Alright, let's get started. So, I'm Anthony Rose. Nice to meet everyone. This is actually my first talk at DEF CON. It's also my first time at DEF CON, so this is really exciting. So if you made it here, I'm giving a talk on Bluetooth Low Energy. If you're not interested in that, this is your last chance really to leave; otherwise you're stuck here. So my talk is picking Bluetooth locks from a quarter mile away, or what I want to call it, smart locks made by dumb people. What I found is that a lot of manufacturers decided on user convenience over security, and my job was to, you know, take advantage of that. So I want to steal your passwords and get in your house. So let's get started. I'm Anthony Rose, and I'm part of a little hacking group that we call Merculite. You might have seen a couple of their talks around here, like some Insteon stuff that's happening later today, refrigerators, smart refrigerators, and then another Bluetooth talk. I'm the lock picking hobbyist. I'm by no stretch of the imagination an expert, but definitely a hobbyist. My background is electrical engineering, and you'll notice that when you look at my code, because I don't code very well. I don't know how to do it well. So when you think, why the hell did he code it this way? Yeah, it's because I'm not good at coding, so I'm sorry. My background, actually, is that I did research at Arizona State. Go Sun Devils, if anybody's here. Sun Devil. He doesn't count because he's my brother. My background's wireless video compression, so I did some wireless stuff prior, but really my main focus right now is Bluetooth security, Bluetooth Low Energy security specifically. Ben, he was the other person that was supposed to be here. He couldn't make it; he had his appendix removed, so it probably wasn't safe for him to travel. 
But his background: he's got a PhD in computer science, and he's done some previous work. You can actually look at some of his stuff from ShmooCon and DerbyCon, and he has a PoC||GTFO article coming out, so keep an eye open for that. Quick overview. I've been working on this for a while now. Here's an overview of what we're going to talk about: some goals that we set out with when we actually wanted to look at Bluetooth; what Bluetooth Low Energy is, because not everyone might actually know what it is; why you should even care what I'm talking about; some exploits that we found; then some takeaways for consumers and for vendors, and then some future work that we actually want to work on. And then finally we'll open up the floor for some questions. Hopefully you don't throw anything at me, so let's get started. So our goals: really we wanted to find vulnerabilities in Bluetooth locks, and once we started to find vulnerabilities we figured, hey, we might want to contact vendors and let them know that their locks aren't safe. And it turns out that vendors actually don't care. We contacted twelve vendors and only one of them actually responded. And their response was, yeah, we think it's a problem, but we're not going to fix it. So we figured next we might want to release this stuff to the public so that at least we don't have to worry about it. And then we figured at least the consumers know what the issue is, so they can make a decision of, hey, should I buy this lock, or maybe I should stay away from it. I'm also a big movie buff, so if you can name all those, good on you. But if you trust Newman for your security, you're making a really bad choice. Yeah. And also if you can actually recognize my t-shirt, because I'm a huge movie buff, I'm pretty impressed then. So, awesome. Oh, I forgot to mention the, yeah, sorry. Maybe you can check it out afterwards then. So what is Bluetooth Low Energy? 
Really it was designed to be a really low power protocol, and it's designed to send a minimal amount of data. So you're looking at very small amounts of data, mostly like state updates, so like passwords, am I open or closed for a door, things like that. It still operates in the same spectrum as Bluetooth Classic, still in the 2.4 GHz spectrum that everything uses. And really the big thing about Bluetooth Low Energy is that it's not a single battery. It's a single battery. So the only thing for it is it's really short range, because the power consumption is very, very minimal. You're talking like coin cell battery size. So you're looking at really short range, about 100 meters in most cases. Actually, really, when you're talking about these locks, 20 to 30 meters is where they cap out. And what we wanted to do was take advantage of this, so actually if you use a USB dongle that has an antenna hookup, and you get one of the ones that actually has a decent amount of power on it, you can actually start communicating with these devices at like a quarter, half mile distance. So that's actually what we did, which was pretty cool. Oh, I shouldn't have changed slides yet. Well, actually, all the commands that we're going to be sending are going to be going to this host controller interface. And that's actually what we send on Linux. And that actually gets interpreted up to this GATT. This is the Generic Attribute Profile. And this is actually sitting both on your lock and on your phone or whatever user device you're using. This is how they actually communicate. There are things called attributes on the server, and we actually send read and write requests as a user to this server to actually learn information or send information. So that's how I send my password to a lock, and that's how the lock responds with, now I'm open. So all those attributes are actually sitting on this GATT server. 
Now you're probably thinking, why should I even care what this guy's talking about? Well, it turns out these things are really popular. The recent estimates for how many of these devices are being built a year is like 3 billion a year. So that's a lot of money. So there are tons and tons of Bluetooth Low Energy devices. I mean, if you look at your phone, it probably has Bluetooth Low Energy in it. So they're everywhere. And they're being used for security purposes. So they're being used to secure your homes and your valuables. And there's a wide range of these devices. There are deadbolts; bike sharing programs use these locks; lockers, gun cases, ATM locks. Yes, ATM locks, where they actually lock up the money with a Bluetooth Low Energy lock. Surprisingly. And then Airbnb. Does everybody know what Airbnb is? Anybody? Okay. So, surprisingly, you can actually rent houses with this program. And they use smart locks. You actually get the code from them, and then you actually open up the lock and go in there. I had a friend who traveled Europe recently who actually saw a bunch of the locks that we're going to talk about. And he was like, really, look at this. Oh. Could you break into them and get me a free house? And I'm like, eh, probably not. So there's a wide range of companies that actually build these products, a lot of big companies and a lot of small startups. And what we found is that a lot of the small companies that built these products just didn't have the funding to actually build security in, at least robust security. And that's something that we focused on. But still, even the big companies still had some holes in a lot of the things they developed. So to actually hack Bluetooth, what you need is a sniffer. I'm sure everybody's familiar with the Ubertooth. Pretty affordable option, about a hundred dollars. Obviously there are some cheaper options, but this is actually what I prefer. 
