>>Afternoon. How is everyone's DEF CON going? [whooping] [applause] So this talk is on backdooring the front door, um, and I got a lot of slides so I'm just gonna get right into it. So to start off, I'm Jmaxxz. I work as a software engineer, um, hacker for fun. I like doing things with locks, and the thing I always like to tell people is the best puzzles are the ones that were never meant to be solved, and I think that explains a lot about the hacker attitude.

Um, now all opinions expressed in this talk are my own. They aren't my past, present, or future employers' opinions, and if you see something you like and you wanna reach out later, um, you can find me on Twitter, um, at @jmaxxz.

So obviously this talk is gonna be about the Internet of Things. Oh, and we just lost video. There we go, Internet of Things. Um, so our homes are getting smarter and we're bringing more technology into our homes to replace traditionally dumber mechanical, um, objects, and for this talk we're gonna be looking at the August lock. Particularly the August Smart Lock, uh, that I have up on stage here. This is what an August lock looks like when you put it on your door. Um, I don't know if you can see it on the screens up there, but it replaces the thumb turn on your deadbolt. So if you live in an apartment like me this is a great option because you don't actually have to replace the outside of your lock, and that would annoy your landlord. Um, and the device itself is just Bluetooth Low Energy, um, and it gives you smart lock features like auto unlocking, unlocking when you approach the door, uh, those type of things.

But what got me interested in this lock was actually August's marketing team. One of the things I like to do when I'm looking at a technology is see what claims the company distributing it is making. Now on August's website it put these up, I'm showing you them up here, um, they're actually no longer on their website, you can find them on the Wayback Machine, um, but they said such things as, uh, their lock is unlike physical keys, which can be duplicated and distributed without your knowledge. It also said it's safer than codes that can be copied. And so we get this recurring theme that it's not like a traditional key, it's somehow safer. And their most, um, aggressive claim, I'm gonna let them explain it to you because I don't think you'd believe me if I told you. [music playing]

>>August is the lock that requires no key, only an invitation. [panting] [jingling] An invitation that you can give and take away whenever [beeps] you please. [background noises] Keyless, codeless, and completely secure. [laughter] ...and completely secure [laughter] ...and completely secure, and completely secure, and completely secure.

>>So I didn't just loop that video for the hell of it, um, that's actually what I did when I first heard this piece of marketing material. I went back to that YouTube video and I just played that section over and over again thinking I must've misunderstood something, um, because I'm sure what they're trying to do is comfort people and say, oh, we know it's technology but it's safe technology, and their thought was this will make people feel comfortable with their lock and think it's secure. However, that's not really how I took it at all. I kind of took this as, well, you have a completely secure lock. Sure, it would be worth looking into, I suppose; I don't think I've ever seen a completely secure lock.

So putting together these security claims. Obviously they claim perfect security, which is a little morphic, uh, but they also claim things like guest access can be revoked at any time, guest permissions can be limited to a schedule, guests can't use the auto unlock feature. They can't access lock settings. They can't see who's using the lock. Um, and the keys can't be duplicated. We saw that claim twice in 2 different forms. They said they don't have codes that can be copied and they don't have keys that can be duplicated. Um, they also say that you can track who enters and exits your home; that should say home, not phone.

So to start looking at the lock set I'm gonna map out the API. I work as a software engineer, um, let's just look at the boundaries of this application. Let's approach it black box. But the problem is, which API? There's actually 2 APIs in the August lock. There's the one between your phone and the lock, and the one between your phone and the cloud, or if you read XKCD, someone else's computer. Um, and working as a software engineer mostly on web applications, I wanted to look at that HTTP one first, the REST side.

So what I did is I downloaded mitmproxy, and if you're not familiar with this tool you really should get familiar with it. It's an awesome tool, super easy to use to get in the middle of any application, particularly if they're using SSL. Um, so I installed the certificates on my phone, fire up mitmproxy and launch the application, and I get something that looks like this. And what this is indicating is that the August application is using certificate pinning. Now if you're a developer and you develop mobile apps, certificate pinning is a really good idea and you should absolutely have it on your applications. However, if you're a hacker and you're trying to figure out how something works, it's a real pain in the ass. So we need a way around this.

