Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Unlocking Smart Locks with Web Vulnerabilities (Critical Security)

  • WE.LOCK is a smart home access solution provider that manufactures and sells smart locks. WE.LOCK smart locks can be unlocked using a fingerprint, access codes, RFID tags, a smartphone app via Bluetooth (BLE) or the physical key supplied with a lock.
  • The smartphone app went CRAZY on the obfuscation. However, obfuscation is security by obscurity and will always lose to a determined attacker. The mobile app is packed with Jiagu and its dex files are encrypted. Additionally, the web traffic itself is encrypted using Triple DES.
  • Some mistakes were made though: there is no protection against dynamic instrumentation. Hence, the Triple DES key (which is hardcoded) can be easily stolen using something like Frida. Frida could likely be scripted to dump the decrypted dex files out of memory as well. Additionally, the app uses HTTP instead of HTTPS for communication.
  • The communication (although some of the content is encrypted) does not do any sort of authentication! The only parameter that determines a user is a phone number. Yikes! This means that if you know somebody's phone number, you can essentially become the user of the API.
  • The API returns a password that will unlock the device when paired via BLE. Because we can become any user by simply knowing their phone number, we can steal the password and open the lock. Pwned!
  • This is a classic case of misused security controls. Encryption means nothing if you use a static key; the important thing was to limit who can access what by having something like an access key for the device.