1 Introduction

Smart-locks (see Fig. 1) have been made possible by technological progress, and they offer greater protection for both homes and businesses. These locks allow doors to be opened or unlocked using various methods, such as a mobile device, remote control, NFC card, fingerprint, or numeric code. Not only can these locks provide different access options, but they can also be considered smart since they can store and retrieve an access log, and communicate and sync with calendars to manage access based on predetermined criteria. Furthermore, some of these locks even allow door access by entering a code upon touching the door.

Fig. 1
figure 1

Smart-locks

Full size image

However, as with any new technology, there are always potential risks and vulnerabilities that must be considered. Here we will discuss some of the cybersecurity risks associated with smart-locks, and how to mitigate them. One of the most common risks associated with smart-locks is that of hacking [1]. If a hacker is able to gain access to the lock’s security, for example, by capturing packets with the Wireshark tool [2] and a Bluetooth Sniffer, they could potentially unlock the door without the owner’s permission. To mitigate this risk, it is important to ensure that the lock is sufficiently secure and that only authorised users have access.

Another risk that needs to be considered is that of physical manipulation. Smart-locks are typically installed on the exterior of doors, making them more susceptible to tampering. If someone were to physically tamper with the lock, they could potentially bypass the security measures and gain access to the property. To mitigate this risk, it is important to choose a smart-lock that is tamper-resistant and has a robust physical security design.

Finally, it is also important to consider the risk of human error. While smart-locks are designed to be user-friendly, there is always the potential for user error. For example, if a user forgets to lock the door, or fails to properly secure the lock, this could lead to a security breach. To mitigate this risk, it is important to educate users on the proper use of smart-locks, and to ensure that they are aware of the importance of security.

1.1 Smart-locks

Smart-locks are a type of electronic lock that can use an encrypted keypad, Bluetooth device, smartphone, WiFi Bridge, or other methods to grant access to a locked door. They offer a number of advantages over traditional mechanical locks, including the ability to add or remove users without re-keying the lock, and the ability to receive notifications when someone accesses the locked door. There are different smart-locks, but in this work, we have concentrated on locks that do not require any modification to the door mechanism. It is not necessary to disassemble the original lock because it is adhered to the door by a very strong 3M adhesive or screws (see Fig. 2).

Fig. 2
figure 2

Smart-locks physical mechanism

Full size image

Its installation is very simple. It adapts to the cylinder that the user has in the door and one of the keys is used inserted in the smart-lock to open the door, the key could also be used to open if the door has a double clutch cylinder, while the lock is installed, for its correct operation. It is glued directly over the one that is currently available.

In particular, smart-locks that have been analyzed physically in this work are the following:

1.1.1 Nuki smart-lock

The Nuki smart-lock [3] has been gaining considerable popularity in recent years. Nuki stands out for its security and easy installation. The Nuki lock is a motorized lock whose motor turns the key automatically.

The Nuki lock was the first smart-lock in Europe that opens doors with the help of a smartphone. In addition, it is the first most flexible lock, i.e. it can be installed on almost all existing European locks.

Nuki is supported by a physical button, as well as an app control, a keypad or a remote control, and has other features that allow it to be defined as smart. It is compatible with both horizontal and vertical locks and is designed to be strong enough to work with multi-point locks. It also doesn’t matter how many turns the lock has. Nuki is designed to work with all models. Nuki has a remote, a keypad, a WiFi bridge (available separately), or the smartphone app that can be linked to the Nuki smart-lock to allow you to open your door (see Fig. 3).

Fig. 3
figure 3

Nuki smart-lock connection scheme

Full size image

It has other functions such as assigning secure access permissions via the application and digital key sharing. These functions are practical for occasions when you want to give someone access to your home without granting them permanent access. For example, you can give permission for the cleaner to access your home between 08:00 and 12:00 every Wednesday for example.

You can also control who has entered and who has left through the Activity Log. This log shows which family members have access to the house, as well as any other activity that has taken place at the door. It lists how the door has been opened, by whom, and by what method, whether manual, sensor or button, etc. Nuki has an API connection with tourist platforms like Airbnb or Booking. In this way, it generates a temporary code that can be issued to users to prevent keys from being lost or copied. This lock allows several users to register at the same time, sending them an invitation code, which can be withdrawn as soon as desired. The reason to choose this smart-lock was that this device is one of the most famous in the European market.

