picking bluetooth low energy locks from a quarter mile away con 24/def con 24... · >>>...
TRANSCRIPT
>>> Picking Bluetooth Low EnergyLocks from a Quarter Mile Away
Anthony Rose & Ben Ramsey
[1/42]
>>> whoami
[2/42]
* Anthony Rose
- Researcher,Merculite Security
- Lockpicking hobbyist- BS in ElectricalEngineering
- Prior work:Wireless videotraffic analysis
- Currently focused onBLE security
* Ben Ramsey
- Research Director,Merculite Security
- Wireless geek- PhD in ComputerScience
- Recent work:Z-Wave attacks-DerbyCon 2015-ShmooCon 2016-PoC||GTFO 12
>>> Overview
1. Goals
2. What is Bluetooth Low Energy?
3. Why Should I Care?
4. Exploits
5. Demo
6. Takeaways & Future Work
7. Questions
[3/42]
>>> Goals
[4/42]
* Identify vulnerabilities in BLE smart locks
* Release proof of concept exploits
* Put pressure on vendors to improve security
* Raise consumer awareness
>>> What is Bluetooth Low Energy?
[5/42]
* Designed for apps thatdon’t need to exchangelarge amounts of data
* Minimal powerconsumption
* Operates at 2.4 GHz(same as BluetoothClassic)
* Short range (<100m)
>>> What is Bluetooth Low Energy?
[6/42]
* GATT (Generic AttributeProfile)
- Client sendsrequests to GATTserver
- Server storesattributes
>>> Why Should I Care?
[7/42]
* Widely used and gaining popularity
* Securing homes and valuables
* Current BLE "security" products:
- Deadbolts- Bike locks- Lockers- Gun Cases- Safes- ATMs- Airbnb
>>> Who is Using BLE?
[8/42]
>>> Bluetooth Hacking is Affordable
[9/42]
* Ubertooth One - $100
* Bluetooth Smart USB dongle - $15
* Raspberry Pi - $40
* High gain directional antenna - $50
>>> Ubertooth One
[10/42]
* Created by Michael Ossmann
* Open source Bluetooth tool
* First affordable Bluetooth monitoring anddevelopment platform
* Promiscuous sniffing
* BLE receive only capability (with current firmware)
>>> Wardriving
[11/42]
* Ubertooth + high gaindirectional antenna
* Bluetooth dongle
* Easy deployment
* Long range (1/4+ mile)
* Concealable
* Warflying with drones...
>>> Wardriving
[12/42]
>>> Wardriving
[12/42]
>>> Uncracked Locks
[13/42]
* Noke Padlock
* Masterlock Padlock
* August Doorlock
* Kwikset Kevo Doorlock
>>> Uncracked Locks
[13/42]
* Noke Padlock
* Masterlock Padlock
* August Doorlock - hard-coded key
* Kwikset Kevo Doorlock
Discovered by Paul Lariviere & Stephen Hall
>>> Uncracked Locks
[13/42]
* Noke Padlock
* Masterlock Padlock
* August Doorlock
* Kwikset Kevo Doorlock - fragile
>>> Features of "Uncrackable" Locks
[14/42]
* Proper AES Encryption
* Truly random nonce (8-16 bytes)
* 2-factor authentication
* No hard-coded passwords
* Long passwords allowed
- 16-20 characters
>>> Vulnerable Devices
[15/42]
* Plain Text Password
- Quicklock Doorlock & Padlock v1.5- iBluLock Padlock v1.9- Plantraco Phantomlock v1.6
* Replay Attack
- Ceomate Bluetooth Smart Doorlock v2.0.1- Elecycle EL797 & EL797G Smart Padlock v1.8- Vians Bluetooth Smart Doorlock v1.1.1- Lagute Sciener Smart Doorlock v3.3.0
>>> Vulnerable Devices
[16/42]
* Fuzzing
- Okidokey Smart Doorlock v2.4
* Decompiliing APKs
- Poly-Control Danalock Doorlock v3.0.8
* Device Spoofing
- Mesh Motion Bitlock Padlock v1.4.9
>>> Connection Sniffing
[17/42]
* Ubertooth used for sniffing
* Must be listening on anadvertisement channel (37,38, 39) and follow aconnection
- Use 3 Ubertooths(Uberteeth?), 1 on eachadvertisement channel
* Passively listen toconversation between theApp and Lock
User
Device
>>> Python Implementation
[18/42]
* Communicates directly tothe HCI
* Allows implementation ofadditional commands andfunctions- 20+ commands thusfar
* Spoofing (BD Addr andHost Name)
* Role reversal* Connection oriented
channels* ...and more!
>>> Plain Text Passwords
[19/42]
* Are they even trying?
