Backdooring the Frontdoor
Formal Metadata
Number of Parts: 93
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/36251 (DOI)
DEF CON 24, 58 / 93
Transcript: English (auto-generated)
00:00
Afternoon, how is everyone's DEF CON going? So this talk is on backdooring the front door, and I've got a lot of slides, so I'm just gonna get right into it. So to start off, I'm JMax. I work as a software engineer, hacker for fun, like doing things with locks, and the thing I always like to tell people is the best puzzles are the ones that were never meant to be solved, and I think that explains a lot about the hacker attitude. Now all opinions expressed in this talk are my own; they aren't my past, present or future employers' opinions, and if you see something you like and you want to reach out later, you can find me on Twitter at JMax. So obviously this talk is gonna be about the Internet of Things. Oh, and we just lost video. There we go, Internet of Things. So our homes are getting smarter and we're bringing more technology into our homes to replace traditionally dumber mechanical objects. And for this talk we're gonna be looking at the August lock, particularly the August Smart Lock that I have up on stage here. This is what an August lock looks like when you put it on your door. I don't know if you can see it on the screens up there, but it replaces the thumb turn on your deadbolt. So if you live in an apartment like me this is a great option, because you don't actually have to replace the outside of your lock, and that would annoy your landlord. And the device itself is just Bluetooth Low Energy, and it gives you smart lock features like auto unlocking, unlocking when you approach the door,
01:42
those types of things. But why it got me interested in this lock was actually August's marketing team. One of the things I like to do when I'm looking at a technology is see what claims the company distributing it is making. Now on August's website, the quotes that I'm showing you up here, they're actually no longer on their website; you can find them on the Wayback Machine. But they said such things as their lock is unlike physical keys, which can be duplicated and distributed without your knowledge. They also said it's safer than codes that can be copied. And so we get this recurring theme that it's not like a traditional key, it's somehow safer. And their most aggressive claim, I'm gonna let them explain it to you, because I don't think you'd believe me if I told you. August is the lock that requires no key. Only an invitation. An invitation that you can give and take away whenever you please. Keyless, codeless, and completely secure. Completely secure. Completely secure. And completely secure. So I didn't just loop that video for the hell of it. That's actually what I did when I first heard this piece of marketing material. I went back to that YouTube video and just played that section over and over again, thinking I must have misunderstood something. Because I'm sure what they're trying to do is comfort people and say, oh, we know it's technology but it's safe technology, and their thought was this will make people feel comfortable with their lock and think it's secure. However, that's not really how I took it at all. I kind of took this as, well, you have a completely secure lock. Sure, it would be worth looking into, I suppose. I don't think I've ever seen a completely secure lock. So, putting together the security claims. Obviously they claim perfect security, which is a little amorphous. But they also claim things like guest access can be revoked at any time. Guests' permissions can be limited to a schedule. Guests can't use the unlock feature. They can't access lock settings. And the keys can't be duplicated. We saw that claim twice in two different forms.
04:04
They said their codes can't be duplicated; they don't have codes that can be copied and they don't have keys that can be duplicated. They also say that you can track who enters and exits your home. That should say home, not phone. So to start looking at the lock I said I'm gonna map out the API. I work as a software engineer; let's just look at the boundaries of this application. Let's approach it as a black box. But the problem is, which API? There's actually two APIs in the August lock. There's the one between your phone and the lock, and the one between your phone and the cloud, or if you read XKCD, someone else's computer. And working as a software engineer mostly on web applications, I wanted to look at that HTTP one first, the REST side. So what I did is I downloaded mitmproxy, and if you're not familiar with this tool you really should get familiar with it. It's an awesome tool, super easy to use to get in the middle of any application, particularly if they're using SSL. So I installed the certificates on my phone, fire up mitmproxy and launch the application.