You need something to be able to send commands after you sniff them. So you need a USB dongle of some sort. You can get a USB cable. You can get a cheap regular USB dongle for fifteen dollars. I really like the UD100. If you're familiar with that platform, it's got an antenna hookup, so you can hook up a really high gain antenna on it, and then you can really have fun at really long distances. A Raspberry Pi is great because you can actually run all this stuff mobile. And when you actually use that kind of platform, you can kind of set it up and leave it and not have to worry about somebody stealing it. A laptop, obviously, somebody might walk away with. But a Raspberry Pi, you're only out forty bucks. So it's not a big deal. The high gain antenna that I use: a fifteen dB Yagi, if you're an electrical engineer like me. That's actually all my stuff right there. My wife gets really upset because it takes up a lot of space. And she gets pretty pissed, so. The Ubertooth One, if you're all familiar, was created by Michael Ossmann a couple of years back. You can look up a lot of information on it. But really the important part of it: it was really the first Bluetooth sniffing tool that was really out. Prior to this, a lot of the other devices that were out there were actually Bluetooth, and the other options were really, really expensive, like ten thousand dollars. So this made it really affordable for the average user like us. This does all passive sniffing, and it really only has a receive capability. You can modify the firmware to do other things, but really for Low Energy it's really only receiving commands, which is good because the user has no idea this is happening. You can use that with like a USB dongle and you can actually go war driving with it. So I like to drive around my neighborhood and pick out all the things that my neighbors have. Or I set up like a USB dongle and I can go to work with it. 
Or I set up my antenna out my window, and then my neighbors knock on my door and wonder what the hell I'm doing. So, you know, you can drive around. You can pick up passwords from, or actually pick out networks from, people. Then you set up a high gain antenna in the back of your jeep like I do, park it at McDonald's, and then I sniff your password from your house, from like a half mile, and then guess what, I can get in your house if I wanted to. And it's really concealable. I mean, no one's going to be looking in the back of my truck, at least I hope not. And it's great. So one of the cool things that we've actually thought of was flying. So take like a quadcopter, hook up a Raspberry Pi to it, fly it around, use the onboard GPS to actually plot where devices are and actually find where they are, and then you can actually go back later. I haven't had time to build it, but, you know, it's a cool project; maybe somebody could build it and then I could play around with it. So I did a recent trip around my neighborhood. I drove around for like an hour. I picked out a lot of really cool things. Smart TVs, smart cookers, toasters, Fitbits, God knows what people have. But I actually found four locks that people actually had within about 40 minutes. Which is pretty cool, because I actually know all four of those locks, and actually two of them I actually have exploits for. So I probably should have told them, but, eh, whatever. Before I go through all the locks I broke, I want to point out like four of them I actually couldn't break. I've had some ideas about how to break them; I just haven't had a chance to do it yet. But let's go through the ones I couldn't break. The first one's the August lock. 
There are some exploits that I think I could use, but I haven't had a chance to use them yet. But about a year ago a couple of individuals actually posted on their blog about a hard-coded password actually built into their application. So this password isn't used really for much besides settings. But still, the practice of having a hard-coded password in your application is really not a good thing. The next one actually is really surprising. So the Kwikset lock, they had a really interesting design decision. They built fantastic designs on it. It's really hard to break. However, their lock, at least the older versions, you can actually use a screwdriver to open up the lock. So it takes about 10 seconds to break the lock open. I really wanted to try it, but I had one of the newer models and I really didn't feel like breaking a $300 lock, because I really don't have that much money. So I didn't break my lock, but there are YouTube videos all over the place, so go check them out; they're pretty cool. And yeah, that's a great design decision on their part, right? So what do they all have in common? They all use the same password. They all use AES encryption. They use some sort of nonce value, a random number. And then they actually send that value and get it encrypted, and then they send it back. That's normally how a lot of these locks work. All the ones I couldn't break had two-factor authentication. At least they're not using hard-coded passwords anymore. At least I hope not. And then they use a really long password space, 16 to 20 characters in most cases. Some of the ones I actually found use 6 to 8 characters, surprisingly. I don't know why you would ever choose that, but that makes brute forcing easy. And I actually put out the code for that one. So it's really easy to get some tools for you guys to actually be able to brute force things. There's a wide range of vulnerable devices. 
So before you get overwhelmed by this slide, I broke them into categories. So you'll be able to see the categories, and each category is a lock, the firmware number in case they update it, so that way at least you know which version you can actually exploit, and then a symbol for whether it's a padlock or a door lock. So we're going to go over plaintext passwords, replay attacks, actually fuzzing a device to get it into an error state, and then finally device spoofing, pretty much a man-in-the-middle attack, so I can pretend to be the lock and then actually get the user to send me a password so that I can unlock their device. To be able to do this you need to be able to sniff first, so we use that Ubertooth. And the way Bluetooth Low Energy actually works, you have 3 advertisement channels. Now if I want to steal your password on the first try, I need to be able to sit on each of those advertisement channels. So I need to have 3 Ubertooths in this case, one set up on each advertisement channel, so that I know I can actually get the information. Obviously I'm sniffing wireless, so there's no guarantee I'm going to get it, but at least I'm increasing my chances. Once I have all that information I can compile it all into one file, I can filter out all the duplicate stuff, and then I can actually filter for your password. Now that I have your password I need to be able to send it somewhere. So what we do is we use Scapy, which actually has some sockets built into it that are pretty cool. I can bind right to the Bluetooth, and then I can actually get the message out to the socket and actually send commands to the dongle to actually go to devices. So that's what we use, and then I built some commands that we use pretty often into Python so that I can actually use them. So I can do connect, read and write commands, I can do spoofing, actually change my address and my device name, all through these sockets, which is great. 
So now that I have all that in place I actually start attacking locks. So that's what we're going to do now. So I wanted to say this was the first lock I actually broke, but it turns out it's not. I found out this morning actually from my dad that apparently like 15 years ago, you know, the remotes actually block like TV channels on cable boxes. So I actually guessed his password, I guess, 15 years ago and I started watching inappropriate things. So it turns out that's actually the first lock I broke. So I broke into his remote and decided to watch late-night HBO. So this is the second lock I ever broke. This is the Quicklock, and they had a really interesting design decision. So what they do actually with this lock is they send your password in plaintext. Not only do they send your password in plaintext, they actually send it twice, so they double it up and then they throw an opcode at the beginning. So I thought to myself, well, why would they do this? Turns out that they do this because you can actually change the password by using the same command at the same handle. So that's actually what we're going to do. So right now this lock is broken, so let's cross this off. I can get into this lock, but I want to do more than just breaking this lock. I want to be able to take advantage of the fact that I can actually change that admin password. So I'm going to change the admin password now. And how do I do that? I take that opcode and actually I change it to zero one, and then I set the password to be all sixes. So you're thinking, oh cool, you know, the admin's now locked out, the user's locked out, they can't use their device. It actually gets a little better than that. It turns out the user actually can't reset the device without removing the battery. So you have to remove the battery from the device to reset it. 
