>>> Picking Bluetooth Low EnergyLocks from a Quarter Mile Away

Anthony Rose & Ben Ramsey

[1/42]

>>> whoami

[2/42]

* Anthony Rose

- Researcher,Merculite Security

- Lockpicking hobbyist- BS in ElectricalEngineering

- Prior work:Wireless videotraffic analysis

- Currently focused onBLE security

* Ben Ramsey

- Research Director,Merculite Security

- Wireless geek- PhD in ComputerScience

- Recent work:Z-Wave attacks-DerbyCon 2015-ShmooCon 2016-PoC||GTFO 12

>>> Overview

1. Goals

2. What is Bluetooth Low Energy?

3. Why Should I Care?

4. Exploits

5. Demo

6. Takeaways & Future Work

7. Questions

[3/42]

>>> Goals

[4/42]

* Identify vulnerabilities in BLE smart locks

* Release proof of concept exploits

* Put pressure on vendors to improve security

* Raise consumer awareness

>>> What is Bluetooth Low Energy?

[5/42]

* Designed for apps thatdon’t need to exchangelarge amounts of data

* Minimal powerconsumption

* Operates at 2.4 GHz(same as BluetoothClassic)

* Short range (<100m)

>>> What is Bluetooth Low Energy?

[6/42]

* GATT (Generic AttributeProfile)

- Client sendsrequests to GATTserver

- Server storesattributes

>>> Why Should I Care?

[7/42]

* Widely used and gaining popularity

* Securing homes and valuables

* Current BLE "security" products:

- Deadbolts- Bike locks- Lockers- Gun Cases- Safes- ATMs- Airbnb

>>> Who is Using BLE?

[8/42]

>>> Bluetooth Hacking is Affordable

[9/42]

* Ubertooth One - $100

* Bluetooth Smart USB dongle - $15

* Raspberry Pi - $40

* High gain directional antenna - $50

>>> Ubertooth One

[10/42]

* Created by Michael Ossmann

* Open source Bluetooth tool

* First affordable Bluetooth monitoring anddevelopment platform

* Promiscuous sniffing

* BLE receive only capability (with current firmware)

>>> Wardriving

[11/42]

* Ubertooth + high gaindirectional antenna

* Bluetooth dongle

* Easy deployment

* Long range (1/4+ mile)

* Concealable

* Warflying with drones...

>>> Wardriving

[12/42]

>>> Wardriving

[12/42]

>>> Uncracked Locks

[13/42]

* Noke Padlock

* Masterlock Padlock

* August Doorlock

* Kwikset Kevo Doorlock

>>> Uncracked Locks

[13/42]

* Noke Padlock

* Masterlock Padlock

* August Doorlock - hard-coded key

* Kwikset Kevo Doorlock

Discovered by Paul Lariviere & Stephen Hall

>>> Uncracked Locks

[13/42]

* Noke Padlock

* Masterlock Padlock

* August Doorlock

* Kwikset Kevo Doorlock - fragile

>>> Features of "Uncrackable" Locks

[14/42]

* Proper AES Encryption

* Truly random nonce (8-16 bytes)

* 2-factor authentication

* No hard-coded passwords

* Long passwords allowed

- 16-20 characters

>>> Vulnerable Devices

[15/42]

* Plain Text Password

- Quicklock Doorlock & Padlock v1.5- iBluLock Padlock v1.9- Plantraco Phantomlock v1.6

* Replay Attack

- Ceomate Bluetooth Smart Doorlock v2.0.1- Elecycle EL797 & EL797G Smart Padlock v1.8- Vians Bluetooth Smart Doorlock v1.1.1- Lagute Sciener Smart Doorlock v3.3.0

>>> Vulnerable Devices

[16/42]

* Fuzzing

- Okidokey Smart Doorlock v2.4

* Decompiliing APKs

- Poly-Control Danalock Doorlock v3.0.8

* Device Spoofing

- Mesh Motion Bitlock Padlock v1.4.9

>>> Connection Sniffing

[17/42]

* Ubertooth used for sniffing

* Must be listening on anadvertisement channel (37,38, 39) and follow aconnection

- Use 3 Ubertooths(Uberteeth?), 1 on eachadvertisement channel

* Passively listen toconversation between theApp and Lock

User

Device

>>> Python Implementation

[18/42]

* Communicates directly tothe HCI

* Allows implementation ofadditional commands andfunctions- 20+ commands thusfar

* Spoofing (BD Addr andHost Name)

* Role reversal* Connection oriented

channels* ...and more!

>>> Plain Text Passwords

[19/42]

* Are they even trying?

* Found on 4 separate locks

- Quicklock Doorlock- Quicklock Padlock- iBluLock Padlock- Plantraco Phantomlock

001234567812345678Opcode Current Password New Password

>>> Plain Text Passwords

[19/42]

* Are they even trying?

