@@ -10,17 +10,17 @@ <meta content="#021012" name="theme-color">
 <meta name="HandheldFriendly" content="true">
 <meta name="twitter:card" content="summary_large_image">
 <meta name="twitter:site" content="@icyphox">
-<meta name="twitter:title" content="Picking the FB50 smart lock">
+<meta name="twitter:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
 <meta name="twitter:description" content="… and lessons learnt in IoT security">
 <meta name="twitter:image" content="/static/icyphox.png">
-<meta property="og:title" content="Picking the FB50 smart lock">
+<meta property="og:title" content="Picking the FB50 smart lock (CVE-2019-13143)">
 <meta property="og:type" content="website">
 <meta property="og:description" content="… and lessons learnt in IoT security">
 <meta property="og:url" content="https://icyphox.sh">
 <meta property="og:image" content="/static/icyphox.png">
 <html>
   <title>
-    Picking the FB50 smart lock
+    Picking the FB50 smart lock (CVE-2019-13143)
   </title>
 <script src="//instant.page/1.1.0" type="module" integrity="sha384-EwBObn5QAxP8f09iemwAJljc+sU+eUXeL9vSBw1eNmVarwhKk2F9vBEpaN9rsrtp"></script>
 <div class="container-text">
@@ -37,7 +37,7 @@ <body>
    <div class="content">
     <div align="left">
       <p> 2019-08-05 </p>
-      <h1 id="picking-the-fb50-smart-lock">Picking the FB50 smart lock</h1>
+      <h1 id="picking-the-fb50-smart-lock-cve-2019-13143">Picking the FB50 smart lock (CVE-2019-13143)</h1>
 
 <h2 id="and-lessons-learnt-in-iot-security">… and lessons learnt in IoT security</h2>
 
@@ -47,11 +47,11 @@ <p>The lock in question is the FB50 smart lock, manufactured by Shenzhen
 Dragon Brother Technology Co. Ltd. This lock is sold under multiple brands
 across many ecommerce sites, and has over, an estimated, 15k+ users.</p>
 
-<p>The lock pairs to a phone via bluetooth, and requires the OKLOK app from
+<p>The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
 the Play/App Store to function. The app requires the user to create an
 account before further functionality is available. 
-The app facilitates the fingerprint unlock configuration on the
-lock, and unlocking from a range via bluetooth.</p>
+It also facilitates configuring the fingerprint,
+and unlocking from a range via Bluetooth.</p>
 
 <p>We had two primary attack surfaces we decided to tackle — Bluetooth (BLE)
 and the Android app.</p>
@@ -86,7 +86,7 @@ <p>The entire exploit is a 4 step process consisting of authenticated
 HTTP requests:</p>
 
 <ol>
-<li>Using the lock&#8217;s MAC (obtained via a simple bluetooth scan in the 
+<li>Using the lock&#8217;s MAC (obtained via a simple Bluetooth scan in the 
 vicinity), get the barcode and lock ID</li>
 <li>Using the barcode, fetch the user ID</li>
 <li>Using the lock ID and user ID, unbind the user from the lock</li>
@@ -207,6 +207,10 @@ <p><strong>DO NOT</strong>. Ever. Buy. A smart lock. You&#8217;re better off with the &#8220;dumb&#8221; ones
 with keys. With the IoT plague spreading, it brings in a large attack surface
 to things that were otherwise &#8220;unhackable&#8221; (try hacking a &#8220;dumb&#8221; toaster).</p>
 
+<p>The IoT security scene is rife with bugs from over 10 years ago, like
+executable stack segments<sup class="footnote-ref&#8221; id="fnref-3"><a href="#fn-3">3</a></sup>, hardcoded keys, and poor development 
+practices in general.</p>
+
 <p>Our existing threat models and scenarios have to be updated to factor 
 in these new exploitation possibilities. This also broadens the playing 
 field for cyber warfare and mass surveillance campaigns. </p>
@@ -230,6 +234,10 @@ </li>
 
 <li id="fn-2">
 <p>Thanks to Ilja Shaposhnikov (@drakylar) for bruteforcing the IDs and sharing the data dump.&#160;<a href="#fnref-2" class="footnoteBackLink" title="Jump back to footnote 2 in the text.">&#8617;</a></p>
+</li>
+
+<li id="fn-3">
+<p><a href="https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf">PDF</a>&#160;<a href="#fnref-3" class="footnoteBackLink" title="Jump back to footnote 3 in the text.">&#8617;</a></p>
 </li>
 </ol>
 </div>

@@ -37,7 +37,7 @@ <div class="content">
     <div align="left">
       <h1 id="all-posts">all posts</h1>
 
-<p>2019-08-06 — <a href="/blog/fb50">Picking the FB50 smart lock</a></p>
+<p>2019-08-06 — <a href="/blog/fb50">Picking the FB50 smart lock (CVE-2019-13143)</a></p>
 
 <p>2019-06-06 — <a href="/blog/rop-on-arm">Return Oriented Programming on ARM (32-bit)</a></p>
 

@@ -52,7 +52,7 @@ or via <a href="https://twitter.com/icyphox">Twitter</a> DMs.</p>
 
 <h1 id="latest-post">latest post</h1>
 
-<p>2019-08-05 — <a href="/blog/fb50">Picking the FB50 smart lock</a></p>
+<p>2019-08-05 — <a href="/blog/fb50">Picking the FB50 smart lock (CVE-2019-13143)</a></p>
 
 <p>(<a href="/blog">see all</a>)</p>
 

@@ -0,0 +1,21 @@ 
+<?xml version='1.0' encoding='UTF-8'?>
+<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
+  <channel>
+    <title>icyphox's blog</title>
+    <link>https://icyphox.sh/blog/feed.xml</link>
+    <description>icyphox's blog</description>
+    <atom:link href="https://icyphox.sh/blog/feed.xml" rel="self"/>
+    <docs>http://www.rssboard.org/rss-specification</docs>
+    <image>
+      <url>https://icyphox.sh/icyphox.png</url>
+      <title>icyphox's blog</title>
+      <link>https://icyphox.sh/blog/feed.xml</link>
+    </image>
+    <language>en</language>
+    <item>
+      <title>new post 2</title>
+      <description>wall of shit</description>
+      <guid isPermaLink="false">another id</guid>
+    </item>
+  </channel>
+</rss>

@@ -21,7 +21,7 @@ or via [Twitter](https://twitter.com/icyphox) DMs.
 