1.1.2 Sherlock S2 smart-lock

Xiaomi’s Sherlock S2 [4] was one of the best-selling and best-rated locks on the market. Probably because it was one of the cheaper and easier to install. This is the second lock to be analyzed in this work. The Sherlock lock has multiple ways of unlocking. Using the original key, a SmartKey (a remote control that is configured from the mobile app to operate the lock), fingerprint unlocking (sliding the finger on the side of the lock) and, finally, using the Sherlock mobile app. The reason for choosing this smart-lock was the lack of security information from the manufacturer. Note that nowadays, this smart-lock and the associated Android app are not being maintained by its manufacturer.

2 State of art

In the state of the art of this work, we analyze papers related to smart-lock security, from Bluetooth security, mobile application security, secure smart-lock design, as well as general Bluetooth security issues. For example, authors in [5] present an approach for deobfuscating Android APKs based on probabilistic learning of large code bases. The experimental results indicate that DeGuard is practically effective: it recovers 79.1% of the program element names obfuscated with ProGuard, it predicts third-party libraries with an accuracy of 91.3%, and it reveals string decoders and classes that handle sensitive data in Android malware.

Paper in [6] demonstrates several practical attacks based on the threat models toward August smart-lock including handshake key leakage, owner account leakage, personal information leakage, and denial-of-service (DoS) attacks. Authors in paper [7] propose several defenses that mitigate different attacks. One of these defenses is a novel approach to securely and usefully communicate a user’s intended actions to smart-locks, which was prototyped and evaluated.

Authors in [8] analyzed a realistic smart-lock solution and identified the main requirements that access control systems for IoT should satisfy. In their approach, an initial blueprint for developing access control mechanisms for edge-cloud-enabled IoT was incrementally extended to incorporate new access control capabilities. Paper [9] evaluates the security of the Verisure smart-lock system by identifying and attempting to exploit potential vulnerabilities using threat modeling and penetration testing. It concludes that the system under consideration is relatively secure. Authors of [10] cover a security assessment of a smart-lock, focusing on the firmware of the embedded devices as the main assets. Based on the identified threats, penetration tests are conducted to demonstrate the security of the firmware. The results show that the firmware could not be obtained and that the product constitutes a good example within consumer IoT for how to manage the firmware of embedded devices. Paper [11] presents an efficient access control scheme for smart-lock based on asynchronous communications. The proposed scheme avoids the break-in. They also present a lightweight and efficient tree-based access control solution. The experiment results prove that our scheme provides higher security and it requires low calculation load and storage resources, ensuring it can be implemented in IoT devices.

A smart door lock that can be completely monitored and controlled from a remote location using an Android application on a smartphone is proposed in paper [12]. Paper [13] outlines various features that are currently available in smart locks. Considering the different versions discussed, it presents a comprehensive understanding of how the smart-lock system enhances the security of the home or workplace by providing hassle-free access from anywhere.

Artificial intelligence and Internet of Things (AIoT) technologies were used to develop an integrated system for remote room authentication and power management. Through hardware and software integration, the study in [14] created the AIoT smart-lock, promoted the use of IoT devices in relevant industries, and enhanced the competitiveness of product research and development. Paper [15] conducts a case study on three different Bluetooth smart devices. They show how these devices can be attacked and abused to not work properly. They also present a vulnerability that is due to the behavior of BLE smart devices and the Just Works pairing mode. This vulnerability can be exploited to generate an attack that affects BLE availability. The authors propose a solution to mitigate the attack. Paper [16] analyzes the security of the BLE link layer, focusing on the scenario in which two previously-connected devices reconnect. Authors developed BLE Spoofing Attacks (BLESA). These attacks enable an attacker to impersonate a BLE device and to provide spoofed data to another previously paired device.

The study [17] aims to assess the security of a smart-lock unit. They first present a background including threat modeling and previously found vulnerabilities. Then a methodology section for different attacks performed as well as the results from doing them. Finally, a discussion where they assess the security implications of the results. The conclusion to be drawn from the results is that the smart lock has weaknesses in its design. Specifically, its file system encryption, resistance to disruption attacks, and consistency of access granted to guests. Authors in [18] present a methodology to carry out ‘wireless spiking’ attacks on smart-lock devices that would allow an unauthenticated adversary to open a lock, without direct physical tampering, through the manipulation of its electrical control circuitry using IEMI. They demonstrate the proposed methodology–reverse engineering, identification of attack points, development of an attack vector, and design and transmission of attack signals–on a commercially popular smart-lock.

