Insecure Authorization Scheme for API Requests in DBD+ Mobile Companion Application for Megafeis Smart Locks

CVE-2022-45636

    Affected Products

  • DBD+ Mobile Companion Application for IOS & Android - IOS: Version 1.4.3, Android: 1.4.4 WithSecure leveraged this issue in a chain of vulnerabilities on Megafeis branded locks with the following model numbers: FB50S Smart Padlock, GS60FB Smart Outdoor Lock, GS40S Smart Padlock, GQ10FB Smart Bike Lock.
  • Severity

  • High
  • Type

  • Insecure Authorization Scheme
  • Credit

  • This issue was discovered by Abdullah Ansari
  • CVE Reference

  • CVE-2022-45636
Timeline
2022-08-05WithSecure makes first attempt to notify the vendor.
2022-08-23After no response from the vendor, WithSecure makes a subsequent attempt to notify the vendor.
2022-11-16After months without response from the vendor, WithSecure notifies MITRE to Request a CVE ID.
2023-01-31MITRE assigns CVE ID.
2023-03-03WithSecure publishes this advisory.

Description

An authorization issue was discovered in the HTTP API used by the DBD+ mobile companion application, which is used to manage Megafeis branded smart locks. An authenticated user that is able to forge request signing keys can utilize this vulnerability to perform arbitrary API requests. This would grant them the ability to enumerate, transfer ownership of, and unlock any Megafeis smart lock within physical proximity using only the lock's MAC address, which it broadcasts over Bluetooth.

As of this advisory's publishing date, there has been no response from the manufacturer, nor is WithSecure aware of any remedial action taken.

Additional information on this issue, along with related issues discovered by the researcher, can be found in the following locations:

Technical Details

Detailed information on this issue's exploitation and discovery can be found at the associated publication, Megafeis-palm: Exploiting Vulnerabilities to Open Bluetooth SmartLocks.

The authorization scheme's weakness can be attributed to two main factors. The first factor is Megafeis' solitary use of a signing key to validate requests sent from the DBD+ application to the backend API server. The second factor is that although session tokens are being sent with each web request to the API, the session tokens do not appear to be used for checking if a user is authorized to make that request.

The signing key was included in a custom HTTP header called "SecSignDest". Version 1.4.2 of the DBD+ application exposed its generation process as being a concatenation of various fixed and dynamic values. They are listed in order below:

  • The string "OKLOK"
  • The request's timestamp
  • Truncated data from the request's body
  • The API endpoint to which the request is being sent

After the above information is combined into a single string, a MD5 hash value is generated of that string. The resulting hash value is then used as the "SecSignDest" HTTP header value.

Recreating this formula to forge request signing keys allowed users to send arbitrary authorized requests to the API. Since the server did not perform proper authorization checks, this allowed arbitrary actions to be performed on other users' accounts (i.e. lock ownership reassignment).

To better demonstrate the above, WithSecure modified the source code of the DBD+ application to also add two additional HTTP headers with each web request.

  • The first header, "AbdullahMKey" is the previously mentioned concated string
  • The second header, "FinalDigest", is a MD5 hash of the "AbdullahMKey" header value

Below is a sample API request sent from the modified application, showing the additional headers mentioned. Note that the "FinalDigest" and "SecSignDest" header values are the same:

Sample API request sent from the modified application, showing the additional headers mentioned. Note that the "FinalDigest" and "SecSignDest" header values are the same

WithSecure also put the "AbdullahMKey" header value through a MD5 hash tool, which outputed the same hash value as "FinalDigest" and "AbdullahMKey", as shown in the image below. This demonstrates that the application generated the "SecSignDest" value using the method discovered by the researcher.

WithSecure also put the "AbdullahMKey" header value through a MD5 hash tool, which outputed the same hash value as "FinalDigest" and "AbdullahMKey"

Proof of Concept

WithSecure created a proof of concept script that can be used to fully exploit this issue and take over any Megafeis-branded smart lock. The script requires the MAC address of the target smart lock as well as the attacker's DBD+ account username and password. The script was successfully tested on Megafeis smart lock models FB50S, GS60FB, GS40S, and GQ10FB

The script is available here: https://github.com/WithSecureLabs/megafeis-palm/blob/main/CVE-2022-45636/CVE-2022-45636_PoC.py