On our site you can buy a number for registering any account and you will no longer have to run for a new sim to the store.
To make matters worse, the manufacturer of smart door locks has not yet recognized or corrected the flaws.
Six vulnerabilities exist in Hickory Smart Bluetooth device with Deadbolt support, manufactured by Hickory Hardware, which allows users to remotely lock their homes using a mobile application on their Android phone or iPhone. Vulnerabilities are of medium danger, since exploitation requires a certain level of access to an already compromised mobile device, however, as soon as an attacker gains access to the victim’s phone, he can easily exploit flaws to remotely unlock a lock from a mobile application.
“This, in turn, may pose a physical risk to people and property protected by these locks,” said Todd Beardsley. “At the time of the initial release of this disclosure, the vendor did not recognize these vulnerabilities and did not offer a software update to address these issues.
In general, the researchers found six shortcomings that affect smart blocking: from insecure storage in Android and iOS applications to incorrect access control for APIs and transferring credentials in clear text.
Unsafe deadbolt
Of the six vulnerabilities discovered, three can be used to potentially unlock an intelligent door lock. Two of the drawbacks (CVE-2019-5632 and CVE-2019-5633) are associated with the optional Smart Deadbolt mobile application that stores unencrypted critical data in the database. The database contained information that could be used to remotely control locking devices.
CVE-2019-5632 stems from unencrypted critical data stored in the SQLite database (called SecureRemoteSmartDB.sqlite) in the Android application, and CVE-2019-5633 stems from confidential unencrypted data stored in the Cache.db database in the iOS application.
The caveat is that an attacker will need physical access to an unlocked handset to view the application before compromising sensitive data, Beardsley said.
Researchers found another flaw (CVE-2019-5634) in an Android app that included debug logging on Android devices. Because debug logs are used for troubleshooting and application development, this feature should be disabled when the application enters operational mode.
However, the researchers found that all communications with the Internet API services and direct connections to the lock were recorded in the debug log, which existed in the standard storage path of the USB or SD card of the Android device - that is, they could be easily accessible to anyone who controls the Phone .
“It is important to note that a user with any level of access to remote lock control, even on a temporary basis, can use this log data to gain unauthorized access in the future.”
Other vulnerabilities
Researchers found many other problems with the device, including the wrong flaw in API access control (which did not have a CVE), the ability of disconnected users to retain access to the API (which also did not have a CVE), and the transfer of credentials in plain text (CVE-2019 -5635).
The latter is because the Hickory Smart Ethernet Bridge device communicates over the network with the MQTT broker without encryption, providing the default usernames and passwords used for authentication in MQTT.
"Despite the fact that we were able to disclose this username and password for the MQTT service associated with the infrastructure located in the cloud, it is not clear what exactly the attacker can do with this password, since all other data turned out to be encrypted or encoded."
Despite the fact that Rapid7 revealed the Hickory Hardware vulnerabilities on May 16, the manufacturer has not yet recognized and released a patch for the shortcomings. On Thursday, a public disclosure deadline is planned (more than 60 days after May 16) to identify deficiencies.
"In the absence of manufacturer-supplied fixes, users of these iOS and Android applications and their associated door locks should take care not to share access with people who should not have long-term permanent access to a protected property."
“Regardless of the updates provided by the provider, mobile devices must be protected with a unique PIN code, password or pattern to prevent accidental disclosure of confidential passwords and tokens in the event of loss of a mobile device.”
This is not the first problem that smart home devices suffer, especially locks.