The penetration testing company Pen Test Partners (PTP) has found security vulnerabilities in the Ultraloq smart lock from U-tec. David Lodge, one of PTP’s consultants, was able to access personal data from the user’s account as well as the house location and lock location. The smart lock, which can be accessed through fingerprint, passcode or key, is easy to hack: Lodge was able to reset the lock’s PIN remotely, which gave him complete control. The physical lock, Lodge continued in his report on the Ultraloq, is also easy to pick, only requiring a thin pick.
“The Ultraloq has a back-up key lock in the base of the device – in case the electronic side fails. And that lock is not a good one – an amateur can reliably open them quickly and easily, both with single pin picking and raking. It’s certainly not up to the standards we would expect to see on an external door.”
Lodge has been working with U-tec since April of 2019, helping them fix an API flaw. However, the company has yet to fix the BLE encryption key, which is easily obtainable. The lock’s storage is unencrypted and can be accessed using only a Raspberry Pi and a SOIC-8 clip, according to Lodge. Guillermo Montalvo, a member of the Product Marketing team at U-tec, told Security Baron that a brute force attack would be nearly impossible for the following reasons:
- The lock itself processes PIN tests 10 times a second.
- It would take 30 hours to guess a six-digit PIN.
- It would take 3,000 hours to guess an eight-digit PIN, and the battery of the Ultraloq would run out before this was possible.
One in Four U.S. Households Will Purchase Smart Lock, Survey Says
A quarter of all broadband households in the U.S. reported that they’re planning on purchasing a smart lock within the next year, according to a survey from marketing company Parks Associates. While the original owners of smart locks were of higher-income households, the new wave of owners will have moderate incomes and smaller houses. Currently, large companies like Schlage, Yale and Kwikset dominate the smart lock market, but Denise Ernst, Parks Associates’ Vice President, believes that newer companies can succeed by pointing out weaknesses in popular smart locks. However, given the Ultraloq’s alleged security issues, it’s unclear how it will fare in this competitive marketplace.