A design flaw in the KeyWe smart lock (GKW-2000D), which is mostly used for remote-controlled entry to private residences, can be exploited by attackers to gain access to the dwellings, F-Secure researchers have found.

To add insult to injury, in this present incarnation the lock can’t receive firmware updates, meaning that the security hole can’t be easily plugged.

About the vulnerability and the attack

KeyWe smart lock is developed by the Korean company KeyWe, which raised money for it on Kickstarter. The lock can be opened via an application (Wi-Fi, Bluetooth), an armband (NFC), through a touchpad (numeric code), or mechanically (with a regular key). It has additional options like generating one-time guest codes, unlocking the door based on proximity, etc.

F-Secure security consultants acquired the KeyWe Smart Lock by pledging on Kickstarter. They analyzed its hardware and firmware, as well as the hardware and firmware of the accompanying KeyWe bridge (which is used to connect the lock to a wireless network) and the code of the associated Android app.

They discovered that, while the company did implement some security protections for the lock and app (not so much the bridge), a flaw in the in-house developed key exchange protocol can be exploited to, ultimately, get the secret key needed to unlock the lock.

“The hardware needed is a board able to sniff Bluetooth Low Energy traffic. It can be bought for ~10$ and used out-of-the-box,” Krzysztof Marciniak, cyber security consultant at F-Secure, told Help Net Security.

“In terms of software, this requires additional work from the attacker – in our case a Python script was developed, but pretty much any language can be used as long as it can interact with a Bluetooth controller. It should also be mentioned that the mobile application needs to be analyzed (one needs to retrieve the key generation algorithm) in order to execute this attack.”

The user doesn’t even have to lock/unlock the door with the application for the attacker to intercept the operator password – they just need to run/open the mobile application. Once the app is run, it connects to the lock to check its status, and the password can be intercepted.

The attacker (or just the intercepting device) must be within 10-15 meters from the victim for the traffic interception to work. The recording of the traffic can later be analyzed to extract the key value needed to generate the lock-opening key.

More technical information about their research and discovery can be found here and here, but since the lock can’t receive firmware updates, the researchers decided not to share some crucial details.

The vendor has acknowledged the issue and is working on fixing it, the researchers noted, but since the lock has no firmware upgrade functionality, already deployed locks will remain vulnerable.

“The mobile application does use Bluetooth (Smart/Low Energy), so that option is not safe either. NFC could be used to counter this attack, but it is prone to other attacks (cloning the access key, intercepting the traffic with proper equipment etc.),” Marciniak told us. “The touchpad option, however, seems to be the right fallback here. That being said, the mobile application should still be paired with a mobile device – otherwise a malicious user can pair with it without any additional owner confirmation.”

Lock owners will need to replace the lock or live with the risk. The vendor told the researchers that new iterations of the app will contain a fix for this issue and, equally important, new locks will have the firmware upgrade functionality.

One cannot say that no attention has been given to security, the researchers noted, but rolling your own in-house cryptography is always a risky proposition, and so is doing no threat modeling before design and development.