Smart Lock Vulnerability

Yet another Internet-connected door lock is insecure:

    Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec’s $139.99 UltraLoq is marketed as a “secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code.”

    Users can share temporary codes and ‘Ekeys’ to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device’s MAC address can help themselves to an access key, too.

UltraLoq eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they’re doing.

EDITED TO ADD (8/12): More.

Posted on August 10, 2020 at 6:23 AM • 34 Comments

Comments

Bounce August 10, 2020 7:29 AM

Barfa is partly right. Until the exploit is mitigated, all such locks are “open” to those with the exploit where manual locks (are often easily) pickable, each has to be addressed anew.

echo August 10, 2020 8:25 AM

From a UK perspective I don’t personally trust American quality control or education or much of anything else especially when making money is concerned. America can and has in the past produced good stuff but there is too much bad and sometimes lethally bad stuff in the mix. It’s not just China which sells tat.

Simply enforcing existing UK/EU law if it was properly done would bankrupt a few American companies at least as far as selling into the UK/EU goes. The thought of America getting a free pass after Brexit is concluded fills me with horror.

American locks and electrical plugs (and food!) have always been a joke over here.

Clive Robinson August 10, 2020 9:11 AM

@ ALL,

It’s really nothing new, and shows a horrible failure in society to actually be proactive.

The article quotes Tripwire’s researcher Craig Young,

    “Even with safety-critical systems like locks and furnaces, there is little in the way of requirements to make the products secure, and there is even less security oversight”

I’ve been going on for quite some time that NIST should have implemented a security framework for embedded devices years ago as this was not just “predictable to a few” but should have been “bl@@dy obvious to all”. It’s a consequence of the “race to the bottom” mentality that has gripped the consumer electronics market since the closing decades of the last century.

But as Craig Young further notes,

    “As we’ve seen with Mirai and other IoT botnets, devices on the Internet do not even need to be safety critical to wreak havoc when they fail.”

And this is before we start talking about the “security intel” they hemorrhage out for all to hear on WiFi, Bluetooth etc.

After all why send “a man in a van with cameras and video” when I can use a gumstick sized or smaller Single Board Computer (SBC) and a USB device and a LiPo battery pack with a solar cell on top and just put it on top of some “street furniture” like a sign/lamp post and stick a fake “traffic department” sticker on it… All for less than a hundred bucks[1].

An idea that is not exactly lost on the slightly smarter “Ouff Crims”…

After all once they have your habits for a week or two the chances are they will know when you are all out and just “walk right in”…

Perhaps Insurance companies should have much higher rates for people daft enough to have these types of “easy access” locks. Say an extra 1000USD / year…

[1] Assuming the USD does not continue its current declination of ~-10% in 3 months against the Euro http://www.exchangerate.com/CurrencyRatesLineGraph?last30=90;cid=282;currency=239;date_from=05-12-2020;date_to=08-10-2020

TimH August 10, 2020 9:40 AM

Ingersoll SC71 (Double Locking) or Ingersoll SC73 (Non-Double Locking) is what you need, on a metal door/frame assembly that can’t be attacked at the hinges. These are not cheap.

I’d be curious if anyone here has heard of pick attacks for these.

Andy August 10, 2020 11:10 AM

I would like to recommend the YouTube Channel “LockPickingLawyer”. It doesn’t offer a whole heap of confidence in mechanical locks, either. However, he’s started looking at electronic locks too, and some of them are pretty disappointing too. Plus, there’s something strangely relaxing about watching locks be defeated.

echo August 10, 2020 12:04 PM

@Andy

    I would like to recommend the YouTube Channel “LockPickingLawyer”. It doesn’t offer a whole heap of confidence in mechanical locks, either. However, he’s started looking at electronic locks too, and some of them are pretty disappointing too. Plus, there’s something strangely relaxing about watching locks be defeated.

It’s been a casual interest for a long time but I bought a lockpick set after watching his videos. Annoyingly I bought the American not European specification set by mistake. Yes, there is a difference. You can pick American locks with a European set but not the other way around because American locks are to a looser standard. By and large European locks are more secure than American locks.

I’m kicking myself I was suckered for one lockbox which can be picked in seconds due to a long standing design fault. It’s meant to be the final key container behind layered protection so I’m not too bugged but it’s still annoying.

I’m happy with my combination lock portable lockboxes although they could do with 5-6 numbers not 4. Again, it’s layered protection so if this fails I have bigger problems.

I don’t have confidence in electronic locks.

At the end of the day it’s all a stack of bellcurves.

myliit August 10, 2020 12:15 PM

Perhaps tmi, but I proceed under the assumption that all my electronic devices have been hacked, and my vehicle(s) and living space are open books.

