effort.
Written by Charlie Osborne, Contributing Writer

A smart lock sold by major US retailers could be opened with no more than a MAC address, researchers say. 

Smart locks have slowly been adopted as an intelligent, Internet of Things (IoT) alternative to traditional lock-and-key methods to securing a property. 

Complementing other IoT devices including wireless doorbells, smart locks and deadbolts are used by the general public to secure their homes, and they also have business use cases -- such as when properties are listed on Airbnb, as they can be remotely managed by hosts who do not have to organize a key handover on-site to guests. 

While convenience is king, such connectivity can also create a new set of security problems. Several years ago, for example, a botched firmware update caused chaos for LockState customers who took to Twitter in their droves to complain they were unable to remotely control their smart locks -- and, therefore, access their properties. 

Now, lockpicks are being replaced with network sniffers and vulnerability exploits, and in the case of the U-Tec UltraLoq, Tripwire researchers have disclosed a misconfiguration error and other security issues, now resolved, that leaked data and allowed attackers to steal unlock tokens with nothing more than a MAC address. 

Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code."

Users can share temporary codes and 'Ekeys' to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device's MAC address can help themselves to an access key, too. 

Young first started by scouring the IoT search engine Shodan for any entries related to U-Tec and the vendor's use of MQTT, a publish-subscribe protocol found in IoT devices to exchange data between nodes. For example, a smart thermostat's sensors could transfer data relating to heating in a particular room -- or a smart lock could use MQTT to record users and their access activities. 

MQTT records these details under topic names. The researcher's queries revealed an Amazon-hosted broker containing UltraLoq topic names, including customer PII such as email addresses. 

The researcher then examined the UltraLoq device itself, which pairs with a bridge device connected to Wi-Fi via Bluetooth. Young found a "repeating message flow on the unlock process" of interest, and after knocking up a Python script to replay messages, worked out that the messages could be used to open the lock. 

All it took was the right MAC address -- conveniently leaked via the MQTT data, and also made available via radio broadcast to anyone within range.  

See also: Black Hat: How your pacemaker could become an insider threat to national security

Young says that this security issue made it easy to steal unlock tokens either in bulk or from specific devices.

"The MQTT data correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation," the researcher says. "An anonymous attacker would be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses."

Young reached out to U-Tec on November 10, 2019, with his findings. The company told Young not to worry in the beginning, claiming that "unauthorized users will not be able to open the door."

CNET: Trump administration calls for broad ban on 'untrusted' Chinese apps like TikTok

The cybersecurity researcher then provided them with a screenshot of the Shodan scrape, revealing active customer email addresses leaked in the form of MQTT topic names.

Within a day, the U-Tec team made a few changes, including the closure of an open port, adding rules to prevent non-authenticated users from subscribing to services, and "turning off non-authenticated user access."

While an improvement, this did not resolve everything.  

"The key problem here is that they focused on user authentication but failed to implement user-level access controls," Young commented. "I demonstrated that any free/anonymous account could connect and interact with devices from any other user. All that was necessary is to sniff the MQTT traffic generated by the app to recover a device-specific username and an MD5 digest which acts as a password."

After being pushed further, U-Tec spent the next few days implementing user isolation protocols, resolving every issue reported by Tripwire within a week. 

TechRepublic: COVID-19 highlights need for business and security leaders to work together to prevent cyberattacks

"Even with safety-critical systems like locks and furnaces, there is little in the way of requirements to make the products secure, and there is even less security oversight," Young said. "As we've seen with Mirai and other IoT botnets, devices on the Internet do not even need to be safety critical to wreak havoc when they fail."

Tripwire's findings build upon a slew of critical issues discovered in the UltraLoq by Pen Test Partners. In June 2019, the penetration testing company disclosed mobile app API security failures leading to user information exposure, as well as the means to reset lock PINs, thereby potentially locking a victim out of their own property -- or granting attackers access. It was also possible to pick the lock locally over Bluetooth in what the researchers called a "trivial" attack. 

Update 14.02pm BST: U-Tec has published a security guide in response to Tripwire's research. The vendor says that 128-bit AES encryption is implemented and a dynamic key code -- ECDH -- is randomized for each data transfer. 

"Our customers' security is our top priority; that's why we strive to have the latest technology to maintain their data protected," the company says. "We regularly update our software and hardware for security and performance to avoid any threat."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards