Ash Allen - Security

IoT Security Research

Am I an academic now?

So, for the past two years I have been studying for a Masters in Cybersecurity part time, and thankfully managed to pass with a Distinction. Yay! It’s an itch that I’ve been wanting to scratch for a good long while, and I’m glad to have done it.

This leads me on to my next announcement. I’m going to be studying for a PhD in IoT Security part time, alongside my current work commitments. A couple of people have asked me why I’m doing it, so I thought I’d lay out my reasons here:

  1. It sounds like fun! Seriously; I’m a bit of a nerd with this stuff, and the ability to really dig down into the weeds of a topic is really appealing!
  2. I want to discover something new! The thesis has to show originality, and again that appeals. I’m not expecting to discover gravitational waves, or evolution, but having a little bit of the tree of knowledge that I found first is a really cool thought.
  3. I think I’ll be good at it! Having had a 20 year break between undergraduate and Masters study, I wasn’t sure what to expect, but thankfully I managed to pick things up pretty quickly. Speaking to my now supervisor and putting together a proposal, it seems that I have the ability to do this, and that others agree.
  4. I want to be Doctor Allen! Maybe it’s an ego thing, but I like the idea of knowing I can use that title. I’m not going to, but it’s a cool thing, and it’s a validation. So yeah, Dr. Ash!

I’m not doing this for career progression; there are much shorter and cheaper ways of getting qualifications that employers want. I also don’t want to transfer to academia full time – I’ve seen enough to know that I’m happy in my current little niche! So, that’s the announcement. Let’s see what the next six (!) years bring…

Fortessa FTBTLD Smart Lock allows unauthorized users to change the device name. Hilarity ensues…

The Fortessa FTBTLD smart lock is a fairly bog-standard type of generic smart lock, sold in the UK by CEF for around £100, and available on auction sites for maybe 3/4 of that price.

Fortessa FTBTLD smart lock showing the default device name

As can be seen on the sticker on the left hand portion of the lock above, it is configured with a default device name. The lock offers a variety of features, such as auto-locking, key sharing, and so on, and in the main they work pretty well. It’s never going to win any beauty awards, and the app interface is pretty basic, but in the main it does what it sets out to do. Unfortunately, however, there is an issue with the lock allowing unauthorized updates to config parameters that mean it should not be used anywhere outside of the lab.

The tool of choice for this investigation is HomePwn, an IoT testing suite developed by a group of Spanish researchers. It provides a similar interface to Metasploit, and is able to work with a number of different protocols such as BLE and RFID which means less switching between tools.

HomePwn splash screen

Loading up the Bluetooth Low Energy discovery tool, we can see that amongst a bunch of other devices, our Fortessa lock is detected (2nd from the bottom):

Locally detected BLE devices

We can then look to run the read-characteristics tool, with the various options laid out like so:

ble/read-characteristics options

We can then use the discovered MAC address of the lock, and the local BLE adapter, like so:

ble/read-characteristics configuration

Running the command then returns the following (abbreviated):

Fortessa lock name

Note that at this time we have not had to authenticate, and that is correct; the companion app needs to be able to read these fields. However, this particular service is set to READ WRITE. In general, again, this is not necessarily an issue; it may be perfectly reasonable for an unauthenticated user to write to a particular BLE service. In this case, though, the lock name is likely something that we would not want just anyone updating. Unfortunately, that is how the devices is configured. Using the ble/write-characteristics plugin, we can update the lock name without authentication, like so:

Updating the lock name

Checking again with the ble/read-characteristics plugin, we can see that the device name has been updated:

Updated lock name

It should be noted that you don’t need to use HomePwn to do this; something like the nRF Connect app will let you do this from your phone.

So, what’s the big deal? Your neighbor may be able to give your door lock an obscene name, but this can’t do any damage, right? Right?