05:03
And I get something that looks like this. And what this is indicating is that the August application is using certificate pinning. Now if you're a developer and you develop mobile apps, certificate pinning is a really good idea and you should absolutely have it on your applications. However, if you're a hacker and you're trying to figure out how something works, it's a real pain in the ass. So we need a way around this. One solution is to use iOS SSL Kill Switch. It was originally developed by iSEC Partners; there's a new version, iOS SSL Kill Switch 2. Basically what it does is shut off certificate validation on your iPhone. Now, this being a DEF CON talk, I really didn't walk in and shut off SSL on my phone and then connect to the DEF CON wifi and see what happened. I don't think that would work out well for me. So I need a better solution. Fortunately, August built one into their application. If you just tap on the hamburger, press and hold on the version number and then you type the super secret phrase, Dreadful Dao (casing matters, make sure your D's are capital), you'll get access to their debug menu. On their debug menu at the very top you'll see a URL. That URL is the endpoint that their application's talking to when it reaches out to the cloud. If you just tap on that, it pulls up this menu. Now I obviously don't want to look at staging and their development environments, cause, well, that's probably outside of scope and I don't really want any nasty letters from August. But this other option looks pretty cool. So if you just tap on that, it opens another dialogue where you can specify any endpoint you want. Now obviously if you can specify any endpoint you want, they can't have pinned the certificate for every endpoint in the world. So I just enter an endpoint I control, and it can be HTTP or HTTPS, so you can choose not to deal with HTTPS at all if you want to. Enter a URL you control, hit custom, the application will crash, and when it relaunches, boom, you're in the middle. So now we have access to all the traffic back and forth and we can start looking at how the application works. And one key thing I'd like to point out here is, unlike iOS SSL Kill Switch, this didn't require jailbreak. There's no jailbreak required. This could be a stock phone and this would work. And being a developer, a thought occurred to me: there's probably a sprint review where some developer walked in the room and was just like, I've implemented certificate pinning, we're good, ship the perfect security claim. So we're gonna cross that out. Now obviously after we map out the API we can build up a collection. I use Postman; I put together a collection of all the endpoints that it talks to.
07:43
This collection will be available in the GitHub repository after this talk. Now looking through all the APIs that the August application uses, one of them caught my interest, and that was this one. And for those who can't see what's on the screen, it's the mobile application telling August's servers that you just unlocked your lock. And this is the owner of the lock doing it. And what's interesting here is it's not anonymous; this is tied to your account. So what August is doing is they're building up a collection of every time you've entered or exited your house, if you're the owner of the lock. This is something your Schlage and your dumb locks are not going to do. It's a little creepy. I'm not sure I want a company that makes a lock that they can open also being able to build a profile of when I'm home and when I'm not home. Those two sets of data together would be incredibly valuable on the black market. So let's fix this. mitmproxy can actually modify traffic as well as just listening to it. So with a little script we just intercept all the APIs that log data about locking and unlocking, and we tell the application, yeah, 200, everything's good, and we don't tell the web servers anything. And the nice thing about this is it gives us privacy, but if we remember, they made the claim that you'll know when your guests open your door.
09:03
Well, the way they know that guests open your door is the mobile application logs to their server, hey, I just opened this door, and then they notify you: Jimmy opened your door. Obviously if you can just say I'm not going to tell you when I open a door, that kind of defeats that feature. But they also said guests can't be notified or see the activity feed of a lock. Well, it turns out if we look at this API, there's an API to set up notifications. So when someone opens your door it's supposed to notify you and say someone opened your door, someone locked your door. And if we just specify any lock, it could be a lock you don't own, and any user identified by their phone number or their email address, and we say notify me when this user opens this lock. It doesn't matter what the lock is or what the user is. August will dutifully notify you that that user opened the lock. Even if you don't own that lock. Even if you're not a guest on that lock. Any lock in the world. But what else can we do? Well, August has this idea of owners and guests, or as they like to call them, users and superusers. But guests are supposed to be limited in what they can do. Specifically, they're not supposed to be able to use things like the auto unlock feature, and they're not supposed to be able to change lock settings. But how does the mobile application know when you're an owner and when you're a guest? Well, it's actually this message right here. They say user type: user. And if it's user type user, you're a guest. If it's superuser, you're an admin. So let's just use mitmproxy again and we'll just replace user with superuser, and we get access to the menu as a guest. So this is the first big interesting discovery we have here, which is the lock itself has no concept of owner and guest. It only knows about users. The entirety of the access control model is implemented server side and in the application. And since they're relying on you to talk to the server, well, we can just cut that out eventually. So to the claim that guests can't do these things, I just have to say that's wrong. Guests can absolutely do them. They may not be able to do them