One solution is to use iOS Kill Switch. Um, it's originally developed by iSEC Partners. Um, there's a new version, SSL Kill Switch 2. Basically what it does is shut off certificate validation on your iPhone. Now, this being a DEF CON talk, I really didn't wanna walk in and shut off SSL on my phone and then connect to the DEF CON wifi and see what happened. I don't think that would work out well for me, so I needed a better solution. Fortunately August built one into their application. If you just tap on the hamburger, press and hold on the version number, and then you type the super secret phrase "Dreadful Dow". Casing matters, make sure your D's are capital.
You'll get access to their debug menu. On their debug menu at the very top you'll see a URL. That URL is the endpoint that their application's talking to when it reaches out to the cloud. If you just tap on that, it pulls up this menu. Now I obviously don't wanna look at staging and their development environments, 'cause, well, that's probably outside of scope and I don't really want any nasty letters from August, but this other option looks pretty cool. So if you just tap on it, it opens another dialogue where you can specify any endpoint you want. Now obviously, if you can specify any endpoint you want, they can't have pinned the certificate for every endpoint in the world, so I just enter an endpoint I control, and it can be HTTP or HTTPS, so you can choose not to deal with HTTPS at all if you want to. Enter in a URL you control, hit custom, the application will crash, and when it relaunches, boom. You're in the middle. So now we have access to all the traffic back and forth and we can start looking at how the application works. And one key thing I'd like to point out here is, unlike iOS Kill Switch, SS, or sorry, SSL Kill Switch, uh, this didn't require a jailbreak. There's no jailbreak required. This could be a stock phone and this would work. And being a developer, um, a thought occurred to me, there's probably a sprint review where some developer walked in the room and was just like, I didn't plan certificate pinning, we're good. Ship the perfect security claim. So we're gonna cross that out.

Now obviously after we map out the API we can build up a collection. I used Postman, put together a collection of all the endpoints that it talks to, uh, this collection will be available in the GitHub repository after this talk. Now looking through all the APIs that the August application uses, one of them caught my interest and that was this one. And for those who can't see what's on the screen, it's the mobile application telling August's servers that you just unlocked your lock and this is the owner of the lock doing it. And what's interesting here is it's not anonymous. This is tied to your account. So what August is doing is they're building up a collection of every time you've entered or exited your house if you're the owner of the lock. This is something your Schlage and your dumb locks are not going to do. Um, it's a little creepy. I'm not sure I want a company that makes a lock that they can open also being, heh, also being able to build a profile of when I am home and when I'm not home. Those 2 sets of data together would be incredibly valuable on the black market.

So let's fix this. mitmproxy can actually modify traffic as well as just listening to it. So with a little script we just intercept all the APIs that log data about locking and unlocking and we tell the application, yeah, 200, everything's good, and we don't tell the web servers anything. And the nice thing about this is it gives us privacy, but if we remember, they made the claim that you'll know when your guests open your door. Well, the way they know that guests open your door is the mobile application logs to their server, hey, I just opened this door, and then they notify you, um, Jimmy opened your door. Um, obviously if you can just say I'm not going to tell you when I open a door, that kind of defeats that feature. But they also said, um, guests can't be notified or know the, see the activity feed of a lock. Well, it turns out if we look at this API, there's an API to set up notifications. So when someone opens your door, it's supposed to notify you and say, um, someone opened your door, someone locked your door, um, and if we just specify any lock, it could be a lock you don't own, um, and any user identified by their phone number or their email address, and we say notify me when this user opens this lock. It doesn't matter what the lock is or what the user is, August will dutifully notify you that that user opened the lock. Even if you don't own that lock. Even if you're not a guest on that lock, any lock in the world.

But what else can we do? Well, August has this idea of owners and guests, or as they like to call them, users and superusers. But guests are supposed to be limited in what they can do. Specifically, they're not supposed to be able to use things like the auto unlock feature and they're not supposed to be able to change lock settings. But how does the mobile application know when you're an owner and when you're a guest? Well, it's actually this message right here. They say user type: user. And if it's user type user, you're a guest. If it's superuser, you're an admin. So let's just use mitmproxy again and we'll just replace user with superuser and we get access to the menu as a guest. [inaudible sound] [applause]

So this is the first big, interesting discovery we have here, which is the lock itself has no concept of owner and guest, it only knows about users. The entirety of the access control model is implemented server side in the application, and since they're relying on you to talk to the server, well, we can just cut that out eventually. So to the claim that guests can't do these things, I'd just have to say that's wrong. Guests can absolutely do them. They may not be able to do them through your application, but they can do them. So now the list of claims looks something like this. Less grey and more red, but I think we can do more. We only looked at one side of the API right now. What about that Bluetooth side?