Well…

Once the lock name is updated, the app refuses to connect, as seen below:

Fortessa app fails to connect

In fact, it will refuse to connect until the power to the lock is cycled by removing the batteries. If you are locked outside of your house, because the battery compartment is on the inside, you can see the issue! I have reached out to the distributor and manufacturer with this finding, but have had nothing back. Whether this can be patched in a firmware update, I can’t say. It seems like something that would be pretty easy to fix, but who knows. For the moment, though, if you have a Fortessa lock, remember to take your keys with you as well…

Smart Lock or Spyware? The eGeeTouch TSA Travel Lock is a bit of both

In a previous post I discussed the Bluetooth pairing issue that means anyone with a sniffer and access to your lock can open it. However, this is not the most concerning aspect of the device. I’m a big fan of static analysis tools, and use a few when investigating IoT devices; they generally provide useful starting points for further investigation, and so it proved here. In this instance, MobSF produced a report that pointed at a couple of insecure Firebase databases (I’ve redacted some of the information below to casual readers from investigating further; of course, it is perfectly possible to recreate exactly what I have done. I have tried reaching out to the manufacturer on a number of occasions regarding this and the Bluetooth issue but have had no response).

eGeeTouch Firebase Databases

Digging down into the data returned from the URL, I had the (mis)fortune of finding my own details, captured as I tested the lock (redacted, although of course the above applies).

The author’s information

The information captured includes the GPS coordinates and approximate address of where the lock was accessed, the time of access, the email address of the user, and whether the device was locked or unlocked. Nowhere in the EULA is it stated that this information will be collected. Aside from why this information is stored at all (I’m assuming some sort of audit trail), it is clear that this represents a severe privacy intrusion. Not only is the device collecting personally identifiable information (PII) about the user, but it is storing it in a location that can be accessed without requiring any authentication. PII, of course, is subject to GDPR regulation in the UK and other, similar restrictions elsewhere in the world. This would seem to be, then, a significant concern for anyone tempted to buy the lock.

The eGeeTouch TSA Smart Lock is Anything But

IoT security devices, such as smart padlocks, need to perform at least as well as their non-smart counterparts if consumer trust is to be gained. Unfortunately, many such devices are fundamentally flawed, with poor design meaning they are simple to subvert. Once such device is the eGeeTouch 3rd Generation Travel Padlock.

The eGeeTouch 3rd Generation Travel Padlock

Available in the UK for £19.90 from Amazon, the lock boasts a number of features, including Bluetooth operation via the companion smartphone app, RFID tag support, and a TSA manual override. So far, so good. However, digging deeper, it is clear that the device should be used with extreme caution. Access to the device is handled via a password set in the app:

eGeeTouch app – password management screen

This password is required when initially pairing the lock with the app; without that the two can’t talk to each other. Setting the password to 080379, we can then look to see how the lock communicates with the app, and vice versa. To do so, we can use btlejack, a Python tool that leverages the Bluetooth LE chipset in the BBC micro:bit development board to hijack the connection and dump the output to a Wireshark format dump file (download it here). Looking at output from a successfully captured session, we can see the following in packet 78:

Authentication capture

The capture indicates a write to the 0xfff8 attribute of the letter a plus our secret code, 080379. The lock then replies with a range of other information, for example the Model Number in packet 89 :

eGeeTouch model number

and the firmware revision in packet 92:

eGeeTouch Firmware

Triggering an unlock event via the app sends the following (packet 95):

Unlock event

whilst a lock event sends the following (packet 101):

Lock event

It seems clear therefore that the operation of the lock, at least via the companion app, is controlled by these three commands; an initial authentication, followed by the relevant lock or unlock code. All three use the “secret” code that was set in the app. How much access can we get knowing that?

The app is currently logged in using the following account:

User account

Let’s then log out and try signing up with a brand new account:

Attacker account

Logging in, we can see that no devices are currently registered:

No devices registered

Clicking the Add Lock button brings up the following:

Lock choice screen

Select the correct device and we are asked for the pairing password. Enter that and:

Success!

The user now has full admin rights over the lock, including, crucially, the ability to change the pairing password and so lock the legitimate owner out. No notification is provided to the original user that their password has been used on another account, so they are none the wiser that the lock is compromised.

The exploit relies on the attacker having the ability to capture the data flowing between the device and the companion app. There are a number of different ways of doing this in addition to the btlejack method; for example, the image below identifies the same back and forward communication as in the PCAP, though in this case it was captured using the Gattacker tool:

Gattacker output

The attack does require a small amount of contact with the device, amounting to a push of the power button on the side of the lock. In a busy environment such as a railway station or airport it is not an impossible obstacle to surmount. In short, the eGeeTouch Travel Padlock should be passed over if you are looking for a reliably secure device.

I will be returning to this lock in a later post, as there are a number of other serious issues that greatly impact its desirability as a consumer product.