Independent vulnerability research plays a crucial role in cybersecurity. Sometimes, companies release products without preliminary security testing, or the security tests conducted before the release fail to identify all vulnerabilities. In either scenario, the result is a vulnerable product that malicious attackers can exploit. Independent research identifies such vulnerabilities and discloses them to vendors for fixing, enhancing the security of these products.
Aleph Research by HCLSoftware excels in vulnerability research, independently analyzing various products with a focus on those requiring advanced research techniques. Their security researchers leverage their expertise to uncover vulnerabilities often missed by standard penetration tests. This type of research not only helps keep the public safe, but also provides HCLSoftware with valuable insights that can be incorporated into the HCL AppScan suite of application security testing tools.
IoT security is a specialty of Aleph Research. For their latest project, they chose the smart lock, an increasingly common device in modern smart homes. Researchers were intrigued by the implications of potential vulnerabilities, which could give an attacker both online and physical access to a home. Aleph Research selected an advanced smart lock developed by the Chinese company Sciener, marketed under various brands globally. The research began by identifying the target's potential attack surfaces, including the smartphone app (TTLock), the BLE communication between the app and the lock, the companion gateway, and the physical security of the lock.
Through extensive analysis involving decompilation of the app, advanced hardware debugging, and reverse engineering of the lock's and gateway's firmware, researchers discovered multiple serious vulnerabilities across all identified surfaces. The findings spanned a wide range of CWE issue types, from combined man-in-the-middle/protocol downgrade attacks to improper encryption handling and unauthorized code execution with top privileges.
These vulnerabilities in IoT devices pose significant risks to the public, who choose these devices for the convenience they offer without being aware of their exposure to potential threats. This gives thieves an advantage, allowing them to unlock the device with a nearby smartphone and making smart homes easier to target than simply looking for locks that are easy to pick.
After documenting all vulnerabilities, Aleph Research disclosed them to the Israeli Cyber Directorate and to CERT organizations that coordinate vulnerability disclosure with vendors. The industry-standard window before publicizing vulnerabilities is usually 90 days after disclosure to the vendor, but due to the critical nature of these issues, Aleph Research waited more than twice as long. Unfortunately, the vendors were non-responsive despite Aleph Research's efforts.
Eventually, in coordination with CERT, they disclosed the vulnerabilities publicly (CVE-2023-7006, CVE-2023-7005, CVE-2023-7003, CVE-2023-6960, CVE-2023-7004, CVE-2023-7007, CVE-2023-7009, and CVE-2023-7017). This disclosure prompted the vendors to begin urgent work on patching the issues, proving that public disclosure can effectively stimulate vendor cooperation.
While some identified vulnerabilities required complex logic and an experienced penetration tester to uncover, others could be detected during development using a SAST tool like HCL AppScan Source. As a result, Aleph Research tools will receive updates and enhancements to their rules to detect similar issues in the future.
Aleph Research by HCLSoftware continues to push the boundaries of vulnerability research, ensuring that even the most advanced products undergo rigorous security analysis. Their recent work on smart locks highlights the critical need for thorough testing and proactive measures to secure IoT devices.
For a more detailed explanation of this research project and similar projects, visit the Aleph Research blog.
Learn more about how our suite of application security testing platforms and tools can enhance your security practices.