Security Privacy Technology

Security Flaws In a Popular Smart Home Hub Let Hackers Unlock Front Doors (techcrunch.com)

In new research published Tuesday, security researchers Chase Dardaman and Jason Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock. TechCrunch reports: Dardaman and Wheeler began looking into the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, some months ago, but only released their findings once the flaws had been fixed. The researchers found they could extract the hub's private SSH key for "root" -- the user account with the highest level of access -- from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler. They later discovered that the private SSH key was hardcoded in every hub sold to customers -- putting at risk every home with the same hub installed.

Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a "pass-the-hash" authentication system, which doesn't require knowing the user's plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner. All an attacker had to do was send a command to tell the lock to open or close. With just a few lines of code, the researchers built a script that locked and unlocked a smart lock connected to a vulnerable smart hub.
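The "pass-the-hash" weakness described in the summary, shown beside a hardened design, as an added example that is not code from the researchers, TechCrunch or Zipato. The account, the class names and the use of unsalted SHA-256 for the weak scheme are assumptions (the summary does not say how the hub scrambles passwords), and the hardened server assumes the password reaches it over an encrypted channel.

```python
import hashlib
import hmac
import os

# Constructed sample account, used only for this illustration.
USER = "homeowner"
PASSWORD = "correct horse battery staple"


def client_digest(password: str) -> str:
    # Assumption: unsalted SHA-256 stands in for the hub's unspecified scheme.
    return hashlib.sha256(password.encode()).hexdigest()


class PassTheHashServer:
    """Weak design: the value stored on the device is the login token itself."""

    def __init__(self):
        self.db = {}

    def enroll(self, user: str, password: str) -> None:
        self.db[user] = client_digest(password)

    def login(self, user: str, token: str) -> bool:
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, token)


class ServerSideKdf:
    """Hardened design: the server derives the verifier from what it receives,
    so a copy of the stored verifier is not accepted as a credential."""

    ROUNDS = 200_000

    def __init__(self):
        self.db = {}

    def _derive(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ROUNDS)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(password, salt))

    def login(self, user: str, submitted: str) -> bool:
        if user not in self.db:
            return False
        salt, verifier = self.db[user]
        return hmac.compare_digest(verifier, self._derive(submitted, salt))


def stored_value_is_credential(server) -> bool:
    """True if the bytes read back from storage are accepted at login."""
    server.enroll(USER, PASSWORD)
    record = server.db[USER]
    leaked = record if isinstance(record, str) else record[1].hex()
    return server.login(USER, leaked)


if __name__ == "__main__":
    print("pass-the-hash:", stored_value_is_credential(PassTheHashServer()))
    print("server-side KDF:", stored_value_is_credential(ServerSideKdf()))
```

In the first design a leaked password file is equivalent to a leaked password list; in the second, the stored verifier still has to be cracked before it is of any use at the login prompt.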

  • by Kohath ( 38547 ) on Tuesday July 02, 2019 @10:35PM (#58864622)

    Residential door locks only provide a very basic level of security. Someone wants to get into your home, there are probably several ways they can get in. Hacking the lock over the WiFi isn't high on the list of vulnerabilities.

    • by timeOday ( 582209 ) on Tuesday July 02, 2019 @11:04PM (#58864734)
      When my house was burglarized they just kicked in the front door which broke out the door frame.

      Meanwhile the back door wasn't even locked.

      • by Kohath ( 38547 )

        When my house was burglarized they just kicked in the front door which broke out the door frame.

        Meanwhile the back door wasn't even locked.

        The responses here are interesting. People would rather make up stories about outwitting criminal mastermind hackers than pay attention to the guy who experienced an actual burglary.

      • by dissy ( 172727 )

        When my house was burglarized they just kicked in the front door which broke out the door frame.
        Meanwhile the back door wasn't even locked.

        My homeowner insurance wouldn't open a claim for me without a police report being on file.
        The police that came out implied they are writing the report because the broken window was a sign of a break in.

        I presume a burglar opening an unlocked door would not be considered a break in by the police, so no police report, and no insurance claim.

        Did you go through any of that process? If so, did you mention at all the backdoor being unlocked?
        I was curious if you got different results than I did.

        Ultimately though,

    • It will be high on the list if these reach any level of prevalence. Many targets worth hitting have alarm systems that go off if you break a window, or take a battering ram to the door. When the system indicates "User unlocked the door" and it opens - Maybe that won't trigger the alarm system. Depending on how they integrate. Current track record is "badly".
      • by AmiMoJo ( 196126 )

        Could be even worse if these delivery services that have access to your house ever take off. Wasn't Amazon trialling one recently?

        Suddenly random strangers entering your home while you are known to be at work doesn't look suspicious. Especially if they are wearing a brown shirt and cargo shorts.

    • Someone wants to get into your home, there are probably several ways they can get in. Hacking the lock over the WiFi isn't high on the list of vulnerabilities.

      Thing is, those other ways 1) make it blatantly obvious that someone who doesn't belong there is breaking into a house rather than the owner simply entering it, and 2) don't automagically disable the alarm as unlocking the front door in any self-respecting "smart home" would do.

      This sort of tactic can turn what would have been a higher-risk grab and go into a lower-risk, leisurely survey of all the good stuff in your house.

      • by Kohath ( 38547 )

        This sort of tactic can turn what would have been a higher-risk grab and go into a lower-risk, leisurely survey of all the good stuff in your house.

        Houses don't have "good stuff" in them, in general. High-tech burglars (or, for that matter, sober burglars who aren't stupid) are almost entirely imaginary. The thing you're worried about makes sense in a story, not in real life.

        • I'd consider laptops and tablets to be "good stuff". Especially to the type of people who break into most houses. They don't have to be sober or non-stupid.

        • Houses don't have "good stuff" in them, in general.

          We must inhabit somewhat different universes. In mine, there's probably a decent intersection between the people with enough disposable income to blow on a bunch of "smart home" tech and the people with enough disposable income to collect jewelry/art/coins/guns/etc.

          • by tlhIngan ( 30335 )

            Houses don't have "good stuff" in them, in general.

            We must inhabit somewhat different universes. In mine, there's probably a decent intersection between the people with enough disposable income to blow on a bunch of "smart home" tech and the people with enough disposable income to collect jewelry/art/coins/guns/etc.

            Why are people forgetting the most obvious? Information is for stealing as well.

            Passports, credit cards, documents containing personal information is extremely valuable.

            A big screen TV is useless

      • Someone wants to get into your home, there are probably several ways they can get in. Hacking the lock over the WiFi isn't high on the list of vulnerabilities.

        Thing is, those other ways 1) make it blatantly obvious that someone who doesn't belong there is breaking into a house rather than the owner simply entering it, and 2) don't automagically disable the alarm as unlocking the front door in any self-respecting "smart home" would do.

        This sort of tactic can turn what would have been a higher-risk grab and go into a lower-risk, leisurely survey of all the good stuff in your house.

        I suspect you do not have a smart lock on your home. I do. I have a pretty complete SmartThings setup for everything. And one of the features is that it not only allows everything to be automated, but it records everything that happens.

        I will know when the door was opened. I will know what code was used to do so. I'll also know which door, and thus will know which camera to check (and what time stamp to look at) to check the recorded video of the intruder. I'll have motion and inner door sensors tell

        • If anything, I'll have a better record of what happened, who did it, and when - than just someone kicking in the door of a standard lock, in a house that is not smart.

          All well and good, but isn't the more relevant comparison the exploit of a smart lock vs. more forceful modes of entry for a given house? From what you've said, it seems to me the latter would result in an alarm/local siren/security service notification/etc., while the former would simply give you a chirp on your phone if you happened to have it with you and be paying attention to it at the time (and that assumes the same sort of compromise couldn't also be used to disable remote notifications). Beyond al

          • Having a smart lock does NOT preclude having an alarm system as well; my smart system also acts as an alarm system, if I so choose to do it. At my office, we also have a smart system with motion sensing cameras. They are automatically active after 8 PM, and if they are tripped - then 3 people receive text and e-mail notices, and if someone does not remotely disarm it within 3 minutes, the police are notified as well. It works very well.
            • Having a smart lock does NOT preclude having an alarm system as well; my smart system also acts as an alarm system, if I so choose to do it.

              If your alarm system requires separate disarming rather than being disarmed automatically out of convenience by the smart lock, then it's outside the hypothetical of my original post and our last couple of exchanges have been unnecessary. But your "if I so choose" makes me think it currently doesn't.

  • Well yeah (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 02, 2019 @11:14PM (#58864760)

    Connecting your front door to the internet is an inherently flawed idea, regardless of the implementation. Stop doing that.

    • No! Don't stop! Buy more! Everyone should have one, everyone but me, that is.

      If your neighbor has an internet of trash door, why would the burglar bother to kick down your door if he can simply unlock his? It's not like he cares whether he robs you or your neighbor.

    • by Kohath ( 38547 )

      Is it? I get keys I can share with anyone. I can revoke their keys from my phone. I can check to see whether I locked the door, and I can unlock it remotely. I can have it automatically unlock when I arrive home. The benefit is real.

      The only downside is that (fictional) criminal mastermind hackers will break in and steal my (fictional) Picasso. The drawbacks are imaginary.

  • No! Really?
  • by mrwireless ( 1056688 ) on Wednesday July 03, 2019 @01:44AM (#58865284)

    I'm part of a team that's working on a privacy-first smart home system (yes, we're in the EU). It's been a real challenge, but one of the starting points is that you don't have to connect it to the internet. A side effect of which is that it becomes air gapped, and rather secure.

    It has a smart lock, and you can open the door when away from home. But instead of using HTTP it uses good old SMS. You can set which phone numbers are allowed to trigger the lock, and of course you also set a password.

    I'd actually be curious to hear opinions from Slashdotters on whether this is a good idea.

    A sneak preview: https://www.createcandle.com/ [createcandle.com]

    • Re:Go cloudless (Score:5, Informative)

      by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Wednesday July 03, 2019 @02:31AM (#58865424) Homepage

      SMS is easily spoofed... Attacks are just as possible over SMS.

      Running over the internet is not a problem in itself, having a device with severe security flaws connected to the internet is.

      Also connecting to a third party service is a risk to privacy and a risk that the service will be shut down. A device that is directly connected to by the user's device without any third party interference is better but is impractical on an IPv4 network due to the shortage of addresses and prevalence of NAT.

      There are also many door access devices where the entire unit sits outside, including the bit that makes the access decision. The simplest attack is to buy an identical device and swap them, thus gaining entry. Really you want only a dumb reader to sit outside, and all the logic to sit inside of the protected area so it's inaccessible unless you've already got past the lock.

      The answer is open sourcing the devices themselves, so security flaws can be fixed once the original manufacturer has lost interest, and providing a setup which includes a VPN that the user connects to etc.

    • Sometimes the simple things are best - just use a key with a deadlock. There is ZERO *good* reason for ANY home lock to be electronic and the only reason people buy them is the geek factor.

      Sure, some will say it's to let people in remotely - well if you're stupid enough to let a stranger into your house when you're not in then I guess this sort of product is just for you.

      • by ratbag ( 65209 )

        Either good or bad reason, depending on whether you think they are destroying neighbourhoods, but AirBnB and their friends are the stock answer to "why an electronic lock?".

        Used properly (and ceteris paribus), a smart lock increases the security for you and successive customers, since you change the entry code between every booking. No physical keys that can be cloned or forgotten. No need to let new clients in when they turn up at 2am.

      • by Ksevio ( 865461 )
        Sure there are. I made one hooked up to an RFID reader. Much easier to swipe a tag than fiddle around with keys.

        I also can remotely lock the door so I know when I go to bed I can just press a button to turn off all the lights and secure the house.

        The remote access has been helpful. A couple times my wife's forgotten her keys and I've been able to VPN in and unlock the door for her.

        I don't know why you jumped to letting a stranger in - the other uses for remotely unlocking would be if a friend wanted
        • by Viol8 ( 599362 )

          "Sure there are. I made one hooked up to an RFID reader. Much easier to swipe a tag than fiddle around with keys."

          Oh please. Are you seriously giving that as a good reason?

          "I also can remotely lock the door so I know when I go to bed I can just press a button to turn off all the lights and secure the house"

          I'm guessing you don't go to a gym, cycle or walk much if at all.

          "would be if a friend wanted to stay over or something and got there when I wasn't around. "

          Do you run a boarding house or something?

      • I travel a lot for work. It's nice to have codes for the contractor who is redoing my kitchen. Or the pet lady who comes by once a day to feed the cats. I can issue them each a unique code, and enable it for certain days and times only - and I have a record of when they came and went. And the lock automatically locks after a preset amount of time - so if they forget to lock when they leave, the system still solves the issue. Yes, I could do keys - but what if the key is lost? What if they forget to lo
        • by Viol8 ( 599362 )

          " What if they forget to lock the door?"

          What if they leave the door propped open like a lot of contractors do. Still, like I said, if you're dumb enough to allow strangers into your house when you're out then this is the perfect sucker buy for you.

          • Yeah, who wants those untrusted people in your house! I will watch them like a hawk, but it's OK that they're going to reroute gas lines, pull new electrical, and change load-bearing structure. I'll trust that... They may walk out with a candlestick though - and we can't have that!

            Seriously, does it hurt to live life so paranoid over non-issues?

            • by Viol8 ( 599362 )

              "Seriously, does it hurt to live life so paranoid over non-issues?"

              Don't say you weren't warned when things here and there go missing while you're having work done. But if you trust guys who aren't earning much to leave all your stuff alone while you're not in and you can't prove they took something if it vanishes then you go for it. I'm sure the thrill of having an internet enabled lock more than makes up for it.

              • If I didn't trust them to enter my house in the first place - why would I hire them? I guess I could give them a key to come in and do work, how is that different? Again - you're making no sense. If someone has to come into your house anyway - why does the access method matter?
    • by antdude ( 79039 )

      SMS isn't secured. :(

    • I love the concept, but as has been mentioned SMS is a pretty crappy communication medium. My thinking is that there should be three modes, from most-secure to least-secure.

      1) LAN / WiFi / Bluetooth-range control. This can be extended via VPN for those geeky enough, although user-friendly private VPNs are becoming more of a thing.

      2) P2P encryption-based comms via a cloud-based relay server. Standard PKI libraries should allow for reasonably-secure communication.

      3) Extend control via Apple HomeKit. I wouldn'

    • by DrYak ( 748999 )

      As others have pointed out, SMS can be spoofed and isn't well encrypted (an attacker could manage to sniff the password).

      Instead of a *plain password*, you would need an OTP (think Google Auth 2-factors).

      An attacker would also need to know the secret stored on OTP generator (never sent over SMS, so non sniffable).

      Also just to be sure:
      the radio is only used for the setup?

      Is it possible to remove it and only have the device work locally, without needing to use the web interface shown in the screen shots?

  • by Anonymous Coward

    Pen Test Partners has blogged about a different model of smart lock.

    The Ultraloq smart lock can be opened in less than a couple of hours by trying PIN numbers over bluetooth until the correct six digit pin is found.

    The manufacturer has not fixed that, despite being notified three months ago.

    The manufacturer provided an API with no authentication that allowed control of the locks, if you can figure out that your target is userid 1234 or whatever.
    The API has now been fixed, they claim.

    This lock can be easily

  • Since hackers have now apparently asserted control over our front doors, and we know the governments of the US, China and Russia gained control over our back doors quite a while ago, and even the most egregious security breaches by corporations and financial institutions incur so few consequences even the term "slap on the wrist" seems excessive, it seems we'll have to restrict old fashioned burglars to Windows when they want access to our valuables.

    I doubt we'll have long to wait before we're advised to dr

  • Murder, there's $ in that though.
  • Raise your hand if you're surprised...

    I said, "raise your hand if you're surprised."

    Hmmm, no one? Alrighty then.

    The IoT (Internet of Trash) apocalypse is upon us. Just assume that every IoT device is easily compromised and you'll sleep better.

  • You'd have to be insane to hook your home security/locks into the internet. SMH!
  • Popular? Maybe in Croatia... Zero reviews on Amazon here in the US. I think the definition of popular has changed...
  • Home automation - all outside doors are computer controlled.

    Dave says - Alexa unlock the front door.
    Alexa - I'm sorry Dave, I can't do that.

    Could be worse. Police insist that everyone have one of these locks on their doors. After all, you have nothing to hide do you? Think of the Children! They don't need to break down the door or even get a warrant. Just get home automation to unlock the door for them.
