UPDATE
Researchers have uncovered vulnerabilities in a popular smart deadbolt that could allow attackers to remotely unlock doors and break into homes. The manufacturer behind the smart lock, Hickory Hardware, has deployed patches to the affected apps on the Google Play Store and Apple App Store.
The six vulnerabilities exist in the Hickory Smart Bluetooth Enabled Deadbolt, manufactured by Hickory Hardware, which enables users to remotely lock their homes via a mobile app on their Android or iPhone handset. The vulnerabilities are medium severity as some level of access to an already compromised mobile device is required for exploitation – however, once an attacker accesses a victim’s phone, they can easily exploit the flaws to remotely unlock the deadbolt from the mobile app.
“This, in turn, may present a physical risk to the people and property protected by these locks,” said Tod Beardsley with Rapid7 in a Thursday analysis. “As of the initial release of this vulnerability disclosure, the vendor has not acknowledged these vulnerabilities, nor has it offered a software update to address these issues.”
Overall, researchers found six flaws impacting the smart lock, which range from insecure storage in the Android and iOS apps to improper API access control and cleartext credential transmission.
In an email to Threatpost, Dan Kennard with Belwith Products (the parent company of Hickory Hardware) said that patches have now been issued that resolve all of the vulnerabilities.
That said, “Belwith has assessed that none of the identified vulnerabilities pose an immediate security risk to Hickory Smart Lock users,” he said via email. “It is not possible to operate a Hickory Smart Lock by exploiting any of these vulnerabilities due to the employment of end-to-end encryption on all command and control messages routed through the MQTT service, as already identified by the researchers who unearthed these vulnerabilities. In addition, there are further authentication and authorization checks performed by the governing operations platform and the APIs used by the apps, to ensure secure operation. However, the simple existence of these vulnerabilities invites further exploitation and thus, they are being addressed with the utmost of urgency.”
Insecure Deadbolt
Out of the six vulnerabilities discovered, three can be exploited to potentially unlock the smart door lock. Two of the flaws (CVE-2019-5632 and CVE-2019-5633) stem from the smart deadbolt’s complementary mobile app storing unencrypted critical data in a database. The database contained information that could be used to control the lock devices remotely.
CVE-2019-5632 stems from unencrypted critical data being stored in an SQLite database (called SecureRemoteSmartDB.sqlite) in the Android application, while CVE-2019-5633 stems from sensitive unencrypted data being stored in a Cache.db database in the iOS app.
The caveat here is that a malicious actor would need physical access to an unlocked handset to view the app before compromising the sensitive data, Beardsley said.
Researchers found another flaw (CVE-2019-5634) in the Android app: debug logging was enabled on Android devices. Because debug logs are used for troubleshooting and development, the feature is supposed to be disabled when an app goes into live products.
However, researchers found that all communications to the internet API services and direct connections to the lock were being logged in the debug log that existed in the Android device’s default USB or SDcard storage paths – meaning they could be easily accessible by anyone with control over the phone.
“It’s important to note that a user given any level of access to remote control the lock, even on a temporary basis, could use this log data to gain unauthorized access at a later time,” said researchers.
Other Vulnerabilities
Researchers found a slew of other issues in the device, including an improper API access control flaw (which did not have a CVE), the ability of disabled users to retain API access (which was also not assigned a CVE) and cleartext credential transmission (CVE-2019-5635).
The latter stemmed from the Hickory Smart Ethernet Bridge device communicating over the network to an MQTT broker without using encryption, exposing the default usernames and passwords used to authenticate to the MQTT broker.
“While we were able to uncover this username and password to the MQTT service associated with the cloud-hosted infrastructure, it’s unclear what exactly an attacker would be able to do with this password, as all other data appeared to be encrypted or encoded or otherwise obfuscated,” said researchers.
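For defenders checking their own network captures for this class of issue, the following added example (not code from Rapid7, Hickory Hardware or the original article) parses an MQTT CONNECT packet and reports whether it carried credentials over an unencrypted stream. It assumes MQTT 3.1 or 3.1.1 framing, which the article does not specify for the bridge; the function names and the sample bytes are constructed for illustration, and `tls` is supplied by the caller from how the stream was captured.

```python
import struct

def _remaining_length(buf, pos):
    """Decode the fixed header's variable-length 'remaining length'."""
    value = 0
    for shift in (0, 7, 14, 21):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field prefixed by a big-endian 16-bit length."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def audit_connect(payload, tls):
    """Return a finding for an MQTT 3.1/3.1.1 CONNECT packet, else None."""
    if not payload or payload[0] >> 4 != 1:   # packet type 1 = CONNECT
        return None
    _, pos = _remaining_length(payload, 1)
    proto, pos = _field(payload, pos)
    level, flags = payload[pos], payload[pos + 1]
    if proto not in (b"MQTT", b"MQIsdp") or level not in (3, 4):
        raise ValueError("only MQTT 3.1 / 3.1.1 is handled here")
    pos += 4                                  # level, flags, 2-byte keep-alive
    client_id, pos = _field(payload, pos)
    if flags & 0x04:                          # will flag: skip topic and message
        _, pos = _field(payload, pos)
        _, pos = _field(payload, pos)
    user = _field(payload, pos)[0] if flags & 0x80 else None
    has_password = bool(flags & 0x40)         # value is deliberately not read
    return {
        "client_id": client_id.decode("utf-8", "replace"),
        "username": None if user is None else user.decode("utf-8", "replace"),
        "has_password": has_password,
        "cleartext_credentials": not tls and (user is not None or has_password),
    }

# Constructed sample: client "bridge-01", user "demo-user", password "demo-pass".
SAMPLE = (b"\x10\x2b" + b"\x00\x04MQTT\x04\xc2\x00\x3c" + b"\x00\x09bridge-01"
          + b"\x00\x09demo-user" + b"\x00\x09demo-pass")

if __name__ == "__main__":
    print(audit_connect(SAMPLE, tls=False))
```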
Rapid7 disclosed the vulnerabilities to Hickory Hardware on May 16, but when researchers first released the report they said that the manufacturer had neither acknowledged the flaws nor issued a fix for them. Thursday marks the planned public disclosure deadline (more than 60 days past May 16) for revealing the flaws.
“In the absence of vendor-supplied patches, users of these iOS and Android applications and their associated door locks should take care to not share access with people who should not have long-term, permanent access to the protected property,” researchers warned. “Regardless of updates provided by the vendor, mobile devices should be protected with a unique PIN, password, or pattern in order to prevent the accidental disclosure of sensitive passwords and tokens in the event the mobile device is lost.”
It’s not the first issue to plague smart home devices, particularly connected deadbolts. In June researchers warned that a keyless smart door lock made by U-tec, called Ultraloq, could allow attackers to track down where the device is being used and easily pick the lock – either virtually or physically. And last year, smart padlock Tapplock, which was marketed as “unbreakable,” received a critical patch after researchers discovered several security issues enabling them to easily hack into and unlock the device.
This article was updated on August 8 at 8am EST with comments from Hickory Hardware.