And guess what, the battery's actually behind a panel that can't be removed unless the lock is already open. So really they're completely locked out of the device, and since I'm doing this outside of the application, the application doesn't even know what to do. So it actually pleads with you, like, hey, please help me, I don't know what to do, what's the right password. So I've locked the user out both in the application and physically from their device. So that's pretty cool. Really interesting story, actually: I actually found this device pretty recently, and I'll tell you a little story. So I went to a car dealership recently, and I actually had to get an oil change for my car, and they told me, hey, you know, it's going to be like two hours, you know, go have a seat, and I was like, you told me 30 minutes on the phone, what the fuck. So I figure, hey, you know what, it's not that big of a deal, and they're like, just go have a seat. So at that point I'm actually kind of pissed, because they keep telling me just to go sit down and shut up. So I walk away and I'm like, okay, I'm going to go sit down and shut up. And I'm thinking to myself, you know what, fuck you, I'm going to go hack your shit. So I start scanning all the stuff they have available, and I'm seeing like cars pop up, people's iPhones, Fitbits, a couple of Tiles actually, if you know anything about the Tiles. So I started actually to start sniffing stuff, and I wanted to send commands to make them randomly go off just to piss them off. So I started doing that, and then actually this lock popped up, and I got really excited because this is actually that Quicklock that we actually just talked about. So 30 minutes goes by; I'm waiting, I'm waiting, I'm waiting. It's about the time I would have been home already at this point, and then I get the guy's password. So I'm really excited at this point. So let me actually show you his password. 
Here it is, actually; let me zoom in. Yeah, he set his password to be 69s. And remember, I'm in a car dealership, so the guy looks like this. So I mean, you think about a user: he sets his password, he thinks nobody's going to guess it, but little does he know I can actually sniff your password in plaintext and I can actually see it, so, yeah, he's a bit of a pervert, I'm sorry. So I have his password now. I didn't break into his lock, but at least I have his password, so that's kind of cool. Since we're dealing with plaintext passwords, we can brute force them. I figure, you know, with me, when all else fails, brute force it. But a lot of the things these manufacturers do is they limit those password spaces. So what I found is a lot of them use minimal password spaces, so 8 digits in some cases, or 6 characters exactly. So those password spaces are very easy to brute force because they're very small. Still, it could take a while. So you can use word lists, obviously. You can use ones, 1 through 8, 69, phone numbers, street addresses, or a word list with 6-character words exactly, and use that to brute force. All that's on our GitHub. So I'm going to show you guys how to do that. So I'm going to get a block here, and I'll show you how to do that. So I'm going to go to my GitHub; you guys can check it out at the end. If you break into things, send me a message; it would be pretty cool. And here's a little demo of the Quicklock. Pretty simple little lock, actually. You know, you have to click the button on it to actually connect to it. I start sniffing with the Ubertooth. I actually get a pcap file that I'll then put into a script that actually parses all the information and actually pulls out the password for me, and then sends it to the lock. And I'm not really a nice guy. 
So I decided that I should also add in where, after I unlock the lock, I also change your password, so you're actually locked out after I get into your house. So that's pretty cool. Originally I wanted to do a wireless demo, but everybody here has Bluetooth. It is fucking crazy. If you do a quick scan, there are like a thousand-something devices, and there's no way in hell I'm going to be able to actually sniff here. So I opted to do videos instead, just so everybody knows. Next, actually, some companies actually opted to do encryption. And you think, oh great, they're going to use encryption. Their websites advertise crazy things. They advertise, oh yeah, we're using 256-bit AES encryption. You know, the military uses it, so it's got to be great, right? Well, it turns out they actually don't use encryption the way it really should be used. So it turns out if I just sniff it and I send it back to the device, it opens. Which kind of sucks for them. It's great for me, but it really sucks for these companies. Even better than that, all four of these locks actually have more in common than just replay attacks. If I actually set my password to be "password," for example, and I set it on one of these devices, it actually encrypts it the exact same way on all four of them. And they actually use the same method of actually opening up as the other ones. So it turns out a lot of these locks are sold on Amazon, Newegg, a couple of other websites. And they go up like two or three at a time and then they pull them off. So they end up using the same code as the back end for all of them, and they just keep repackaging them as something else. So it makes it really easy, actually: you just sniff it and then replay it to open them. And, oh yeah, by the way, they're all made by Chinese manufacturers. I'm not bashing anything, but, yeah, they all have stickers on them that are written in Chinese. 
And the manuals are actually written by somebody who cannot speak English. It is absolutely awful to figure out how to set these things up. So these are broken. Pretty cool. Now, next, after this one is actually a completely different thing. We were looking for companies that actually used encryption but maybe developed their own sort of encryption. So we wanted to see, hey, can we actually fuzz it? Can we fuzz a device? Can we get it to enter an error state, and see what happens when it's in that error state? And that's actually where we found this lock: Okidokeys. If you're familiar with it, it's made of all plastic. I don't know why you would use a plastic lock for your house, but, you know, cool. So we actually went to their website and we started looking at how they claim their security. So actually the interesting part to us is that what they actually told us was, hey, we developed something that was similar to AES encryption. Like, oh, cool. And they combine it with a patented cryptographic solution. So if you know anything about crypto, proprietary crypto is not usually a good idea. It usually means it's not tried and tested, and there are usually things that you can take advantage of. Which is actually what we did. So we figured, hey, let's take a look at this lock. Let's see what we can find out about it. So we started sniffing a bunch of things on it. We sniffed like a bunch of packets and we started noticing that keys really weren't that unique. You started seeing patterns in them. And you figure, like, oh cool, you know, maybe I'll be able to fuzz it. So we came up with this intricate fuzzing script. You know, it was going to do one byte at a time. It was going to come up with combinations. It could take days, weeks, months. Who knows how long it was going to take. Boy, were we wrong. Turns out it took about three seconds. Because if I take the third byte and I change it to zero, the lock enters an error state. 
