Firstly - the common key is created based on the device Bluetooth MAC address, which is available globally, making it trivial to decrypt the first stage of the negotiation. Secondly, the key generation process can be retrieved from the mobile application. It should be noted that the application utilises obfuscation and root detection to protect users from threats targeting their devices. The whole solution, however, can be targeted by a determined attacker that can - and will - overcome such protections regardless of their number and/or quality.

Although the door/key generation is based on a custom algorithm, it can be retrieved - i.e. from the Android library - and reverse engineered at a relatively low cost. Thus, as long as the malicious attacker is in the effective range of around 15 meters, the traffic can be intercepted and decrypted similarly to the description provided above. Traffic interception can be performed at a relatively low cost as well, as - for example - the nRF51822 chip, which is able to sniff BLE communication, can be bought for around $5. Once the EKEY value is retrieved, the attacker can perform any action a legitimate user is able to. This is possible as long as the original application is registered to the device. Moreover, the EKEY value is saved online, so changing the mobile device is insufficient to overcome such an attack. In the unlikely scenario of the device not being registered at all (utilising only the mechanical lock), a malicious actor is able to hijack the lock and operate it without any additional interaction. As the mechanical part is dependent on the servomechanisms steering the locking mechanism, this results in a full compromise as well.

A technical blog post detailing this vulnerability and other features of the lock has been published here.
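To make the first point concrete, the following is an added illustration (not code from the advisory or from the lock vendor): a toy model of a common key derived only from the advertised MAC, next to one bound to a secret shared only at registration. The derivation functions, the SHA-256 counter stream cipher, the MAC and the enrolment secret are constructed stand-ins, since the lock's real algorithm is not reproduced here.

```python
import hashlib
import hmac

# Constructed sample values: a BLE address as it would appear in the lock's
# advertisements, and a secret that only the lock and the registered app hold.
ADVERTISED_MAC = "C4:5B:BE:00:11:22"
ENROLMENT_SECRET = bytes.fromhex("7a1d0c3e9f5b2a4d6c8e0f1a2b3c4d5e")


def weak_common_key(mac: str) -> bytes:
    """Hypothetical MAC-derived 'common key' (the real custom algorithm is not
    reproduced); any deterministic function of a public MAC shares the flaw."""
    return hashlib.sha256(bytes.fromhex(mac.replace(":", ""))).digest()[:16]


def hardened_common_key(mac: str, enrolment_secret: bytes) -> bytes:
    """Key bound to a secret exchanged only at registration; MAC is mere context."""
    return hmac.new(enrolment_secret, b"common-key|" + mac.encode(), hashlib.sha256).digest()[:16]


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the lock's undisclosed first-stage cipher: a SHA-256 counter
    keystream XORed over the data. The same call encrypts and decrypts."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_first_stage(key: bytes, nonce: bytes, challenge: bytes) -> bytes:
    """The lock's first negotiation message: a challenge encrypted under the common key."""
    return toy_stream_xor(key, nonce, challenge)


def passive_observer(advertised_mac: str, nonce: bytes, ciphertext: bytes) -> bytes:
    """A sniffer sees only what is broadcast (MAC, nonce, ciphertext) and
    re-derives the key exactly the way the app does."""
    return toy_stream_xor(weak_common_key(advertised_mac), nonce, ciphertext)


def observer_recovers_challenge(use_hardened: bool) -> bool:
    """True if a passive observer decrypts the first stage correctly."""
    nonce = bytes(range(12))                      # constructed, fixed for reproducibility
    challenge = b"unlock-challenge"               # constructed 16-byte challenge
    key = (hardened_common_key(ADVERTISED_MAC, ENROLMENT_SECRET)
           if use_hardened else weak_common_key(ADVERTISED_MAC))
    ciphertext = lock_first_stage(key, nonce, challenge)
    return passive_observer(ADVERTISED_MAC, nonce, ciphertext) == challenge
```

With the MAC-only derivation the observer's key equals the lock's, so the first stage decrypts; with a registration-time secret in the derivation the same observer learns nothing from the MAC.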