rospogrigio / airbnk_mqtt

MQTT control of Airbnk locks.
GNU General Public License v3.0

Device trustability and security #22

Open maxdd opened 1 year ago

maxdd commented 1 year ago

Hello, I was wondering whether there was an open-source, easy-to-mount smart lock and I've found the M5xx series. Although it is not fully open source, I'm concerned about the fact that to open the door of my house I need to pass through a private cloud, potentially giving access to my house or door. For you guys that worked on it, what do you think? I would rather have my own system set up without the need to go through a cloud API. I admit I haven't looked too much into it, but it seems that some calls are required.

formatBCE commented 1 year ago

What do you mean "not fully open-source"? This library is open-source from start to end. Also, the cloud connection is required only for configuration; all lock interactions are done locally (unlike the official integration).

maxdd commented 1 year ago

Oh I see, so the verification code is only to perform the initial pairing? I was referring to the tuna/airbnk possibility to interact with the lock remotely. Is that possible?

formatBCE commented 1 year ago

Yes, the verification code is needed here to receive a token, which is used to encrypt/decrypt local messages to the lock. After the initial step, everything is processed on HomeAssistant.

To the other question: this integration works with HomeAssistant. If you have it, then most probably you have access to it from outside. If not, then I doubt this code will help you: it doesn't work standalone.

maxdd commented 1 year ago

I see, I'm not really a fan of Home Assistant for various reasons. In any case I guess it will still be really helpful to implement the protocol itself. Other than locking and unlocking, are temporary PINs or other features (if any) supported, or are they just features in the Airbnk app that can be replicated? I honestly just found out about this product and it seems really interesting.

formatBCE commented 1 year ago

As far as I understand, all additional functionality is not part of the lock interaction, so it would only be possible to have it on top. But it's unreliable for HA, so it's not here.

Yeah, you may take the protocol, and use it for some new local-only product - it should be done from scratch though.

maxdd commented 1 year ago

I've also seen this repo from you

https://github.com/formatBCE/Airbnk-MQTTOpenGateway

My understanding is that the encrypted payload is supposed to come from MQTT and that there is no protocol implementation in here, right?

formatBCE commented 1 year ago

No, this is just a gateway, basically a translator from WiFi to Bluetooth. There's no business logic there at all.

maxdd commented 1 year ago

Ok, do you have any useful documentation about the protocol perhaps?

formatBCE commented 1 year ago

I don't think there is technical info. You can ask @rospogrigio or look at @nourmehdi's library (he's the one who scraped all the API stuff from Airbnk).

maxdd commented 1 year ago

Is the difference between Wehere and Airbnk known? Are they compatible?

formatBCE commented 1 year ago

It's the same company, rebranded some time ago.

maxdd commented 1 year ago

I'm back to clarify about the security and trustability of the device. My understanding is that "newSnInfo" and "appKey" are needed to calculate the lock and unlock commands; what I can't understand, though, is why we can exclude the possibility of an attacker opening the door. I mean, there is really no "hard" secret that is used and that is not easily "available" to an attacker.

What blocks an attacker from "re-pairing" the device? I hoped for an ID written on the inside of the device, but the API is setting "123456789012345"; is that a placeholder?

I also saw that the pairing mechanism sends an email with the code so that you can then use it to create the keys. It seems that at this point that Chinese company is owning a lot and can only be "trusted". Not so "safe" from my PoV.

rospogrigio commented 1 year ago

The newSnInfo is specific to your lock, and moreover it is user-dependent. This means that if you associate more than one user to the lock in the app, every user has a different newSnInfo. Moreover, if you change your password, it changes again. The only way to retrieve this key is through cloud API calls, but you need your credentials or an active token, so unless the attacker knows your credentials he cannot get this key and open the door. I don't know how it is generated on the Chinese end though; you might be right when you say you have to trust them...

maxdd commented 1 year ago

Ciao @rospogrigio, thank you for the answer. In the videos I saw they are scanning a QR code; does it have anything to do with the newSnInfo, or is it something else, e.g. app download only?

rospogrigio commented 1 year ago

Looks like it is a download link, where is this video? Can you post the URL?

maxdd commented 1 year ago

https://www.youtube.com/watch?v=ymH1C7qDMyc

It felt like she was pairing it, actually.

rospogrigio commented 1 year ago

Ah ok, it probably just gets the serial number from there.

maxdd commented 1 year ago

I guess the video process shall be done at least once to pair the device with the email, right? I thought there was no concept of a fixed serial number and that the QR code is definitely not changing; do you mean something like an anchor HW serial number to recognize it?

Anyway, what about that 123456789 deviceID used in the Airbnk API source code? Is it from the decompiled apk from them, or does it mean "take all devices associated with the email"?

rospogrigio commented 1 year ago

> I guess the video process shall be done at least once to pair the device with the email, right? I thought there was no concept of a fixed serial number and that the QR code is definitely not changing; do you mean something like an anchor HW serial number to recognize it?

Now I can't remember precisely, but I'm pretty sure that the QR code is not mandatory at all for the pairing (what if you lose the cap, or they forget to stick the label? I have removed the cap since it comes off very easily, so I no longer know where it is). I seem to remember that everything happens at the beginning when you pair it using the physical button (that can be pressed only from the inside, which makes it safe). I may be wrong, but I think the QR code is useless; it probably tells just the type of device you want to add (lock, fingerprint, wifi-to-BT adapter...) but doesn't contain any info about the serial number or other specific codes or keys: it would be just the wrong place to put this data.

> Anyway, what about that 123456789 deviceID used in the Airbnk API source code? Is it from the decompiled apk from them, or does it mean "take all devices associated with the email"?

It comes from the decompiled apk; it looks like a placeholder because it's a fixed value. It would not surprise me if it weren't used at all by the server, and it can probably be omitted (it makes no sense when retrieving the token). I just coded it the same way I found it in the apk without asking myself too many questions, honestly.