Now, in case you forgot, it's structured like this. The lock itself has no wifi, it relies on your phone to talk to the cloud. So if you wanna play with Bluetooth Low Energy, a good app to start with is LightBlue. It's great for enumerating services and just seeing what, um, Bluetooth Low Energy looks like. Um, and you'll get something like this. This is an August lock, and because we are able to connect to it and pull services from the thing, we know that we're able to pair with it, which means it must just be using Just Works pairing, because I never have had to enter a PIN. Um, but August relies on a second layer of encryption so that's not too big of a deal, but I would like to intercept some traffic, and if you look at Bluetooth Low Energy long enough you're eventually gonna run across the Ubertooth, which is supposed to make this really easy. Unfortunately, I didn't think it was that easy, and after about a week I said, well, this is too hard, I need to find something else. But again there's a better solution. It's built into the August application again. [laughter] [applause]

If we go back to the previous menu there's this send logs button. If we just tap that, it'll pull up a screen that looks like this, and for those who can't read it in the back of the room, it's 2 auto unlock at august dot com. Now if, like me, you look at that title and say, I wonder if this will auto unlock my lock, um, I hate to disappoint you, it won't. What it will do is get you an email from their VP of engineering asking why you just sent this to them. [laughter] But what I am going to do is just replace that with my email address to avoid those emails. Then once I get on my computer I open up Notepad++ and I search for ciphertext. And what do you know, on the left side of the screen is the ciphertext for the communication between the phone and the lock, and on the right side of the screen is the plaintext. So, man in the middle attack built into the application. [laughter] So that Ubertooth I bought, completely useless, throw it out, I just need their mobile app. And again, no jailbreak is required to do any of this. Um, in particular for the Bluetooth logs, if you just use August support instead of Dreadful Dow you'll just get the send logs button and it'll work just as well. So now that we have the Bluetooth, how did they authenticate with the lock?
Hello. It's fairly simple, um, again all access control is on the web server, so when your phone connects to the lock, eh, your phone then generates 64 bits of random data. They send that 64 bits to the web server, the web server encrypts it to a packet to be sent to the lock, your phone gets it from the web server and then hands it off to the lock. The lock is able to decrypt it and then generate its own 64 bits, hand it back to your phone, your phone can't decrypt it, so it hands it to their server and then their server hands it back to you decrypted, and you take those 2 things, you glue them together and that gives you a session key, and then you just use AES and that session key and now you can talk to the lock.

Now what's interesting here is you'll notice this is all symmetric encryption. Which means the web server and the lock must have the same key. So how did they get that key onto the lock? One option is it's burnt in at their factory and there's absolutely no way to pull it out. Another option would be maybe it's flashed in with the firmware. So let's request firmware as a guest. So as a guest user I request access to, I request a copy of the firmware, and to make it interesting I'll request firmware that doesn't exist, and I get a response that looks like this. And at the bottom of that request, just a normal 404 for a piece of firmware that doesn't exist, I see the serial number of my lock and then a bunch of garbage. That garbage looks awful suspicious. Why is there garbage in HTML? So if we open that up in a hex editor and we just start walking through this and trying random series of bits and just skip the obviously wrong ones like the all zero sections, we'll come across the highlighted one, and that decrypts the packets that were sent to the web server. So now we know that must be the key that's being used. This key I'll call the firmware key. I think August internally calls it the online key, but I think firmware key's more accurate in this case. Um, so this key appears to be unique for every lock, but with this key we're actually able to emulate the web server. Now the way August works is there's actually 256 key slots in each of these locks, uh, key slot zero is this key, the firmware key.

Now if we go back to their claims, they said it's safer than codes that can be copied and it's unlike physical keys that can be duplicated or distributed without your knowledge. Well, I didn't have any problems copying and pasting it. [laughter] So duplication seems to work. [laughter] [applause] I also didn't have any problems distributing it because you all have it now. [laughter] So this silver lock, if anyone tries to sell this to you on eBay, it is worth nothing.

But it actually goes further. If we stick those log files we got earlier... I need to stop touching this HDMI cable. If we take those log files we got earlier and we just run grep on them, um, looking for some interesting stuff, we can pull a lot outta there. We can actually pull all the offline keys, we can pull the usernames, passwords, um, the firmware key, the JWT tokens that're used to talk to the web server, so basically all the secrets. So that log file not only contains all the Bluetooth traffic, but it also contains everything you need to talk to the web server. Now I think most of these are fixed at this point, um, but you'll probably still be able to pull offline keys from those logs. So now the list looks a little bit more like this, not so hot.