11:21
through your application, but they can do them. So now the list of claims looks something like this: less grey and more red. But I think we can do more. We only looked at one side of the API right now. What about that Bluetooth side? Now in case you forgot, it's structured like this. The lock itself has no wifi. It relies on your phone to talk to the cloud. So if you want to play with Bluetooth Low Energy, a good app to start with is LightBlue. It's great for enumerating services and just seeing what Bluetooth Low Energy looks like. And you'll get something like this. So this is an August lock, and because we were able to connect to it and pull services from the thing, we know that we're able to pair with it, which means it must just be using Just Works pairing, because I never had to enter a PIN. But August relies on a second layer of encryption, so that's not too big of a deal. But I would like to intercept some traffic. And if you look at Bluetooth Low Energy long enough, you're eventually going to run across the Ubertooth, which is supposed to make this really easy. Unfortunately I didn't think it was that easy, and after about a week I said, well, this is too hard, I need to find something else. But again there's a better solution. It's built into the August application again. If we go back to the previous menu, there's this send logs button. We just tap that, it'll pull up a screen that looks like this. And for those who can't read it in the back of the room, it's to auto unlock at august dot com. Now if like me you look at that title and say, I wonder if this will auto unlock my lock, I hate to disappoint you, it won't. What it will do is get you an email from their VP of engineering asking why you just sent this to them. But what I'm going to do is just replace that with my email address to avoid those emails. Then once I get on my computer, I open it up in Notepad++ and I search for cipher text. And what you see on the left side of the screen is the cipher text for the communication between the phone and the lock, and on the right side of the screen is the plain text. So, man-in-the-middle attack built into the application. So that Ubertooth I bought, completely useless, throw it out, I just need their mobile app. And again no jailbreak is required to do any of this. In particular for the Bluetooth logs, if you just use "August support" instead of "Dreadful Dao" you'll just get the send logs button and it'll work just as well. So now that we have the Bluetooth, how do they authenticate with the lock? Now it's fairly simple; again, all access control is on the web server. So when your phone connects to the lock,
14:04
your phone then generates 64 bits of random data. They send that 64 bits to the web server. The web server encrypts it into a packet to be sent to the lock. Your phone gets it from the web server and then hands it off to the lock. The lock is able to decrypt it and then generate its own 64 bits and hand it back to your phone. Your phone can't decrypt it, so it hands it to their server, and then their server hands it back to you decrypted, and you take those two things, you glue them together, and that gives you a session key. And then you just use AES and that session key and now you can talk to the lock. Now what's interesting here is you'll notice this is all symmetric encryption, which means the web server and the lock must have the same key. So how did they get that key onto the lock? One option is it's burnt in at the factory and there's absolutely no way to pull it out. Another option would be maybe it's flashed in with the firmware. So let's request firmware as a guest. So as a guest user I request a copy of the firmware, and to make it interesting I'll request firmware that doesn't exist. And I get a response that looks like this. And at the bottom of that request, just a normal 404 for a piece of firmware that doesn't exist, I see the serial number of my lock and then a bunch of garbage. That garbage looks awful suspicious. Why is there garbage in HTML? So if we open that up in a hex editor and we just start walking through this and trying random series of bits, and just skip the obviously wrong ones like the all-zero sections, we'll come across the highlighted one. And that decrypts the packets that were sent to the web server. So now we know that must be the key that's being used. This key I'll call the firmware key. I think August internally calls it the online key, but I think firmware key is more accurate in this case. So this key appears to be unique for every lock, but with this key we're actually able to emulate the web server. Now the way August works is there's actually 256 key slots in each of these locks. Key slot zero is this key, the firmware key. Now if we go back to their claims, they said it's safer than codes that can be copied and it's unlike physical keys that can be duplicated or distributed without your knowledge. Well, I didn't have any problems copying and pasting it. So duplication seems to work. I also didn't have any problems distributing it, because you all have it now. So this silver lock, if anyone tries to sell this to you on eBay, it is worth nothing. But it actually goes further.
