Ultraloq is a Bluetooth fingerprint and touchscreen door lock sold for about $200. It allows a user to use either fingerprints or a PIN for local access to a building. Ultraloq also has an app that can be used locally or remotely for access.
When Pen Test Partners, with help from researchers identified as @evstykas and @cybergibbons, took a closer look they found Ultraloq was riddled with vulnerabilities. For starters, researchers found that the application programming interface (API) used by the mobile app leaked enough personal data from the user account to determine the physical address where the Ultraloq device was being used.
Researchers went one step further and said hacking open the physical lock is trivial and “easy to pick”.
According to a report released Thursday, U-tec fixed the glaring API issue. However, the keyless lock maker has not addressed a Bluetooth Low Energy (BLE) issue that allows an attacker to easily crack the lock open with a brute-force credential attack.
Compromising the multiple layers of security tied to the Ultraloq began with cracking the BLE security key.
Brute Forcing BLE Encryption Key
The BLE key is constructed and operates in two parts, the researchers explained. One part is a token obtained from the lock. The second is a static salt that protects the credential data.
“These parts (token and static salt) are concatenated together to produce a 16 octet byte array, the appropriate size for an AES key,” researchers said. “The static salt can be obtained from the app and is equivalent to the string.”
Next, the token is obtained by querying the BLE characteristics with a universally unique identifier (UUID). “As the code for the lock is a 6 digit integer, this makes it possible to attempt a brute force attack against the lock through the BLE interface,” the researchers stated.
From BLE to Worse
An additional weakness was identified in the API’s lack of authentication.
“[The] API has no authentication at all,” researchers wrote. “The data is obfuscated by being base64 twice but decoding it exposes that the server side has no authentication or authorization logic. This leads to an attacker being able to get data and impersonate all the users.”
This could lead to a full compromise of all Ultraloq locks that are connected to the cloud service, they said. Researchers added that the vulnerability opened the door for an attacker to retrieve the BLE encryption key and potentially all of the users’ PINs.
“The easiest way to a full compromise is to intercept the login process and change the user id of the logged in user. After that, the app will function as the user with the userId that we have provided [and that] has logged in, providing full control over all of their locks,” they wrote.
Adding insult to injury, researchers also said the physical locks can easily be picked with a “thin pick”.
“The device allows for a thin pick to be inserted into the body and used to shim the internal mechanism to open the lock manually,” the researchers said.
The physical lock mechanism is meant as a failsafe should the electronic locking mechanism fail. “An amateur can reliably open them quickly and easily, both with single pin picking and raking. It’s certainly not up to the standards we would expect to see on an external door,” researchers cautioned.
U-tec was notified of the vulnerabilities in April 2019 and quickly replied asking for clarification. On May 1, U-tec fixed the API flaw and on May 28 requested another month to fix the BLE issue before disclosure. Last week, Pen Test Partners asked for an update and did not hear back from U-tec. Public disclosure of the flaws was Thursday.