So the moral of the story here is, with a smart lock, don't give access to someone you wouldn't give a key to, because in spite of what the vendor claims, it behaves much more like a traditional pin and tumbler system, where when you hand someone a key they can do anything with that lock, than it behaves like an email you sent through Gmail or something like that. Um, it behaves like a physical key. If you give someone guest access to one of these locks, assume they can get permanent access. So all the code after, um, this talk will be published on GitHub. There's the address, um, I'll tweet it out after this as well.

So I think we're doing good on time actually, much faster live. Um, so I'm going to do, um, a couple demos here. So obviously I have 2 locks here, there's a bunch of wires coming out of them so you probably won't trust anything I do with them. Um, so we're going to be using a new lock that's never been associated with an account, but before I switch them out, I wanna show you something. So if we look at this silver lock here and we just go to settings, and we go down to the bottom, I dunno if everyone can see the version of software that lock happens to be running. [inaudible voices] It's safe to say this is not factory firmware, which means that the code being pushed to these locks is unsigned. So the lock itself could be running any code because it doesn't have any signature checking, um, to make sure that the code came from August. But now let's, uh, I'm gonna switch that lock out and, uh, we're gonna do a demo. [background noise] I'm just gonna unpower this one so that I don't pick it up in the demo. [shuffling]

So this is a brand new lock that's never been associated with any user's account and hopefully it's not DOA. Pull off the battery tab. [shuffling] There we go. [shuffling] Okay. So we have a new lock on our door now [click] fresh from the factory and right outta the box [clicking] in its perfectly secure state. [click] [laughter] [clicking] Okay, let's add this to our account. So we're just gonna go in here and set up a new lock. If you have the August application, don't try to beat me to this. [heavy breathing] There we go. We'll name it Front Door since that's the name of this talk, and we'll put in our DEF CON house and we'll go ahead and configure it. So to calibrate the lock we just put it on our door, lock it, unlock it, it sets up the lock. 'Kay, now we have a lock on our door and it opens and closes as you can see. Let's make sure it still connects here, there we go. So there's our lock, um, let's invite a guest user to this lock. So I'm just gonna invite myself, another account, um, and we can see on the front door the access level is none, let's just change that. We're just going to change that to guest and it just reminds us that guests can't use the auto unlock, they can't invite other guests, they can't control lock settings, um, a bunch of stuff we know probably isn't true. We'll just update that. 'Kay, so now we have a guest user, and you know what, let's go back and let's make sure we have notifications turned on, and we do. Great, so we should be notified then every time, uh, this user attempts to use this lock.

Okay, let me just shut down the flashing lights demo here, there we go, and we're just going to run backdoor.js. Can't see? Okay. Let me, um, font size this. Um, does anyone know where the font size is? Thank you. The obvious answer is the answer. Okay, so Atwood's Law is in play here. Anything that can be written in JavaScript will eventually be written in JavaScript, so I figure if we're going to attack hardware we might as well write the exploits in JavaScript. Um, so we can see the results here. It connected to the lock, added a backdoor, and then disconnected from the lock. Um, and if we go back to the other screen, we still haven't been notified that anything has happened. So we know we're connected to the lock, let's... We know we backdoored the lock, let's see if we can just cycle the lock. So I'm just gonna try to open and close the lock as that guest user. Thank you. So we're connected to the lock and it should... There we go. Start opening and closing. So we just made, from a guest user, we added a backdoor to the lock and now we're using that backdoor to open and close that lock. And if we go back and we look at the owner's phone, they still haven't been notified we used that lock.
But what happens when we revoke access from that guest? So I go to the guest and I'll just delete him altogether. I don't want him accessing any of my locks, he's gone. And we cycle the lock again, it should still work. For those in the back of the room, if you can see the lights on the lock, uh, they'll tell you when it's opening and closing. Green is open, red is closed. So there we go, the lock is opening and closing. [applause] And that'll actually just keep going on forever. Um, we'll just disconnect from that.

