KlicUnLock
A Python program to unlock any Tzumi Klic smart padlock!
·
Report Bug
·
Request Feature
About The Project
An authentication bypass in website post requests in the Tzumi Electronics Klic Lock application 1.0.9 for mobile devices allows attackers to access resources (that are not otherwise accessible without proper authentication) via capture-replay. Physically proximate attackers can use this information to unlock unauthorized Tzumi Electronics Klic Smart Padlock Model 5686 Firmware 6.2
This program was developed during scientific research in Bluetooth lock security. Attempts were made to contact the manufacturer 45 days before release. This vulnerability was assigned to CVE-2019-11334.
Built With
Major frameworks used in the project.
Getting Started
You will need a valid account name and password for the Klic Lock application downloadable from Google Play or the App Store.
Prerequisites
The program requires a Linux operating system with bluepy and pycrypto installed. See respective links for installation procedures.
Usage
Unlock lock associated with valid account and password:
python KlicUnlock.py -a myaccount@example.com -p mypasswordScan and unlock all locks within range using valid account and password:
python KlicUnlock.py -a myaccount@example.com -p mypassword -uUnlock lock using lock key and MAC:
python KlicUnlock.py -k 99999999999999999999999999999999 -m 01:02:03:04:05:06Contributing
Contributions are what make the open source community such an amazing place to be learn, inspire, and create. Any contributions you make are greatly appreciated.
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature) - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
License
Distributed under the MIT License. See LICENSE for more information.
Contact
Kerry Enfinger - k.enfinger@whitehatdefenses.com
Project Link: https://github.com/whitehatdefenses/KlicUnLock