In other words, I do appreciate a master locksmith:

https://www.abqjournal.com/813986/master-locksmiths-team-safeguards-critical-assets-at-sandia-labs.html 25 July 2016

“… He [ Highland ] started full time at Sandia labs in 2000 and plans to keep working to build the ultimate access delay system.

“I have a challenging job,” he said. “And I never have a boring day.”

Despite his encyclopedic knowledge of locks, safes and vaults, Highland admits that he once locked himself out of his new Chevy pickup truck.

“I had to call OnStar to unlock it,” he said.”

vas pup August 10, 2020 3:02 PM

As I recall, all locks are considered just delay access devices, meaning attempt to unlock any type of locks should take long enough time that security response team could arrive and put crook in a custody.

Current events with mass looting override this altogether because security response team just does not to do their job. That is not a technical, but a purely political issue.

@Winter – thank you for the link provided. Good to be reminded:

“Always remember that risk to your person or sensitive data is a combination of threat and vulnerability.”

But as you know combination of determination and resources (when provided) is a key to break any security device when target is not random, but rather predefined.

Big Sam August 10, 2020 3:12 PM

@echo

Are you sure this is even a USA designed & made product, the sort of failures that would support your whining?

Given that when asked about its origin, the ESL response was obvious:

Q: Where is this product made?

A: Font door

and the other responses from the manufacturer, it sure seems like the typical Asian cheap product layered with a slick website and half-assed marketing.

Working with truly better locks, the consumer market stateside or in Europe really doesn’t demand that upgraded level of performance, and certainly recoils quickly from the 10x to 20x increase in costs for locks with a better level of deterrence. I don’t think even Echo will loosen their purse strings for a £800 per door basic security lock.

And that expenditure is a long ways from actually being “secure.”

As for truly secure, that is another magnitude of expense and inconvenience, and becomes part of a system approach not all that well suited for these sort of rental access restriction locks.

Given that none of several UK properties came with decent locks, one at purchase was even like-keyed all ground floor outside doors to the iron monger’s M16 standard key, and few were able to provide more than a few moments of deterrence, ditto for properties in Germany and Spain, I’m not very taken with the Euro Security.

What did impress me with British security was the inability to apprehend and effectively punish thieves….

echo August 10, 2020 4:19 PM

@Big Sam

My main focus is security and consumer standards. Where something is branded/assembled/manufactured is really irrelevant. If the standards are rubbish and there is no push to produce better standards then don’t expect anything good.

It’s just a fact US locks are easier to pick (and generally less secure all round) than European locks.

If you want to patronise about systems maybe I don’t need an £800 lock because I don’t live in a paranoid country with easy access to guns and third world social programmes which thinks wasting more money on more technology is a quick fix? Plus I have better locks as standard anyway.

MarkH August 10, 2020 9:22 PM

@myliit:

Thanks for the story about the locksmith, though the bloated Albuquerque Journal web page nearly paralyzed my old computer :/

It’s interesting that he uses the term “access delay”, which I suppose acknowledges that no locking system will prevent access for unlimited time.

A special category are access control systems which impose a delay even for authorized access. I have heard that some bank vaults will only unlock after a time delay.

A special case of this which I have witnessed is the process of entry for maintenance of Minuteman ICBM silos. Not only are they practically impossible to enter without access to the unlocking codes; they also require a good hour to enter even for authorized entry (and that’s when everything goes smoothly).

This enables the Launch Facility equipment to signal that an entry attempt has been initiated, with enough time for Military Police to respond if the attempt was not authorized.

Singapore Noodles August 10, 2020 11:23 PM

Full disclosure: not a lock picker, half the time can’t even find the right key on the ring, but –

How big is the “state space” of a lock ? Can it be regarded as or reduced to a discrete finite set ? The key “finds” the right point in the space, picking is just simulating the key. How hard should this be in principle ?

Jonathan Wilson August 11, 2020 12:19 AM

I would say that the vast majority of electronic locks out there (including most of the ones that have any kind of wireless connectivity) are junk from a software security point of view (weak or no encryption, software flaws etc). And as YouTube channels like LockPickingLawyer and BosnianBill like to show, many of them can be defeated without even messing with the electronics.

There ARE locks out there (the Abloy Protec2 for example) that will be secure enough to deter just about any thief (unless they are really skilled in lockpicking AND have a specific reason to target what the lock is securing rather than just finding somewhere else to rob that isn’t so secure) but for most residential applications they are overkill.

ME August 11, 2020 1:02 AM

It has key hole as well as “smartness”? This thing was security risk even before the vulnerability. It has weakness of both key and electronic systems.

