


Recently I was afforded the opportunity to research the findings of a well-known security firm, F-Secure, who had discovered a vulnerability in the Guardtec KeyWe Smart Lock. The F-Secure people found that, due to a design flaw, an attacker could intercept and decrypt traffic coming from a legitimate owner of the lock. I found their blog (posted in December of 2019) to be extremely fascinating and very informative. I soon became motivated to see if I could duplicate their efforts, realizing that F-Secure had issued an advisory and that the vendor had been given an opportunity to mitigate their exposure.

Unfortunately, the vendor's mitigation options were extremely limited, because the lock has no firmware update functionality. Instead, they chose to use obfuscation in their Android app in an attempt to hide the more relevant sections of code (which they did quite well, I might add). Although F-Secure had laid the groundwork, they were careful not to reveal too much information and even REDACTED some of their own tools, thereby retaining the 'keys to the kingdom', as they put it. During my journey, I found myself constantly going back to their blogs, especially as I discovered new and relevant information of my own. This blog is intended not only to consolidate my notes and document my research, but also to inform others of some pretty cool tools and methods for reverse engineering Android/iOS applications.

After receiving the shipment of my KeyWe Smart Lock and creating a test fixture to mount it, I downloaded the Android app to my mobile phone and created my account. I got familiar with the functionality of the lock and the look and feel of the mobile app. I also ran the Nordic nRF Connect mobile app (available for free on the Google Play store) to gain useful information about my lock, such as its Bluetooth address, primary service UUIDs, characteristics, etc.

Note: Understanding Bluetooth Low Energy GATT and GAP is beyond the scope of this write-up; however, the BLE specifications are easily accessible here, should you want to read up.

Upon further examination of the CommonKey on multiple KeyWe devices, it appears the only difference between all devices examined was the last two bytes of the device's Bluetooth address! In my case, the values 4C and 93 were unique to my device. This suggests that the CommonKey is highly predictable, being based solely on two bytes within an otherwise static 16-byte value per device! Since the Bluetooth address is broadcast in the lock's advertisements and is visible to anyone scanning with a tool such as nRF Connect, those two bytes offer no secrecy at all. The AppKey and DoorKey are created by two separate (and heavily obfuscated) methods, makeAppKey and makeDoorKey. The F-Secure people created a nice tool that generates the three secret keys by simulating the action of these two methods (although they REDACTED and obfuscated their released work, rendering it generally harmless).
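To make the CommonKey observation concrete, the following is an added illustration written for this write-up; it is not the author's code, not the F-Secure tool, and not the lock's real derivation. The page does not disclose the static 16-byte value or which positions carry the address-derived bytes, so the TEMPLATE bytes, the ADDR_SLOTS positions and the address prefixes below are hypothetical placeholders; only the trailing octets 4C:93 come from the text above. What it shows is the consequence of such a design: knowing the template turns any advertised Bluetooth address into the device's key, and even without the address there are only 2**16 keys to try.

```python
"""Added illustration: a 16-byte key whose only per-device input is two
bytes of the BLE address.  TEMPLATE, ADDR_SLOTS and the address prefixes
are hypothetical placeholders (assumptions), not the KeyWe lock's real
values; only the trailing 4C:93 octets are taken from the write-up."""
from itertools import product
from typing import Callable, Iterator, List, Optional, Tuple

# Hypothetical static 16-byte value; 14 of its bytes never change between devices.
TEMPLATE = bytes(range(0x10, 0x20))
# Hypothetical positions that receive the last two BD_ADDR octets.
ADDR_SLOTS = (14, 15)


def parse_bdaddr(addr: str) -> bytes:
    """Turn 'AA:BB:CC:DD:4C:93' (as displayed by a scanner) into six raw bytes."""
    octets = addr.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit BD_ADDR: {addr!r}")
    return bytes(int(o, 16) for o in octets)


def common_key(addr: str, template: bytes = TEMPLATE,
               slots: Tuple[int, int] = ADDR_SLOTS) -> bytes:
    """Per-device key: the static template with the two slot bytes overwritten
    by the two low-order octets of the advertised address."""
    key = bytearray(template)
    for slot, octet in zip(slots, parse_bdaddr(addr)[-2:]):
        key[slot] = octet
    return bytes(key)


def differing_bytes(k1: bytes, k2: bytes) -> List[int]:
    """Byte offsets at which two keys differ (expected: exactly the slots)."""
    return [i for i, (a, b) in enumerate(zip(k1, k2)) if a != b]


def candidate_keys(template: bytes = TEMPLATE,
                   slots: Tuple[int, int] = ADDR_SLOTS) -> Iterator[bytes]:
    """Every key reachable from the template: 2**16 of them, whatever the address."""
    for b1, b2 in product(range(256), repeat=2):
        key = bytearray(template)
        key[slots[0]], key[slots[1]] = b1, b2
        yield bytes(key)


def brute_force(is_right_key: Callable[[bytes], bool],
                template: bytes = TEMPLATE,
                slots: Tuple[int, int] = ADDR_SLOTS) -> Tuple[Optional[bytes], int]:
    """Search the whole key space without knowing the address.  The oracle
    stands in for any test that recognises the right key, such as whether a
    captured message decrypts.  Returns (key or None, candidates tried)."""
    tried = 0
    for key in candidate_keys(template, slots):
        tried += 1
        if is_right_key(key):
            return key, tried
    return None, tried


if __name__ == "__main__":
    mine = common_key("AA:BB:CC:DD:4C:93")    # 4C 93 from the write-up, prefix constructed
    other = common_key("AA:BB:CC:DD:12:34")   # constructed second device
    print("keys differ only at offsets", differing_bytes(mine, other))
    found, tried = brute_force(lambda k: k == mine)
    print(f"recovered the key after {tried} of {2 ** 16} candidates")
```

Note that the search in brute_force is the worst case; a scan of the lock's advertisements hands the attacker the two octets directly, collapsing the search to a single candidate.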