The next section presents the attack models that we have performed to achieve the objective of this work. We try to verify the security level of current smart locks and show that such security is sometimes not sufficient.

3 Attack models and use cases

Smart-locks can work in different ways. These locks can use different types of authentication mechanisms such as biometric sensors, key fobs, mobile apps, or PIN codes to verify the identity of the user. However, like any other digital device, smart-locks are vulnerable to cyber-attacks. This paper is centered on the cyber-security of the smart-locks with an Android app, on a smartphone or tablet.

This section presents, firstly, the attack models that can be performed on smart locks and, secondly, the selected attacks performed to check the cybersecurity of some smart locks with different characteristics. Here are some attack vectors for smart locks:

Brute Force Attack In this attack, an attacker tries every possible combination of PIN codes or passwords to gain access in case the smart-lock has a keyboard. If the user has chosen a weak or easily guessable PIN code, the attacker may be able to unlock the smart-lock by trying all the possible combinations.

Bluetooth Hacking Smart-locks that use Bluetooth technology to communicate with the user’s smartphone can be vulnerable to Bluetooth hacking. An attacker may intercept the Bluetooth signal and gain access to the smart-lock without the user’s permission.

Physical Tampering Smart-locks that use biometric sensors, such as fingerprint or facial recognition, may be vulnerable to physical tampering. An attacker can create a fake fingerprint or face to fool the biometric sensor and gain access to the smart-lock.

Man-in-the-Middle (MITM) Attack In this attack, an attacker intercepts the communication between the user’s smartphone and the smart-lock. The attacker can then modify the communication to gain access to the smart-lock without the user’s permission.

Malware Attack Smart-locks that use mobile apps for authentication can be vulnerable to malware attacks. An attacker may infect the user’s smartphone with malware that can steal the user’s login credentials and use them to unlock the smart-lock.

Denial of Service (DoS) Attack In this attack, an attacker floods the smart-lock with a large number of authentication requests, making it unresponsive. This attack can render the smart-lock useless and prevent the user from gaining access to the locked area.

It’s essential to use strong authentication mechanisms and keep the smart-lock updated with the latest security patches to prevent these attacks.

After an analysis of the possible attacks that can be performed on smart-locks, in this work we have chosen to perform two different types of analysis. First, an Android app reversing allows us to check the possibility of performing brute force attacks or malware attacks, and can provide information to perform Bluetooth hacking or man-in-the-middle attack. Second, a Bluetooth replication attack can allow us to perform Bluetooth hacking and man-in-the-middle attacks. Physical tampering and denial of service are outside the scope of this work because these types of attacks do not allow access to the protected space.

3.1 Android app reversing

Reversing an Android app can reveal the underlying code and logic used in the app, including its functionality, user interface, and communication with servers or other devices. In the context of a smart-lock app, reversing can provide valuable information about how the app interacts with the smart-lock and its associated services. The first aspects that can be discovered by reversing an Android app are knowing if the app code is obfuscated as well as finding the IP paths that the app connects to.

Here are some more things that can be discovered by reversing an Android app for a smart-lock:

Communication Protocol This information can help identify potential vulnerabilities in the communication protocol or URLs to connect and provide insight into how an attacker could exploit these vulnerabilities.

Encryption Smart-lock apps must use encryption to secure the communication between the app and the smart-lock but not always do it. Reversing the app can reveal the encryption algorithm used and the keys used for encryption and decryption.

User Authentication Smart-lock apps typically require users to authenticate themselves before accessing the lock. Reversing the app can reveal how the app handles user authentication, including the storage and handling of user credentials.

Authorization The access controls used by the app to restrict access to the smart-lock can be revealed. This information can help identify potential vulnerabilities in the authorization process and provide insight into how an attacker could bypass these controls. Even it is possible to find Authorization tokens to the cloud database embedded in the app.

Device Security Smart-lock apps often include features that enhance the security of the lock, such as locking the app with a PIN or fingerprint. Reversing the app can reveal how these security features are implemented and whether they can be easily bypassed.

User Privacy Reversing the app can also reveal how the app handles user privacy, including the collection and storage of user data. This information can help identify potential privacy risks and provide insight into how user data is used by the app and its associated services.

It’s important to note that reversing an Android app can be a complex and time-consuming process, and it may require specialized tools and expertise. It’s also important to follow ethical hacking practices and not use the information obtained through reversing for malicious purposes.

In order to reverse an Android app, there are some steps that must be done. Firstly, the attacker has to obtain the APK file. It can be obtained from the smartphone by using different apps or downloaded directly from the internet using sites such as APKPure, APKMirror, APKDonwloader, or much more [19]. Once obtained the APK, there are some tools that can help to obtain the code:

ApkTool [20] This tool helps to decompile the application (Fig. 4) to get the SMALI code. Smali, also called baksmali, is a tool that was created to decompile Android executables into a language that could be readable. This way, you can decompile an application, modify it and recompile it to run on Android. The Smali code is reminiscent of assembly language code, but in this case, you see the Java and Android class names and method names. Its syntax is based on the Jasmin and Dedexer languages. In order to decompile the APK file, the next sentence must be executed.

$$\begin{aligned}{} & {} \textit{java -jar apktool.jar d [victim path.apk]} \\{} & {} -\textit{o [path from directory name to create]} \end{aligned}$$
Fig. 4
figure 4

Android App reversing - Obtaining SMALI code

Full size image

Jadx-Gui [21] This tool is used to be able to understand the code, in this case, this tool allows you to execute in graphical form, as well as at command level to obtain the Java code (Fig. 5).

Fig. 5
figure 5

Android App reversing - Jadx-Gui to obtain Java code

Full size image

Jad-Gui can also help in case the code of the app is obfuscated. It is even possible to modify the SMALI code and recompile the application with a modified behavior, but in this work, we will not perform this part.

Most of these applications are obfuscated. Jadx-Gui allows to de-obfuscated code with limited results. In many of these applications, relevant URLs were easily found. All these applications are complex with more than 20 or 30 permissions required to work. File AndroidManifest.xml shows relevant information such as the Landing Page or the activities. All the applications except the Sherlock lock uses AES encryption to communicate with the smart-lock.

Next Table 1 shows the main Android apps for smart-locks and some information from their code. After downloading and performing a reversing of the apps, some relevant information has been found.

Table 1 Android apps for smart-locks and information after decompiling the apps
Full size table

3.2 Bluetooth replication attack for two smart-locks

The process of locking and unlocking the lock is very simple. The user must enter the app with the username used to register previously. Then the app will take him to the main menu of the application, where if there is already a lock associated, it will appear with the options to unlock, sliding the finger to the right, or lock, by sliding the finger to the left. Another way to unlock the smart-lock is by using a key fob or a keyboard with its corresponding PIN.

In order to study the Bluetooth security of the smart-lock, we will check how the sending of information between the application and the lock works. This attack has been performed for two different locks with different levels of cyber-security.

The objective of this process is to be able to capture the traffic when the lock connects with the smartphone and sends it the key to unlocking the door, and then try to replicate that traffic. For this purpose, we use a tool to make the connection between our computer, the application, and the lock. In this project, we use the Adafruit bluefruit LE sniffer, which allows us to capture and analyze the packets in transit between the devices. To analyze the traffic captured in the Wireshark application, we first need to link the information received by the sniffer. The nRF Sniffer for Bluetooth LE program is used for it. This tool allows us to see in real-time all the devices that are being captured by the sniffer in order to capture the data to later filter that content in Wireshark and check the information in detail. Thanks to this tool we can see all the available nearby Bluetooth devices with their respective MAC addresses. Furthermore, there is a guide to all the useful commands we can use with this tool.

Adafruit bluefruit LE Sniffer Adafruit bluefruit LE Sniffer [22] is programmed with a firmware image that makes it an easy-to-use firmware image that makes it an easy-to-use Bluetooth Low Energy (BLE) sniffer.

Bluetooth antenna CBT40NANO The CBT40NANO Bluetooth Nanoadapter [14] is used to establish a wireless connection with other Bluetooth devices. In this project, it is used to create a connection through a virtual machine, running the Linux operating system, to the lock. In this way, the traffic required to unlock the lock can be replicated.

Wireshark Wireshark is the most widely known and used packet analyzer in the world and is the program used in this project to analyze the packets sent between the mobile device and the lock. Thanks to this program, you can capture and analyze in detail all network traffic entering and leaving your PC. This free program allows you to perform an in-depth inspection of hundreds of protocols, as it supports the physical layer, link layer, network layer, transport layer, and application layer protocols.

Gatttool Gatttool [23] is a tool that allows obtaining information or manipulating attributes of a BLE device. Thanks to this tool, in this project we have implemented the writing of keys in the lock.

3.2.1 Sherlock S2 lock bluetooth attack

In order to carry out a Bluetooth attack, firstly, The Wireshark program detects the Sherlock lock once the device is located. The next step is to analyze its traffic in Wireshark. To do this, we select the lock and press the ’w’ key, this will redirect us directly to the Wireshark tool, filtering only the traffic of the selected Bluetooth device. Another method to capture the traffic between the two devices, implemented for the development of the project is through the HCI snoop log function [24]. This is a log file containing all Bluetooth transmissions that have been made from a smartphone. To be able to use this functionality, the developer mode must be activated on the mobile device and, once activated:

  • Activate Bluetooth HCI logging, to enable the logs.

  • And, USB debugging, to later be able to extract the logs via USB and view them on a computer.

Bluetooth is then turned ’on’ and ’off’ to enable data collection. Once Bluetooth is enabled, the lock can be unlocked to capture traffic.

In order to analyze the collected data on a computer, the log is passed through an adb (Android Debug Bridge) command line tool [25], which enables communication with a device, and finally, a .log file is generated that can be analyzed in Wireshark. This method was discarded because the use of a Bluetooth sniffer streamlines the data collection process. Once in Wireshark, we can start the analysis. To filter the traffic more effectively, the ’btatt’ filter [26] is used. This filter shows all protocols related to Bluetooth traffic and, therefore, we can obtain only the packets that are sent between the lock and the application. When the filter has been introduced, we start capturing the traffic by blocking or unblocking the lock. In this way, information will start to reach the program, which we will later use to replicate the traffic and check if it is possible to hack it. A brief explanation of the details of the list of packets captured in the process is provided below.

Fig. 6
figure 6

Capturing packet traffic from Sherlock using Wireshark, with requests and responses

Full size image

The protocol used for the connection is ATT (Attribute Protocol) [27], an attribute-based protocol belonging to the BLE protocols, with client–server architecture, which allows the exchange of information. This protocol defines how data is represented and the methods by which this data can be read or written. In this case, it acts as a server, holding the data until the phone requests it. This data is stored in the BLE server as attributes. Image 6 shows the packets sent from the smartphone to Sherlock. The last column notifies us about the information being acquired at each packet in the connection. The point we are interested in for our investigation is when the key is sent from Master to Slave.

This is a packet that is making a written request with a Handle 0x0019. The Handles [28] are the components that process each of the packets that belong to the captures. The Handle extracts from the packet the necessary information, as in this case the value being sent. We can observe that three key writing requests are sent from the lock to the smartphone. Subsequently, the mobile application responds to the lock by sending a series of notifications informing that the value has been received. Finally, Sherlock again sends four key write requests to the device. This implies that unlocking the lock requires entering seven keys in total.

The next step is to look at the values that are written in each write packet. We can see this information by selecting the packet we want to analyze and a number of characteristics of that packet will appear. To see the value, we are interested in the information provided by the ATT protocol. The ATT protocol provides us with the three most important points to solve the problem:

  • Opcode (Operation code) [29]. In this case, it is a write operation ’Write Command’

  • Handle (Pointer). Indicates the attribute to which the script is pointing.

  • Value. Tells us the value of the key that is going to be written.

When we get all the keys that are sent, we can move on to replicating the packets. To do this, we need a Linux operating system or a virtual machine containing it. In our case, we opted for the latter option. Because of this, a Bluetooth adapter is needed as the virtual machine does not have a Bluetooth connection. First, we check that a signal is being received from the lock. To do this, we use the hcitool tool to scan for nearby Bluetooth devices. By executing the following command ’sudo hcitool lescan’ we can see the available BLE devices with their respective MAC address and check that we have a connection to our lock.

The next step is to use the hciconfig command,

which is used to configure Bluetooth devices. hciX is the name of a Bluetooth device installed on the system. In our case, the one we have installed is hci0. To be able to work with Bluetooth devices it is required to initialize it.