* Found on 4 separate locks

- Quicklock Doorlock- Quicklock Padlock- iBluLock Padlock- Plantraco Phantomlock

001234567812345678Opcode Current Password New Password

>>> Admin Privileges

[20/42]

* Can change admin password

>>> Admin Privileges

[20/42]

* Can change admin password

- 011234567866666666

>>> Admin Privileges

[20/42]

* Can change admin password

- 011234567866666666

* Locks out owner with new password

>>> Admin Privileges

[20/42]

* Can change admin password

- 011234567866666666

* Locks out owner with new password

* Requires hard reset (battery removal)

>>> Admin Privileges

[20/42]

* Can change admin password

- 011234567866666666

* Locks out owner with new password

* Requires hard reset (battery removal)

- Only possible if lock is already open

>>> Admin Privileges

[20/42]

* Can change admin password

- 011234567866666666

* Locks out owner with new password

* Requires hard reset (battery removal)

- Only possible if lock is already open

>>> A Wild Plain Text Password Appears

[21/42]

>>> A Wild Plain Text Password Appears

[21/42]

>>> A Wild Plain Text Password Appears

[21/42]

>>> A Wild Plain Text Password Appears

[21/42]

Password is 69696969???

>>> A Wild Plain Text Password Appears

[21/42]

Password is 69696969???

>>> Brute Forcing

[22/42]

* When all else fails, throweverything at it

* Quicklock

- 8 digit pin- 100,000,000 combos

* iBluLock

- 6 character password- A LOT!

* Solution

- Common pins (11111111,12345678, 69696969, ...)

- Phone numbers- Street address- Wordlists

>>> Replay Attacks

[23/42]

* Claim "encryption" is being used

>>> Replay Attacks

[23/42]

* Claim "encryption" is being used

* Who cares what they are sending as long as it opens!

>>> Replay Attacks

[23/42]

* Claim "encryption" is being used

* Who cares what they are sending as long as it opens!

* Vulnerable Devices

- Ceomate Bluetooth Smartlock- Elecycle Smart Padlock- Vians Bluetooth Smart Doorlock- Lagute Sciener Smart Doorlock

>>> Replay Attacks

[23/42]

* Claim "encryption" is being used

* Who cares what they are sending as long as it opens!

* Vulnerable Devices

- Ceomate Bluetooth Smartlock- Elecycle Smart Padlock- Vians Bluetooth Smart Doorlock- Lagute Sciener Smart Doorlock

>>> Fuzzing Devices

[24/42]

* Change bytes of a valid command

* See if we can get lock to enter "error state"

* Vulnerable Device

- Okidokey Smart Doorlock

>>> Fuzzing Devices

[25/42]

* Okidokey’s claim of "security"

- "uses highly secure encryption technologies,similar to banking and military standards(including AES 256-bit and 3D Secure login),combined with proven and patented cryptographicsolutions"

>>> Fuzzing Devices

[25/42]

* Okidokey’s claim of "security"

- "uses highly secure encryption technologies,similar to banking and military standards(including AES 256-bit and 3D Secure login),combined with proven and patented cryptographicsolutions"

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

- The key is not "unique"

9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key

Valid

Command

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

* Intricate fuzzing script (days? weeks? months?!?)

9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key

Valid

Command

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

* Intricate fuzzing script (days? weeks? months?!?)

* Change 3rd byte to 0x00

9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key

Valid

Command

Modified

Command

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

* Intricate fuzzing script (days? weeks? months?!?)

* Change 3rd byte to 0x00

* Lock enters error state and opens

9348b6cad7299ec1481791303d7c90d549352398Opcode? "Unique" key

Valid

Command

Modified

Command

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

* Intricate fuzzing script (days? weeks? months?!?)

* Change 3rd byte to 0x00

* Lock enters error state and opens

* Unusable to user while in error state

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

* Intricate fuzzing script (days? weeks? months?!?)

* Change 3rd byte to 0x00

* Lock enters error state and opens

* Unusable to user while in error state

* "Patented" crypto is XOR?

>>> Fuzzing Devices

[25/42]

* Sniff a valid command

* Intricate fuzzing script (days? weeks? months?!?)

* Change 3rd byte to 0x00

* Lock enters error state and opens

* Unusable to user while in error state

* "Patented" crypto is XOR?

