Case Study: Hacking Smart Lock Security

Update: This case study was presented at the CanSecWest 2016 conference held in Vancouver, British Columbia, Canada. The presentation is available as a PDF from this link.

 

Exponential growth of smart technology and Bluetooth Smart

With the booming of Internet of Things (IoT), Bluetooth Smart, or Bluetooth v4.0 (aka Low Energy or BLE), has played an increasing role in technology adoption. According to Bluetooth SIG, the global market is expected to reach 1.2 billion Bluetooth Smart devices and 2.7 billion Bluetooth Smart Ready devices by 2020. The power efficiency of BLE is a perfect fit for IoT devices. From Bluetooth.com, “You wake up and go for a run with a heart rate monitor that communicates with your smartwatch, then listen to music through your shower head. You unlock your doors, set the temperature, turn on the lights and control your TV using the smartphone or tablet you already own.” With the development of BLE, we’re now witnessing new product developments such as home security products, ergo the Bluetooth Smart Lock.

 

Bluetooth Smart Lock: another $1 Billion IoT market, and our vulnerability study

Smart locks are no exception to this IoT trend and have become popular with homeowners. Consumer Electronics predicted the smart locks market to grow from a $600 million market worldwide in 2014 to $3.7 billion by 2019. Smart locks can automatically detect your presence via the Bluetooth connection in your smartphone or a Bluetooth key fob and unlock the lock on your front door.

But how secure are the smart locks on the market? We’ve studied several smart locks to understand the potential for intrusion vulnerabilities, including some of the top 5 brands. In this blog, we’ll begin the discussion with the Kwikset Kevo Smart Lock.

 

Kwikset Kevo Smart Lock: how it works

As a leader in the market, the Kwikset Kevo Smart Lock has a state of the art design and user experience. Let’s list a few cool features below.

  • No smartphone? No problem: a smartphone is not required. Since the Bluetooth LE sensor of the Kevo key fob broadcasts constantly, the smart lock detects the presence of the key fob, and enables its “Touch to Open” feature when it is within a short distance to the smart lock. Attach your Kevo key fob to your keychain, it is that nice and easy.
    Kwikset Kevo Smart Lock
    Figure 1. Kwikset Kevo Smart Lock and key fob ( Image from http://www.kwikset.com )

     

  • Direction or position sensing in security design: Kevo has apparently put a lot of effort into security assurance. “Kevo includes patent-pending intelligent positioning technology that detects whether an authorized user is inside or outside of the home before granting access, to help prevent unauthorized entry.”
    Kevo Touch to Open feature
    Figure 2. Kevo Touch to Open feature

     

  • Low energy consumption: low energy consumption is the beauty of BLE devices. A study by beacon software company Aislelabs reported that peripherals, such as proximity beacons, usually function for 1–2 years with a 1,000 mAh coin cell battery. According to the Kwikset Kevo website, “The Kevo lock operates on 4 AA batteries, and the Kevo fob operates on one CR2025 battery. Depending on usage, the batteries should last for a year before they need to be replaced.” The Kevo smart lock is in the ballpark of industry expectation for being energy friendly.

 

Vulnerabilities and attack vectors of the Kevo Smart Lock

Our attack video:

We break down the vulnerabilities and attack vectors into three categories.

  1. Denial of Service (DoS) via communication racing. In this scenario, an attacker/hacker could hijack the Kevo key fob and prevent communication with the Kevo lock, thus preventing the owner from unlocking the door. In our proof of concept (PoC), we achieved the attack scenario using a mobile phone app. The attacking app purposefully connects to the BLE key fob before the key fob communicates to the lock control unit. As a result, the lock stops responding to the Touch to Open event of the deadbolt. After the PoC app disconnects from and releases the key fob, the lock functions as normal. This suggests that it would be easy for a neighbor script kiddie to attack the lock at a low overhead cost.Kwikset has taken significant consideration in security and safety. If the communication racing DoS attack is on the Smart Lock itself, it will only allow the attack to temporarily prevent a door from opening for a few seconds before the lock blacklists the attacking device and disconnects via BLE. However our PoC attack takes a different approach. The attack is via key fob pairing, not a direct communication with the Smart Lock.
  2. Denial of Service (DoS) via battery drain of the key fob. While the BLE standard and implementation generally promises over a year of battery life, our PoC hack shows we can reduce the battery life of the key fob to two weeks or less, resulting in a DoS. During our test, the Kevo key fob discharged its battery at a surprisingly fast speed. A new battery lasted for just about 2 weeks, during which only two days were heavy duty testing.If a hacker applies this technique, she would constantly abuse the communication with the key fob to drain its battery to last only a few days. We admit that it is a stretch to categorize it as DoS since the owner is likely to figure out the key fob has a dead battery and find a convenience store to replace with a new one.
  3. Hijack and Control. By hijacking and further controlling the key fob, the hacker could “break and enter” the victim’s home during any of the following scenarios
    1. anytime the victim is home with the key fob
    2. during a short time window as you are arriving home (short distance)
    3. or anytime if the key fob is in the home when the owner isn’t present

