This popular smart lock could have been easily hacked -- what to do now

UltraLoq smart lock
(Image credit: Amazon)

UPDATED for clarification.

A security researcher warns that a popular smart lock could have been easily opened by anyone as the result of a major flaw.

According to an investigation by security firm Tripwire, a threat actor would have had the ability to access data stored on cloud servers pertaining to any U-Tec UltraLoq, including its Internet Protocol (IP) address and the email address of its primary user -- enough to physically locate the lock and open it.

Serious flaw

“This is enough to identify a specific person along with their household address,” Tripwire security researcher Craig Young in a blog posting yesterday (Aug. 5).

He went on to say that hackers could “precisely identify an individual” because the server data "correlates email addresses, local MAC addresses, and public IP addresses suitable for geolocation.”

If the user then sent the UltraLoq an unlock command from a smartphone app while the attacker was monitoring the cloud server, the attacker could replay the unlock command at a later time and unlock the lock.

“If the person ever unlocks their door with the U-Tec app," wrote Young, "the attacker will also now have a token to unlock the door at a time of their choosing.”

Another flaw meant attackers had the ability to stop users from accessing their locks through the distribution of spoofed messages, an action described by Young as “disruptive.”

UltraLoq is a connected lock that is available to purchase at retailers such as Amazon, Walmart and Home Depot

“The locks boast some advanced features including fingerprint readers and anti-peep touchscreens as well as Bluetooth and Wi-Fi connectivity for app-based control,” wrote Young. 

While describing the locks as “convenient” for consumers, he warned that “they may leave some users feeling uneasy about security.” 

Last November, Young discovered the flaw in question, which has since been fixed by the manufacturer on the server side. But for the first time, he’s detailed the vulnerability and what it meant for customers.

Young explained that “attackers could easily steal ‘unlock tokens’ in bulk or from specific devices knowing only the MAC address”.  

The MAC address is a device unique identifier that consists of six two-character pairs, such as A1:2B:C3:4D:E5:F8. Anything that connects to a network has a MAC address for each network port. 

By design, networked devices broadcast their MAC addresses over Wi-Fi, Bluetooth, Ethernet and other network protocols so that they can be found and connected to. Basically, each device is shouting its name and saying "I'm here!"

Security nightmare

UltraLoq locks use MQTT, a low-power protocol that relays messages between Internet of Things and smart-home devices. 

Devices can't send messages directly to each other, however -- they have to relay messages through an MQTT "broker", a piece of software that sits on a server and acts as a telephone operator. 

In U-Tec's case, that MQTT broker was hosted on Amazon Web Services, and it was open to the internet. Young found it by scanning the internet with Shodan, a search engine meant to find non-PC, non-smartphone devices connected to the internet.

Young noticed that the U-Tec MQTT server was listing the status of each UltraLoq. Each entry listed the UltraLoq's Internet Protocol (IP) address, and often whether the lock was connected or disconnected and the user's email address. 

Using his own UltraLoq and the corresponding smartphone app while he monitored his own lock's entries on the MQTT cloud broker, Young found that his smartphone sent unlock commands to his UltraLoq using the same text string every time. 

He replayed that text string from his computer, which wasn't authorized to unlock the UltraLoq, and the lock opened anyway.

What to do 

Jake Moore, a security specialist at ESET, told Tom’s Guide: “The massive growth in IoT devices placed in the home and office is the perfect breeding ground for hackers to make the most of user convenience.

“IoT devices are far too often packaged up with weak (if any) built-in security features so the public are on the back foot from the get go and enjoy these devices working straight out of the box. Furthermore, security updates tend to be infrequent which put extra risk on the owner to make sure they are safe.”

He recommends: “The best way to protect your IoT device is by setting a strong and unique password for it and making sure it is capable of implementing two factor authentication

“However, some things are best left physical and if it’s that significant to have a lock in place, it is clearly important enough to secure in the best way possible. It is also vital for users to turn off non-authenticated user access as this can lead to threat actors intercepting remotely."

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!

  • Jim Larson
    Your misleading headline doesn't jive with your statement that the problem was fixed months ago. Makes it sound like this is still an issue, doesn't it??

    "Last November, Young discovered the flaw in question, which has since been fixed by the manufacturer. But for the first time, he’s detailed the vulnerability and what it meant for customers."
  • Mikerichardson
    I have this model and when I saw your headline got quite scared, complete clickbait. this news is from more than 8 months ago
  • AlexR12
    this was useful last november when it happened, not august 2020 :confused_old: