Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Formal metadata
Title | Picking Bluetooth Low Energy Locks from a Quarter Mile Away
Number of parts | 93
License | CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/36217 (DOI)
DEF CON 24, part 88 / 93
Transcript: English (auto-generated)
00:00
Let's get started. So I'm Anthony Rose. Nice to meet everyone. This is actually my first talk at DEF CON. It's also my first time at DEF CON, so this is really exciting. So if you
00:24
made it here, I'm giving a talk on Bluetooth Low Energy. If you're not interested in that, this is your last chance for you to leave; otherwise you're stuck here. So my talk is picking Bluetooth locks from a quarter mile away, or what I want to call it is smart locks made by dumb people. So what I found is a lot of
00:44
manufacturers decided to make user convenience over security, and my job was to, you know, take advantage of that. So I want to steal your passwords and get in your house. So let's get started. So I'm Anthony Rose. I'm part of a little hacking group that we
01:02
call Merculite. You might have seen a couple other talks around here, like some Insteon stuff that's happening later today, refrigerators, smart refrigerators, and then another Bluetooth talk. I'm the lock picking hobbyist. I'm by no stretch of the imagination an expert, but definitely a hobbyist. And my background is
01:22
electrical engineering. And you'll notice that when you look at my code, because I don't code very well. So when you think, like, why the hell did he code it this way? Yeah, it's because I'm not good at coding, so I'm sorry. My background: actually I did research at Arizona State. Go Sun Devils, if anybody's here. Sun Devil. He doesn't
01:45
count because he's my brother. My background's wireless video compression, so I did some wireless stuff prior, but really my main focus right now is Bluetooth security, Bluetooth Low Energy security specifically. Ben, he was the other person
02:03
that's supposed to be here. He couldn't make it. He had his appendix removed, so probably wasn't safe for him to travel. But his background: he's got a PhD in computer science, and he's done some previous work. You can actually look at some of his stuff at ShmooCon, DerbyCon, and he has a PoC||GTFO coming out, so keep
02:22
an eye open for that. Quick overview of what we're gonna talk about: some goals that we set out when we actually wanted to look at Bluetooth; what is Bluetooth Low Energy, 'cause not everyone might actually know what it is; why should you even care what I'm talking about; some exploits that we found; and then some takeaways for
02:41
consumers and for vendors, and then some future work that we actually wanna work on. And then finally open up the floor for some questions. Hopefully you don't throw anything at me. So let's get started. So our goals. Really we wanted to find vulnerabilities in Bluetooth locks. And once we started to find
03:00
vulnerabilities we figured, hey, we might wanna contact vendors and let them know that their locks aren't safe. And it turns out that vendors actually don't care. We contacted 12 vendors and only one of them actually responded. And their response was, yeah, we think it's a problem but we're not gonna fix it. So we figured next we might wanna release
03:22
this stuff to the public so that way at least the consumers know what the issue is, so they can make a decision of, hey, should I buy this lock or maybe I should stay away from it. I'm also a big movie buff, so if you can name all those, good on you. But if you trust Newman for your security, you're making a really bad choice. Yeah. And also
03:44
if you can actually recognize my t-shirt, 'cause I'm a huge movie buff, I'm impressed then. So, awesome. Oh yeah, sorry. Maybe you can check it out afterwards then. So what is Bluetooth Low Energy? Really it was designed to be a really low
04:02
power protocol, and it's designed to really send a minimal amount of data. So you're looking at very small amounts of data, mostly like state updates, so like passwords, am I open or closed for a door, things like that. It still operates in the same spectrum as Bluetooth Classic, still at the 2.4 gigahertz spectrum that
04:21
everything uses. And really the big thing for it is it's really short range, 'cause the power consumption is very, very minimal. You're talking like cell battery size. So you're looking at really, for short range, about 100 meters in most cases. Actually, really, when you talk about these locks, 20 to 30 meters is really where they
04:40
cap out. And what we wanted to do was take advantage of this. So if you use a USB dongle that has an antenna hookup, and you actually get one of the ones that actually has a decent amount of power on it, you can actually start communicating with these devices at like a quarter, half mile distance. So that's actually what we did, which was pretty cool. Oh, I shouldn't have changed slides yet. Well, actually, all the
05:02
commands that we're going to be sending are going to be going to this host controller interface. And that's actually what we send on Linux. And that actually gets interpreted up to this GATT. This is the Generic Attribute Profile. And what this does is actually sitting both on your lock and on your phone or whatever user device you're using. This is how they actually communicate. There's things called
