Ash Allen

Introduction The following technical report provides background information relating to four CVEs found in the following products: Ultraloq UL3 BT (2nd Generation) (Firmware 02.27.0012) – CVE-2022-46480 Yale Conexis L1 Smart Lock (Firmware v1.1.0) – CVE-2023-26941 Yale IA-210 Intruder Alarm (Firmware v1.0) – CVE-2023-26942 Yale Keyless Smart Lock (Firmware v1.0) – CVE-2023-26943 The work discussed here was carried out by Ash Allen, Dr. Alexios Mylonas, and Dr. Stilianos Vidalis as part of a wider research project into smart device security. Responsible…

Read More Read More

The details below discuss the vulnerabilities found in the following devices: WAFU Keyless Smart Lock (firmware v1.0) – CVE-2023-34553 An attacker can use a software-defined radio to capture commands sent to the alarm from the remote keyfob. As no rolling code is implemented, it is a simple matter to play back the code and gain full access to the alarm’s functions. As an example, see the following image, comparing subsequent keypresses of the arm/disarm keyfob: As of 22nd May, 2023,…

Read More Read More

The Fortessa FTBTLD smart lock is a fairly bog-standard type of generic smart lock, sold in the UK by CEF for around £100, and available on auction sites for maybe 3/4 of that price. As can be seen on the sticker on the left hand portion of the lock above, it is configured with a default device name. The lock offers a variety of features, such as auto-locking, key sharing, and so on, and in the main they work pretty…

Read More Read More

In a previous post I discussed the Bluetooth pairing issue that means anyone with a sniffer and access to your lock can open it. However, this is not the most concerning aspect of the device. I’m a big fan of static analysis tools, and use a few when investigating IoT devices; they generally provide useful starting points for further investigation, and so it proved here. In this instance, MobSF produced a report that pointed at a couple of insecure Firebase…

Read More Read More