Still plenty of time, so let's just try the high risk demo here. What I'm going to do is I'm actually just going to factory reset this lock. So if I go back to the iPhone here, there's our lock. We'll issue a factory reset. So now that lock has been reset to factory state, and if we go back to our demo, let's do something else maybe. Let's go back to the lights. It should still connect up and still work. There we go. We established a connection and now it's sending, um, the light up and the screen is... There we go, that'll make it better. [applause] But there's still the possibility that maybe August clears the keys when you add it back to your account. So let's just add it back to a user's account. [inaudible sound] Start setup, scan for locks. This part takes a while apparently. There we go, Front Door. We'll actually add it to a different house. We'll just skip the calibration this time, not too interested. Okay, so there's our lock again and it still works. Um, but if we... Let me close outta this, disconnect from it, okay. If we go back to our guest user who was once a guest to this lock. The lock's been factory reset and it's been added to a new house, and we'll see if it still works using the backdoor we previously inserted. And again, what should happen here is it'll scan for the lock, it's gonna find the lock, connect to the lock, and then it's going to open and close it indefinitely. [applause]

So the interesting thing here is, if you bought one of these locks used off of eBay and you put it on your front door, the previous owner had access to it. The previous owner had the ability to insert an offline key, and the previous owner now knows where you live. So again it behaves much like a physical lock. Just like buying a used pin and tumbler lock means that you have a key that someone else could have a copy of, buying a used August lock means you have a lock that someone else could have the key for.

So there's a bunch of mistakes made, obviously, um, in the August application. Um, it logs sensitive data, it doesn't differentiate between guests and owners at the lock. It does that all remotely and at the application level. The firmware's not signed. There's no apparent way for a user to discover if their lock has been backdoored. Um, but you actually don't even need to backdoor the lock because that firmware key is so central to the lock's, uh, operations. Um, the system relies on guests reporting when they open and close the lock, and the vendor makes claims that they have 2-factor authentication when really they only have 2-step authentication. There's a couple things that they fixed, and, um, the final one, this one's really entertaining, is all the key material for the lock is not actually stored on the Apple keychain, so it's all just in a preference file. Um, so if you just look at your iOS backups you can just pull keys for these things if you want.

Um, but they've done a couple things correctly. For the most part they've been fairly responsive. Um, their application does use certificate pinning, which is pretty good. Um, and their protocol makes use of nonces, and this is important because they use CBC mode for their encryption, and if you know, um, cryptography and AES, you'll know that, um, with CBC, if you're using an all-zero IV like they are, you can't repeat messages, that can disclose what someone's doing. So the use of nonces, eh, is important. Additionally, they don't just rely on the Bluetooth Low Energy security mechanisms, uh, they built in their own.

So this brings me to my real point, which is why we need hackers, why we need security researchers. Because the security claims that vendors are making can't be validated by consumers. Consumers lack the expertise necessary to determine if these claims are valid, so they have to take the manufacturer's word for it. And what can be asserted without proof can also be dismissed without proof. And if a vendor isn't providing evidence of the claims of the security of their device, then we should assume that there is no security in that device. So that's, eh, got through that pretty quick, so, uh, I will actually take questions. Um, there's a microphone in the front if anyone has any. [cough] [applause]