Hongkong Soup August 11, 2020 1:23 AM

@Singapore Noodles

Key it’s practically a mechanical password. You can’t manufacture keys and locks with enough precision to have it really non-discrete. You need to define finite number of key height levels with enough room for tolerances and material wear over time. Otherwise, you risk that two keys can be similar enough to work with a single lock.

echo August 11, 2020 1:49 AM

The Abloy Protec2 is an interesting design but has been picked. I think BosnianBill was the one who defeated it.

Groups can be as clever as the cleverest person in the room but are as dumb as the average. The internet is just a bigger room.

@Singapore Noodles

Not difficult in theory but the problem space is expanded by various traps and tolerances. Barging in with fumblefingers can block a lock from opening. Part of the skill in lock picking is avoiding triggering the traps and being delicate/forceful enough to work the lock. It also helps with some locks to have one you can take apart so you can figure out how they work. So what you have is difficulty bellcurves versus detection bellcurves versus laziness bellcurves. This is why in practice locks don’t have to be that secure to be secure.

Moving on from domestic and regular commercial settings at the other extreme with expensive locks and motion detectors something as simple as a sledgehammer putting a large hole in a backwall is more effective. It’s been done.

In any case the whole landscape of crime has changed. People simply don’t have small high value and resellable items any more. Goods have plummeted in value to earnings compared with the 1970s. Password protected electronics like computers, which are probably the biggest value smallest size goods most people have, don’t protect against tier one adversaries but make easy reselling unprofitable. Gone are the days when you could dine out on a Trinitron television or a Bang and Olufsen hifi. This is one reason why in the UK at least these kinds of crime have dropped.

If you can pick a £1000 lock you may as well steal the lock and leave everything else behind.

JPA August 11, 2020 7:42 PM

@echo
“If you can pick a £1000 lock you may as well steal the lock and leave everything else behind.”

But I think you would have to be one heck of a salesperson to get a good price on it, given that you were able to pick it. 🙂

Weather August 12, 2020 1:31 AM

@all
Raking is a sign the lock isn’t good, and picking tools are just a sliver plus thing, racking is lick bump, echo maybe you ran into someone that knows the subject.

Ismar August 12, 2020 4:08 AM

This is one of those cases of you get what you pay for. Why would we expect to get a highly secure electronic lock for this kind of money and then complain it is not secure enough?

echo August 12, 2020 11:07 AM

@Weather

I’m not sure which topic you’re discussing but from what I’m reading I severely doubt it. So much so it’s not worth a reply.

Clive Robinson August 12, 2020 11:42 AM

@ Petre Peter,

    The smart trend is turning stupid in tech.

Apparently to match the requirements of the average consumer who buys such things…

Once upon a time “Buyer Beware” had some kind of meaning as the cost of goods was proportionally higher with respect to people’s income.

Modern “smarts” appears to be a process of,

    From wallet to waste tip in less time than a guarantee slip is valid.

But hey that’s the whole ethic of consumerism,

1, See glitzy promos.
2, Reach for Credit Card.
3, Eagerly await your delivery drone.
4, Open box/wrapping.
5, Damage goods during assembly.
6, Drop goods in trash.
7, Cover goods in box/wrapping.
8, Put trash out.
9, Feel depressed go to step 1.

Just remember the side order of “Instant Sunshine” to make the 9-1 transition less painful. It only costs ten times what step 2 did… But hey it’s all “On the never never”…

myliit August 12, 2020 2:49 PM

@MarkH

“… process of entry for maintenance of Minuteman ICBM silos. [ Oh ] Not only are they practically impossible to enter without access to the unlocking codes; they also require a good hour to enter even for authorized entry (and that’s when everything goes smoothly).

This enables the Launch Facility equipment to signal that an entry attempt has been initiated, with enough time for Military Police to respond if the attempt was not authorized.”

Humor can be hard, but how about lighting-up and counting-down a LCD display like on the show Spooks or Mi-5. Expressions of WTF, if not classified, might be marketable to Candid Camera. [1]

Examples of DIY security systems. [2] [3]. Or what could possibly go wrong?

[1] https://en.wikipedia.org/wiki/Candid_Camera. OT, but iirc, there was a Clive character (McTaggart, or something like that) on Mi-5 in the U. S..

[2] https://www.theguardian.com/us-news/2019/dec/01/maine-man-booby-trap-home-dies

[3] https://www.washingtonpost.com/local/public-safety/md-man-killed-by-officer-during-raid-had-door-booby-trapped-to-fire-at-anyone-entering-police-say/2020/03/17/d636ebe6-688a-11ea-b313-df458622c2cc_story.html

MarkH August 12, 2020 3:42 PM

@myliit:

I don’t know what the operator interface looks like, for the time-delayed “secondary door”. Maybe it has a minutes-to-go display …

The young airmen I saw working there all seemed to wear serious expressions, though I’m sure they joke among themselves when not on duty.

