Researchers at Pen Test Partners have discovered a number of security vulnerabilities with Nokelock products. Nokelock is a smart padlock maker that sells smart padlocks under the Nokelock brand, and third-party brand names. The security vulnerabilities expose lock users in about every way a smart lock user would not want to be exposed. Researchers were able to:
- unlocking locks via Bluetooth within a range of 10 meters
- pull users' email addresses and passwords
- pull GPO coordinates of locks
- deregister and reassign accounts associated with locks
Many of the vulnerabilities stem from API weaknesses. For instance, the encryption used (AES) in conjunction with the Bluetooth features (BLE) requires an encryption key for entry. By setting up a new user and temporary email address, researchers easily discovered the encryption key. The getDeviceInfo method was used to retrieve the encryption key, GPS information, email address, and password.
Additionally, the user passwords were held in a secondary location that used MD5 technology for storage. This technology is outdated and not used as a best practice. Pen Test Partners brought the many vulnerabilities to Nokelock's attention prior to publishing its full report. However, after no response, the researchers published the report along with suggestions for how Nokelock users can protect themselves.