Not only does it enter an error state, it opens. Oh, it gets better. It actually sends up an error message in the application saying the keys are out of sync. So I started thinking to myself, well, why would this happen? Why would the keys be out of sync? Well, remember that patented crypto we talked about earlier? Yeah, it might be some sort of XOR. Because they use the XOR code. They use the previous key to actually generate future keys. And now they're out of sync. Uh oh. So, yeah, that really wasn't a good idea. So, really funny story about them. We contacted them to let them know that they had some problems with their lock. And then they turned off their website. So I'm not claiming responsibility for anything. But, yeah, they turned off their website after we told them that there was an issue. And you can still buy their stuff, though. They're still selling it on Amazon. So you can go check it out. But it may not be supported much longer. And then actually here's a video of it. Pretty cool. So they use the application actually to unlock it. So you swipe it. It actually unlocks. I sniff the password that's current. And then I'll take that, I'll actually run it through my script, where it actually pulls out the password, changes that third byte to zero, and then unlocks. At some point. And there it goes. So that's how it works. And then this is where the user comes back. They want to lock their door. They want to unlock it. Whatever they want to do. And then guess what? It doesn't work. Sorry. That kind of sucks. So, kind of a different thing that we talk about. If you're familiar with Android applications, you actually pull off those applications in APK format. You actually decompile them into readable code. So I actually like to use this program called Bytecode Viewer. A lot of people use it. 
It allows me to view it in a bunch of different ways, and actually view what they coded as if it's readable. So that's what I did for this lock, the Danalock. I actually broke this lock down into readable code to actually see what they put in there. Turns out they had this hard-coded password in there. Yeah, you think this password's cool? Guess what? They don't just put this password in there. This is on every device. They actually store your password also. So my password in this case was "password." And they actually export the password to the APK. And they actually export that with this super secret password that they have. And then they store it in a table. So every user's password is actually stored in this table. And I actually know the method that they use to store these passwords. I haven't had a chance to actually break this lock. So I'm pretty sure this is what this is used for, but I'm not 100% sure. I want to go back and actually do it, but I haven't had a chance. So it's kind of pwned, because I haven't really broken into it yet, but I have almost all the tools I need to be able to do that. A big thing that a lot of companies are moving towards is that they're using passwords as like a web server back end. That way you can't pull passwords off of actual applications. So what they do is they store it on a web server, and you ping that server with some sort of value. They encrypt it. They send it back. This is great, because a lot of the companies are using it. It's a lot more secure. However, if you fake the device, you can actually trick the user into giving you a password. And that's what we do. So we actually take a device. We impersonate it. And we trick the user into giving us a password. And to do that, it doesn't really take much equipment. A Raspberry Pi. You can actually take the device and put it on a Raspberry Pi, maybe a laptop. You need something to run BlueZ, the Bluetooth stack. 
You need something to actually build the GATT server on your device. So bleno is a great program. If you saw some of the other talks, they actually talk about bleno with the man-in-the-middle attacks. Then you need something to actually pull services off of devices. And I like LightBlue Explorer, a great program that you can run on your phone. The reason why I like it is because if you're walking around with your phone out, nobody looks at you funny. But if you're walking around with a laptop, everybody gives you a really, really nasty look. So it's great to use it on your phone, because nobody looks at you twice. And this is really mobile. If you set up on a Raspberry Pi you can set it up really anywhere. And it's somewhat undetectable. And I say that because if these applications are running in the background, the user has no idea that they're connecting to you and giving you a password. But the web servers might know. So that's kind of where it's somewhat. However, these web servers usually don't give a shit. You can ping them a thousand times and they'll give you a thousand passwords. And you can build a whole table of passwords from this. And you can do whatever you want with them. And guess what? These servers don't care, because they think you're actually the right person. So you keep getting passwords and I can do whatever I want with them. And we found actually one of the devices that we're going to talk about in a second: BitLock. If you're familiar with this lock, it's actually a padlock they use for bike sharing programs. And they're pretty widely used. They're in like 20 different countries, all over the United States as well. And that's actually what we'll be looking at, because they actually use a nonce value that they send. And we actually found a way to predict what the next value is going to be. And I'll show you that here. So this is actually how we break into the lock. We connect to the BitLock first. 
We actually scan for all those attributes, all the primary services, the characteristics. And we build a copy of the server in bleno. And there are all the attributes right there. So I connect to the lock. I actually get a nonce value and I send an invalid password. It doesn't matter what I send to them, because I just want to know what it's going to do next. Next it actually increments it by one. And the reason why it does that: that's actually the method it uses to generate a random value. That random nonce is actually only incrementing. And that's it. That's all they do. So I actually have what every value is going to be from this point on, because they're just going to increment it every other time. So I'm done with them. I have everything I need. I just need to find the user. So I wait for them to park their bike. They lock it up. They go somewhere. And then I set up my device and they connect to it. I actually send them that value, that N plus 2 value that I was talking about. They send it to their web server. They get it encrypted. They send it back to me. And now I have their password. Pretty easy process. And that's all because of that nonce. Now I go back to that BitLock. And here's the best part about all of it. This value that I'm talking about, it doesn't matter what I set it to. So I can get N plus 10. I can get N plus 100. I can get N plus 1000. I can build an entire table of passwords, because they're only incrementing that value and I know how to force the BitLock to actually increment. So now I go back to the BitLock. Whatever value they're at, I force it to increment. So I connect to it. It sends me this random value that I would never guess. I send the encrypted version to it. And then guess what? It opens. So now I have their bike. I'm riding around on it. Woo. So this is pretty deployable, pretty easy to use, because you want to look. Really, your targets for this are really high traffic areas. 
So you want to look for like coffee shops, because hipsters love bikes. So if you find a coffee shop there's probably somebody using one of these locks nearby. Or you can look for a university, because some universities might want their students to use bikes. And guess what, we found one that uses this. I'm not going to tell you what university, but if you open up the application, actually, there's a really cool feature built into it. You can actually look at any bike share program that's out there. It has an older version of the there without actually being subscribed to their bike sharing program. So I travel to this random university and I can actually find where all their bikes are located. I just actually have to go to one of those locations. So I go to one of those locations and look, there's a bike. And then I get out my phone and I start scanning, because guess what, I have my phone out and nobody thinks twice. I curse a couple times, I kick the bike, and everybody just thinks I'm stupid and I can't open the lock. But I have all the information I need now. So I go sit down at like a park bench nearby and I start entering all the information that I collected with LightBlue. So I take that information and put it into bleno, so I actually have the device name now and I have the nonce value, and then I start advertising and I wait for a user to come by to connect to me, and then I'll get their password.

