TY - EJOU
AU - Tleuberdin, Saken
AU - Satybaldina, Dina
AU - Muratkhan, Raikhan
AU - Abisheva, Gulsipat
TI - Security Audit of Tuya Smart Lock Using Penetration Testing Methodology
T2 - Computers, Materials & Continua
PY -
VL -
IS -
SN - 1546-2226
AB - We perform cross-layer penetration testing on one of the most popular Wi-Fi smart locks (Tuya 902V). The methodology combines wireless traffic analysis using an Alfa AWUS036AXML adapter; forced re-association via deauthentication to make the Wi-Fi Protected Access 2 (WPA2) 4-way Extensible Authentication Protocol over LAN (EAPOL) handshake visible with Airodump/Aireplay; an offline dictionary attack with Aircrack-ng; Android app reverse engineering using Apktool, Jadx, and MobSF; a denial-of-service (DoS) experiment executed with hping3; and a Near-Field Communication (NFC)/Radio-Frequency Identification (RFID) key-clone attempt with Flipper Zero. The handshake is empirically captured, but no Wi-Fi passphrase is found with 14M dictionary entries; the DoS test breaks cloud notification and remote control features; MobSF-assisted analysis shows dangerous permissions, many exported components, sensitive data being logged, and hardcoded strings, even though communication between app and lock is encrypted; the registered MIFARE Classic 1K credential is fully read (including both A/B keys) but cannot be emulated because of Flipper Unique Identifier (UID)/emulation limitations. This work tackles the lack of a systematic, experimental method for discovering vulnerabilities in smart lock systems across several layers. We need to investigate how various attacks, for instance via wireless, application reverse engineering, denial of service, or credential cloning, could impact the overall security of commercially available products. We summarize the mitigations and check their relevance: enable Protected Management Frames (802.11w) and move to Wi-Fi Protected Access 3 with Simultaneous Authentication of Equals (WPA3-SAE) to reduce de-auth/handshake usefulness, enforce strong Pre-Shared Keys (PSKs), use TLS with certificate pinning, rate-limit and make device APIs fault-tolerant, enforce signed/anti-rollback firmware updates, and replace static RFID tokens with Data Encryption Standard Fast Innovative Reliable and Secure (DESFire)/rolling-code credentials. The results show real attack surfaces across the network and application layers and provide actionable hardening guidance for smart-lock vendors and operators.
KW - Android app reversing; ethical hacking; Internet of Things (IoT); penetration testing; smart-lock security; threat modeling; Wi-Fi security
DO - 10.32604/cmc.2026.081906