>>That was really amazing, thank you. [inaudible sound] Uh, I do have one burning question.
>>Yes?
>>How did you get the password that allowed you to, uh, get into the debug mode of, uh, the application?
>>Sure, um. So there's a couple ways you could do it. You could look at the iOS application and try to get the IPA off the phone. Um, initially I tried doing that, and reversing iOS apps is a little difficult, so I just downloaded the Android app and then it's obvious. [laughs] [crowd laughter] [applause]
>>Uh, hi, uh, my name's David Rogers, I'm from the IoT Security Foundation. Uh, so fantastic work, and we've seen this all over the place. In particular in consumer products that are going out, and since this is an open invitation really to yourself and to everyone in this room, and we've reached out to people to come and help us because this stuff is absolutely shocking. You know, we've been through this in the mobile industry, uh, we've fixed it time and again, uh, as you mentioned, all the stuff for the iOS apps. You know, some of these consumer products companies have never, uh, done anything like this before. Or they're creating minimal viable products and selling this stuff for crazy prices. So, uh, let's just kind of stop it now and, uh, come and help us. IoT Security Foundation.
>>Thank you. [applause]
>>How much were these and can I get some?
[laughter]
>>Uh, bef...
>>'Cause I wanna play with them.
>>Uh, the smart locks?
>>Yes.
>>Um, you can pick them up on eBay for maybe 150 [laughter], the original version. [laughter]
>>Outstanding.
>>Um, if you want their latest revision, which most of this stuff still works on, um, you can get those for about 200, 220, eh, now, and obviously, again, look at eBay; if you're researching security a lock doesn't really matter, so buy it off of eBay. [laughs]
>>Yeah, um, the other question was, did they fix anything in the app, or do you know, if I go buy or download the app right now, did they fix anything in it, or can you provide the unpatched version so we can play with it?
>>Um, if you just download the iOS app today you can still unlock that debug menu, and so the question was whether it was patched or not. So one of the key things here is the firmware side of it, right? Because we're interacting with the lock directly from the computer here. Um, so one of the important things, since on the debug menu there, let me show you it.
>>Oh, and thank you.
>>Is this disable over the air updates. Um, this is, uh, a really good feature if you wanna look at these, and I recommend if you buy one, get it with factory firmware and check that box immediately. Um, you can also check it by modifying your iOS backups. Um, but the reason you wanna check that is there's a UART on the device and the factory firmware logs to UART and every revision thereafter doesn't. Um, so keeping it at the stock firmware will give you a way in. Additionally I'll be publishing, um, all the code for this, um, so that you can, uh, work with that as a base, and that'll get you connected to the lock. It'll take care of these security mechanisms and it should let you, uh, do some of the basic stuff yourself. Um, you can also use that to write an application that doesn't have the logging of when you open and close your lock, if you care about your privacy.
>>Hi. Uh, I dunno if I missed it, but was your future access to it because you wrested that key zero, that firmware key, from the lock, and you said that was per lock, and have you seen an ability to change...
>>So...
>>that easier at all?
>>I have the ability to change it. I don't recommend people change it because it's high risk. You can break a device by changing that key; if you change it to something, and you change it, um, to a value you forget, or you mess up while you're changing it and it ends up in some intermediate state, you end up in a world of hurt, because that firmware key is the only one that can enroll new keys. Um, so it's a fairly high risk key to change, so the code I'll be publishing has a safety check in it. Um, so by default it's not gonna let you do that, but it also has the ability to bypass that safety check so you can replace it. If you do replace that key, their application will stop working on your device. Um, for what was involved in, um, the backdoor I was showing, what's actually happening is I'm inserting this key, the one up on the screen which no one can read, um, into key slot 200. And the reason I'm putting it into key slot 200 is because the mobile application starts putting offline keys at key slot 1, and if you get their keypad device it starts putting offline keys at key slot 255, so any number in the middle is going to survive for quite some time. So this is actually using a different mechanism to maintain access, so even if they rotate firmware keys on reset, unless they clear all offline keys, uh, this would still work.
>>Thank you.
>>I have 2 questions. So the first one, you showed that you had a modified firmware loaded on the thing. Did you do anything with that or was it just to show that they weren't signing it?
>>Um, so in that one the only modification is actually the changing of the version number, um, because the goal was just to show that you can put custom firmware on it. Um, I didn't write a custom firmware or do anything interesting, uh, but obviously you could.
>>Right. Uh, so the other question is, as far as I could tell from following your kind of narrative of the whole thing, if I were just walking around with LightBlue and I saw an August smart lock, none of the phones that you had would be able to open it. I would've had to already either bought it from somebody else and all that stuff, or given it to somebody else, or I'd have to already have guest access and then upgrade.
>>Right. So everything I've shown here will get you from guest, um, to permanent access or near permanent access. The only one that didn't require any authorization was notification of when the lock is unlocked or locked, but in that scenario you do need to know the owner's phone number or their email address. Um, and if you see the lock on their door, uh, it broadcasts the ID; in the, um, LightBlue application you can pull the lock ID, um, off of it, and that's how it's identified in the system, and that remains the same no matter how many times it's reset.
>>Cool. Thank you. [coughing]
>>So that's my talk, um, the final thing I'll give you is, if you wanna play with the locks at all, Best Buy's a great place. Most of the locks at Best Buy aren't actually paired with an account. If you walk in they have an August demo booth. Just fire up the August application and associate with your account and it'll give you, um, something you can play with on their APIs.
>>One last question. Was there any indication that maybe the AES key was actually derived from the serial number?
>>I don't have any evidence of that. Um, I don't know how it's generated. I'm assuming it's random and it's probably using the same mechanism they used to generate offline keys. Um, I also don't think it's generated from the serial number, because you used to be able to enroll non-existent locks in their APIs, um, and for those ones it wouldn't hand you a key back, so there's probably a database somewhere, uh, that has a table joining the lock ID and then the, um, the offline key, that's the... the firmware key. Ready? Um, if you wanna play with this, the IoT Village has a lock, um, a smart lock there. Uh, I'll be publishing on this immediately hereafter and providing a leak, a link, on Twitter, um, so you can take it over there and, uh, mess with their lock. [applause]