Well, there happens to be one problem. If you know anything about college students, they don't like to hang around during the summer, and that's when I decided to actually go there, so there was nobody around. So yeah, that was a little upsetting. But I do plan on going back during the fall when I actually know there's people around to test this out again, at least so I can get passwords. I'm not going to steal any bikes, I promise I won't. But if you guys do, it has no bearing on me.
So, you know, whatever you want to do. A cool thing you can actually do, actually to take advantage of things, is you can actually do like a relay attack with this. And the reason why we thought of this is because we contacted BitLock originally. And we told them, hey, you might want to change your value that you're sending out, because, guess what, it's just incrementing and I can predict that. So they came back and they said, hey, you know, we'll fix it. That was three months ago and it's still not fixed. But, you know, maybe they'll get to it eventually. But a lot of the other locks that we can't break into actually use a similar process. So we figure, hey, let's take advantage of this and see if we can do an attack like this on other locks that we couldn't break. So that's where this attack actually came in.

So what I do is I say, hey, you know, I'm going to test this out, and I stand near the lock with a device. And the lock sends me a nonce value. I take that value, I send it to another device that's sitting near the user. I use cellular, Wi-Fi, something to send that information. This device is like taped underneath their car, whatever high-tech method you want to use. But as long as it's near them it doesn't really matter, because I'm going to send that value to them and they're going to get it encrypted for me and send it back to me. All because this app is running in the background. And that's really the big problem, is that these apps are constantly running for years and years and years and years. They're running for user convenience. And since they're focusing on convenience and not security, I'm going to take advantage of that. So they send that password back to me while I'm standing at the lock and I open it. And this is all done real time, real quickly. And this is actually what we want to develop next. This is kind of our next project that we want to work on, is I'll be able to do this.
And you're probably thinking, well, how do I find these rogue devices? Well, actually, sadly, if you noticed, if you actually saw the Blue Hydra talk, they actually did something similar to us. So this is kind of another one of those programs. But it's Blue Finder. It's just a program that we built that allows us to track devices. So what we did was we actually tested a range of devices and actually found out what their signal strength was at a meter. And then we actually built a model behind that to actually track devices. And we actually put a good error rate on it, 24%. So within 3 meters I could figure out where your device is. And here's actually a graph of it. If you take that UD100 device, hook up a high gain antenna to it, I can actually track your device up to about 700 meters, or almost a half mile. So I can follow you pretty well, with a pretty good idea of which direction it is, because these antennas are directional. So I can be like, oh, yeah, it's definitely that way, maybe 600 meters away.