05:21
attributes on the server. And we actually send read and write requests as a user to this server to actually learn information or send information. So that's how I send my password to a lock, and that's how the lock responds with, now I'm open. So all those attributes are actually sitting on this GATT server. And now you're probably thinking, why should I even care what this guy's talking about? Well, turns out these
05:44
things are really popular. The recent estimates for how many of these devices are being built a year is like 3 billion a year. So there's tons and tons of Bluetooth Low Energy devices. I mean, if you look at your phone, it probably has Bluetooth Low Energy in it, so they're everywhere. And they're being used for security purposes. So they're
06:01
being used to secure your homes and your valuables. And there's a wide range of these devices. There's deadbolts; bike sharing programs use these locks; lockers, gun cases, ATM locks, yes, ATM locks, where they actually lock up the money with a Bluetooth Low Energy lock, surprisingly. And then Airbnb. Does everybody know what Airbnb
06:20
is? Anybody? Okay. So surprisingly you can actually rent houses with this program and they use smart locks. You actually get the code from them and then you actually open up the lock and go into there. I had a friend who traveled Europe recently who actually saw a bunch of locks that we're gonna talk about, and he was like, really, look at this. Oh, could you break into them and get me a free house? And I'm like, eh, probably
06:42
not. So there's a wide range of companies that actually built these products. A lot of big companies and a lot of small startups. And we found that a lot of the smaller companies just didn't have the funding to actually build security in, at least robust security. And that's something that we focused on. But still, even the big companies still had some holes in a lot of the things they developed. So if you
07:04
actually hack Bluetooth, what you need is a sniffer. I'm sure everybody's familiar with the Ubertooth. Pretty affordable option, about $100. Obviously there's some cheaper options, but this is actually what I prefer. You need something to be able to send commands after you sniff them, so you need a USB dongle of some sort. You can get a
07:21
cheap regular USB dongle for $15. I really like the UD100. If you're familiar with that platform, it's got an antenna hookup so you can hook up a really high gain antenna on it. And then you can really have fun at really long distances. When you actually use that kind of platform, you can kind of set it up and leave it and not
07:43
have to worry about somebody stealing it. A laptop, obviously, somebody might walk away with, but a Raspberry Pi, you're only out 40 bucks, so it's not a big deal. The high gain antenna that I use, 15 dB Yagi, if you're an electrical engineer like me. That's actually all my stuff right there. My wife gets really upset 'cause it takes up a
08:01
lot of space and she gets pretty pissed. So the Ubertooth One, if you're all familiar, created by Michael Ossmann a couple years back; you can look up a lot of information on it. But really the important part of it: it was really the first Bluetooth sniffing tool that was really out. Prior to this, a lot of the other
08:21
options were really, really expensive, like $10,000. So this made it really affordable for the average user like us. This does all passive sniffing, and it really only has a receive capability. You can modify the firmware to do other things, but really for Low Energy it's really only receiving commands, which is good because the user has no idea
08:40
this is happening. You can use that with like a USB dongle and you actually go wardriving with it. So I like to drive around my neighborhood and pick out all the things that my neighbors have, or I set up my antenna out my window and then my neighbors knock on my door and they wonder what the hell I'm doing. So you know, you can drive around, you can pick up passwords from, or actually pick out networks from
09:01
people, then you set up a high gain antenna in the back of your Jeep like I do, park at a McDonald's, and then I sniff your password from your house from like a half mile, and then guess what, I can get in your house if I wanted to. And it's really concealable. I mean, no one's gonna be looking in the back of my truck, at least. At least I hope not. And it's great. So one of the cool things that we've
09:22
actually thought of were flying. So take like a quadcopter, hook up a Raspberry Pi to it, fly it around, use the onboard GPS to actually plot where devices are and actually find where they are, and then you can actually go back later. I haven't had time to build it, but you know, it's a cool project; maybe somebody can build it and then I can play around with it. So I did a recent trip around my neighborhood. I
09:42
