Vulnerability in KeyWe Smart Locks Could be Exploited by Attackers to Intercept Communications to Steal Key and Unlock Doors
A smart home is a vulnerable home. It is replete with interconnected IoT devices, many with their own known or unknown vulnerabilities and connected to the internet by a router that probably has the original, unchanged default password. Sometimes the connection is via a mobile phone app, often introducing a further weakness.
At this stage in the evolution of smart homes, they have another characteristic: they are almost by definition the abode of wealthy or significant people. This makes the smart home a target for cybercriminals, and — potentially — a target for cyber-savvy physical burglars. The latter is not yet a major crime vector; but it is likely to grow.
F-Secure’s latest discovery of a design flaw in a smart lock illustrates the dangers. The product is the KeyWe Smart Lock, a remote-controlled entry device primarily used in private dwellings. Users can open and close doors via an app on their mobile phones.
The flaw is not in the lock, but in the communication between the app and the lock. The lock itself is quite strong, including data encryption to prevent unauthorized parties from accessing system-critical information, such as the secret passphrase. Communication between the lock and the controlling app is not so secure. It uses Bluetooth Low Energy over WiFi, and although ostensibly encrypted, there is a flaw in its design: the common key does not change between executions, but it does change with the device address.
“This is a grave mistake!” writes F-Secure Consulting’s Krzysztof Marciniak in an associated blog. “As an in-house key exchange is used – with just two values involved – to decrypt all of the communication, one simply needs to intercept the transmission. The common key can then be easily calculated based on the device address.”
He says, “Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers — leaving it open to a relatively simple attack. There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack. All attackers need is a little know-how, a device to help them capture traffic — which can be purchased from many consumer electronic stores for as little as $10 — and a bit of time to find the lock owners.”
A sniffing device could be hidden close to the door awaiting the return of the homeowner. The command communicated by the app to the lock could be captured and decrypted, and the attacker could enter the building next time it is vacant — or potentially worse, at night when the occupants are asleep.
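The design property at stake, a session key that depends only on the device address versus one that is fresh for every session, can be expressed as a check a reviewer could run. The following is an added example, not code from F-Secure or KeyWe: the lock's actual derivation is not given here, so `static_key` is a hypothetical stand-in, the address is a constructed sample, and the corrected side uses an ephemeral X25519 exchange (RFC 7748) as one possible design.

```python
import hashlib
import secrets

P, A24 = 2**255 - 19, 121665          # Curve25519 field prime and ladder constant
BASE = (9).to_bytes(32, "little")     # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustration only: not constant-time."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def addr_bytes(device_addr: str) -> bytes:
    return bytes.fromhex(device_addr.replace(":", ""))

def static_key(device_addr: str) -> bytes:
    """Hypothetical flawed design: the key is a function of the public address only."""
    return hashlib.sha256(b"common-key" + addr_bytes(device_addr)).digest()[:16]

def ephemeral_session(device_addr: str):
    """One session with fresh key pairs; returns (app key, lock key, public transcript)."""
    app_priv, lock_priv = secrets.token_bytes(32), secrets.token_bytes(32)
    app_pub, lock_pub = x25519(app_priv, BASE), x25519(lock_priv, BASE)
    transcript = addr_bytes(device_addr) + app_pub + lock_pub  # all a sniffer sees
    k_app = hashlib.sha256(x25519(app_priv, lock_pub) + transcript).digest()[:16]
    k_lock = hashlib.sha256(x25519(lock_priv, app_pub) + transcript).digest()[:16]
    return k_app, k_lock, transcript

def key_is_fresh(derive, device_addr: str, sessions: int = 5) -> bool:
    """Design-review check: every session must yield a distinct key."""
    keys = [derive(device_addr) for _ in range(sessions)]
    return len(set(keys)) == sessions

ADDR = "AA:BB:CC:DD:EE:FF"  # constructed sample address
if __name__ == "__main__":
    print("static key fresh per session:   ", key_is_fresh(static_key, ADDR))
    print("ephemeral key fresh per session:",
          key_is_fresh(lambda a: ephemeral_session(a)[0], ADDR))
```

An unauthenticated exchange like this only addresses passive interception; a production design would also authenticate the public keys (for example with a secret provisioned at pairing) and use a vetted, constant-time library.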
At the personal level, the smart home would likely include an actual or metaphorical jewel box of valuables. At the corporate level, the smart homeowner is likely to be a senior executive accustomed to working from home on a computer with some form of connection to at least part of the enterprise network. The attacker now has physical access to this device.
“Security isn’t one size fits all,” explains Marciniak. “It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up.”
F-Secure reported the issue to the vendor, who has been responsive in communication with the researchers. “Unfortunately,” writes Marciniak, “no firmware upgrade functionality has been included and thus the issue will persist until the device is replaced. According to the vendor, new devices will contain a security fix. Moreover, the next version of the lock will have the firmware upgrade functionality — although no information is available regarding the release date.”
Secure by design is a principle that is not yet being applied by all smart device manufacturers. In this instance, security has been designed into the lock, but not into the environment in which it is used. Smart home threats are likely to increase through 2020 and beyond.