So let me actually give you a demo of this. This is actually me tracking a target. I'm sitting in my home, just relaxing, tracking a target. So my very high-tech method was taking a Fitbit and duct-taping it to my child. Yeah, my wife wasn't very thrilled about this one. So if you think that table was bad, this was worse. So you can track targets pretty far with that kind of equipment. That's really the point.

And really the overall thing that we really wanted to make clear was that vendors overall just did not prioritize the right thing. They were prioritizing physical security over wireless security. Obviously there are exceptions. Kwikset decided that a screwdriver could be a second key. Probably not the best design decision. But overall, we evaluated a lot of devices, and we found that 12 out of 16 of them were broken. And that's a really high number.
I went into this thinking, hey, maybe I'll find one or two devices that are broken. No, I found 12. So overall they're pretty, pretty bad. And really wanted to let vendors know that, you know, they're not going to be able to track a target. And vendors know there's a problem so that we can actually fix it.

And then finally, we wanted to put out a recommendation to users. What we wanted to tell you guys was, hey, turn off your Bluetooth when it's not in use. Especially here at DEF CON. Please turn off your Bluetooth. Because people are walking around and I'm like, oh, Gary's iPhone. Hi Gary. I'm going to connect to your stuff now. So turn it off when it's not in use. Because that's why that relay attack works, is because you're constantly advertising and looking for these devices, and that's how I take advantage of it.