drove around for like an hour. I picked out a lot of really cool things. Smart TVs, smart cookers, toasters, Fitbits, God knows what people have. But I actually found 4 locks that people actually had within about 40 minutes. Which is pretty cool, 'cause actually all 4 of those locks I actually know, and actually 2 of them I
10:00
actually have exploits for. So I probably should have told them, but eh, whatever. Before I go through all the locks I broke, I want to point out like 4 of them I actually couldn't break. I've had some ideas actually how to break them; I just haven't had a chance to do it yet. But let's go through the ones I couldn't break. The first one's the August lock. There's some exploits that I think I could use but haven't had a
10:22
chance to use yet. But about a year ago a couple individuals actually posted on their blog of a hard coded password actually built into their application. So this password isn't used really for much besides settings. But still, the practice of having a hard coded password in your application is really not a good thing. The next one actually is really surprising. So the Kwikset lock actually, they had a really
10:44
interesting design decision. They built fantastic Bluetooth security on it. It's really hard to break. However, their lock, actually, at least the older versions, you actually use a screwdriver actually to open up the lock. So it takes about 10 seconds actually to break the lock open. I really wanted to try it but I had one of the newer
11:01
models and I really didn't feel like breaking a $300 lock, 'cause I really don't have that much money. So I didn't break my lock, but there's YouTube videos all over the place, so go check them out, they're pretty cool. And yeah, that's a great design decision on their part, right? What do they all have in common? They all use AES encryption, they use some sort of nonce value, a random number, and then they
11:22
actually send that value and get it encrypted and then they send it back. That's normally how a lot of these locks work. All the ones I couldn't break had 2 factor authentication; at least they're not using hard coded passwords anymore, at least I hope not. And then they use a really long password space, 16 to 20 characters in most cases. Some of the ones I actually found use 6 to 8 characters, surprisingly. I
11:44
don't know why you would ever choose that, but that makes brute forcing easy, and I actually put out some tools for you guys to actually be able to brute force things. There's a wide range of vulnerable devices, so before you get overwhelmed by this slide, I broke them into categories. So you'll be able to see the categories, and each
12:01
category is a lock, the firmware number in case they update it, so that way at least you know which version actually you can exploit, and then a symbol for if it's a padlock or a door lock. So we're gonna go over plain text passwords, replay attacks, actually fuzzing a device to get it into an error state, one where you actually decompile an app to actually get something out of it that's interesting, and then
12:23
finally device spoofing, pretty much a man in the middle attack, so I can pretend to be the lock and then actually get the user to send me a password, so that way I can unlock their device. To be able to do this you need to be able to sniff first, so we use that Ubertooth, and the way Bluetooth Low Energy actually works, you have 3 advertisement channels. Now if I want to steal your password on the first try, I need to
12:43
be able to sit on each of those advertisement channels, so I need to have 3 Ubertooths in this case, one set up on each advertisement channel; that way I know I can actually get the information. Obviously I'm sniffing wireless, so there's no guarantee I'm gonna get it, but at least I'm increasing my chances. Once I have all that information I can compile it all to
13:00
one file, I can filter out all the duplicate stuff, and then I can actually filter for your password. Now that I have your password I need to be able to send it somewhere. So what we do is we use Scapy; it actually has some sockets built into it that are pretty cool. I can bind right to the Bluetooth socket and actually send commands to the dongle and actually go to devices. So that's what
13:20
we use, and then I built some commands that we use pretty often into Python, so that way I can actually be able to use them. So I can do connect, read, write commands; I can do spoofing, actually change my address and my device name, all through these sockets, which is great. So now that I have all that in place I actually start attacking locks, so that's what we're gonna do now. So I wanted to say this was the first lock I
13:43
actually broke, but turns out it's not. I found out this morning actually from my dad that apparently like 15 years ago, you know, the remotes actually block like TV channels on cable boxes. So I actually guessed his password, I guess 15 years ago, and I started watching inappropriate things. So turns out that's actually the
14:05
first lock I broke, so I broke into his remote and decided to watch late night HBO. So this is the second lock I ever broke. This is the Quicklock, and they had a really interesting design decision. So what they do actually with this lock is they send your password in plain text. Not only do they send your password in plain text, they