>>> Decompiling APKs

[26/42]

* Download APKs from Android device

* Convert dex to jar

* Decompile jar

- JD-GUI- Krakatau- Bytecode Viewer

>>> Decompiling APKs

[27/42]

* Vulnerable Device

- Danalock Doorlock

>>> Decompiling APKs

[27/42]

* Vulnerable Device

- Danalock Doorlock

* Reveals encryption method andhard coded password

- "thisisthesecret"

>>> Decompiling APKs

[27/42]

* Vulnerable Device

- Danalock Doorlock

* Reveals encryption method andhard coded password

- "thisisthesecret"

* XOR(password,thisisthesecret)

>>> Decompiling APKs

[27/42]

* Vulnerable Device

- Danalock Doorlock

* Reveals encryption method andhard coded password

- "thisisthesecret"

* XOR(password,thisisthesecret)

>>> Web Servers

User

Lock

WebServer

[28/42]

* Utilizes a Web Server to generatepasswords

* Requires internet to communicateand retrieve passwords

* Becoming more widely used

- Kwikset Kevo Doorlock- Noke Smart Padlock- Masterlock Smart Padlock- August Smart Doorlock- Mesh Motion Bitlock Padlock

>>> Rogue Devices

[29/42]

* Impersonate lock to steal password from user

* Requires:

- Raspberry Pi or Laptop- Bluez- Bleno- LightBlue Explorer

* Mobile and (Somewhat) Undetectable

* Vulnerable Device- Mesh Motion Bitlock Padlock

* This is possible due to a predictable nonce* App is running in the background and sends commands

without user interaction

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

[30/42]

* Connect to Bitlock

* Scan for PrimaryServices &Characteristics

* Build copy of device inBleno

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

[30/42]

* Connect to Bitlock

* Scan for PrimaryServices &Characteristics

* Build copy of device inBleno

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

[30/42]

* Read current nonce fromnotification

* Send invalid password

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

[30/42]

* Invalid passwordincrements nonce again

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

[30/42]

* Follow target and setupimpersonated lock

* Receive connection fromuser

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

[30/42]

* Send nonce notificationto user

* Value doesn’t have to beonly n+2, it could ben+10 or n+100

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

[30/42]

* Nonce sent fromuser to Bitlock’sserver

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

[30/42]

* Encrypted nonce issent back to theuser

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

(8) Enc(n+2)

[30/42]

* Encrypted nonce issent to attacker

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

(8) Enc(n+2)

[30/42]

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

(8) Enc(n+2)

(9)Connect

[30/42]

* Return to lock

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

(8) Enc(n+2)

(9)Connect

(10)n+2

[30/42]

* Receive currentnonce

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

(8) Enc(n+2)

(9)Connect

(10)n+2

(11)

Enc(n+2)

[30/42]

* ...and it opens

>>> How Did We Do It?

Attacker

Bitlock

(1)

Connect

(2)

n

(3)

n+1

User

(4) Connect

(5) n+2

WebServer

(6)

n+2

(7)

Enc(n+2)

(8) Enc(n+2)

(9)Connect

(10)n+2

(11)

Enc(n+2)

[30/42]

>>> Rogue Devices

[31/42]

* Deployment in high traffic areas (CoffeeShop or Universities)

* Theoretically possible to retrievepassword from user and steal bike beforethey return

>>> Test Run Bike

[32/42]

* University in Midwest

* 4 bikes on campus(Summertime)

* Capacity 88 bikes

* Any user can see bikeswithin a bikeshare

>>> Test Run Bike

[33/42]

>>> Test Run Bike

[34/42]

>>> Test Run Bike

[35/42]

>>> Test Run Bike

[35/42]

Device Name

>>> Test Run Bike

[35/42]

Device Name

>>> Test Run Bike

[35/42]

Device Name

Nonce

>>> Test Run Bike

[36/42]

* Disclaimer: We did not open any locksthat do not belong to us ...

>>> Rogue Device Way Ahead

RogueDevice 2

RogueDevice 1

User

LockWebServer

[37/42]

WiFi, LTE, Etc

>>> Locating Devices

[38/42]

* BlueFinder

- Open-source tool- Determines the distance (meters) to aBluetooth device through RSS

- Active or Passive Modes- ~100 samples/sec used to estimate distance- Mean error ~24% (e.g., +/- 3m at d = 12m)

>>> How do we find these devices?

[39/42]

0 100 200 300 400 500 600 700 800

Distance (m)

-90

-80

-70

-60

-50

-40

-30

-20

RS

S (

dB

m)

Model P = 2.0

Mean RSS

Wireless Demo

[40/42]

>>> Takeaways & Future Work

[41/42]

* Takeaways

- Vendors prioritized physical robustnessover wireless security

- 12/16 locks had insufficient BLE security- Recommendation: disable phone’s Bluetoothwhen not in use

* Future Work

- Extract pattern of life using history logs- Dynamic profiles for rogue device- Extended python functionality- Evaluate Bluetooth ATM locks

>>> Questions?

[42/42]

Code: github.com/merculite/BLE-Security

Have comments, compliments, or cash?

Contact us: team @ merculite.net