16:46
If we take those log files we got earlier. I need to stop touching this HDMI cable. If we take those log files we got earlier and we just run grep on them, looking for some interesting stuff, we can pull a lot out of there. We can actually pull all the offline keys. We can pull all the usernames, passwords, the firmware key, the JWT tokens that are used to talk to the web server. So basically all the secrets. So that log file not only contains all the Bluetooth traffic, but it also contains everything you need to talk to the web server. Now I think most of these are fixed at this point, but you'll probably still be able to pull offline keys from those logs. So now the list looks a little bit more like this. Not so hot. So the moral of the story here is, with a smart lock, don't give access to someone you wouldn't give a key to. Because in spite of what the vendor claims, it behaves much more like a traditional pin-and-tumbler system, where when you hand someone a key they can do anything with that lock, than it behaves like an email you sent through Gmail or something like that. It behaves like a physical key. If you give someone guest access to one of these locks, assume they can get permanent access. So all the code after this talk will be published on GitHub. There's the address; I'll tweet it out after this as well.
18:07
So I think we're doing good on time, actually. Much faster live. So I'm going to do a couple demos here. So obviously I have two locks here; there's a bunch of wires coming out of them, so you probably won't trust anything I do with them. So we're going to be using a new lock that's never been associated with an account. But before I switch them out I want to show you something. So if we look at this silver lock here and we just go to settings and we go down to the bottom, I don't know if everyone can see the version of software that lock happens to be running. It's safe to say that is not factory firmware. Which means that the code being pushed to these locks is unsigned. So the lock itself could be running any code, because it doesn't have any signature checking to make sure that the code came from August. But now I'm going to switch that lock out and we're going to do a demo. I'm just going to unpower this one so I don't pick it up in the demo. So this is a brand new lock that's never been associated with any user's account. And hopefully it's not DOA. Pull out the battery tab. Okay, so we have a new lock on our door now. Fresh from the factory and right out of the box, in its perfectly secure state. Okay, let's add this to our account. So we're just going to go in here and set up a new lock. If you have the August application, don't try to beat me to this. There we go. We'll name it Front Door, since that's the name of this talk. And we'll put in our DEF CON house. And we'll go ahead and configure it. So to calibrate the lock we just put it on our door. Lock it. Unlock it. Sets up the lock. Okay, now we have a lock on our door. And it opens and closes, as you can see. There we go. So there's our lock.
21:25
Let's invite a guest user to this lock. So I'm just going to invite myself, another account. And we can see on the front door the access level is none. Let's just change that. We're just going to change that to guest. And it reminds us that guests can't use the auto unlock. They can't invite other guests. They can't control lock settings. Bunch of stuff we know probably isn't true. We'll just update that. Okay, so now we have a guest user. And you know what, let's go back and let's make sure that we have notifications turned on. And we do. Great, so we should be notified then every time this user attempts to use this lock. Okay, let me just shut down the flashing lights demo here. And we're just going to run backdoor.js. Can't see? Okay, let me font-size this. Does anyone know where the font size is? Thank you. The obvious answer is the answer. Okay, so Atwood's Law is in play here: anything that can be written in JavaScript will eventually be written in JavaScript. So I figure if we're going to detect hardware we might as well write the exploits in JavaScript. So we can see the results here. It connected to the lock, added a backdoor and then disconnected from the lock. And if we go back to the other screen, we still haven't been notified that anything has happened. So we know we're connected to the lock. We know we backdoored the lock. Let's see if we can just cycle the lock. So I'm just going to try to open and close the lock as that guest user. Thank you.
23:25
So we're connected to the lock. And it should, there we go, start opening and closing. So we just made it from a guest user. We added a backdoor to the lock and now we're using that backdoor to open and close that lock. And if we go back and we look at the owner's phone, they still haven't been notified we used that lock. What happens when we revoke access from that guest? So if I go to the guest and I, I'll just delete him altogether. I know I'm accessing any of my locks. It's gone. And we cycle the lock again. It should still work. For those in the back of the room, if you can see the lights on the lock, that'll tell you when it's opening and closing. Green is open, red is closed. So there we go. The lock is opening and closing. And they'll actually just keep going on forever. We'll just disconnect from that. So, plenty of time. So let's try the high risk demo here. What I'm going to do is I'm actually just going to factory reset this lock. So if I go back to the iPhone here. There's our lock. We'll issue a factory reset. So now that lock has been reset to factory state. And if we go back to our demo, let's do something else maybe. Let's go back to the lights. It should still connect up and still work. There we go. We established a connection and now it's sending the light up. And the screen is, there we go, that'll make it better.