14:23
actually send it twice, so they double it up, and then they throw an opcode at the beginning. So I thought to myself, well, why would they do this? Turns out that they do this because you can actually change the password by using the same command to the same handle. So that's actually what we're gonna do. So right now this lock's broken, so let's cross off this. I can get into this lock, but I want to do more
14:43
than just break into this lock. I want to be able to take advantage of the fact that I can actually change that admin password. So I'm gonna change the admin password now. And how do I do that? I take that opcode and actually I change it to 01, and then I set the password to be all sixes. So you're thinking, oh cool, you know, the admin's now locked
15:02
out, the user's locked out, they can't use their device. It actually gets a little better than that. Turns out the user actually can't reset the device without removing the battery. So you have to remove the battery from the device to reset it. And guess what? The battery's actually behind a panel that can't be removed unless the lock
15:21
is already open. So really they're completely locked out of the device. And since I'm doing this outside of the application, the application doesn't even know what to do. So it actually pleads with you, like, hey, please help me, I don't know what to do, the right password. So I've locked the user out both in the application and
15:41
physically from their device. So that's pretty cool. Really actually really interesting story. I actually found this device pretty recently, and I'll tell you a little story. So I went to a car dealership recently, and I actually had to get an oil change for my car. And they told me, hey, you know, it's gonna be like 2 hours, you know, go have a seat. And I was like, you told me 30 minutes on the phone, what the
16:02
fuck? So I figure, hey, you know what, it's not that big of a deal, and they're like, just go have a seat. So at that point I'm actually kinda pissed, 'cause they keep telling me just to go sit down and shut up. So I walk away and I'm thinking to myself, you know what? Fuck you, I'm gonna go hack your shit. So I start scanning. So I start scanning all
16:21
the stuff they have available. And I'm seeing like cars pop up, people's iPhones, Fitbits, a couple Tiles actually, if you know anything about the Tiles. So I started actually to start sniffing stuff, and I wanted to send commands to make them randomly go off, just to piss them off. So I started doing that, and then actually this lock popped up. And I got really excited, 'cause this is actually that Quicklock that we actually just talked
16:43
about. So 30 minutes goes by, I'm waiting, I'm waiting, I'm waiting. It's about the time I would have been home already at this point. And then I get the guy's password. So I'm really excited at this point. So let me show you his password. Here it is, actually, let me zoom it in. Yeah, he said his password would be 69s. Actually, and remember, I'm in a car
17:14
and I'm like, what? So you think about a user: he sets his password, he thinks nobody's gonna guess it, but little does he know I can actually sniff your password in plain text. And
17:21
actually I can see it, so, yeah, he's a bit of a pervert, I'm sorry. So I have his password now. I didn't break into his lock, but at least I have his password, so that's kinda cool. Since we're dealing with plain text passwords, we can brute force them. For, you know, with me, I figure, you know, when all else fails, brute force it. But a lot of the things that a lot of these manufacturers do is they limit those password
17:42
spaces. So what I found is a lot of them use minimal password spaces. So 8 digits in some cases, or 6 characters exactly. So those password spaces are very easy to brute force, 'cause they're very small. Still, it could take a while. So you could use word lists obviously, you could use 1s, 1 through 8, 69, phone numbers, street
18:04
addresses, or a word list with actually 6 characters exactly, words, and use that to brute force. All that's on our GitHub; you guys can check it out at the end. If you break into things, send me a message, it'd be pretty cool. Alright, here's a little demo of a Quicklock. Pretty simple little lock actually. You know, you have to click
18:21
the button on it to actually connect to it. I start sniffing with Ubertooth, I actually get a pcap file that I'll then put into a script that actually parses all the information and actually pulls out the password for me and then sends it to the lock. And I'm not really a nice guy, so I decided that I should also add in where, after I unlock
18:41
the lock, I also change your password, so you're actually locked out after I get into your house. So that's pretty cool. Originally I wanted to do a wireless demo, but everybody here has Bluetooth. It is fucking crazy. If you do a quick scan there's like a thousand something devices and there's no way in hell I'm going to be able to actually sniff here. So I opted to do videos instead, just so everybody knows.
