This article for the Internet of things Shangba project engineer Longmiao submission. Stakeholder Statement: Yunba provides a shared bicycle solution.
A while ago, an article entitled "Breaking the Locks of OFO's Latest Locks" caught my attention, saying that Baidu Security Researcher cracked the bicycle lock by using special tools to hijack the signals of locks and cloud communications.
As the same is the development of shared bicycle smart lock engineers, I read the article also sprouted the idea: Can a simpler way, ono small yellow car the most common Uranus Lock a crack?
Uranus, our most common lock, is a collection of GPRS, password, Bluetooth module locks, I try to unlock this lock from the start of Bluetooth, using Android App and common Android capture tool to achieve The purpose of cracking.
Use Bluetooth to unlock the principle
After the user scans the code, the mobile App sends an unlock request to the server, and then the server sends the Bluetooth message back to the mobile phone. The mobile App sends the information to the lock for unlocking via Bluetooth. Throughout the process, the user's mobile phone acts as a middleman, connecting the server with the bike.
Than that, I want to pass the paper to sit more distant classmates but not enough, only to the students handed next door. Mobile App plays the role of "man in the middle" as we pass the paper.
Crack, start from the official App
To unlock the lock from the way Bluetooth unlock, the first step you need to know its Bluetooth protocol, to be blunt is to know how to communicate between the device and the cloud. The way I get the OFO Bluetooth protocol is simply to download its official Android app and use the right tool.
There is a simple method: Android 4.3 above the phone has a Bluetooth log option, as long as we check, the system will record all the activities of an interface record, ofo Bluetooth unlock all read and write operations will be recorded Down. Then we analyze the exported log files, we can analyze the above OFO Bluetooth unlock protocol.
Mobile phone on the "master key" & rdquo;
We found that the app unlocked before the need to lock and certification to be able to successfully open. This code we call token. The token here can be simply understood as a shared electronic password for each car on the bicycle. After the phone obtains the password, it can be unlocked by sending it to the bicycle lock with Bluetooth.
I have two ideas on the acquisition of token, one by listening to the app and the OFO server unlock interaction, and then intercepted each bike number corresponding to the token; the second is by recording the phone and lock the Bluetooth log between access to unlock the token . Both of these methods can obtain the token corresponding to the bicycle number.
Make a comprehensible metaphor, we write the traditional letter, send the letter to the destination must be delivered through the postman letter, we want to intercept the contents of the letter must be in the postman to take credit or send tricks. In the process of this crack, Mobile App played the postman role, intercepting the token by snatching the token "before the mailman" took the credit, or intercepting the token before the "mailman" rushed to the mail.
Every time a bicycle is used, I can intercept and record the token corresponding to this car, and then use the same car no longer needs to request the token from the server for unlocking directly. It does not take a long time for me to get the token for all the bicycles in a certain area.
Even more extreme, I can even find different channels by number request, get token and record, build a bike lock token database, integrated into a mobile App.
Mentioned earlier, we have access to ofo small yellow car Bluetooth protocol, coupled with the token can get the number of cycling, so that cracked no longer need to carry any professional equipment, and now only need to put my phone integrated good Crack app, you can crack tens of millions ofo bike with Uranus lock, equivalent to the phone is installed ono Uranus Lock's "master key" & rdquo ;.
Not only that, I also have some ways to add a one-touch unlock feature to my cracker, which takes only one action to drive any ofo's cycling with nearby Uranus.
Repair a certain degree of difficulty
There are three ways to fix it:
First, update ofo small yellow car Bluetooth protocol, which requires a dynamic firmware update for each vehicle; Second, each bicycle unlock token for each unlock dynamic change; Third, re-design of unlock logic, using mobile phone through , In the lock and server-side encryption to prevent protocol exposure and prevent man-in-the-middle attacks, which is what we are currently doing.
Compared to previously exposed hijacking signal to crack the lock method, this crack is more simple, we installed a cracked mobile phone software can achieve the purpose of cracking, do not need expensive professional equipment, does not require special tools . My crack this time has given feedback to ofo staff.
There are two elements of the Internet of Things, one is connected, the other is security. Many bicycles on the market share the connection to this part of the business a lot of effort, but its lack of security, did not pay enough attention.
From the beginning of the development of the shared bicycle industry, we have been paying attention to the problem of sharing the bicycle safety. In addition to this cracked ofo Uranus Lock, I used the same principle to solve a series of shared bicycle locks on the market, including the small Ming bicycles, Uber bike, cool odd bike.
I do not know attack, how to prevent. As we share the same bike program providers, of course, not to crack and crack, but in the process of cracking these locks continue to learn, hoping to crack down again and again to find better ways to continuously improve the safety of their products .