Full Report
Locks being controlled by computers are great, until you realize that they are subject to security vulnerabilities like everything else. This post goes through hacking a smart lock through various techniques. The system has a single global AES key that is used to communicate with the lock. Although there is client side protections for giving and taking keys, since they have the AES key this doesn't matter. The authors realized that a MitM attack was possible to get an encryption challenge and response by spoofing the locks information, since it will only hold a single connection at a time. By having our device get this open, we can advertise our fake lock only to get a victim app to connect to it. The authentication process uses a challenge to communicate with the lock. This challenge value is only 16 bit integer. By trying to authorize with our encrypted message from the MitM, getting a 1/65536 chance then sending back the challenge response, we will become authenticated! This takes several seconds per attempt, resulting in several days for this to work. When performing the decryption of the AES encrypted data, the code needs to know how many iterations to do. To find this out, it takes the length of the buffer and divides it by 16. However, it doesn't check if they are in groups of 16. So, by sending a non-divisible value of 16, such as 15, the decryption won't occur on those bytes. What does this mean? We can trick the process to process our plaintext data as decrypted. Abusing a different authentication, we can use vulnerability to trick the authentication process. The app has an original version of the protocol. With this, the only encryption is a 1 byte repeating XOR key, such as 0xABAB.... It's possible to downgrade a user with a MitM to force this version of the protocol. Again, amazing. The lock has another device called a gateway. This is used for internet communication. By spoofing a MAC address when talking to a server, it's possible to force a re-registration to reset some parts of the key material. This does require knowing the MAC address, which is difficult to get. There is support for a wireless keypad to connect to the lock. Since the communication key is hardcoded for this initially, all users can send data here now problem. They can now send key presses over a single connection, which speeds up the process drastically. The code uses the strstr function as well, so de Bruijn sequences can be used to make this even more efficient. There is a lockout for failed attempts here though. There is a second Bluetooth service being advertised. This literally allows for updating the firmware without any signature checks. That's game over. Most of the time, debug ports are good for reverse engineering. In this case, the debug port is on the part of the board that is on the onside of the lock. So, if an attacker drilled a small hole in the lock, they could communicate with the debug port. With debug access, we would have complete control over the lock. There are many, many classic cryptography issues within this. Downgrade attacks, brute forcing... many awesome things! This also shows that cryptography isn't always crazy complicated; just understanding some basics is helpful for exploitation.
Analysis Summary
# Vulnerability: Multiple Cryptographic and Architectural Flaws in Kontrol Lux Smart Lock
## CVE Details
- **CVE ID**: Not specified (Research disclosure)
- **CVSS Score**: 9.8 (Critical) - *Estimated based on unauthenticated OTA and complete takeover*
- **CWE**:
- CWE-311: Missing Encryption of Sensitive Data
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-437: Incomplete Authorization
- CWE-494: Download of Code Without Integrity Check
## Affected Systems
- **Products**: Kontrol Lux Smart Lock (and potentially other locks using the same Telink TLSR8251 firmware base)
- **Versions**: All versions prior to the research disclosure
- **Configurations**: Default configurations using the global AES key and the auxiliary BLE firmware update service.
## Vulnerability Description
The system suffers from several critical security flaws:
1. **Global AES Key**: Uses a single hardcoded AES key across all devices, rendering client-side protections moot.
2. **Encryption Bypass via Buffer Manipulation**: The decryption function determines the block count by dividing the buffer length by 16. If a non-divisible value (e.g., 15 bytes) is sent, the block count becomes 0, causing the code to skip decryption and process ciphertext as plaintext.
3. **16-bit Challenge Brute Force**: The authentication challenge is only 2 bytes (16-bit), allowing a 1/65,536 success rate through Man-in-the-Middle (MitM) replay.
4. **Protocol Downgrade**: Attackers can force the app to use an older protocol version that relies on a simple 1-byte repeating XOR key.
5. **Unauthenticated OTA Updates**: A hidden secondary BLE service allows firmware flashing without any signature verification or administrative authentication.
6. **Physical Debug Port Exposure**: The main MCU (handling logic and security) is located on the external-facing side of the door, with a debug pad accessible by drilling a small hole through the plastic keypad housing.
## Exploitation
- **Status**: PoC demonstrated by researchers.
- **Complexity**: Low to Medium (depending on the specific vector).
- **Attack Vector**: Adjacent (BLE/MitM) and Physical (Debug port).
## Impact
- **Confidentiality**: **High** (Access to all communication and key material).
- **Integrity**: **High** (Ability to flash malicious firmware or manipulate lock state).
- **Availability**: **High** (Ability to permanently lock/unlock the device or brick it via OTA).
## Remediation
### Patches
- No specific publicly available CVE patch was cited in the text; users should contact the vendor for firmware updates that disable the unauthenticated OTA service and the secondary Bluetooth service.
### Workarounds
- **Disable BLE**: If possible, restrict use to physical keys.
- **Physical Shielding**: Applying a metal plate behind the keypad may prevent the "drill-and-debug" attack.
- **Gateway Security**: Ensure the Wi-Fi gateway is on a secure, isolated network to prevent MAC spoofing/re-registration attacks.
## Detection
- **Indicators of Compromise**:
- Unexplained "alarm" sounds (indicating failed PIN brute-force attempts).
- Presence of a second, unauthorized BLE device advertising near the lock.
- Disconnection of the legitimate app due to the lock's single-connection limitation.
- **Detection Methods**: Specialized BLE scanning tools (like NRF Connect) can monitor for unauthorized firmware update service UUIDs.
## References
- Aleph Security: hxxps://alephsecurity[.]com/2024/02/20/kontrol-lux-lock-1/
- Aleph Security: hxxps://alephsecurity[.]com/2024/03/10/kontrol-lux-lock-2/