19:06
Next, actually, some companies actually opted to actually do encryption. And you think, oh great, they're going to use encryption; their websites advertise crazy things. Or they advertise, oh yeah, we're using 256 bit AES encryption, you know, the military uses it, so it's got to be great, right? Well, turns out they actually don't use encryption the way it
19:24
really should be used. So it turns out if I just sniff it and I send it back to the device, it opens. Which kind of sucks for them. It's great for me, but it really sucks for these companies. Even better than that, so all 4 of these locks actually have more in common than just replay attacks. If actually, if I set my password to be "password", for
19:43
example, and I sent it on one of these devices, it actually encrypts it the exact same way on all 4 of them. And they actually use the same method of actually opening up as the other ones. So it turns out a lot of these locks, like, they're sold on Amazon, Newegg, a couple other websites, and they go up like 2 or 3 at a time and then they pull them off. So they end up using the same code as the back end for all of them and they just
20:05
keep repackaging them as something else. So it makes it really easy actually if you just sniff it and then replay it to open them. And oh yeah by the way they're all made by Chinese manufacturers. I'm not bashing anything but yeah they all have stickers on them that are written in Chinese. And the manuals are actually written by somebody who cannot
20:21
speak English. It is absolutely awful to figure out how to set these things up. So next actually after this one is actually a completely different thing. We were looking for companies that actually used encryption but maybe developed their own sort of encryption. So we want to see hey can we actually fuzz it, can we fuzz a device, can we get it to
20:41
enter an error state and then see what happens when it's in that error state. And that's actually where we found this lock. Uh okie dokie uh if you're familiar with it uh it's made of all plastic. I don't know why you use a plastic lock for your house but you know cool. So uh we've actually went to their website and we started looking at how they claimed their security. So actually uh the interesting parts to
21:03
us was, hey, we developed something that was similar to AES encryption. We're like, oh cool. And they combine it with a patented cryptographic solution. So if you know anything about crypto, proprietary crypto is not usually a good idea. It usually means it's not tried and tested, and there's usually things that you can take
21:22
advantage of. Which is actually what we did. So we figured, hey, let's take a lock, let's see what we can find out about it. So we started sniffing a bunch of things on it. We sniffed a bunch of packets and we started noticing that keys really weren't that unique. You started seeing patterns in them. And you figure, like, oh cool, you know, maybe I'll be able to fuzz it. So we came up with this intricate
21:43
fuzzing script. You know, it was going to do one byte at a time, it was going to come up with combinations, it could take days, weeks, months, who knows how long it was going to take. Boy, were we wrong. Turns out it took about 3 seconds. Because if I take the third byte and I change it to 0, the lock enters an error state. Not only does it
22:04
enter an error state, it opens. Oh, it gets better. It actually sends up an error message in the application saying the keys are out of sync. So I started to think to
22:23
myself, well, why would this happen? Why would the keys be out of sync? Well, remember that patented crypto we talked about earlier? Yeah, it might be some sort of XOR. Because they use a previous key to actually generate future keys. And now that they're out of sync, uh oh. So yeah, that really wasn't a good idea. So, really funny story actually about
22:42
them. We contacted them to let them know that they had some problems with their lock. And then they turned off their website. So I'm not claiming responsibility for anything. But yeah, they turned off their website after we told them that there was an issue. And you can still buy their stuff, though. They're still selling it on Amazon. So you
23:01
can go check it out. But it may not be supported much longer. And then actually here's a video of it. Pretty cool. So they use the application to unlock it. So you swipe it. It actually unlocks. I sniff the password that's current. And I'll take that. I'll actually run it through my script, where it actually pulls out the password, changes that third byte to 0, and then unlocks. At some point. And there it goes.
