According to researchers, an attacker can open a smart lock sold by major US retailers with nothing more than a MAC address.
Over time, smart locks have come into use as a modern IoT alternative to traditional locks as a means of securing properties.
Property managers have been using them to grant property access to Airbnb customers, as handing over physical keys can sometimes be a challenge.
However, in return for the extra convenience, a smart lock introduces a number of security issues.
For example, several years ago, LockState customers were locked out of their own homes due to a faulty firmware update.
Not only do the rightful owners stand to lose access to their property when securing it with a smart lock, but also the criminals are now using network sniffers rather than lockpicks.
Tripwire researchers have identified a U-Tec UltraLoq misconfiguration error that leaked data through which attackers were able to steal unlock tokens with nothing more than a MAC address.
The UltraLoq is marketed as a keyless entry solution that allows access via Bluetooth.
It allows temporary access codes to be generated that friends can use to access a property.
Tripwire researcher Craig Young said that a MAC address can be leaked through MQTT, a publish-subscribe protocol in IoT devices that’s used to exchange data between nodes.
MQTT contains the following:
- Local MAC addresses
- Email addresses
- Public IP addresses suitable for geolocation
An anonymous attacker would therefore be able to gather sensitive data about their victim.
Young reached out to U-Tec with his findings in November 2019.
After initially denying that anything was wrong, the firm proceeded to make a couple of changes, including:
- Closing an open port
- Adding subscribing rules
- Turning off access to non-authenticated users
Ultimately, however, this failed to address the problem.