Introduction
1. Current situation and development trend of the smart door lock market
2. Development status of intelligent door lock technology
- 2.1 networking technology of intelligent door lock
- 2.2 intelligent door lock unlocking mode
- 2.2.1 fixed password unlocking mode
- 2.2.2 temporary password unlocking mode
- 2.2.3 biological key unlocking mode
- 2.2.4 smart card key unlocking mode
- 2.2.5 unlocking mode of mobile app
3. Security risk and case analysis of intelligent door lock
- 3.1 safety risk model
- 3.2 security risk of intelligent door lock
- 3.2.1 biological key attack
- 3.2.2 fixed password security
- 3.2.3 firmware stealing and reverse
- 3.2.4 wireless feed attack
- 3.3 security risks of mobile applications
- 3.4 near field communication security risk
- 3.4.1 RFID door lock attack
- 3.4.2 315MHz wireless door lock attack
- 3.5 network communication security risks
- 3.6 security risks of cloud platform services
4. Risk prevention and safety suggestions
- 4.1 door lock user
- 4.2 door lock manufacturer
- 4.3 industry supervision and guidance
National Engineering Laboratory of network security emergency technology of national Internet Emergency Center
Star active defense laboratory (ADLab)
Beijing Tongyu Technology Co., Ltd
Yunding network technology (Beijing) Co., Ltd
Introduction
Since 2016, with the continuing maturity and wide application of the Internet of Things, cloud computing, big data and other technologies, and with the help of capital, smart home has emerged as a new industry force. As one of the representative products of the smart home industry, the smart door lock has great development potential. In 2017, the output value of smart door locks exceeded 10 billion yuan, and sales were close to 8 million sets. The market is estimated to reach 40 million sets in 2020.
The smart door lock is a typical Internet of Things system. The whole system consists of a sensing layer, a transmission layer and an application layer, comprising the smart door lock device, the smart home gateway, the mobile app and cloud service components. The transmission and application layers use existing Internet technology, which is relatively mature and stable. In the sensing layer, user identity authentication is mainly by fixed password, temporary password, fingerprint, palmprint, face, RFID, NFC and app, and the near-field access technologies are mainly WiFi, Bluetooth, ZigBee, 433MHz and 315MHz. With the popularity of smart door locks, all kinds of security risks have been exposed: fingerprint duplication, password guessing, strong magnetic interference, app vulnerabilities, near-field communication hijacking, WiFi traffic hijacking, cloud service vulnerabilities and other smart door lock security incidents have been widely reported by the media.
The security of a smart door lock directly determines the safety of life and property of individuals and families, so its importance is self-evident. This report focuses on the network security of the smart door lock. It first analyzes the development trend of smart door locks and surveys their various unlocking technologies. It then analyzes the networking technology of smart door locks, proposes a security risk model based on their network architecture, and verifies and analyzes that model against specific security vulnerabilities of real smart door locks as case studies. Finally, it puts forward suggestions on smart door lock network security from the perspectives of individual users, manufacturers and industry regulators, in the hope of providing a reference for the smart door lock industry.
1. Current situation and development trend of the smart door lock market
The smart door lock is a lock improved on the basis of the traditional mechanical lock, and is smarter and simpler in terms of user security, identification and management. Broadly speaking, any door lock with a fingerprint lock, password lock, Bluetooth lock or app-connected Internet lock can be called a smart door lock.
According to the 2018 in-depth research report on China's smart door lock industry by Whale Research Institute, about 8 million smart door locks were sold in 2017, and the total output value of the industry exceeded 10 billion yuan, double that of 2016; it is expected to double again in 2018. By the end of June 2018, the penetration rate of smart door locks among China's 400 million households was about 5%, and among the 30 million B-end (operator-run) rental apartments about 10%. There is huge room for growth.
By 2020, annual sales of smart door locks in China will exceed 40 million sets, and the market will exceed 40 billion yuan; 2018, 2019 and 2020 will be the golden three years for the development of smart door locks. By 2022, the penetration rate among China's 400 million households will reach 35%, the level of Europe and the United States in 2018, and penetration in the apartment segment will exceed 50%.
In terms of technology trends, the networking modes of smart door locks are mainly WiFi and Bluetooth, with ZigBee, 433MHz and 315MHz also in use. Because of their obvious advantages, WiFi and NB-IoT will become the mainstream networking modes of smart door locks in the future.
2. Development status of intelligent door lock technology
2.1 networking technology of intelligent door lock
The whole network of the smart door lock is a typical three-layer Internet of Things structure: the sensing layer, the transmission layer and the application layer. The sensing layer consists of the smart door lock and the smartphone app. The transmission layer includes the home smart gateway and mobile communication base stations. The application layer is the smart door lock cloud platform. The following figure shows the common networking schemes of smart door locks; door locks from different manufacturers and of different models often choose one or several of these connection methods.
Figure 2-1 typical networking technology of intelligent door lock
In the sensing layer, because of power constraints most smart door locks are battery powered, and their communication modes are mainly Bluetooth, ZigBee, NB-IoT, 433MHz and 315MHz. Some locks can be powered from mains (AC) and usually communicate with the cloud through WiFi.
In the transmission layer, the main communication modes are home broadband (WiFi / Ethernet) and mobile communication (3G / 4G).
The application layer is the smart door lock cloud service, mainly responsible for device access, identity authentication, logic control, data analysis and business presentation. At present, smart door lock cloud services are mainly deployed on public clouds such as Alibaba Cloud, AWS, Azure and Tencent Cloud, as well as on each manufacturer's private cloud.
2.2 intelligent door lock unlocking mode
2.2.1 fixed password unlocking mode
When installing a fixed-password smart door lock, the user initializes the lock and sets the password. The password is stored in the lock's solid-state storage and is also uploaded to the cloud for storage.
To unlock, the user enters the password on the door lock. If the entered password matches the preset password, the door lock opens.
Figure 2-2 fixed password unlocking mode
2.2.2 temporary password unlocking mode
In the temporary password unlocking mode, the householder obtains the temporary password for the current period from the cloud through the mobile app, and sends it to the visitor through SMS, WeChat or the mobile app.
After the visitor enters the received temporary password on the door lock, the lock compares it with the current period's temporary password automatically generated by the cloud. If the comparison succeeds, the lock opens.
Figure 2-3 temporary password unlocking mode
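One way to realize the period-based temporary password described above, as an added example that is not code from the report or from any lock vendor: cloud and lock share a per-lock secret, the cloud derives the password for the current period and hands it to the householder, and the lock re-derives it offline for comparison. The 30-minute period, six-digit length, one period of clock drift and the HOTP-style truncation are this example's own assumptions.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example (not from the report): one temporary
# password per 30-minute period, six digits, and one period of clock drift allowed.
PERIOD_SECONDS = 30 * 60
CODE_DIGITS = 6
DRIFT_PERIODS = 1


def period_index(unix_time: int) -> int:
    """Index of the period that contains unix_time."""
    return int(unix_time) // PERIOD_SECONDS


def temp_password(lock_secret: bytes, period_idx: int) -> str:
    """Derive the period's password from the per-lock secret: HMAC-SHA256 over the
    period index, then dynamic truncation as in HOTP/TOTP, keyed by period."""
    mac = hmac.new(lock_secret, struct.pack(">Q", period_idx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class CloudService:
    """Holds the per-lock secret and hands the householder the current password."""

    def __init__(self, lock_secret: bytes) -> None:
        self._secret = lock_secret

    def issue_temp_password(self, now: int) -> str:
        return temp_password(self._secret, period_index(now))


class SmartLock:
    """Checks a visitor's entry offline with the same secret the cloud holds, so the
    cloud never has to push each period's password to the lock."""

    def __init__(self, lock_secret: bytes) -> None:
        self._secret = lock_secret

    def verify(self, entered: str, now: int) -> bool:
        if len(entered) != CODE_DIGITS or not (entered.isascii() and entered.isdigit()):
            return False
        current = period_index(now)
        for idx in range(current - DRIFT_PERIODS, current + 1):
            # compare_digest keeps the comparison time independent of where it differs
            if hmac.compare_digest(temp_password(self._secret, idx), entered):
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-per-lock-secret"  # constructed; set at lock initialization
    cloud, lock = CloudService(secret), SmartLock(secret)
    issued_at = 1_700_000_000
    code = cloud.issue_temp_password(issued_at)
    print("visitor code:", code)
    print("entered within the period:", lock.verify(code, issued_at + 600))
    print("entered two periods later:", lock.verify(code, issued_at + 2 * PERIOD_SECONDS))
```

Because the lock derives the password itself, a password stops working once its period (plus the drift allowance) has passed, which is the property that makes it "temporary".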
2.2.3 biological key unlocking mode
At present, fingerprint, palmprint, iris and face are the common and reliable biometric features used by smart door locks.
When installing this kind of door lock, the fingerprint, palmprint, iris, face or other biometric features are enrolled and stored in the lock's solid-state storage or in the cloud.
To unlock, the lock captures the user's fingerprint, palmprint, iris or face and compares the captured features with those stored at enrollment, locally or in the cloud. If the comparison succeeds, the lock opens.
Figure 2-4 biological key unlocking mode
2.2.4 smart card key unlocking mode
The smart cards used to unlock smart door locks mainly include RFID cards, NFC cards and CPU cards, and are mainly used in hotels and apartments.
For RFID-card door locks, the access control management system writes a string representing the card's identity into the RFID card. When unlocking, the door lock reads the string from the card and transmits it to the cloud for comparison. If the comparison succeeds, the door is unlocked.
For NFC-card and CPU-card door locks, the access control management system writes a private key and public key representing the card's identity into the card. When unlocking, the card performs two-way identity authentication with the door lock and the cloud. If authentication succeeds, the door lock receives the unlock instruction from the cloud and opens.
Figure 2-5 unlocking mode of smart access card
2.2.5 unlocking mode of mobile app
During initialization, the cloud binds the door lock to the app on a specified mobile phone.
To unlock, the user completes identity authentication in the mobile app and taps the unlock button; the smart door lock then receives the unlock command from the cloud and opens.
Figure 2-6 unlocking mode of mobile app
3. Security risk and case analysis of intelligent door lock
3.1 safety risk model
According to the network architecture of the smart door lock, its security risks can be divided into five aspects: security risks of the smart door lock itself (attacks against the lock device), security risks of mobile applications (attacks against the smart door lock mobile app), security risks of near-field communication (attacks against WiFi, ZigBee, Bluetooth, 433MHz, 315MHz and other communication modes), network security risks (attacks against the home smart gateway and interception of wired data) and application security risks (attacks against the smart door lock cloud platform).
Figure 3-1 network security risk model of intelligent door lock
3.2 security risk of intelligent door lock
3.2.1 biological key attack
Among the biometric keys commonly used by smart door locks, iris and face are harder to forge and the known attack risk is lower, whereas fingerprint and palmprint carry a higher forgery risk: forging them is easy and has become relatively common.
Figure 3-2 fingerprint identification attack
3.2.2 fixed password security
Smart door locks with fixed passwords suffer from many problems, such as default passwords, backdoor passwords, flaws in the password logic, short passwords and password leakage.
Figure 3-3 fixed password attack
3.2.3 firmware stealing and reverse
After disassembling the smart door lock, the attacker reads the firmware from its storage chip with a dedicated tool, reverse-engineers it to find vulnerabilities, and then exploits them with other attack methods.
Figure 3-4 firmware reading
3.2.4 wireless feed attack
(1) Principle analysis
Wireless power feeding is a widely used technology, found in induction cookers, wireless charging, contactless cards and so on. Because of design defects in some smart door locks, electromagnetic interference is not considered in their wiring and circuit design. An attacker can use a Tesla coil to radiate electromagnetic interference that induces a DC feed in the lock's internal circuitry.
If the induced DC feed is high enough, it drives the lock's small motor to turn the lock cylinder and unlock. Alternatively, it may upset the MCU's logic and cause a restart, and some smart door locks unlock automatically after a restart by default.
Figure 3-5 unlocking circuit diagram
(2) Case study
On May 26, 2018, at the 9th China (Yongkang) International Door Industry Expo, a woman opened smart door locks of several brands with a "small black box", the quickest in only 3 seconds. An article titled "That woman destroyed the whole fingerprint lock industry" quickly became the nightmare of the smart door lock community.
The principle of the "small black box" is that, once the Tesla coil is powered, it can have two effects: either the current induced in the smart door lock's circuitry drives the unlocking mechanism, or the coil's strong electromagnetic pulse hits the lock's chip, which crashes and restarts, and some smart door locks unlock automatically after a restart by default.
Figure 3-6 "small black box" unlocking diagram
3.3 security risks of mobile applications
(1) Principle analysis
Mobile apps carry various common security risks: a fixed encryption/decryption key is hard-coded in the app code or firmware; the app code is not hardened or obfuscated, so it can be fully reverse-engineered to understand and crack the unlocking mechanism and then construct control instructions for an attack; bugs left by developers may allow authorization checks to be bypassed; vulnerabilities in the mobile operating system may allow malicious code to be implanted to take control of the phone; and flaws in the authentication between the app and the device make man-in-the-middle attacks easy, that is, a forged app communicating with the real device in order to deceive it.
An attacker uses these vulnerabilities or defects in the smart door lock's app to bypass the logic preset among the lock, the app and the cloud service, and performs unauthorized unlocking.
(2) Case study
A brand of smart door lock has a password reset vulnerability (vulnerability number CNVD-2017-03908). By reverse engineering the smart door lock app, we analyzed its code logic and the messages exchanged between the app and the cloud, and worked out the definitions of the relevant cloud interfaces. One of the brand's business interfaces was found to lack user legitimacy verification: an attacker can use already known user information to bypass the legitimacy check and reset the password. After logging in with the reset password, the attacker can unlock the lock and modify the user information. Further security analysis on this basis found a more serious problem: through this vulnerability the attacker can obtain all user information of the product, including mobile phone numbers and door-opening passwords. Since the vulnerability does not rely on the mobile phone verification code, the attack is stealthier and the harm greater.
Figure 3-7 mobile application security case
3.4 near field communication security risk
3.4.1 RFID door lock attack
(1) Principle analysis
The RFID card stores a string representing the cardholder's identity. In ordinary RFID cards this information is stored in clear text, or only lightly processed, so an attacker can read it and copy it to another card, thereby obtaining the cardholder's authorization.
(2) Case study
A brand of smart door lock is an RFID door lock. Testers bought a simple RFID reader on Taobao, read the information from an existing RFID card, wrote it into a new RFID card, and opened the door normally with the new card.
RFID cards of this kind are widely used as community access control, building access control and hotel room cards, so the impact is large.
Figure 3-8 reading access card information
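The contrast between the clear-text identity string of this section and the two-way authentication of the NFC/CPU cards in section 2.2.4, as an added example that is not code from the report or from any vendor. It assumes a per-card symmetric key (the report's NFC/CPU scheme uses a key pair) and lets the lock hold the keys and do the comparison that the report places in the cloud, so that it runs offline; the card id and key are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample card data for this example (not taken from the report).
CARD_ID = "room-0731"
CARD_KEY = b"constructed-per-card-secret-key"

def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts; used by card and verifier alike."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def static_id_lock_opens(authorised_ids: set, presented_id: str) -> bool:
    """The RFID check of section 3.4.1: whoever presents the clear-text string gets in."""
    return presented_id in authorised_ids

class KeyedCard:
    """NFC/CPU card as in section 2.2.4: the key never leaves the card; it answers a
    fresh challenge and checks the lock's answer to its own nonce (two-way auth)."""

    def __init__(self, card_id: str, key: bytes) -> None:
        self.card_id, self._key = card_id, key

    def respond(self, lock_nonce: bytes) -> tuple:
        self._card_nonce = os.urandom(16)
        return self._card_nonce, tag(self._key, b"card", self.card_id.encode(), lock_nonce)

    def accept_lock(self, lock_proof: bytes) -> bool:
        return hmac.compare_digest(lock_proof, tag(self._key, b"lock", self._card_nonce))

class ChallengeLock:
    """Verifier side. In the report's deployment the per-card keys and the comparison
    live in the cloud; here the lock holds them so the demo runs offline."""

    def __init__(self, keys: dict) -> None:
        self._keys = keys  # card_id -> key

    def try_open(self, card) -> bool:
        key = self._keys.get(card.card_id)
        if key is None:
            return False
        lock_nonce = os.urandom(16)  # fresh per attempt, so an earlier answer is useless
        card_nonce, response = card.respond(lock_nonce)
        if not hmac.compare_digest(response, tag(key, b"card", card.card_id.encode(), lock_nonce)):
            return False
        return card.accept_lock(tag(key, b"lock", card_nonce))  # lock proves itself too

class RecordedAnswerCard:
    """What copying a keyed card yields: the readable id plus one answer observed in an
    earlier exchange, repeated for whatever challenge arrives."""

    def __init__(self, card_id: str, recorded: tuple) -> None:
        self.card_id, self._recorded = card_id, recorded

    def respond(self, lock_nonce: bytes) -> tuple:
        return self._recorded

    def accept_lock(self, lock_proof: bytes) -> bool:
        return True

def demo() -> dict:
    genuine = KeyedCard(CARD_ID, CARD_KEY)
    lock = ChallengeLock({CARD_ID: CARD_KEY})
    observed = genuine.respond(os.urandom(16))  # one exchange seen by an eavesdropper
    return {
        "static_copy_opens": static_id_lock_opens({CARD_ID}, CARD_ID),
        "genuine_keyed_card_opens": lock.try_open(genuine),
        "recorded_copy_opens": lock.try_open(RecordedAnswerCard(CARD_ID, observed)),
    }
```

`demo()` returns True, True, False: the copied static string is accepted, the genuine keyed card is accepted, and a copy that can only repeat an old answer is rejected because every attempt uses a new challenge.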
3.4.2 315MHz wireless door lock attack
(1) Principle analysis
A radio door lock responds to a specified radio signal, and for ordinary radio door locks that signal is fixed. An attacker can replay the radio signal, or replay it after simple processing, thereby forging the real user's opening and closing of the lock.
(2) Case study
A brand of smart door lock has a radio signal replay vulnerability (vulnerability number CNVD-2018-02695). The door lock is a radio lock. Testers bought a simple radio transceiver on Taobao, captured the lock's opening and closing signals, stored the radio packets locally, and opened the door by replaying the packet containing the unlock signal.
Wireless door locks of this kind are common on garage doors, home doors and car doors, so this kind of attack poses a huge security risk.
Figure 3-9 use radio tool to replay signal to unlock
3.5 network communication security risks
(1) Principle analysis
Some smart door locks connect directly to the Internet via WiFi, while locks using other communication modes reach the Internet via WiFi after connecting to their gateway. At the same time, when the mobile app is used at home, it also connects to the smart door lock and the cloud server via WiFi. Given that a large number of smart door lock communication protocols transmit in plaintext, or have flaws in their encrypted transmission, an attacker can gain control of the smart door lock by attacking the WiFi router or smart home gateway, or by intercepting the WiFi signal.
(2) Case study
A brand of smart door lock has a design vulnerability (vulnerability number CNVD-2016-12586). The tester found that the communication between the smart door lock's app and its cloud service is transmitted in plaintext, and identified the specific packets that control the lock.
After hijacking the WiFi signal, the tester could control the door lock by replaying it.
Figure 3-11 WiFi signal hijacking to realize door opening and closing operation
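Both cases above (the fixed 315MHz signal of 3.4.2 and the plaintext WiFi packet of 3.5) fail the same way: the unlock message is a constant, so a captured copy is accepted later. The following added example (not the report's or any vendor's code) models that receiver beside a rolling-counter receiver that authenticates each frame with a shared key and rejects any counter it has already accepted. The frame layout, key and 16-press window are constructed assumptions; for the app-to-cloud link the report's own recommendation in 4.2 (standard encrypted transmission) is the right fix, and this block only shows the replay property.

```python
import hashlib
import hmac
import struct

# Constructed frame format for this example (not the report's or any vendor's):
#   counter (4 bytes, big-endian) | command (1 byte) | first 8 bytes of HMAC-SHA256
CMD_UNLOCK, CMD_LOCK = 0x01, 0x02
BODY_LEN, TAG_LEN = 5, 8
COUNTER_WINDOW = 16  # presses the lock may have missed and still resynchronise on


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, counter: int, command: int) -> bytes:
    body = struct.pack(">IB", counter, command)
    return body + _tag(key, body)


class FixedSignalLock:
    """The 315MHz lock of 3.4.2 and the plaintext WiFi lock of 3.5 behave like this:
    the unlock message is a constant, so a copy of it is accepted whenever it arrives."""

    def __init__(self, unlock_message: bytes) -> None:
        self._unlock = unlock_message

    def receive(self, frame: bytes):
        return "unlock" if frame == self._unlock else None


class Remote:
    """Transmitter side: shares a key with the lock and never reuses a counter value."""

    def __init__(self, key: bytes) -> None:
        self._key, self._counter = key, 0

    def press(self, command: int) -> bytes:
        self._counter += 1
        return build_frame(self._key, self._counter, command)


class RollingCodeLock:
    """Receiver side: a frame is acted on only if its tag verifies under the shared key
    and its counter is newer than the last accepted one (but not unreasonably far ahead)."""

    def __init__(self, key: bytes) -> None:
        self._key, self._last = key, 0

    def receive(self, frame: bytes):
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if not hmac.compare_digest(tag, _tag(self._key, body)):
            return None  # not produced with the shared key, or altered in transit
        counter, command = struct.unpack(">IB", body)
        if not self._last < counter <= self._last + COUNTER_WINDOW:
            return None  # replayed (already seen) or too far ahead to be trusted
        self._last = counter  # advance before acting, so this frame can never count twice
        return {CMD_UNLOCK: "unlock", CMD_LOCK: "lock"}.get(command)


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed; paired into remote and lock at installation
    remote, lock = Remote(key), RollingCodeLock(key)
    frame = remote.press(CMD_UNLOCK)
    print("first delivery:", lock.receive(frame))    # unlock
    print("same frame again:", lock.receive(frame))  # None: counter already used
```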
3.6 security risks of cloud platform services
(1) User identity authentication vulnerability
Password complexity is not enforced, the number of failed login attempts is not limited, and the SMS verification code for resetting a password is generated locally or appears in the returned packet.
(2) Access control vulnerability
The back-end information system does not verify the important access control parameters in the data packet, which leads to unauthorized operations. Remote code execution vulnerabilities also exist that allow commands to be executed with root privileges, and important response data can be hijacked.
(3) Web security problems in cloud management platform system
Common web security vulnerabilities also exist in smart door lock cloud management platforms, such as SQL injection, arbitrary file upload, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, cross-site request forgery, use of components with known vulnerabilities, and unvalidated redirects and forwards.
4. Risk prevention and safety suggestions
According to the risk model of the smart door lock, the security risks it faces fall into five aspects: security risks of the smart door lock itself, security risks of the mobile application, security risks of near-field communication, network security risks and application security risks.
Once a smart door lock's security problems attract the attention of and are exploited by hackers, they bring very direct economic and property losses to users and an extremely serious negative impact on society. Below we give targeted improvement suggestions and measures from the three perspectives of users, manufacturers and the industry.
4.1 door lock user
Individual users should first of all choose smart door lock products from well-known manufacturers that are cost-effective and suit their needs. Secondly, if a household chooses to install a smart home gateway device, it should prefer a device with security functions such as near-field communication security monitoring and traffic security monitoring; monitoring for common attacks can effectively improve household security.
4.2 door lock manufacturer
(1) Really improve the security quality of mobile applications
Smart door lock manufacturers can improve the security quality of their mobile applications by introducing security design during application design, adding security testing during application testing, and strengthening the anti-analysis ability of the application through security hardening.
(2) Strengthen the safety design of intelligent door lock
During design, smart door lock manufacturers can genuinely improve the attack resistance of the lock through security measures such as improving electromagnetic shielding, disabling debugging interfaces and debugging functions, hardening the firmware, adding fingerprint liveness detection, implementing RFID encryption, prohibiting simple passwords, and upgrading firmware dynamically and promptly.
(3) Improve the level of network security protection
In the smart door lock system, the smart door lock, the mobile application and the cloud service should communicate using standard encrypted transmission, giving priority to cryptographic algorithms approved by the national cryptography administration and following its algorithm specifications, to ensure the security of network communication.
(4) Continuously guarantee the security of cloud services
To reduce the security risks of the application layer, security design should be introduced during cloud service design and security testing during product testing, with continuous penetration testing and risk assessment after the service goes online. A cloud service platform with strong security protection should be selected, relevant cloud security protection products or services deployed, and comprehensive, all-round and round-the-clock security monitoring, operation and maintenance implemented from the physical layer, virtualization layer, host layer, network layer and data layer up to the application layer, forming a complete set of security protection measures that ensure a high level of cloud service security.
4.3 industry supervision and guidance
For the smart door lock industry as a whole, the relevant industry departments should organize the formulation of a complete set of security implementation standards covering the whole process of the smart door lock system from planning, design, development, testing, deployment and launch to operation, so as to strengthen security awareness across the industry and genuinely raise the overall product security level. At the same time, they should organize the development of supporting network security testing specifications for smart door lock products, and conduct network security testing and certification before smart door lock products go on the market.