23:37
And then this is where the user comes back. They want to lock their door. They want to
23:41
unlock it. Whatever they want to do. And then guess what? It doesn't work. Sorry. That kind of sucks. So, kind of a different thing to talk about. If you're familiar with Android applications, you actually pull off those applications in APK format. You actually decompile them into readable code. So I actually like to use this
24:01
program called Bytecode Viewer. It allows me to view it in a bunch of different ways, and actually view what they coded as if it's readable. So that's what I did for this lock, the Dana lock. I actually broke this lock down into readable code, just to actually see what they put in there. Turns out they had this hard-coded password in there. Yeah,
24:22
you think this password's cool? Guess what? So they don't just put this password in there. This is on every device. They actually store your password also. So my password in this case was "password". And they actually XOR that with this super secret password that they have. And then they store it into a table. So every user's
24:40
password is actually stored in this table. And I actually know the method that they use to store these passwords. I haven't had a chance to actually break this lock. So I'm pretty sure this is what this is used for, but I'm not 100% sure. I want to go back and actually do it, but I haven't had a chance. So it's kind of, kind of pwned. Because I haven't really broken into it yet. But I have almost all the tools I need to be able to do that. A big thing that a lot of companies are moving
25:02
towards is like a web server back end. That way you can't pull passwords off of actual applications. So what they do is they store it on a web server and you ping that server with some sort of value. They encrypt it. They send it back. This is great because a lot of the companies are using it. It's a lot more secure. However, if you fake the
25:21
device, you can actually trick the user into giving you a password, and that's what we do. So we actually take a device. We impersonate it. And we trick the user into giving us a password. And to do that, it doesn't really take much equipment. A Raspberry Pi, maybe a laptop. You need something to run BlueZ, that Bluetooth stack. You need something to actually build the GATT server on your device. So Bleno is a great
25:42
program. If you saw some of the other talks, they actually talk about Bleno, with the man-in-the-middle attacks. And then you need something to actually pull services off of devices. And I like LightBlue Explorer. Great program you can run on your phone. The reason why I like it is because if you walk around with your phone out, nobody looks at you funny. But if you walk around with a laptop, everybody gives you a
26:02
really, really nasty look. So it's great to use it on your phone because nobody looks at you twice. And this is really mobile. If you set up on a Raspberry Pi, you can set it up really anywhere. And it's somewhat undetectable. And I say that because if these applications are running in the background, the user has no idea that they're connecting to you and giving you a password. But the web servers might know. So
26:24
that's kind of where it's somewhat. However, these web servers usually don't give a shit. You can ping them a thousand times and they'll give you a thousand passwords, and you can build a whole table of passwords from this. And guess what? These servers don't care because they think you're actually the right person. So you keep getting passwords; I can do whatever I want with them. And we found actually one of the devices that we're
26:41
gonna talk about in a second. BitLock. If you're familiar with this lock, it's actually a padlock they use for bike sharing programs. And they're pretty widely used. They're in like 20 different countries, all over the United States as well. And that's actually what we'll be looking at, because they actually use a nonce value that they send, and we actually found a way to predict what the next value is going to be. And I'll show you that here. So this is actually how we
27:04
break into the lock. We connect to the BitLock first. We actually scan for all those attributes, all the primary services, the characteristics. And we build a copy of the server into Bleno. And there's all the attributes right there. So I connect to the
27:20
lock. I actually get a nonce value and I send an invalid password. Doesn't matter what I send to them, because I just want to know what it's going to do next. Next it actually increments it by one. And the reason why it does that, that's actually the method it uses to generate a random value. That random nonce is actually only incrementing. And that's it. That's all they do. So I actually have what every
27:43