Some of the big future work that we want to work on: I found a really surprising thing with history logs. So a lot of these lock companies actually built history logs into their devices, which is great. But they didn't hide it behind a password. So I can actually connect to your device and see everything about your lock. And it gets even better. They're actually storing usernames and passwords. So let's think of a hypothetical situation where we have users Mom, Dad, Jimmy, and Sally, and we have timestamps associated with when they come home and when they leave. So now I know when Mom and Dad are home. I know when Jimmy and Sally are home. I know when they're not home. So if I'm a bad person, I can take advantage of this. And really we want to put some pressure onto vendors so that way they would fix this problem.

Next, using rogue devices, do a dynamic profile. I want to advertise 20 different advertisement packets so I can advertise 20 different devices. So that way if somebody connects to me, I serve up my GATT server to match whatever they're looking for.
So I can steal your password. Next, there are a lot more commands out on those GATT servers that we want to implement into Python, more than just the connect, read and write. And then finally, actually I'm most excited for this: we bought one of those Bluetooth ATM locks, and we're actually going to tear it apart and see if we can break into it. If these locks are any indication already, it should be pretty easy. But I'm hoping it's better than we think it is. That's really it. I wanted to open up the floor for some questions. So if you have any questions, come up to the microphone, and hopefully I can answer them. Thank you.

Yep. Yeah, hello. First, thanks for looking into this hell of a lot of devices. Really interesting. I did some similar research and I want to add on your two unbreakable first ones. Because I looked into three devices and broke three of them. Oh. And two of them being the Noke and the Master Lock. So I'm not disclosing too much right now, because Noke actually responded to my request and they're fixing it. But just so much: they have AES and they're doing it wrong. So I broke their AES crypto. And the Master Lock has a physical bypass. So I'll talk about that after I release it to them. And the third one was shimmable. Oh my god. Yeah. But thanks for your work, and possibly exchange contacts later.

