>>> Picking Bluetooth Low Energy Locks from a Quarter Mile Away
DEF CON 24
Anthony Rose & Ben Ramsey
[1/42]
>>> whoami
[2/42]
* Anthony Rose
- Researcher, Merculite Security
- Lockpicking hobbyist
- BS in Electrical Engineering
- Prior work: Wireless video traffic analysis
- Currently focused on BLE security
* Ben Ramsey
- Research Director, Merculite Security
- Wireless geek
- PhD in Computer Science
- Recent work: Z-Wave attacks (DerbyCon 2015, ShmooCon 2016, PoC||GTFO 12)
>>> Overview
1. Goals
2. What is Bluetooth Low Energy?
3. Why Should I Care?
4. Exploits
5. Demo
6. Takeaways & Future Work
7. Questions
[3/42]
>>> Goals
[4/42]
* Identify vulnerabilities in BLE smart locks
* Release proof of concept exploits
* Put pressure on vendors to improve security
* Raise consumer awareness
>>> What is Bluetooth Low Energy?
[5/42]
* Designed for apps that don’t need to exchange large amounts of data
* Minimal power consumption
* Operates at 2.4 GHz (same as Bluetooth Classic)
* Short range (<100 m)
>>> What is Bluetooth Low Energy?
[6/42]
* GATT (Generic Attribute Profile)
- Client sends requests to GATT server
- Server stores attributes
>>> Why Should I Care?
[7/42]
* Widely used and gaining popularity
* Securing homes and valuables
* Current BLE "security" products:
- Deadbolts
- Bike locks
- Lockers
- Gun Cases
- Safes
- ATMs
- Airbnb
>>> Who is Using BLE?
[8/42]
>>> Bluetooth Hacking is Affordable
[9/42]
* Ubertooth One - $100
* Bluetooth Smart USB dongle - $15
* Raspberry Pi - $40
* High gain directional antenna - $50
>>> Ubertooth One
[10/42]
* Created by Michael Ossmann
* Open source Bluetooth tool
* First affordable Bluetooth monitoring and development platform
* Promiscuous sniffing
* BLE receive only capability (with current firmware)
>>> Wardriving
[11/42]
* Ubertooth + high gain directional antenna
* Bluetooth dongle
* Easy deployment
* Long range (1/4+ mile)
* Concealable
* Warflying with drones...
>>> Wardriving
[12/42]
>>> Uncracked Locks
[13/42]
* Noke Padlock
* Masterlock Padlock
* August Doorlock - hard-coded key (discovered by Paul Lariviere & Stephen Hall)
* Kwikset Kevo Doorlock - fragile
>>> Features of "Uncrackable" Locks
[14/42]
* Proper AES Encryption
* Truly random nonce (8-16 bytes)
* 2-factor authentication
* No hard-coded passwords
* Long passwords allowed
- 16-20 characters
>>> Vulnerable Devices
[15/42]
* Plain Text Password
- Quicklock Doorlock & Padlock v1.5
- iBluLock Padlock v1.9
- Plantraco Phantomlock v1.6
* Replay Attack
- Ceomate Bluetooth Smart Doorlock v2.0.1
- Elecycle EL797 & EL797G Smart Padlock v1.8
- Vians Bluetooth Smart Doorlock v1.1.1
- Lagute Sciener Smart Doorlock v3.3.0
>>> Vulnerable Devices
[16/42]
* Fuzzing
- Okidokey Smart Doorlock v2.4
* Decompiling APKs
- Poly-Control Danalock Doorlock v3.0.8
* Device Spoofing
- Mesh Motion Bitlock Padlock v1.4.9
>>> Connection Sniffing
[17/42]
* Ubertooth used for sniffing
* Must be listening on an advertisement channel (37, 38, 39) and follow a connection
- Use 3 Ubertooths (Uberteeth?), 1 on each advertisement channel
* Passively listen to conversation between the App and Lock
(Diagram: User and Device)
>>> Python Implementation
[18/42]
* Communicates directly to the HCI
* Allows implementation of additional commands and functions
- 20+ commands thus far
* Spoofing (BD Addr and Host Name)
* Role reversal
* Connection oriented channels
* ...and more!
>>> Plain Text Passwords
[19/42]
* Are they even trying?
* Found on 4 separate locks
- Quicklock Doorlock
- Quicklock Padlock
- iBluLock Padlock
- Plantraco Phantomlock
Captured write: 00 12345678 12345678
                Opcode | Current Password | New Password
>>> Admin Privileges
[20/42]
* Can change admin password
- 01 12345678 66666666 (Opcode | Current Password | New Password)
* Locks out owner with new password
* Requires hard reset (battery removal)
- Only possible if lock is already open
>>> A Wild Plain Text Password Appears
[21/42]
Password is 69696969???
>>> Brute Forcing
[22/42]
* When all else fails, throw everything at it
* Quicklock
- 8 digit pin
- 100,000,000 combos
* iBluLock
- 6 character password
- A LOT!
* Solution
- Common pins (11111111, 12345678, 69696969, ...)
- Phone numbers
- Street address
- Wordlists
>>> Replay Attacks
[23/42]
* Claim "encryption" is being used
* Who cares what they are sending as long as it opens!
* Vulnerable Devices
- Ceomate Bluetooth Smartlock
- Elecycle Smart Padlock
- Vians Bluetooth Smart Doorlock
- Lagute Sciener Smart Doorlock
>>> Fuzzing Devices
[24/42]
* Change bytes of a valid command
* See if we can get lock to enter "error state"
* Vulnerable Device
- Okidokey Smart Doorlock
>>> Fuzzing Devices
[25/42]
* Okidokey’s claim of "security"
- "uses highly secure encryption technologies, similar to banking and military standards (including AES 256-bit and 3D Secure login), combined with proven and patented cryptographic solutions"
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
- The key is not "unique"
* Intricate fuzzing script (days? weeks? months?!?)
* Change 3rd byte to 0x00
* Lock enters error state and opens
* Unusable to user while in error state
* "Patented" crypto is XOR?

Valid command:    9348b6cad7299ec1481791303d7c90d549352398
                  Opcode? | "Unique" key
Modified command: the same bytes with the 3rd byte set to 0x00
>>> Decompiling APKs
[26/42]
* Download APKs from Android device
* Convert dex to jar
* Decompile jar
- JD-GUI
- Krakatau
- Bytecode Viewer
>>> Decompiling APKs
[27/42]
* Vulnerable Device
- Danalock Doorlock
* Reveals encryption method and hard coded password
- "thisisthesecret"
* XOR(password, thisisthesecret)
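Why XOR against a key that ships inside the app is not encryption, as an added worked example (not Danalock's or the presenters' code). The key string is the one named on the slide; the password and wire bytes are constructed samples, and since the real message format is not on the slides only the XOR step itself is modelled.

```python
"""XOR with a hard-coded key is not encryption.

Added illustration (not Danalock's or the presenters' code) of the scheme the
decompiled APK revealed: XOR(password, "thisisthesecret"). Every password and
wire value below is a constructed sample.
"""
HARD_CODED_KEY = b"thisisthesecret"   # the string named on the slide


def xor_with_key(data: bytes, key: bytes = HARD_CODED_KEY) -> bytes:
    """XOR data against key, repeating the key when data is longer than it."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_password(wire_bytes: bytes) -> bytes:
    """XOR is its own inverse: anyone holding the key from the APK decodes it."""
    return xor_with_key(wire_bytes)


def recover_key_from_known_password(wire_bytes: bytes, password: bytes) -> bytes:
    """A single known password/wire pair leaks the key bytes it covers."""
    return bytes(c ^ p for c, p in zip(wire_bytes, password))


def xor_weaknesses(password: bytes = b"hunter2") -> dict:
    """Return the three properties that make this scheme worthless for a lock."""
    wire = xor_with_key(password)
    again = xor_with_key(password)
    return {
        # the key ships in every copy of the app, so the "ciphertext" is public
        "anyone_with_apk_recovers_password": recover_password(wire) == password,
        # no nonce or IV: the same password always produces the same bytes,
        # so a sniffed message is directly replayable
        "same_password_same_bytes": wire == again,
        # one known password exposes the key prefix even without the APK
        "known_password_leaks_key": recover_key_from_known_password(wire, password)
        == HARD_CODED_KEY[: len(password)],
    }
```

Each of the three properties is what a real design (AES with a random per-session nonce, as the "uncrackable" slide lists) is meant to prevent.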
>>> Web Servers
[28/42]
(Diagram: User, Lock, WebServer)
* Utilizes a Web Server to generate passwords
* Requires internet to communicate and retrieve passwords
* Becoming more widely used
- Kwikset Kevo Doorlock
- Noke Smart Padlock
- Masterlock Smart Padlock
- August Smart Doorlock
- Mesh Motion Bitlock Padlock
>>> Rogue Devices
[29/42]
* Impersonate lock to steal password from user
* Requires:
- Raspberry Pi or Laptop
- Bluez
- Bleno
- LightBlue Explorer
* Mobile and (Somewhat) Undetectable
* Vulnerable Device
- Mesh Motion Bitlock Padlock
* This is possible due to a predictable nonce
* App is running in the background and sends commands without user interaction
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
[30/42]
* Connect to Bitlock
* Scan for PrimaryServices &Characteristics
* Build copy of device inBleno
![Page 58: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/58.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
[30/42]
* Connect to Bitlock
* Scan for PrimaryServices &Characteristics
* Build copy of device inBleno
![Page 59: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/59.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
[30/42]
* Read current nonce fromnotification
* Send invalid password
![Page 60: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/60.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
[30/42]
* Invalid passwordincrements nonce again
![Page 61: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/61.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
[30/42]
* Follow target and setupimpersonated lock
* Receive connection fromuser
![Page 62: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/62.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
[30/42]
* Send nonce notificationto user
* Value doesn’t have to beonly n+2, it could ben+10 or n+100
![Page 63: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/63.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
[30/42]
* Nonce sent fromuser to Bitlock’sserver
![Page 64: Picking Bluetooth Low Energy Locks from a Quarter Mile Away CON 24/DEF CON 24... · >>> What is Bluetooth Low Energy? [5/42] * Designed for apps that don’t need to exchange large](https://reader033.vdocument.in/reader033/viewer/2022042402/5f13c78273160e36ef570825/html5/thumbnails/64.jpg)
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
[30/42]
* Encrypted nonce issent back to theuser
>>> How Did We Do It?
[30/42]
Sequence diagram, built up over slides 65-70 (participants: Attacker, Bitlock, User, WebServer):
(1) Attacker <-> Bitlock: Connect
(2) Bitlock -> Attacker: n
(3) Bitlock -> Attacker: n+1 (next connection)
(4) User <-> Attacker: Connect
(5) Attacker -> User: n+2
(6) User -> WebServer: n+2
(7) WebServer -> User: Enc(n+2)
(8) User -> Attacker: Enc(n+2)
* Encrypted nonce is sent to attacker
(9) Attacker <-> Bitlock: Connect
* Return to lock
(10) Bitlock -> Attacker: n+2
* Receive current nonce
(11) Attacker -> Bitlock: Enc(n+2)
* ...and it opens
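The exchange above as a runnable model, added here and not code from the talk or from the merculite/BLE-Security repository: a toy lock whose nonce is a per-connection counter, a web server that returns Enc(nonce) for whatever nonce it is shown (modelled as HMAC-SHA256 under a constructed key, since the slides do not name the cipher), and the same lock with an unpredictable nonce, against which a pre-fetched Enc(n+2) no longer matches. Class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the secret shared by the lock and the web server.
KEY = b"constructed-demo-key"


def enc(nonce: int) -> bytes:
    """Web server's reply for a nonce, Enc(nonce), modelled as HMAC-SHA256.
    It answers any nonce it is shown, which is what step (6)-(7) relies on."""
    return hmac.new(KEY, nonce.to_bytes(4, "big"), hashlib.sha256).digest()


class Lock:
    """Toy Bitlock: each connection yields a nonce; Enc(nonce) opens it."""

    def __init__(self, predictable: bool):
        self.predictable = predictable
        self.counter = 0
        self.pending = None

    def connect(self) -> int:
        if self.predictable:
            self.counter += 1                    # n, n+1, n+2, ... per connection
            self.pending = self.counter
        else:
            self.pending = secrets.randbits(32)  # hardened: fresh random nonce
        return self.pending

    def unlock(self, response: bytes) -> bool:
        ok = self.pending is not None and hmac.compare_digest(
            response, enc(self.pending))
        self.pending = None                      # one attempt per connection
        return ok


def nonce_prediction_attack(lock: Lock) -> bool:
    """Replays steps (1)-(11) against the toy lock; True means it opened."""
    n = lock.connect()                           # (1)-(2): first connection, nonce n
    n1 = lock.connect()                          # (3): reconnect, nonce n+1
    predicted = (2 * n1 - n) % (1 << 32)         # guess the next nonce, n+2
    # (4)-(8): the rogue device shows `predicted` to the user's app, which
    # asks the web server for Enc(predicted) and hands the answer back.
    enc_next = enc(predicted)
    lock.connect()                               # (9)-(10): return, lock issues its nonce
    return lock.unlock(enc_next)                 # (11): opens only if that nonce was n+2
```

A fresh random nonce stops the pre-fetch shown here; it does not stop a live relay between two rogue devices, which is what the "Rogue Device Way Ahead" slide later in the deck describes.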
>>> Rogue Devices
[31/42]
* Deployment in high traffic areas (Coffee Shop or Universities)
* Theoretically possible to retrieve password from user and steal bike before they return
>>> Test Run Bike
[32/42]
* University in Midwest
* 4 bikes on campus (Summertime)
* Capacity 88 bikes
* Any user can see bikes within a bikeshare
>>> Test Run Bike
[33/42]
(Screenshot slide; no text recoverable.)
>>> Test Run Bike
[34/42]
(Screenshot slide; no text recoverable.)
>>> Test Run Bike
[35/42]
(Screenshot built up over three slides, annotated "Device Name" and "Nonce".)
>>> Test Run Bike
[36/42]
* Disclaimer: We did not open any locks that do not belong to us ...
>>> Rogue Device Way Ahead
[37/42]
Diagram participants: Rogue Device 1, Rogue Device 2, User, Lock, Web Server, with a "WiFi, LTE, Etc" link between the two rogue devices.
>>> Locating Devices
[38/42]
* BlueFinder
- Open-source tool
- Determines the distance (meters) to a Bluetooth device through RSS
- Active or Passive Modes
- ~100 samples/sec used to estimate distance
- Mean error ~24% (e.g., +/- 3m at d = 12m)
>>> How do we find these devices?
[39/42]
Plot: RSS (dBm), -90 to -20, against Distance (m), 0 to 800; two series, "Model P = 2.0" and "Mean RSS".
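The ranging method behind the BlueFinder numbers and the plot above, as an added example that is not BlueFinder's own code: the log-distance path-loss model with the slide's exponent P = 2.0, a mean over ~100 samples inverted to a distance, and constructed noisy readings to see how far the estimate drifts. The 1 m reference distance, its -40 dBm reference RSS and the 4 dB noise level are assumptions, not values from the talk.

```python
import math
import random
import statistics

P = 2.0           # path-loss exponent, as labelled on the slide ("Model P = 2.0")
D0 = 1.0          # reference distance in metres (assumption)
RSS_D0 = -40.0    # RSS at D0 in dBm (constructed calibration value)


def model_rss(distance_m: float) -> float:
    """Log-distance path-loss model: RSS(d) = RSS(d0) - 10*P*log10(d/d0)."""
    return RSS_D0 - 10 * P * math.log10(distance_m / D0)


def estimate_distance(rss_samples) -> float:
    """Average the readings (BlueFinder uses ~100/s), then invert the model."""
    mean_rss = statistics.fmean(rss_samples)
    return D0 * 10 ** ((RSS_D0 - mean_rss) / (10 * P))


def constructed_samples(true_distance_m: float, n: int = 100,
                        sigma_db: float = 4.0, seed: int = 0) -> list:
    """Constructed RSS readings: the model value plus Gaussian fading noise."""
    rng = random.Random(seed)
    return [model_rss(true_distance_m) + rng.gauss(0.0, sigma_db)
            for _ in range(n)]


def relative_error(true_distance_m: float, n: int = 100,
                   sigma_db: float = 4.0, seed: int = 0) -> float:
    """Fractional ranging error for one batch of constructed samples;
    fewer samples or more fading noise widen it (the slide reports ~24%)."""
    est = estimate_distance(constructed_samples(true_distance_m, n, sigma_db, seed))
    return abs(est - true_distance_m) / true_distance_m
```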
Wireless Demo
[40/42]
>>> Takeaways & Future Work
[41/42]
* Takeaways
- Vendors prioritized physical robustness over wireless security
- 12/16 locks had insufficient BLE security
- Recommendation: disable phone's Bluetooth when not in use
* Future Work
- Extract pattern of life using history logs
- Dynamic profiles for rogue device
- Extended python functionality
- Evaluate Bluetooth ATM locks
>>> Questions?
[42/42]
Code: github.com/merculite/BLE-Security
Have comments, compliments, or cash?
Contact us: team @ merculite.net