value is going to be from this point on, because they're just going to increment it every other time. So I'm done with them. I have everything I need. I just need to find the user. So I wait for them to park their bike. They lock it up. They go somewhere. And then I set up my device and they connect to it. I actually send them that value, that N plus two value that I was talking about. They send it to their web
28:03
server. They get it encrypted. They send it back to me. And now I have their password. Pretty easy process. And that's all because of that nonce. Now I go back to that BitLock. And here's the best part about all of it. This value that I'm talking about, it doesn't matter what I set it to. So I can get N plus ten. I can get N plus
28:21
a hundred. I can get N plus a thousand. I can build an entire table of passwords because they're only incrementing that value and I know how to force the BitLock to actually increment. So now I go back to the BitLock, whatever value they're at, I force it to increment. So I connect to it. It sends me this random value that I would never guess. I send the encrypted version to it, and then guess what? It opens. Yeah. So
28:50
now, so now I have their bike. I'm riding around on it. Woo. So this is pretty deployable. Pretty easy to use, because really your targets for this are
29:01
really high-traffic areas. So you want to look for like coffee shops, because hipsters love bikes. So if you find a coffee shop, there's probably somebody using one of these locks nearby. Or you can look for a university, because some universities might want their students to use bikes. And guess what? We found one that uses this. I'm not
29:21
going to tell you what university, but if you open up the application, there's a really cool feature built into it. So you can actually look at any bike share program that's out there without actually being subscribed to their bike sharing program. So I travel to this random university and I can actually find where all their bikes are located. I just have to go to one of those locations. So I go
29:43
to one of those locations and, look, there's a bike. And then I get out my phone and I start scanning, because guess what? I have my phone out, nobody thinks twice. I curse a couple times, I kick the bike, and everybody just thinks I'm stupid and I can't open the lock. But I have all the information I need now. So I go sit down at like a park bench
30:02
nearby and I start entering all the information that I collected with LightBlue. So I take that information and actually put it into Bleno. So I actually have the device name now. And I have the nonce value. And then I start advertising. And I wait for a user to come by to connect to me, and then I'll get their password. Well, there
30:22
happens to be one problem. If you know anything about college students, they don't like to hang around during the summer. And that's when I decided to actually go there, so there was nobody around. So yeah, that was a little upsetting. But I do plan on going back during the fall when I actually know there's people around to test this out again. At least so I can get passwords. I'm not going to steal any bikes, I promise I won't. But
30:44
if you guys do, it has no bearing on me. So, you know, whatever you want to do. Another way to take advantage of things is you actually do like a relay attack with this. And the reason why we thought of this is because we contacted BitLock originally and we told them, hey, you
31:01
might want to change your value that you're sending out, because guess what, it's just incrementing and I can predict that. So they came back and they said, hey, you know, we'll fix it. That was 3 months ago and it's still not fixed. But, you know, maybe they'll get to it eventually. But a lot of the other locks that we can't break into actually use a similar process. So we figure, hey, let's take advantage of this and see if we
31:23
can do an attack like this on other locks that we couldn't break. So that's where this attack actually came in. So what I do is I stand near the lock with a device, and the lock sends me a nonce value. I take that value, I send it to another device that's sitting near the user. I use cellular, wifi, something to send that information. This
31:42
device is like taped underneath their car, or however high-tech a method you want to use. But as long as it's near them, it doesn't really matter. Because I'm going to send that value to them and they're going to get it encrypted for me and send it back to me, all because this app is running in the background. And that's really the big problem, is that these apps are constantly running for user convenience. And since they're focusing on
32:03
convenience and not security, I'm going to take advantage of that. So they send that password back to me while I'm standing at the lock, and I open it. And this is all done real time, real quickly. And this is actually what we want to develop next. This is kind of our next project we want to work on, is I'll be able to do this. And you're probably thinking, well, how do I find these rogue devices? Well, actually, sadly,
