Security concerns about Matter / Aqara U200 Smartlock

Hello everyone!
I have a problem with the security of access to the door lock (Aq U200).
I operate the lock via HA-MATTER-THREAD. I have necessarily set it up via the AQARA app.
My aim is to operate the lock from HA without it being accessible from the internet. However, I have now noticed that when a one-time code is assigned in the Aqara app, it becomes known to the lock without the smartphone (with the Aq app) being in the vicinity of the lock and therefore not being able to establish a Bluetooth connection.
The one-time code can therefore only have reached the lock via HA-Matter.
Does anyone know more about this?
If I can’t understand the transmission mechanisms, I will unfortunately have to classify the lock as potentially insecure and look for something else.
thanks in advance!

Hello, the generation of one-time codes occurs locally on the lock through an encryption algorithm that generates 8 key set every hour. Essentially, the lock, locally and without connecting to anything (no Bluetooth, no Matter, no Wi-Fi), generates one-time codes every hour thanks to an internal algorithm. The Aqara app knows the exact same algorithm and therefore also generates the exact same one-time passwords every hour. This way, without any data exchange taking place, you can open the app and generate a one-time code; the same one-time code has been generated by the lock, so it is considered valid. From this perspective, you can rest assured that there are no security issues (unless someone knows the one-time code generation algorithm to generate a valid key).

2 Likes

At the same time, Thread is a protocol that runs over IP (IPv6 to be precise). It can be used to establish external connections, if you allow it to.

The Nuki lock can use Matter/Thread wit HA to enable remote access from the app. So while I think the previous post might be right, it is also possible for the lock to reach the app over Thread. If Nuki can, Aqara could too:

At the same time, if HA is exposed to the internet, and the lock can be opened from HA, you have similar issues. But if I were a burglar, I’d probably use bluetooth as the attack surface, becauseI’d need to be near the door anyway.

That, or try to get physical access to the knob on the back of the door, through the letterbox if that is close to it, or a window.

2 Likes

The same technic is used on the key chain token generators you get for online banking and other online services.
It is just a devices with a seed key, a real time clock and the algorithm to generate response codes. No WiFi, Bluetooth or other communication parts.
The bank or whatever the service maybe just enter the same seed key in their system and it will then generate challenge codes that match the response codes on the token generator.

1 Like

If I were a burglar, I would probably break the lock rather than go crazy trying to hack a wifi protocol. :slight_smile:

1 Like

I would go for the lock too, like picking it.
Smart locks are generallyhave both a smart digital part and an analog part for when you want to use a key.
The physical size of a smart lock is though often the same as the old analog version, which means some corners have to be cut to fit both parts in the fixed physical size.
This compressed design often means the protection against lock picking is less on smart locks.

And whatever you do, don’t expose it to voice assistants without safeguards.

Hey Google, open the door! :rofl:

OK thanks for all reply! I assume (and hope) that the seed key used for key generation will not be transferred from Aqara app to any external partys. So even if someone knows the the algorithm it is useless.

One thing is having the seed key.
Another is knowing where the h*** the door is in the physical world.

Stealing information from a phone is usually done online by people far away.

Your explanation has a very important mistake. The algorithm is no secret at all. The algorithm is public. It’s not security by obscurity. The devices have a shared secret and thus are able to generate valid keys for a time period.

I might be wrong, but I didn’t see any information regarding the type of algorithm used in the Aqara specifications. It could be public or not.

Most security is based on obscurity and especially encryption.