The last tool used and the most important for our research is Gatttool. This tool allows us to connect to BLE devices with the MAC address of the device and manipulate its attributes with a series of commands available from the tool. In such a way, it will be possible to replicate the packets we have previously captured. In case the MAC address of the lock to be analyzed is not known, there are two options for searching for it. Firstly, we can obtain this information from packet capture in Wireshark, which shows the addresses of the two communicating devices. Secondly, thanks to the hcitool tool, mentioned above, we can easily see the BLE devices found and their associated MAC address. The Gatttool tool has several interesting commands for manipulating Bluetooth devices or simply acquiring relevant information about them. Bluetooth devices or simply to acquire relevant information from them.

Once the commands necessary to replicate packets are clear, we connect to the lock and send the keys obtained. At first, in order to connect to the device, each key is entered individually by using Gattool.

This was not feasible because the connection to the lock was lost a few seconds after initialization, and since 7 keys had to be entered, it was unfeasible to establish the connection for each key that had to be entered. Therefore, a simple bash script has been implemented, see Fig. 7) which contains all the necessary commands for connecting and writing, making the process of sending packets easier and faster.

Fig. 7
figure 7

Bluetooth script for sending Sherlock lock keys

Full size image

In this way, all the commands explained above are executed together saving a lot of time when hacking the lock. And finally, the lock is unlocked by replicating the packets. It’s a fairly simple process and one that raises questions about the security of this brand of smart-lock. However, even though it is easy and quick to hack, Sherlock does have some security measures, such as changing the keys after several minutes have passed since the door has been opened.

However, there is still ample time to perform packet replication. In addition, in the future, a program could be implemented or the script could be optimized to make the data collection more effective and faster, thus unlocking the lock in a matter of seconds.

3.2.2 Nuki lock bluetooth attack

Nuki lock has been studied in this project. Next, some technical concepts about it and its operation will be shown, and then proceed to the analysis of its security. It is especially noteworthy that the Nuki lock operates at the highest level of security encryption, as it uses AES with 256-bit keys. AES is a symmetric block cipher, which means that it encrypts and decrypts data in blocks of 128 bits each. To do this, it uses a specific cryptographic key, which is effectively a set of protocols for manipulating information. This key can be 128, 192, or 256 bits long. AES-256, the 256-bit key version of AES, is the encryption standard used by LE VPN. It is the most advanced form of encryption and consists of 14 rounds of substitution, transposition, and mixing for an exceptionally high level of security. Its larger key size makes it essentially unbreakable, meaning that even if hacked, the data would be impossible to decrypt. The Nuki lock stands out in Europe for its good reviews regarding its security, therefore, it has been analyzed if a package replication would hack it.

With the Adafruit bluefruit LE sniffer and its nRF Sniffer for Bluetooth program to detect nearby BLE devices, we connect to the Nuki lock to later analyze the packets sent and received in Wireshark. Once Wireshark has been started and the ’btatt’ filter has been introduced to acquire only Bluetooth traffic, we can unlock the lock and check what information is reaching us and if it will be possible to hack it. In Fig. 8 we can appreciate the communication between the Nuki lock and our Samsung mobile device.

Fig. 8
figure 8

Capturing packets traffic of Nuki Smart-Lock using Wireshark

Full size image

The protocol used for the connection is also ATT where the attributes sent are stored, but in the column indicating the packet information, slight formatting changes can be observed, which will be discussed later. In this case, we can see that several write requests are made to the lock to send the keys with Handle 0x0092 with the command:

Sent Write Request, Handle 0x0092

Therefore, we must collect all the values that are sent in order to later perform their replication. In order to see these values, we are interested in the information provided by the ATT protocol. Once we have all the keys that are sent, we can replicate the traffic again from our virtual machine. First, we check that we are receiving a connection from the Nuki lock with the hcitool tool and, since we get a signal, we can run our bash script, previously modified with the values found in Wireshark. However, even though the values are correctly written to the lock, it fails to unlock it. This is because, when unlocking the door, Nuki instantly changes the key for the next opening, being unfeasible to hack the lock with this method, since the previously collected keys would be automatically obsolete.

