KeyWe smart locks did not protect the access key from interception

Security researchers from F-Secure analyzed the KeyWe Smart Lock and revealed a serious vulnerability: using an nRF Sniffer for Bluetooth Low Energy together with Wireshark, it is possible to intercept the control traffic and extract from it the secret key used to open the lock from a smartphone.

The problem is exacerbated by the fact that the locks do not support firmware updates, so the vulnerability will be fixed only in a new batch of devices. Existing users can only get rid of the problem by replacing the lock or by no longer using their smartphone to open the door. KeyWe locks retail for $155 and are typically used on the doors of private homes and retail premises. In addition to the usual key, the lock can also be opened with an electronic key through a mobile application on a smartphone or with an NFC-tag bracelet.

To protect the channel over which commands are sent from the mobile application, the lock uses the AES-128-ECB algorithm, but the encryption key is derived from two predictable values: a common key and an additional computed key, both of which can be easily determined. The first key is generated from Bluetooth connection parameters such as the MAC address, device name and device characteristics.

The algorithm for computing the second key can be recovered by analyzing the mobile application. Since the information needed to generate the keys is known from the outset, the encryption is only nominal: to break the lock it is enough to determine the lock's parameters, intercept a door-opening session and extract the access code from it. A toolkit for analyzing the communication channel with the lock and determining the access keys has been published on GitHub.
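As an added illustration of the key-derivation weakness described above (example code written for this page, not F-Secure's toolkit or KeyWe's firmware; the derivation functions, the MAC address, device name and command bytes are hypothetical stand-ins), the following Go program contrasts a key derived only from parameters broadcast in the clear with one bound to a pairing secret provisioned out of band:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
)

// Constructed sample values standing in for what a BLE sniffer sees in the
// lock's advertising packets; these are not real KeyWe values.
const sampleMAC, sampleName = "00:11:22:33:44:55", "KEYWE-LOCK"

// deriveWeakKey models the flaw described above: the AES-128 key is a
// deterministic function of values broadcast in the clear. The real KeyWe
// derivation is not on the page; this hash is a hypothetical stand-in.
func deriveWeakKey(mac, name string) []byte {
	sum := sha256.Sum256([]byte(mac + "|" + name))
	return sum[:16]
}

// deriveBoundKey is the hardened counterpart: the same public inputs are mixed
// with a pairing secret provisioned out of band, which a listener never sees.
func deriveBoundKey(mac, name string, pairingSecret []byte) []byte {
	sum := sha256.Sum256(append([]byte(mac+"|"+name+"|"), pairingSecret...))
	return sum[:16]
}

// ecb applies raw AES-128 to one 16-byte block. ECB has no IV or chaining,
// so the same key and plaintext always yield the same ciphertext.
func ecb(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// observerRecovers reports whether a listener who knows only the broadcast
// parameters can decrypt the captured block back to the original command.
func observerRecovers(ciphertext, command []byte) bool {
	guess := deriveWeakKey(sampleMAC, sampleName)
	return bytes.Equal(ecb(guess, ciphertext, true), command)
}
```

The audit question this encodes is the one to ask of any BLE device: does the session key depend on anything that is not observable on the air? If not, the cipher adds no confidentiality against a passive sniffer.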

Source: opennet.ru
