Remember the Balboa Internet of Things (IoT) hot tub whose security was so dire it allowed researchers to remotely tweak important settings via the internet?
A few months on and the researchers behind that exposé, Pen Test Partners, have turned their attention to another incarnation of the same IoT theme in the form of the ‘smart’ Bluetooth padlock made by a Chinese company Nokelock (not to be confused with the unrelated company Nokē).
While Nokelock might not jump out as a household name, its smart padlocks feature prominently on Amazon.com for around $40 (£30) – including one rated ‘Amazon’s Choice’ – as well as under a range of other brand names.
Obviously, the point of a traditional padlock is to stop anyone who doesn’t have a key from unlocking it. In the case of the Nokelock, the function of the key is performed by a fingerprint reader built into the shackle that is configured using a smartphone app.
This convenience means that lots of users can be enrolled to use it without having to hand out keys that cost a lot to copy and might get lost.
Unfortunately, says Pen Test Partners, the Nokelock and its API also come with some major security flaws that prospective owners might like to know about before they stump up their cash.
Such as the ability to:
- Unlock the Nokelock within a range of 10m without needing to know anything about the registered account.
- Discover the owner’s information from the Nokelock database, including the email address and password hash.
- Discover the lock’s location from its GPS coordinates.
- Assign the lock to another account, locking owners out of their Nokelock.
Frankly, it’s hard to imagine a more damning list of vulnerabilities for a security lock, compounded by the fact these flaws are now in the public domain as proofs of concept.
Even more concerning is the fact that this is not the first smart padlock Naked Security has covered that has glaring weaknesses (see previous coverage of the eerily similar Tapplock from last year), which hints at wider development problems in this category of product.
The pwn
Communication with the Nokelock happens via the Bluetooth Low Energy (BLE) protocol, which is encrypted using AES.
However, the researchers discovered the key could be discovered by getting hold of an API token supplied by creating a new user with a temporary email address, or by getting the lock to respond to getDeviceInfo which helpfully returned the key. Meanwhile, as well as the API calls being sent via HTTP, no authentication is applied, which could:
Allow an attacker to read information about a user or lock, including email address, password hash and the GPS location of a lock.
The user password hash was also stored as in unsalted MD5, a crushingly obsolete hashing algorithm that makes security people groan when they encounter it.
Wall of silence
When Pen Test Partners tried to disclose these weaknesses to Nokelock, it was met with… no response at all. Writes David Lodge:
So, let’s get on to the fun bit: the API. We found a number of vulnerabilities in the API, for which we tried to disclose to the vendor, from January 2019, through many mechanisms, including email, phone and WeChat. We even tried to get a Mandarin speaker to talk to them.
That’s damning because it suggests that the company is unable or unwilling to fix the problems in its products despite them being on sale.
But doesn’t revealing these flaws makes them less secure?
That argument is called security by obscurity and it’s based on the fallacy that nobody else will find out that the weaknesses exist.
On the contrary, the ethos of responsible disclosure demands that companies are given time to fix the flaws or to agree to a timescale by which that will be achieved. If researchers receive no response despite their best efforts, it is their job to make the wider world aware of their findings. Cautions Lodge:
Even though the idea of a Bluetooth padlock is a great one, I cannot advise anyone to use a Nokelock (or clone) and expect their stuff to be safe.