In the following, we will explain in detail how the encryption works in the Nuki lock [30]. This lock uses the principle of end-to-end encryption, i.e., it applies a cipher to the key in such a way that only the receiving device can decrypt it. To establish communication between the Nuki app and the smart-lock, a proprietary key is used that is known only to both devices. To protect against attackers, the data is encrypted before it is transmitted by the sender (the Nuki app). This is done using the NaCl (Networking and Cryptography library) process [31]. In this process, unique combinations of numbers and letters are used only once. This data is transferred via Bluetooth and decoded again when received by the receiver (Nuki smart-lock).

  1. 1.

    The Nuki app sends the “unlock” instruction and encrypts it in such a way that only the app and Nuki smart-lock know the key.

  2. 2.

    The Nuki app transfers the encrypted message via Bluetooth to the lock.

  3. 3.

    Nuki smart-lock knows the key and can therefore decrypt the contained message and execute the “unlock” command.

  4. 4.

    In the unlocking process, the Nuki app receives a random number. The “unlock” instruction can only be sent to the lock when it necessarily contains an identical random number.

If another unlock instruction with the same random number is subsequently sent to the door lock, Nuki smart-lock rejects the instruction. This analysis shows us that the security level of Nuki is high, as reported by the manufacturers, and that overall it is a lock that the market can currently rely on. However, since the packet replication method used in this project is only one of the options for hacking, this research does not imply that there may not be another procedure for unlocking the lock and that this lock may end up being vulnerable to attack.

3.2.3 Bluetooth cyber-security comparison (Nuki-Sherlock S2)

Having analyzed the operation of both locks and seen how the packets are sent between the two devices, we can make an analysis of the differences that have been found during the hacking procedure for both locks. First of all, it has been possible to verify that the Nuki lock has better security than the Sherlock lock, since during the investigation Sherlock was successfully unlocked, but not Nuki. In addition, there is more open information about the encryption used in the Nuki lock than in the case of the Sherlock, and in fact, it is known that the Nuki lock uses AES with 256-bit keys.

In conclusion, there are a number of points that show the main differences between the two locks and why one is more vulnerable than the other.

  • Packet writing format Although in both connections write requests are made and keys are stored in the ATT protocol, the request is not sent in the same format. In the Sherlock lock “Rvcd write command” is used which means that it has received the write command with the key value and in the Nuki lock “Sent Write Request” is used which implies that the requested write has been sent with that value. Moreover, in the first case, it is the lock that sends the value and in the second case, it is the mobile application that does the sending. With this information it can be assumed that we manage to unlock the Sherlock lock because we are attacking the lock, however, we were unable to hack the Nuki lock because we attacked the mobile device, which would not be present at the time of the cyberattack.

  • Key change time AAs mentioned above, Sherlock keeps the same key for a few minutes after unlocking the door, making it easy to attack his security. However, Nuki controls time much more securely. This lock changes the key the instant the door is unlocked. In this way, there is no time margin for burglary. This is the most important and strongest point of Nuki in terms of its security and the one that makes it stand out from Sherlock.

4 Conclusions and future work

In conclusion, the security of smart-locks in general is quite good. Most of them use AES encryption for the keys used in Bluetooth communication and have obfuscated the Android app code. However, security in the use of Bluetooth technology is of utmost importance due to the potential risk of unauthorized access. As demonstrated in this research, smart-locks using Bluetooth can be vulnerable to man-in-the-middle attacks if there is no encryption is used, as is the case with the Sherlock S2 smart-lock. This attack can result in unauthorized access to the lock and compromise the security of the property. It is therefore important to be aware of the security gap that can exist in some smart-locks against such attacks. Smart-locks with AES encryption and one-time keys, such as the Nuki lock, are secure, and as you can see in the analysis of the smart-locks application code, most of them use AES and are generally secure.

Future Work There are several potential avenues for future work to investigate further the vulnerabilities of some types of smart-locks. First, research should focus on thorough code reviews to find bugs that allow unauthorized access or other types of errors. Second, efforts should be made to develop modified Android apps to bypass the authentication required to open the smart-locks. Thirdly, check the connection between the Android app and the vendor API in the cloud using Burp Suite to see if there is any relevant information or any kind of SQL injection, GIT code online, etc. Finally, old versions of Android apps can be scanned for information and security vulnerabilities.

Overall, it is important to continue to research and look for vulnerabilities to ensure that smart-locks have robust security and cannot be compromised, and that users can continue to rely on them to secure their properties.