Anyway, when I’m surrounded by automatic weapons at ready — including a .50 caliber air-cooled machine gun pointed not far over my head — I don’t feel even a bit comical!

However, I did once make a light-hearted remark to a co-worker in a Security Control Center, to which he responded by “putting up his dukes” as though ready to fight, which had me thinking “of all places to do that, NOT HERE.” Luckily, though it’s a very small room, the airman on duty didn’t react.

echo August 13, 2020 5:36 PM

Oooh. Look what I found.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/832633/Approved_Document_B__fire_safety__volume_2_-_2019_edition.pdf

HM Government
The Building Regulations 2010
Building Regulations 2010
APPROVED DOCUMENT B – VOL 2
Fire safety

2006 edition incorporating 2007, 2010 and 2013 amendments

Page 48.

5.8 Electrically powered locks should return to the unlocked position in all of the following situations.

a. If the fire detection and alarm system operates.

b. If there is loss of power or system error.

c. If the security mechanism override is activated.

Security mechanism overrides for electrically powered locks should be a Type A call point as described in BS 7273-4. The call point should be positioned on the side approached by people escaping. If the door provides escape in either direction, a call point should be installed on both sides of the door.

MarkH August 13, 2020 7:48 PM

@echo:

Excellent catch!

I wonder how many of those designing, manufacturing, selling or installing these gadgets thought of that?

Is there some restriction based on the type or use of the building (for example single dwelling vs. apartment block vs. place of public accommodation)?

Clive Robinson August 13, 2020 7:50 PM

@ echo,

    Oooh. Look what I found.

And after forty years of being told to get it right by both the “access control” industry and many fire and safety officers they have still not got it right…

The issue is to do with what are known as “FB” or “Firebrigade” locks. The purpose of these locks is not “security” but access control for administrative or safety reasons. FB locks as I’ve mentioned before are found on the access door to roofs and lift rooms on tower blocks, rubbish chutes, biffer bin and other large refuse bin stores, electrical and telecoms risers and the like. All places where fires may start or fuel –yup rubbish is a fuel– are stored.

The problem is actually those heavy duty anti-vandal / anti-vagrant / anti-druggy doors at the bottoms of tower blocks where access is by typing in a code. When the tower blocks etc were designed such tank proof doors were not in the design specs or even thought necessary. Now however they are and their purpose is “security” not “administration” / “safety”… These thus block off access to all those other doors with “FB” locks that firemen really do need access to.

Thus “security” and “safety” have come into conflict and instead of being guided by those who understand the problem…

echo August 13, 2020 8:55 PM

@Clive

I was once on a state sponsored jolly around state funded development and improvement housing projects in London which the then Tory government wanted to show off. It was an experience seeing things normally seen only on television whether from an architectural point of view or seeing what conditions other people lived in. Some things stood out on the visit. The top flats overlooking Hyde Park were later known to be sold for a song and the burglaries they had of the top floor show property were an inside job. Other details are people adding steel bar doors to protect their front door. This kind of thing has resulted in deaths as fairly recent news reported.

A third item at the time is, if I recall, funding provided to pay for new entry systems and a concierge. This, if I recall, was done away with in Cameron era austerity cuts.

At least one of the properties viewed on the tour either turned into a property developers white elephant or there was something fundamentally wrong with its construction, or both, I forget which.

The ghastly concrete jungle we toured where even delivery vans had grills over the windows was one of those iconic brutalist daydreams city planners fell in love with and a nightmare for residents. I believe it has now been bulldozed.

Now we live in a post Grenfell world and “poor doors” and a financial engineer ex-banker who married into the billionaire class as a Chancellor of the Exchequer and a tax dodging Etonian psycho as PM. Deep sigh…

This is the general handwave against which the security and safety conflicts you mention play out.

Before all the “Docklands” development took off it was predicted by the movie “The Long Good Friday”. Produced by Handmade Films, co-founded by George Harrison of Beatles fame, its end scene is legendarily chilling. Fun fact: Bob Hoskins and the young Pierce Brosnan never met during filming. And, yes, that’s Helen Mirren. It was a time while the Cold War was on going and the IRA still set bombs off and government ministers were still expected to resign for performing below expectations. All very much pre-Snowden, pre-Londonistan, and pre-Brexit.

https://www.youtube.com/watch?v=HdRkhzDmxvY