Oh yeah, that's awesome. If you come grab me afterwards, I would love to talk with you. Because there are always so many devices out there that I haven't had a chance to break. And there are always cool ways to do it. So, thank you.

You talked earlier about an Insteon talk that would be happening later. Where are the details of that?

Yes. That's actually going to be in Wireless Village. My friend Caleb is actually going to be giving that up in the Wireless Village at 12:20, I think. Somewhere around there. 12:20 at the Wireless Village.

Is it about Insteon door locks or anything?
It's about Insteon devices overall. So it's mostly focusing on, I think, the lights, the camera and the hub. So go check it out. It'll be really cool. Thank you.

Great talk, by the way. Thank you. These locks that you were taking apart, you said they were emphasizing physical security. Did you notice any tamper detection in the firmware at all?

I did not notice any, but I wasn't actually specifically looking for it. But, I mean, all the locks that I used, at least that fit wirelessly, that I sent commands to, really a lot of them did care what I was sending, because they thought it was the real device. So.

What I'm talking about is actually something where there's something in the firmware or a switch that determines a case was opened or something that was being tampered with.

Oh, I haven't looked for that. That's actually a very fascinating thing I could look into. So I'll have to check that out.

Please do. Thank you.

Yeah, thanks. Great talk. Question: so do you think a time-dependent rolling code, like what we're using in the payment system, will solve some of the security issues you mentioned?

You're talking about a rolling code, is that right?

Yeah, a time-dependent rolling code, like what we're seeing in the payment system.

So I think that helps the situation, but if I do a relay attack over long distances, it wouldn't matter, because I'm pretty much convincing the user to send me a password, and then I relay it over to the lock in real time. So really what they need to do is, obviously geolocation is one of the things that can help with it. Not allowing these apps to run continuously is a big deal. So there's a combination of things they need to actually implement to actually prevent these things from happening, being vulnerable. So that's a big part of it though.

Gotcha. Yeah, thanks. Thank you. Hi.
Regarding the uncrackable locks you showed at the beginning, why were you not able to crack the Kwikset Kevo or the August lock electronically?

So, part of it's time. I started finding vulnerabilities in other locks, and I dedicated more time towards those ones. And then some of them, I just haven't come up with creative ways to do it yet. I know other people have done things, and I'm very fascinated by learning what they are. But, yeah, currently, at least with the methods that I was using, they weren't able to break them yet. I think the relay method, at least, should be able to break some of those locks. But I just need to test it out at this point.

Awesome. Awesome talk. Thanks. Thanks.

Yeah, great talk. Thanks. That was actually my question as well. But, as a follow-up, have you looked at realtors? The tool they're using now? So I just recently purchased a house; the realtor goes up, and the little door lock thing they put on, that's all Bluetooth now.

That is awesome.

So you hit a code, and it spits out the actual physical key to the house. So you might want to...

I'm gonna have to buy one of those. That's awesome. Thanks.

Great key. Great talk. Thank you.

Great talk. I wanted to ask you if you've looked into, also, medical devices? I mean, after all, if someone wants to break into your house, they can do it the old-fashioned way. But with the body, it's like, more difficult.

So, originally, I wanted to focus on medical devices, specifically pacemakers and insulin pumps. So I'm a student currently, and all my fellow students looked at me like I was crazy. And they're like, you're gonna kill somebody. And I was like, that's not the point. I wanted to test devices and look for issues. But really, what it comes down to is getting a hold of these devices, in most cases, is very difficult. But I want to get to do that. I actually want to look into these devices.
But finding them, short of buying one off of a dead body, I'm really not gonna be able to get one.

Great. Thanks. Thanks.

So, one of the things that allows these attacks to work is that you're able to sniff this plaintext traffic off of the radio waves, I guess. Does BLE offer any option for encrypted communication, other than implementing it yourself?

So, they actually have link layer encryption in 4.1. But if you've looked into Mike Ryan's work, he actually breaks that. It's very vulnerable. So they actually developed a new protocol, 4.2, that actually implements link layer encryption. And it's not a protocol that actually works better, but what we've found is most devices don't use it. It's not very common. So, obviously, if they could use the link layer encryption with a new protocol, on top of app layer encryption, that'd be more ideal. That might deter some people. So hopefully that's what we see in the future.

Cool. Thank you. Thanks.

I think I'm out of time. So, thank you, guys. Thank you very much.