The flaw here is that the lock does not check, before accepting a key exchange, whether a
key is already stored in its electrically erasable programmable read-only memory (EEPROM).
Once paired with the controller, the lock should detect the existing key and keep using it
rather than accept a new one. The lack of this fundamental validation step allowed Fouladi
and Ghanoun to arbitrarily open door locks built on Sigma Designs’ Z-Wave implementation.
Another side effect of this attack is that, since the shared key on the lock has been replaced
with the attacker’s, events sent by the lock to the controller (such as “door is open”) will be
rejected by the controller: the keys held by the lock and the controller no longer match, so
the controller’s authenticity check on those events fails. This, in turn, means that any logic
built into the controller to alert owners when the door is opened is bypassed.
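The following is an added simulation of the two behaviors just described; it is illustrative code written for this discussion, not Sigma Designs’ firmware or the real Z-Wave security layer. It assumes a much simplified model: HMAC-SHA256 stands in for the protocol’s message authentication code, nonce handling is omitted, and the “key set”, “unlock”, and “door is open” message names are made up here. The one switch, validate_existing_key, is the missing check: with it off, a second key exchange silently overwrites the EEPROM key, the attacker can unlock, and the lock’s own “door is open” report no longer verifies at the controller; with it on, the second key exchange is refused and everything else follows.

```python
import hashlib
import hmac
import os

# Simplified model of the pairing flaw described above (added illustration,
# not Sigma Designs' code). HMAC-SHA256 stands in for the real MAC, nonces
# are omitted, and the message names are invented for this example.


class Lock:
    """Door lock whose network key lives in EEPROM (modelled as an attribute)."""

    def __init__(self, validate_existing_key):
        self.eeprom_key = None  # None means "never paired"
        self.validate_existing_key = validate_existing_key
        self.unlocked = False

    def handle_key_set(self, new_key):
        """Process a key-set (pairing) message; return True if the key was accepted."""
        if self.validate_existing_key and self.eeprom_key is not None:
            # Fixed behaviour: a key is already stored, so keep it and refuse the new one.
            return False
        # Vulnerable behaviour: whatever key was stored is silently overwritten.
        self.eeprom_key = new_key
        return True

    def _tag(self, msg):
        return hmac.new(self.eeprom_key, msg, hashlib.sha256).digest()

    def handle_command(self, msg, tag):
        """Execute a command only if its MAC verifies under the key currently in EEPROM."""
        if self.eeprom_key is None or not hmac.compare_digest(self._tag(msg), tag):
            return False
        if msg == b"unlock":
            self.unlocked = True
        return True

    def send_event(self, event):
        """Report an event to the controller, MACed with whatever key the lock now holds."""
        msg = event.encode()
        return msg, self._tag(msg)


class Controller:
    def __init__(self):
        self.key = os.urandom(16)  # network key generated for pairing
        self.alerts = []

    def pair(self, lock):
        return lock.handle_key_set(self.key)

    def receive_event(self, msg, tag):
        """Accept an event only if it verifies under the key shared at pairing."""
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # rejected: the owner-alert logic never fires
        self.alerts.append(msg.decode())
        return True


def run_scenario(validate_existing_key):
    """Pair lock and controller, then push an attacker key and trace what follows."""
    controller = Controller()
    lock = Lock(validate_existing_key)
    if not controller.pair(lock):
        raise RuntimeError("initial pairing must succeed")

    attacker_key = os.urandom(16)
    rekeyed = lock.handle_key_set(attacker_key)  # the second, unvalidated key exchange

    unlock = b"unlock"
    attacker_tag = hmac.new(attacker_key, unlock, hashlib.sha256).digest()
    unlock_accepted = lock.handle_command(unlock, attacker_tag)

    msg, tag = lock.send_event("door is open")  # lock reports under its current key
    alert_delivered = controller.receive_event(msg, tag)

    return {
        "rekeyed": rekeyed,
        "attacker_unlock_accepted": unlock_accepted,
        "door_unlocked": lock.unlocked,
        "alert_delivered": alert_delivered,
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(validate_existing_key=False))
    print("fixed:     ", run_scenario(validate_existing_key=True))
```

Running the script prints both outcomes side by side. The point the model makes is that the fix is a single state check at the moment a key-set message arrives, and that the silent alerting failure is not a separate bug but a direct consequence of the same overwritten key.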
The research and findings by Fouladi and Ghanoun are a good illustration of how a simple
validation check can have severe implications for the physical security of our homes and
offices, where we rely upon door locks to help preserve the safety of ourselves and our loved
ones. This example shows the need for not just lock manufacturers, but also those who
implement firmware and radio protocols, to make sure their designs are sound when it comes
to security. In this case, a single oversight from the Z-Wave protocol implementer rendered
the design of various locks insecure.
According to Fouladi and Ghanoun, Sigma Designs was responsive and worked with
them to figure out how to best verify and proceed with the remediation of the vulnerability.
Although this is a positive gesture on the part of Sigma Designs, the issue of applying
firmware updates still stands. Managers of physical facilities and homes do not usually have a
process of checking for firmware updates and applying them to their door locks and
controllers. In many cases, the functionality to update is not implemented or is too expensive
to apply at scale.
The main point to take away, as we look into physical security in the IoT space, is that a
simple oversight can leave millions of homes vulnerable, and, given the complexity and cost of
remediation, this condition can persist.
Bluetooth Low Energy and Unlocking via Mobile Apps
So far, we’ve studied research and attacks pertaining to magnetic stripe key card–enabled
doors, providing a solid foundation to understand basic attacks against popular door locks.
We’ve also looked at Z-Wave-enabled door locks and seen how a simple mistake in the
implementation of a protocol can render door locks insecure.
In this section, we will take a look at the Kwikset Kevo door lock, shown in Figure 2-3,
which uses Bluetooth Low Energy (BLE). What makes this lock particularly interesting, from
an IoT perspective, is the ability to control it using an iPhone app.