The Nokelock Smart Padlock Fails to Protect Users' Belongings and Passwords

Nokelock Smart Padlocks Can Leak Passwords

Anyone who has an active interest in technology will tell you that big and small manufacturers the world over are in a race to connect as many everyday objects to the internet as possible. The so-called Internet of Things (IoT) craze has indeed taken over the planet, and often, the results are somewhat strange.

Objects that we have known and used for years are now given chips and are made more complicated than they need to be. People reading about and reviewing the newest IoT gadgets are often left with the impression that they are looking at a solution to a problem that doesn't exist. It must be said, however, that some ideas have quite a lot more potential.

Smart padlocks – a more convenient and more secure alternative?

What's wrong with the traditional padlock? Well, depending on the type of lock we're talking about, you need to use either a key or a numeric combination to open it, which is a less than ideal situation for one very simple reason - keys can be lost and duplicated, and codes can be forgotten or guessed. In other words, neither keys nor passcodes are infallible.

The people behind a China-based company by the name of Nokelock think that advances in technology can give us a solution. Like quite a few others, they have developed various locks that can be opened either with a mobile phone application or with the fingerprint scanner embedded in the lock itself. In theory, this does seem like a great idea.

Even if you do lose your mobile phone along with the application that unlocks your padlock, the people who are trying to steal your possessions will first need to break into your device which, with the right setup, should be a very difficult task in and of itself. At the same time, you can't forget or lose your fingerprint which means that you're unlikely to ever get locked out of whatever it is you're trying to protect.

This is the theory Nokelock and its competitors are actively using in order to convince us to buy their products. Unfortunately, it's only the theory.

Smart padlock makers don't pay too much attention to security

Last year, a YouTuber going by the nickname JerryRigEverything took a smart padlock called Tapplock, and popped it open using nothing more than a GoPro mount and a screwdriver. Later, penetration testing experts from Pen Test Partners managed to break through its virtual security as well and unlocked the device after collecting its Bluetooth MAC address. All in all, the Tapplock padlock came with quite a few design flaws, and its makers received their fair share of criticism.

You'd think that the people that run Nokelock have learned from Tapplock's mistakes. Sadly, this is not the case.

Once again, the experts from Pen Test Partners took it upon themselves to find out if the Nokelock is any good, and once again, their findings might disappoint quite a few people. In fact, completely compromising Nokelock's security turned out to be terrifyingly easy. Pen Test Partners' David Lodge examined the way his Nokelock works, and he realized that due to a vulnerability in the implementation of the Bluetooth protocol, he could steal an important encryption key and do all sorts of damage. As long as he is within Bluetooth range (about 10 meters or 33 feet), for example, he can unlock any Nokelock padlock, and he doesn't even need to know who it belongs to.

After some more poking around, he learned that he can de-register a Nokelock, effectively locking the owner out of it and that he could scrape the GPS coordinates the lock records every time it's synced to a mobile phone. Last but not least, Lodge found out that he can obtain the owner's login credentials with relative ease, and he realized that Nokelock is storing passwords as unsalted MD5 hashes.

MD5 is an ancient hashing function that can be cracked with ease using today's hardware. It's a woefully insecure way of storing passwords, and the people who are still using it should stop doing it as quickly as possible. Those who run Nokelock, however, are not interested.
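The following is an added example, not code from Nokelock or Pen Test Partners. It shows what unsalted MD5 storage looks like from the defender's side (identical passwords produce identical records) and one way to move such records to a salted, slow hash at the next successful login. The usernames, the password, the record format and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

# Constructed records in the unsalted-MD5 style: two users, same password.
LEGACY_DB = {
    "alice": hashlib.md5(b"padlock123").hexdigest(),
    "bob": hashlib.md5(b"padlock123").hexdigest(),
}


def shared_hashes(db):
    """Group users whose stored records are byte-for-byte identical."""
    groups = {}
    for user, record in db.items():
        groups.setdefault(record, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def hash_password(password):
    """New-style record 'pbkdf2$<salt hex>$<key hex>' with a random salt."""
    salt = os.urandom(16)
    return f"pbkdf2${salt.hex()}${derive(password, salt).hex()}"


def verify_and_upgrade(db, user, password):
    """Check a login; on success rewrite a legacy MD5 record as PBKDF2."""
    stored = db.get(user)
    if stored is None:
        return False
    if stored.startswith("pbkdf2$"):
        _, salt_hex, key_hex = stored.split("$")
        candidate = derive(password, bytes.fromhex(salt_hex)).hex()
        return hmac.compare_digest(candidate, key_hex)
    legacy = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(legacy, stored):
        return False
    db[user] = hash_password(password)  # plaintext is only available now
    return True
```

Before the upgrade, `shared_hashes` reports both accounts as one group; once each user has logged in, their records differ even though the password is the same.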

Nokelock doesn't want to plug the security hole

Last year, the people selling Tapplock took their sweet time, but they eventually said that they would release patches and fix the issue presented by Pen Test Partners' experts. When he discovered the gaping security vulnerabilities in Nokelock, David Lodge tried to get in touch with the manufacturer and hoped that this time, the issue would be better prioritized. It wasn't to be.

Pen Test Partners spent close to six months trying to get through to Nokelock via a number of different channels. All attempts failed, and eventually, the experts decided that their best course of action was to publicly release their findings.

The fact that smart locks are not meeting everyone's high expectations shouldn't be too surprising. Teething problems are to be expected in every new product. This, however, doesn't mean that Nokelock should ignore the security problems, leaving the belongings (and data) of their customers vulnerable.

May 30, 2019