In these hijack and control scenarios, a hacker hijacks the Kevo key fob to force it into a “false safety mode”, or “pseudo sleep mode”. The owner tests the lock to confirm it cannot be unlocked (intruder cannot unlock to break in). However, hacker can wake up the key fob any time to unlock the Kevo lock. In the meantime, we understand that Kevo enforces a good security layer so that the key fob stops sending BLE signal to the lock for activation after 30 seconds without motion. We believe the key fob uses the gyro sensor to detect motion to switch to “sleep mode” after timeout. This makes sense as it not only helps conserve battery life, but also ensures that the smart lock is not operated by touch and open when the owner is sleeping. Despite this security design, we are able to create our PoC to attack the key fob while it is still active, and trick it to enter a mode which we call “pseudo sleep mode”. In this mode, the key fob and the lock behave as if the key fob is in the normal sleep mode. However, we can wake up the key fob using the PoC app from a phone at any time, say, such as 2:00 AM. After activated or in wake mode, with the key fob inside the house, an attacker can Touch to Open the Kevo smart lock.

Ideally, the majority of hijack and control attack scenarios should be prevented based on Kevo’s inside/outside detection sensing design. Even when the lock is controlled by the hacker, as long as the sensor detects the key fob is inside the house, the lock should refuse the intruder’s attempt of Touch to Open from outside the home.

We discovered that hackers could still exploit the above security design. To test this, we installed and calibrated the lock, in the normal operation mode, and we identified that the main inside/outside detection is based on the following detection logic.

1.  The owner (key fob) is positioned outside the door to calibrate the lock. The smart lock calculates the key fob BLE signal as the baseline signal strength.

2.  When the owner opens the lock and enters the home, she places the key fob inside at a distance greater than during calibration of the lock (her posture of attempting to open the door).

3.  If an intruder tries to Touch and Open, it should fail, because the key fob signal strength detected by the smart lock is weaker than the baseline and the key fob will safely go into sleep mode in 30 seconds.

Figure 3. Kevo Smart Lock installed and calibrated for inside and outside proximity detection
Figure 3. Kevo Smart Lock installed and calibrated for inside and outside proximity detection

We tested the intrusion by placing the key fob at a distance range between two and 10 feet during a 30-second time window. We were able to unlock the smart lock!  It was consistent in a short distance test, such as two or three feet, and was less consistent when the distance stretched to nine or ten feet. (Note this is just one of the surrounding environments we tested.  We also tested in other environments, e.g. metal entrance door and signal resistant wall in residential area, where the hackable distance is much smaller, up to two feet only)

Figure 4. Key fob is placed near the door inside the house (approx. two feet distance)
Figure 4. Key fob is placed near the door inside the house (approx. two feet distance)

 

At this point we applied our hijack and control PoC. We were able to extend the exploitation window to as long as we wanted. The takeaway is this: if the key fob is placed close enough to the door, such as a key chain rack or hook near the door, intruders can hijack the key fob, and wake it up any time to unlock the door.

Mitigation and follow-up

We recommend the following mitigation:

  1. Avoid using the key fob.  Kevo provides a mobile app to control the lock, and the app is not exposed to the same vulnerabilities.
  2. Place the key fob far away from the door.
  3. Place it in a metal box or metal plate so that the intruder cannot control it.
  4. Take out the batteries of the key fob when you are home.

NewSky Security researchers are actively working with vendors to address the issues raised. We plan to present more details of the findings in security conferences once the vendors have resolved the vulnerabilities. We’ll continue to cover related vulnerabilities of other smart locks once the associated vendors have reviewed our reports.

NewSky Security LLC.