A MAC address is all it takes to open a smart lock

According to researchers, an attacker can open a smart lock sold by major US retailers with nothing more than a MAC address.

Over time, smart locks have come into use as a modern IoT alternative to traditional locks as a means of securing properties.

Property managers have been using them to grant property access to Airbnb customers, as handing over physical keys can sometimes be a challenge.

However, in return for the extra convenience, a smart lock introduces a number of security issues.

For example, several years ago, LockState customers were locked out of their own homes due to a faulty firmware update.

Not only do the rightful owners stand to lose access to their property when securing it with a smart lock, but also the criminals are now using network sniffers rather than lockpicks.

Tripwire researchers have identified a U-Tec UltraLoq misconfiguration error that leaked data through which attackers were able to steal unlock tokens with nothing more than a MAC address.

The UltraLoq is marketed as a keyless entry solution that allows access via Bluetooth.

It allows temporary access codes to be generated that friends can use to access a property.

Tripwire researcher Craig Young said that a MAC address can be leaked through MQTT, a publish-subscribe protocol in IoT devices that’s used to exchange data between nodes.

MQTT contains the following:

  • Local MAC addresses
  • Email addresses
  • Public IP addresses suitable for geolocation

An anonymous attacker would therefore be able to gather sensitive data about their victim.

Young reached out to U-Tec with his findings in November 2019.

After initially denying that anything was wrong, the firm proceeded to make a couple of changes, including:

  • Closing an open port
  • Adding subscribing rules
  • Turning off access to non-authenticated users

Ultimately, however, this failed to address the problem.