 # latest post 
 
-2019-08-05 — [Picking the FB50 smart lock](/blog/fb50)
+2019-08-05 — [Picking the FB50 smart lock (CVE-2019-13143)](/blog/fb50)
 
 ([see all](/blog))
 

@@ -6,7 +6,7 @@ ---
 
 # all posts
 
-2019-08-06 — [Picking the FB50 smart lock](/blog/fb50)
+2019-08-06 — [Picking the FB50 smart lock (CVE-2019-13143)](/blog/fb50)
 
 2019-06-06 — [Return Oriented Programming on ARM (32-bit)](/blog/rop-on-arm)
 

@@ -1,11 +1,11 @@ 
 ---
 template: text.html
-title: Picking the FB50 smart lock
+title: Picking the FB50 smart lock (CVE-2019-13143)
 subtitle: … and lessons learnt in IoT security
 date: 2019-08-05
 ---
 
-# Picking the FB50 smart lock
+# Picking the FB50 smart lock (CVE-2019-13143)
 ## … and lessons learnt in IoT security 
 
 ### The lock
@@ -14,11 +14,11 @@ The lock in question is the FB50 smart lock, manufactured by Shenzhen
 Dragon Brother Technology Co. Ltd. This lock is sold under multiple brands
 across many ecommerce sites, and has over, an estimated, 15k+ users.
 
-The lock pairs to a phone via bluetooth, and requires the OKLOK app from
+The lock pairs to a phone via Bluetooth, and requires the OKLOK app from
 the Play/App Store to function. The app requires the user to create an
 account before further functionality is available. 
-The app facilitates the fingerprint unlock configuration on the
-lock, and unlocking from a range via bluetooth.
+It also facilitates configuring the fingerprint,
+and unlocking from a range via Bluetooth.
 
 We had two primary attack surfaces we decided to tackle — Bluetooth (BLE)
 and the Android app.
@@ -52,7 +52,7 @@ 
 The entire exploit is a 4 step process consisting of authenticated 
 HTTP requests:
 
-1. Using the lock's MAC (obtained via a simple bluetooth scan in the 
+1. Using the lock's MAC (obtained via a simple Bluetooth scan in the 
 vicinity), get the barcode and lock ID
 2. Using the barcode, fetch the user ID
 3. Using the lock ID and user ID, unbind the user from the lock
@@ -169,20 +169,20 @@ - **2nd July, 2019**: CVE-2019-13143 reserved
 - No response from vendor
 - **2nd August 2019**: Public disclosure
 
-
 ### Lessons learnt
 
 **DO NOT**. Ever. Buy. A smart lock. You're better off with the "dumb" ones
 with keys. With the IoT plague spreading, it brings in a large attack surface
 to things that were otherwise "unhackable" (try hacking a "dumb" toaster).
 
+The IoT security scene is rife with bugs from over 10 years ago, like
+executable stack segments[^3], hardcoded keys, and poor development 
+practices in general.
+
 Our existing threat models and scenarios have to be updated to factor 
 in these new exploitation possibilities. This also broadens the playing 
 field for cyber warfare and mass surveillance campaigns. 
 
-[^1]: [This](https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/) article discusses a similar smart lock, but they broke the encryption.
-[^2]: Thanks to Ilja Shaposhnikov (@drakylar) for bruteforcing the IDs and sharing the data dump.
-
 ### Researcher info
 
 This research was done at [SecureLayer7](https://securelayer7.net), Pune, IN by:
@@ -190,3 +190,9 @@ 
 * Anirudh Oppiliappan (me)
 * S. Raghav Pillai ([@_vologue](https://twitter.com/_vologue))
 * Shubham Chougule ([@shubhamtc](https://twitter.com/shubhamtc))
+
+[^1]: [This](https://www.pentestpartners.com/security-blog/pwning-the-nokelock-api/) article discusses a similar smart lock, but they broke the encryption.
+[^2]: Thanks to Ilja Shaposhnikov (@drakylar) for bruteforcing the IDs and sharing the data dump.
+[^3]: [PDF](https://gsec.hitb.org/materials/sg2015/whitepapers/Lyon%20Yang%20-%20Advanced%20SOHO%20Router%20Exploitation.pdf)
+
+

@@ -0,0 +1,22 @@ 
+#!/usr/bin/env python3
+
+import html
+from markdown2 import markdown_path
+import sys
+import os
+
+mdfile = sys.argv[1]
+url =  os.path.splitext(mdfile)[0]
+rendered = markdown_path(os.path.join('pages/blog/', mdfile), extras=['metadata', 
+        'fenced-code-blocks', 'header-ids', 'footnotes', 'smarty-pants'])
+meta = rendered.metadata
+esc = html.escape(rendered)
+
+item = f"""<item>
+      <title>{meta['title']}</title>
+      <description>{esc}</description>
+      <guid isPermaLink="false">https://icyphox.sh/blog/{url}/</guid>
+</item>
+"""
+
+print(item)