
How to attack and unlock the Tapplock smart padlock over Bluetooth in two seconds

2025-04-11 Update From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)05/31 Report--

In this issue, the editor presents how the Tapplock smart padlock can be attacked and unlocked over Bluetooth in under two seconds. The article is detailed and analyzes the problem from a professional point of view; I hope you get something out of it.

A few weeks ago, a YouTuber called JerryRigEverything uploaded a video of taking apart the Tapplock smart Bluetooth fingerprint padlock. The video shows that the Tapplock back cover can be pulled off with a GoPro camera adhesive mount glued to it, after which the lock can be opened easily with a screwdriver.

Oddly enough, this video made me curious about the security of the Tapplock smart padlock. How secure is a padlock that unlocks by fingerprint, Bluetooth and Morse code? So I did some research on Tapplock, and in the end I managed to unlock a Tapplock in 2 seconds.

[Demo video]

Hardware composition

The Tapplock smart padlock is made of hardened steel and die-cast Zamak-3 zinc alloy. Zamak-3 is commonly used in die-cast products such as children's toys, door handles and men's razors. Strictly speaking, this material has low strength and melts and deforms below 400℃, so it is not a good choice for a strong lock body. Zamak-3 makes it easy to produce fine castings that look exquisite and feel solid, but the result only looks secure.

Encryption mechanism

The Tapplock smart padlock uses the AES 128-bit encryption algorithm, and the encryption strength is very high.

This strength is equivalent to military grade, but for an IoT hacker a symmetric cipher on its own still leaves gaps: the Tapplock security description here says nothing about key pairing, exchange and sharing, or even basic identity authentication. So, in application scenarios like this one, AES-128 encryption by itself is not enough.

There has also been plenty of controversy about the security of the Tapplock padlock, for example the piece "the unbreakable Tapplock is not so safe and reliable" here. That article lists a large number of security tests of the Tapplock hardware and software, and concludes that Tapplock is not that secure.

Tapplock officially claims that its padlock is "very strong", but next to an Abloy Protec lock it is probably no comparison. Tapplock also claimed that its padlock was "almost unbreakable", yet it was eventually taken apart with a 4-inch bolt cutter. It all looks like boastful marketing.

Safety testing

These security tests also aroused my curiosity, so I bought a Tapplock smart padlock for actual testing at a price of 80 euros, and 14 hours later it arrived at my home. First, following JerryRigEverything's method, I glued a GoPro camera adhesive mount to the Tapplock back cover.

After 30 minutes of curing I pulled hard on the adhesive mount, but unfortunately the Tapplock back cover would not come off. It turns out that inside the back cover there is a spring tip that extends into the neck of the cover, specifically designed to stop the cover from loosening or turning. The spring tip might be breakable, but not by pulling on a camera adhesive mount. JerryRigEverything's Tapplock test lock does not have this protruding spring tip, whereas the Tapplock we bought does, so however hard we pulled on the adhesive mount, we failed to open the Tapplock back cover with the JerryRigEverything method.

Using Bluetooth Low Energy (BLE) to control Tapplock

Next we turned to Bluetooth Low Energy (BLE) testing, and here, surprisingly, we found something incredible. Generally I like reading time-consuming and creative IoT cracking articles, but let's not go around in circles and get straight to the point: in less than 45 minutes we had the Tapplock unlocked.

First of all, we found that the HTTP communication of the Tapplock mobile app has no transport encryption at all. This is 2018, not ancient times, which is completely surprising.

As you can see from the network analysis above, every time I connect to the Tapplock over BLE a "random" string is sent to the Tapplock, which appears to be a command for communicating with it.

It is also worth noting that no matter how many connection requests I make to the Tapplock, this string data stays the same. As the command-line run of the Bluetooth utility gatttool below shows, Tapplock is therefore vulnerable to replay attacks.

The Tapplock phone app lets users share a Tapplock padlock with others, and revoke that usage right within a certain period. So I shared the test lock with another user and captured the BLE communication data in the process. I found that sharing a Tapplock between users works exactly the same way as a single normal user's control of the lock: even if you revoke another shared user's unlocking rights, that user can still obtain all the unlocking authentication information by capturing the communication data. With this information the Tapplock can be unlocked just as if by the single controlling user. This is a bit like the problem with the Ring Smart Doorbell, where it is impossible to revoke another user who holds high unlock privileges.

No factory reset

The Tapplock smart padlock has no proper factory reset mechanism: a user account can only delete its corresponding padlock information, not the corresponding unlock data. The retained unlock data is sent to the server, or from the server to the Tapplock, so an attacker in a suitable position on the network can intercept the unlock data and use it to unlock the Tapplock indirectly.

This is no small problem. Nonsense aside, the point is being able to open the lock, and now we need to analyze how the "random" data can unlock it.

Complete control

After a few minutes of research and analysis, I found the method responsible for pairing during the Tapplock padlock's unlocking process (decompiled from the Android app; the decompiler's variable names and reuse of variables are kept, only the broken parentheses are repaired):

    public void regularPair(String str, byte[] bArr, byte[] bArr2) {
        // Build the fixed pairing command from the two byte arrays and send it to the lock
        bArr = getCMD(CMD_PAIRING_REGULAR, bArr, bArr2);
        send(str, bArr);
        str = TAG;
        StringBuilder sb = new StringBuilder();
        sb.append("Regular pair called, send ");
        sb.append(BluetoothTool.byteToStr(bArr));
        Log.e(str, sb.toString());
    }

In this method, a fixed command CMD_PAIRING_REGULAR built from two byte arrays is sent to the Tapplock padlock. The two byte arrays are read from the following information:

    this.bluetoothCenterManager.regularPair(
        lockMacAddress,
        BluetoothTool.strToBytes(lockInfo.getKey1()),
        BluetoothTool.strToBytes(lockInfo.getSerialNo()));

The meaningful values are Key1 and SerialNo. Where do they come from? It turns out that at the initial pairing of the lock, both values are derived from the Bluetooth MAC address of the Tapplock padlock by the keyAndSerialNo method. The keyAndSerialNo method is as follows:

    public static String keyAndSerialNo(String str, String str2) {
        // str is the lock's Bluetooth MAC address, str2 selects which slice to return
        str = AndroidTool.md5(str.toUpperCase()).toUpperCase();
        if (str2.equals(KEY_ONE)) {
            str = str.substring(0, 8);
        } else if (str2.equals(KEY_TWO)) {
            str = str.substring(8, 16);
        } else if (str2.equals(SERIAL_NO)) {
            str = str.substring(16, 24);
        }
        return str;
    }

Here it upper-cases the Bluetooth MAC address of the Tapplock padlock and takes its MD5 hash; characters 0 to 7 of the hash are Key1 and characters 16 to 23 are the SerialNo serial number.

Yes, the only thing you need to know to unlock a Tapplock is its Bluetooth MAC address, which the Tapplock itself broadcasts. I was genuinely shocked by how poor the security is, so I ordered another Tapplock and confirmed that the padlock and its app were the genuine article.

Finally, I wrote an attack script that scans for a Tapplock padlock and unlocks it. With this script any Tapplock can be unlocked in less than 2 seconds, with no advanced knowledge or skill. Later I will port the script to an Android application to make the whole unlocking operation even easier and faster. Overall, the cost of unlocking a Tapplock padlock is very low. The security of the Tapplock smart padlock is shameful and disrespectful to consumers; I am speechless.
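The two design faults described above, a credential derived from the publicly broadcast MAC address and a static command that is accepted on every connection (hence replayable, and hence impossible to revoke from a shared user), can be shown side by side in a small model. The following Python is an added example, not code from the article or from Tapplock: `weak_key_material` mirrors the decompiled `keyAndSerialNo` logic (assuming `AndroidTool.md5` returns a hex string, which the 24-character offsets imply), `WeakLock` models the observed replayable behaviour, and `HardenedLock` is a hypothetical design with a random per-lock secret, nonce-based challenge-response and secret rotation on revocation. The MAC address is constructed; all class and function names are the example's own.

```python
import hashlib
import hmac
import os

# Constructed sample BLE MAC address for the demonstration (not a real device).
SAMPLE_MAC = "aa:bb:cc:dd:ee:ff"


def weak_key_material(mac: str) -> dict:
    """Mirror of the decompiled keyAndSerialNo() logic.

    Assumption: AndroidTool.md5() returns the digest as a hex string.
    Every input is public (the MAC is in the BLE advertisement), so the
    "credential" is computable by anyone in radio range.
    """
    digest = hashlib.md5(mac.upper().encode("ascii")).hexdigest().upper()
    return {
        "key1": digest[0:8],         # KEY_ONE
        "key2": digest[8:16],        # KEY_TWO
        "serial_no": digest[16:24],  # SERIAL_NO
    }


class WeakLock:
    """Toy model of the observed behaviour: the pairing command carries a
    static value derived from the MAC and is accepted every time, so a
    captured command can simply be sent again."""

    def __init__(self, mac: str):
        km = weak_key_material(mac)
        self._expected = (km["key1"] + km["serial_no"]).encode("ascii")

    def unlock(self, command: bytes) -> bool:
        return hmac.compare_digest(command, self._expected)


def prove_unlock(secret: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge-response: HMAC-SHA256 over the nonce."""
    return hmac.new(secret, b"unlock:" + nonce, hashlib.sha256).digest()


class HardenedLock:
    """Hypothetical design (not Tapplock's) closing all three gaps:
    the secret is random and provisioned at pairing, never derived from a
    public identifier; an unlock answers a fresh nonce, so a captured
    exchange is useless a second time; revocation rotates the secret."""

    def __init__(self):
        self.secret = os.urandom(16)  # per-lock random secret
        self._pending = None          # nonce currently awaiting an answer
        self._used = set()            # nonces already consumed

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        if self._pending is None or nonce != self._pending or nonce in self._used:
            return False
        self._used.add(nonce)
        self._pending = None
        return hmac.compare_digest(prove_unlock(self.secret, nonce), response)

    def revoke_shared_users(self) -> None:
        """Factory-reset style rotation: every previously issued secret dies."""
        self.secret = os.urandom(16)


def replay_succeeds_on_weak_lock() -> bool:
    lock = WeakLock(SAMPLE_MAC)
    km = weak_key_material(SAMPLE_MAC)  # derivable from the broadcast MAC alone
    captured = (km["key1"] + km["serial_no"]).encode("ascii")
    return lock.unlock(captured) and lock.unlock(captured)  # accepted every time


def replay_fails_on_hardened_lock() -> bool:
    lock = HardenedLock()
    owner_secret = lock.secret  # provisioned to the owner's app at pairing
    nonce = lock.challenge()
    response = prove_unlock(owner_secret, nonce)
    first = lock.unlock(nonce, response)     # legitimate unlock
    lock.challenge()                         # lock issues a new nonce
    replayed = lock.unlock(nonce, response)  # captured exchange sent again
    return first and not replayed


def revocation_works_on_hardened_lock() -> bool:
    lock = HardenedLock()
    shared_secret = lock.secret  # credential handed to a shared user
    lock.revoke_shared_users()
    nonce = lock.challenge()
    return not lock.unlock(nonce, prove_unlock(shared_secret, nonce))


if __name__ == "__main__":
    print("weak lock replay accepted:", replay_succeeds_on_weak_lock())
    print("hardened lock replay rejected:", replay_fails_on_hardened_lock())
    print("hardened lock revocation effective:", revocation_works_on_hardened_lock())
```

The point of the model is the check a reviewer of any BLE lock should make: if every value the lock accepts can be computed from something it advertises, or if the same bytes open it twice, neither AES-128 nor any other cipher strength matters.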

Physical security

Tapplock, which claims to be shim-proof, uses the traditional approach of adding a second notch to the shackle to stop an attacker from opening it with a shim. But the Tapplock notch is relatively thin and sits far from the point where the shackle is held.

In addition, with a 12-inch bolt cutter the Tapplock shackle can be cut in less than 10 seconds:

Vulnerability disclosure

For a smart padlock, Tapplock's security goal is actually very clear: to stop an attacker opening the lock. How secure a lock is depends on its threat model; a correct security design slows an attacker down and leaves no exploitable flaw. As a smart padlock of the IoT era, Tapplock's security is worrying, since it can be unlocked in less than 2 seconds. But when I reported this to Tapplock, they replied:

"Thanks for your note. We are well aware of these notes."


So it turns out that Tapplock is aware of these problems, yet not only has it not fixed them, it continues to sell these locks without telling consumers. That completely shocked me.

That is how the Tapplock smart padlock can be attacked and unlocked over Bluetooth in under two seconds. If you have similar doubts, you may want to refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
