Budi Arief, Senior Lecturer at the University of Kent, came to the University of Lancaster to give a presentation about his team’s efforts to break the security on the Nokē smart lock. I’m always game for hearing about the latest IoT blunder, so I headed along.
The vulnerability lay within the Nokē’s override mechanism, for access when one is without access to the accompanying app. This is a user-set series of short- and long-presses on the padlock shackle itself, similar to Morse code.
Arief and his team found that the 8–16-press codes were susceptible to human biases. Interviewing a number of users as to the reasons for them choosing the codes that they had, they found a number based them off of remembered melodies—earworms, in other words.
They plotted the code lengths they found on a graph, and found that the lengths peaked at the 8-press end of the scale, peaked again slightly around the 11-press mark and then dropped sharply off. 87 % of code lengths were between 8–12 bits and 29 % were the minimum possible length of 8 bits. Markov chain analysis showed the likelihood of a given string of presses being followed by a short- or a long-press—one short-press tended to lead to another.
The team categorised the types of codes into: earworms (the most popular, at 46/100 responses); pseudo-random; numerical; Morse; and name subsitution (the least, at 2/100).
The team then created an Arduino-powered mechanical tool to rapidly test the codes on the padlock. They found that it took 2.52 s to test a code, and 40 % of codes were cracked within 10 minutes. The users’ bias towards more, easier to enter short-presses made testing 3× faster.
The biggest design advantage afforded to the attackers is that the Nokē smart lock requires no sequence to delimit code entry, meaning it is not necessary to know the code length, which drastically reduces the entropy of the available codes.
Arief and his team submitted their findings to Nokē, who replied to the effect that they had implmented a number of their suggests, such as allowing the user to disable the override option and increasing the max. code length.