25:54
But there's still the possibility that maybe August clears the keys when you add it back to your account. So let's just add it back to a user's account. Start setup, scan for locks. This part takes a while, apparently. There we go. Front Door. We'll actually add it to a different house. We'll just skip the calibration this time. Not too interested. Okay. So there's our lock again. And it still works. But if we close out of this.
26:45
Disconnect from it. Okay. If we go back to our guest user who was once a guest of this lock. The lock has been factory reset and it's been added to a new house. And we see if it still works using the back door we previously inserted. And again what should
27:06
happen here is it'll scan for the lock. It's going to find the lock, connect to the lock and then it's going to open and close it indefinitely. So the interesting thing here is
27:21
if you bought one of these locks used off of Ebay and you put it on your front door, the previous owner had access to it. Previous owner had the ability to insert an offline key and the previous owner now knows where you live. So again it models much like a physical lock. Just like buying a used pin and tumbler lock means that you have a key
27:43
that someone else could have a copy of. Buying a used August lock means you have a firmware key. So there's a bunch of mistakes made obviously um in the August application. Um there's a log sensitive data. It doesn't differentiate between guest and owners at the
28:02
lock. It does that all remotely and at the application level. The firmware is not signed. There's no apparent way for a user to discover if their lock has been back doored. Um but you actually don't even need to back door the lock because that firmware key is so so central to the lock's um operations. Um the the system relies on guests reporting when they
28:22
open and close the lock. And the vendor makes claims that they have two factor authentication when really they only have two step authentication. There's a couple things that they fixed and um the final one this one's really entertaining is all the key material for the lock is not actually stored on the Apple keychain. So it's all just
28:41
in a preference file. Um so if you just look at your iOS backups you can just pull keys for these things if you want. Um but they've done a couple of things correctly. For the most part they've been fairly responsive. Um their application does use certificate pinning which is pretty good. Um and their protocol makes use of nuances. And this is
29:01
important because they use CBC mode for their encryption. And if you know cryptography and AES, you'll know that with CBC, if you're using a null IV like they are, you can repeat messages, which can disclose what someone's doing. So the use of nonces is important. Additionally, they don't just rely on Bluetooth Low Energy's
29:22
security mechanisms; they've built in their own. So this brings me to my real point, which is why we need hackers. Why we need security researchers. Because the security claims that vendors are making can't be validated by consumers. Consumers lack the
29:41
expertise necessary to determine if these claims are valid. So they have to take the manufacturer's word for it. And what can be asserted without proof can also be dismissed without proof. And if a vendor isn't providing evidence of the claims of the security of their device, then we should assume that there is no security in that
30:02
device. So, I got through that pretty quick. So I will actually take questions. There's a microphone in the front if anyone has any.
30:29
That was really amazing. Thank you. I do have one burning question. Yes. How did you get the password that allowed you to get into the debug mode of the application? Sure. So there's a couple of ways you could do it. You could look at the
30:45
iOS application and try to get the IPA off the phone. I initially tried doing that, and reversing iOS apps is a little difficult. So I just downloaded the Android app, and then it's obvious. Hi, my name's David Rogers. I'm from the IoT Security
31:06
Foundation. So, fantastic work. We've seen this all over the place, particularly in consumer products that are going out. And so this is an open invitation, really, to yourself and to everyone in this room. We're reaching out to people to come and help
31:22
us. Because this stuff is absolutely shocking. You know, we've been through this in the mobile industry. We fixed it time and again. As you mentioned, all the stuff for the iOS apps. You know, some of these consumer products companies have never done anything like this before. Or they're creating minimal viable
31:41
products and selling this stuff for crazy prices. So let's just kind of stop it now. And thank you. How much were these, and can I get some? 'Cause I want to play with them. Of the
32:00
smart locks? Yes. So you can pick them up on eBay for maybe 150, the original version. Outstanding. If you want their latest revision, which most of this stuff still works on, you can get those for about 200 to 220 new, and then obviously, again, look at eBay. If you're researching security of the lock it doesn't really matter, so buy
32:23
it off of eBay. Yeah. The other question was, did they fix anything in the app? Or, you know, if I go buy or download the app right now, did they fix anything in it? Or can you provide the unpatched version so we can play with it? If you just