* Found on 4 separate locks
- Quicklock Doorlock- Quicklock Padlock- iBluLock Padlock- Plantraco Phantomlock
001234567812345678Opcode Current Password New Password
>>> Plain Text Passwords
[19/42]
* Are they even trying?
* Found on 4 separate locks
- Quicklock Doorlock- Quicklock Padlock- iBluLock Padlock- Plantraco Phantomlock
001234567812345678Opcode Current Password New Password
>>> Admin Privileges
[20/42]
* Can change admin password
>>> Admin Privileges
[20/42]
* Can change admin password
- 011234567866666666
>>> Admin Privileges
[20/42]
* Can change admin password
- 011234567866666666
* Locks out owner with new password
>>> Admin Privileges
[20/42]
* Can change admin password
- 011234567866666666
* Locks out owner with new password
* Requires hard reset (battery removal)
>>> Admin Privileges
[20/42]
* Can change admin password
- 011234567866666666
* Locks out owner with new password
* Requires hard reset (battery removal)
- Only possible if lock is already open
>>> Admin Privileges
[20/42]
* Can change admin password
- 011234567866666666
* Locks out owner with new password
* Requires hard reset (battery removal)
- Only possible if lock is already open
>>> A Wild Plain Text Password Appears
[21/42]
>>> A Wild Plain Text Password Appears
[21/42]
>>> A Wild Plain Text Password Appears
[21/42]
>>> A Wild Plain Text Password Appears
[21/42]
Password is 69696969???
>>> A Wild Plain Text Password Appears
[21/42]
Password is 69696969???
>>> Brute Forcing
[22/42]
* When all else fails, throweverything at it
* Quicklock
- 8 digit pin- 100,000,000 combos
* iBluLock
- 6 character password- A LOT!
* Solution
- Common pins (11111111,12345678, 69696969, ...)
- Phone numbers- Street address- Wordlists
>>> Replay Attacks
[23/42]
* Claim "encryption" is being used
>>> Replay Attacks
[23/42]
* Claim "encryption" is being used
* Who cares what they are sending as long as it opens!
>>> Replay Attacks
[23/42]
* Claim "encryption" is being used
* Who cares what they are sending as long as it opens!
* Vulnerable Devices
- Ceomate Bluetooth Smartlock- Elecycle Smart Padlock- Vians Bluetooth Smart Doorlock- Lagute Sciener Smart Doorlock
>>> Replay Attacks
[23/42]
* Claim "encryption" is being used
* Who cares what they are sending as long as it opens!
* Vulnerable Devices
- Ceomate Bluetooth Smartlock- Elecycle Smart Padlock- Vians Bluetooth Smart Doorlock- Lagute Sciener Smart Doorlock
>>> Fuzzing Devices
[24/42]
* Change bytes of a valid command
* See if we can get lock to enter "error state"
* Vulnerable Device
- Okidokey Smart Doorlock
>>> Fuzzing Devices
[25/42]
* Okidokey’s claim of "security"
- "uses highly secure encryption technologies,similar to banking and military standards(including AES 256-bit and 3D Secure login),combined with proven and patented cryptographicsolutions"
>>> Fuzzing Devices
[25/42]
* Okidokey’s claim of "security"
- "uses highly secure encryption technologies,similar to banking and military standards(including AES 256-bit and 3D Secure login),combined with proven and patented cryptographicsolutions"
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
- The key is not "unique"
9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key
Valid
Command
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
* Intricate fuzzing script (days? weeks? months?!?)
9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key
Valid
Command
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
* Intricate fuzzing script (days? weeks? months?!?)
* Change 3rd byte to 0x00
9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key
Valid
Command
Modified
Command
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
* Intricate fuzzing script (days? weeks? months?!?)
* Change 3rd byte to 0x00
* Lock enters error state and opens
9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key
Valid
Command
Modified
Command
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
* Intricate fuzzing script (days? weeks? months?!?)
* Change 3rd byte to 0x00
* Lock enters error state and opens
* Unusable to user while in error state
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
* Intricate fuzzing script (days? weeks? months?!?)
* Change 3rd byte to 0x00
* Lock enters error state and opens
* Unusable to user while in error state
* "Patented" crypto is XOR?
>>> Fuzzing Devices
[25/42]
* Sniff a valid command
* Intricate fuzzing script (days? weeks? months?!?)
* Change 3rd byte to 0x00
* Lock enters error state and opens
* Unusable to user while in error state
* "Patented" crypto is XOR?
