amazon ULTRALOQ reviews
Researchers warning that the keyless unlocking of the Ultraloq smart door lock by U-tec could allow an attacker to track where the lock is being used and easily unlock it – both locking numbers and physical locks .
According to ThreatPost, Ultraloq is a fingerprint door lock with Bluetooth connectivity and a touch screen that sells for about $ 200. It allows users to use fingerprints or PINs to open doors to the building. Ultraloq also has an application that can be used on the spot or remotely.
Pen Test Partners, with help from researchers with accounts of @evstykas and @cybergibbon, took a closer look and discovered that Ultraloq has been break. First, the researchers found that the application programming interface (API) used by the mobile application leaked personal data from the user account, resulting in the location of the Ultraloq device being identified used.
Researchers have taken a step further and said that physical hacking is small and easy.
According to a report published in late June, U-tec fixed the API problem. However, the unlocked manufacturer does not solve the Bluetooth Low Energy problem (BLE), which allows an attacker to easily crack with a brute force attack. The penetration of multiple layers of security associated with the Ultraloq begins by unlocking the BLE security key.
The BLE key is built and operated in two parts: One part is the token that captures the keyword. The second is static salt protection of authentic data information. These parts (tokens and static salts) are put together to create a 16 octet byte array, the right size for the AES key, the researchers said. Static salt can be taken from the application and equivalent to the chain.
Next, the token is obtained by querying BLE properties with a unique global identifier (UUID). Because the key code is a 6-digit integer, this allows a brute force attack via the BLE interface.
Another weakness of Ultraloq according to researchers is the lack of API validation.
“APIs do not have any authentication,” the researchers wrote. “The data is disturbed by base64 twice but decrypting it shows that the server side has no authentication or authorization logic. This leads the attacker to retrieve the data and impersonate all users.”
This can lead to crooks who can interfere with all Ultraloq keys that are connected to the cloud service. “The easiest way to break in is to block the login process and change the user ID of the logged-in user. After that, the application will act as a user with the user ID we provided, login and have full control of all courses, according to researchers.
And yet, the researchers also said that the physical lock can be easily opened with only a thin sticks due to an unsafe physical locking mechanism. They tested and found an amateur can open them quickly and easily.
U-tec was informed of the loopholes in April 2019 and quickly responded to the request for clarification. On May 1, U-tec fixed the API flaw and on May 28 asked researchers for another month to fix the BLE problem before revealing.
where can you get a ULTRALOQ online
Ultraloq UL3 BT Bluetooth Enabled Fingerprint and Touchscreen Smart Lock (Satin Nickel) | 5-in-1 Keyless Entry | Secure Finger ID | Anti-peep Code | Works with iOS and Android | Match Home Aesthetics: Buy it now
Ultraloq UL3 Fingerprint and Touchscreen Keyless Smart Lever Door Lock (Satin Nickel): Buy it now
Ultraloq UL3 BT Bluetooth Fingerprint and Touchscreen Keyless Smart Door Lock, Satin Nickel: Buy it now
3 Pack Ultraloq UL3 BT Bluetooth Enabled Fingerprint and Touchscreen Keyless Smart Door Lock(Satin Nickel): Buy it now