Pen Test Partners along with 2 additional researchers, @evstykas and @cybergibbons, recently took a look at the U-tec Ultraloq and found a number of critical vulnerabilities that would allow an unauthorized person to bypass the lock. The first vulnerability they found was that their application API leaks data about the users of the locks, including the physical location of where the lock is. The second vulnerability found in their API is much more interesting though. By simply changing the user ID value during the login process you can impersonate any other user and have full control of their locks. Pairing these 2 vulnerabilities together means you would first be able to find installations of these locks and then unlock them when you get there.
The researchers also spent some time looking at the Bluetooth based proximity unlocking feature. Due to a poor encryption implementation in the app and lock they were able to develop a brute force attack capable of unlocking the lock. This attack would allow someone to open an Ultraloq without requiring knowledge of who the lock belongs to like in the first attack. These 2 attacks alone allow complete bypass of the smart lock, but what if the attacker isn’t very technical? No problem, the lock is also easily picked. By inserting a thin pick into the body of the lock an attacker is able to shim the mechanism and open the lock with ease. The fallback physical lock mechanism was also easily picked by the researchers using only basic lockpicking techniques.
The Ultraloq isn’t the only smart lock smart lock to have showstopping vulnerabilities and probably won’t be the last. Smart home products, especially security related ones have been a popular target for researchers since they first hit the market. If you’re considering a smart lock it is important to research the specific model being considered and stick to trusted manufacturers. Even still there is no guarantee that the lock won’t have a vulnerability found at some point so it is also important to apply firmware updates when they become available from the manufacturer. Ultraloq released a fix for their API last week but have not provided an update for the Bluetooth vulnerability yet.