32:41
download the iOS app today you can still unlock that debug menu. And so the question was whether it was patched or not. So one of the key things here is interacting with the lock directly from the computer here. So one of the important things, and it's on the debug menu there, let me show you it. Oh, and thank you. Is
33:06
this: disable over-the-air updates. This is a really good feature if you want to look at these, and I recommend if you buy one, get it with factory firmware and check that box immediately. You can also check it by modifying your iOS backups. But the reason
33:20
why I check that is there's a UART on the device, and the factory firmware logs to UART, and every revision thereafter doesn't. So keeping it at the stock firmware will give you a way in. Additionally, I'll be publishing all the code for this so that you can work with that as a base, and that'll get you connected to the lock. It'll take care of
33:43
these security mechanisms and it should let you do some of the basic stuff yourself. You can also use that to write an application that doesn't have the logging of when you open and close your lock, if you care about your privacy. Hi, I don't know if I missed it, but was your future access to it because you rested that key zero, that
34:01
firmware key, from the lock, and you said that was per lock, and have you seen an ability to change that key zero at all? So I have the ability to change it. I don't recommend people change it because it's high risk. You can brick a device by changing that key: if you change it to something, and you change it to a value you
34:21
forget, or you mess up while you're changing it and it ends up in some intermediate state, you end up in a world of hurt, because that firmware key is the only one that can enroll new keys. So it's a fairly high-risk key to change, so the code I'll be publishing has a safety check in it, so by default it's not gonna let you do that, but it also has the ability to bypass that safety check so you can replace it. If you do
34:42
replace that key, their application will stop working on your device. For what was involved in the backdoor I was showing, what's actually happening is I'm inserting this key, the one up on the screen which no one can read, into key slot two
35:08
hundred, and the reason I'm putting it in key slot two hundred is because the mobile application starts putting offline keys at key slot one, and if you get their keypad device, it starts putting offline keys at key slot two hundred and fifty-five, so any number in
35:22
the middle is going to survive for quite some time. So this is actually using a different mechanism to maintain access, so even if they rotate firmware keys on reset, unless they clear all offline keys, this would still work. Thank you. I have two
35:40
questions. So the first one: you showed that you had a modified firmware loaded on the thing. Did you do anything with that, or was it just to show that they weren't signing it? So in that one the only modification is actually the changing of the version number, because the goal was just to show that you can put custom firmware on it. I didn't write a custom firmware to do anything interesting, but obviously you could. Right. So the
36:04
other question is, as far as I could tell from following your kind of narrative of the whole thing, if I were just walking around with LightBlue and I saw an August smart lock, none of the bones that you had would be able to open it. I would have had to already either bought it from somebody else and all that stuff, or given it to somebody else, or I'd
36:21
have to already have guest access and then upgrade. Right. So everything I've showed here will get you from guest to permanent access or near-permanent access. The only one that didn't require any authorization was notification of when the lock is unlocked or locked, but in that scenario you do need to know the owner's phone number or their email address, and if you see the lock on their door, it broadcasts the ID in
36:46
the LightBlue application. You can pull the lock ID off of it, and that's how it's identified in the system, and that remains the same no matter how many times it's reset. Cool. Thank you. So that's my talk. The final thing I'll give you is, if you want to play
37:06
with the locks at all, Best Buy is a great place. Most of the locks at Best Buy aren't actually paired with an account. If you walk in, they have an August demo booth; just fire up the August application and associate it with your account, and they'll give you something you can play with on their APIs. One last question. Was there any
37:24
indication that maybe the AES key was actually derived from the serial number? I don't have any evidence of that. I don't know how it's generated. I'm assuming it's random, and it's probably using the same mechanism they use to generate offline keys. I
37:41
also don't think it's generated from the serial number, because you used to be able to enroll non-existent locks in their APIs, and for those ones it wouldn't hand you a key back, so there's probably a database somewhere that has a table joining the lock ID and then the offline key that's the firmware key. Great. If you want to play
38:11
with this, the IoT Village has a lock, a smart lock, there. I'll be publishing this immediately hereafter and providing a link on Twitter, so you can take it over there
38:22
and mess with their lock.