Tuesday, August 11, 2020

Electronic door locks remotely hackable

It's a truism in the software development industry that if architects designed buildings the way programmers wrote code, the first woodpecker that came along would destroy civilization.  Today's example is the U-Tec UltraLoq door lock, sold at many fine retailers including Wally World and the Big Orange Box store.  If costs you $139.99, and you can unlock your front door with an app on your phone.

And here's where the fly dives into the ointment.  The cloud service your app talks to had a bunch of vulnerabilities that allowed any Tom, Dick, and Harry to anonymously get access to the device and user database.  It let researchers unlock the door:

The MQTT data correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation. This is enough detail to precisely identify an individual. The device is also broadcasting the MAC address to anyone within radio range.

This means that an anonymous attacker would also be able to collect identifying details of any active U-Tec customers including their email address, IP address, and wireless MAC addresses.

  • This is enough to identify a specific person along with their household address.
  • If the person ever unlocks their door with the U-Tec app, the attacker will also now have a token to unlock the door at a time of their choosing.
Emphasis in the original.

Oh, for added coolness, the Shodan search tool will identify all of these, worldwide.

The vendor has fixed the cloud service so this can't be exploited, but my original point remains - any woodpecker that stumbles by could have opened your front door.  We only know about this because the White Hat guys at Tripwire took a look.  Who else has a product like this where nobody has taken a look?

Now think about the "peaceful protesters" coming into neighborhoods to "peacefully protest" outside people's homes.  These "peaceful protesters" have a bunch of mal-adjusted sociopaths who look to me like some of the Black Hat guys we've seen in the past.  What are the chances that some Antifa d00d can get a lot of status on the Island of Misfit Toys by figuring out what people could be targeted for a living room serenade?


Old NFO said...

Which is why I don't have a 'connected' house and never will.

G-man said...

Have an electronic lock with a noted vulnerability in the Bluetooth app... which is only an issue if you set up the Bluetooth. Not a problem, since I never bothered to set it up. So it’s a “Smart” lock that I just left as a “dumb” lock with an electric keypad.

John said...

Depending on the latest tech to keep you safe from intruders is a fools bet.
The more exposure you have online opens you up to more intrusions.
I hate doing any personal business online and avoid it to the maximum extent
possible barring going dark and I still need a dozen garbage letter, number
and punctuation passwords just to do things I can't avoid.
At least I keep in-depth physical barriers locked by hands on locks and keys
to keep honest men honest and slow down a thief until he would usually go after
easier pickings.

Sean D Sorrentino said...

Is it more or less hackable than the big sheet of glass in your bedroom window?

Borepatch said...

Sean, it's more hackable. If nobody is home and someone breaks a window to get in you will know about it. If they hack your lock when you're not there, you might never know that someone was there.

libertyman said...

Let's see, we have a connected house, a connected car, your cellphone that monitors your every movement, a home computer that may or may not be safe from hackers, government or amateur in origin.
I think this may be a recipe for complete control of well, everyone with this stuff.

But I am sure Top Men will keep this from happening...