>>> Decompiling APKs
[26/42]
* Download APKs from Android device
* Convert dex to jar
* Decompile jar
- JD-GUI- Krakatau- Bytecode Viewer
>>> Decompiling APKs
[27/42]
* Vulnerable Device
- Danalock Doorlock
>>> Decompiling APKs
[27/42]
* Vulnerable Device
- Danalock Doorlock
* Reveals encryption method andhard coded password
- "thisisthesecret"
>>> Decompiling APKs
[27/42]
* Vulnerable Device
- Danalock Doorlock
* Reveals encryption method andhard coded password
- "thisisthesecret"
* XOR(password,thisisthesecret)
>>> Decompiling APKs
[27/42]
* Vulnerable Device
- Danalock Doorlock
* Reveals encryption method andhard coded password
- "thisisthesecret"
* XOR(password,thisisthesecret)
>>> Web Servers
User
Lock
WebServer
[28/42]
* Utilizes a Web Server to generatepasswords
* Requires internet to communicateand retrieve passwords
* Becoming more widely used
- Kwikset Kevo Doorlock- Noke Smart Padlock- Masterlock Smart Padlock- August Smart Doorlock- Mesh Motion Bitlock Padlock
>>> Rogue Devices
[29/42]
* Impersonate lock to steal password from user
* Requires:
- Raspberry Pi or Laptop- Bluez- Bleno- LightBlue Explorer
* Mobile and (Somewhat) Undetectable
* Vulnerable Device- Mesh Motion Bitlock Padlock
* This is possible due to a predictable nonce* App is running in the background and sends commands
without user interaction
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
[30/42]
* Connect to Bitlock
* Scan for PrimaryServices &Characteristics
* Build copy of device inBleno
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
[30/42]
* Connect to Bitlock
* Scan for PrimaryServices &Characteristics
* Build copy of device inBleno
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
[30/42]
* Read current nonce fromnotification
* Send invalid password
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
[30/42]
* Invalid passwordincrements nonce again
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
[30/42]
* Follow target and setupimpersonated lock
* Receive connection fromuser
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
[30/42]
* Send nonce notificationto user
* Value doesn’t have to beonly n+2, it could ben+10 or n+100
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
[30/42]
* Nonce sent fromuser to Bitlock’sserver
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
[30/42]
* Encrypted nonce issent back to theuser
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
(8) Enc(n+2)
[30/42]
* Encrypted nonce issent to attacker
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
(8) Enc(n+2)
[30/42]
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
(8) Enc(n+2)
(9)Connect
[30/42]
* Return to lock
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
(8) Enc(n+2)
(9)Connect
(10)n+2
[30/42]
* Receive currentnonce
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
(8) Enc(n+2)
(9)Connect
(10)n+2
(11)
Enc(n+2)
[30/42]
* ...and it opens
>>> How Did We Do It?
Attacker
Bitlock
(1)
Connect
(2)
n
(3)
n+1
User
(4) Connect
(5) n+2
WebServer
(6)
n+2
(7)
Enc(n+2)
(8) Enc(n+2)
(9)Connect
(10)n+2
(11)
Enc(n+2)
[30/42]
>>> Rogue Devices
[31/42]
* Deployment in high traffic areas (CoffeeShop or Universities)
* Theoretically possible to retrievepassword from user and steal bike beforethey return
>>> Test Run Bike
[32/42]
* University in Midwest
* 4 bikes on campus(Summertime)
* Capacity 88 bikes
* Any user can see bikeswithin a bikeshare
>>> Test Run Bike
[33/42]
>>> Test Run Bike
[34/42]
>>> Test Run Bike
[35/42]
>>> Test Run Bike
[35/42]
Device Name
>>> Test Run Bike
[35/42]
Device Name
>>> Test Run Bike
[35/42]
Device Name
Nonce
>>> Test Run Bike
[36/42]
* Disclaimer: We did not open any locksthat do not belong to us ...
>>> Rogue Device Way Ahead
RogueDevice 2
RogueDevice 1
User
LockWebServer
[37/42]
WiFi, LTE, Etc
>>> Locating Devices
[38/42]
* BlueFinder
- Open-source tool- Determines the distance (meters) to aBluetooth device through RSS
- Active or Passive Modes- ~100 samples/sec used to estimate distance- Mean error ~24% (e.g., +/- 3m at d = 12m)
>>> How do we find these devices?
[39/42]
0 100 200 300 400 500 600 700 800
Distance (m)
-90
-80
-70
-60
-50
-40
-30
-20
RS
S (
dB
m)
Model P = 2.0
Mean RSS
Wireless Demo
[40/42]
>>> Takeaways & Future Work
[41/42]
* Takeaways
- Vendors prioritized physical robustnessover wireless security
- 12/16 locks had insufficient BLE security- Recommendation: disable phone’s Bluetoothwhen not in use
* Future Work
- Extract pattern of life using history logs- Dynamic profiles for rogue device- Extended python functionality- Evaluate Bluetooth ATM locks
>>> Questions?
[42/42]
Code: github.com/merculite/BLE-Security
Have comments, compliments, or cash?
Contact us: team @ merculite.net