32:23
if you saw the Blue Hydra talk, they actually did something similar to us. So this is kind of another one of those programs. But it's Blue Finder, it's just a program that we built that allows us to track devices. So what we did was we actually tested a range of devices and actually found out what their signal strength was at
32:41
3 meters. And then we actually built a model behind that to track devices. And we actually put a pretty good error rate on it, 24%. So within 3 meters I can figure out where your device is. And here's actually a graph of it. If you take that UD100 device, hook up a high-gain antenna to it, I can actually track your device up to about 700 meters, or almost a half mile. So I can follow you pretty well
33:05
with a pretty good idea of which direction it is, because these antennas are directional. So I can be like, oh yeah, it's definitely that way, maybe 600 meters away. So let me actually give you a demo of this. This is actually me tracking a target. I'm sitting in my home, just, just relaxing, tracking a target. So my very high-tech
33:32
method was taking a Fitbit and duct-taping it to my child. Yeah, my wife wasn't very thrilled about this one. Do you think that table was bad? This was worse. So, you
33:46
can track targets pretty far with that kind of equipment. That's really the point. And really the overall, the thing that we really wanted to make clear was that vendors overall just did not prioritize the right thing. They were prioritizing physical security over wireless security. Obviously there's exceptions. Kwikset decided that a
34:06
screwdriver could be a second key. Probably not the best design decision. But overall, we evaluated a lot of devices and we found that 12 out of 16 of them were broken. And that's a really high number. I went into this thinking, hey, maybe I'll
34:21
find one or two devices that are broken. No, I found 12. So overall, they're pretty, pretty bad. And we really wanted to let vendors know there's a problem so that we can actually fix it. And then finally, we wanted to put some recommendations out to users. What we wanted to tell you guys was, hey, turn off your Bluetooth when it's not in use. Especially here at DEF CON. Please turn off your
34:42
Bluetooth. Because people are walking around and I'm like, oh, Gary's iPhone. Hi, Gary. I'm gonna connect you to your stuff now. So turn it off when it's not in use. Because that's why that relay attack works, is because you're constantly advertising and looking for these devices, and that's how I take advantage of it.
35:01
Some of the big future work that we want to work on: I found a really surprising thing with history logs. So a lot of these lock companies actually built history logs into their devices, which is great. But they didn't hide it behind a password. So I can actually connect to your device and see everything about your lock. And it gets even better. They're actually storing usernames and
35:22
passwords. So let's think of a hypothetical situation where we have users mom, dad, Jimmy and Sally, and we have timestamps associated with when they come home and when they leave. So now I know when mom and dad are home, I know when Jimmy and Sally are home, I know when they're not home. So if I'm a bad person, I can take advantage of this. And really we want to put some pressure onto vendors so that they would
35:43
fix this problem. Next, using rogue devices, do a dynamic profile. I want to advertise 20 different advertisement packets, so I can advertise 20 different devices. So that way if somebody connects to me, I serve up my GATT server to match whatever they're looking for. So that way I can steal your password. Next,
36:03
there's a lot more commands out on those GATT servers that we want to implement into Python, more than just the connect, read and write. And then finally, actually, I'm most excited for this: we bought one of those Bluetooth ATM locks and we're actually going to tear it apart and see if we can break into it. If these locks are any indication already, it should be pretty easy, but I'm hoping it's
36:23
better than we think it is. That's really it. I wanted to open up the floor for some questions. So if you have any questions, come up to the microphone, and hopefully I can answer them. Thank you. Yep. Yeah, hello. First, thanks for looking
36:45
into this hell of a lot of devices. Really interesting. I did some similar research and I want to add on your two unbreakable first ones, because I looked into three devices and broke three of them. And two of them being the Nogue and the Master Lock.
37:00
So I'm not disclosing too much right now, because Nogue actually responded to my request and they're fixing it. But just so much: they have AES and they're doing it wrong. So I broke their AES crypto, and the Master Lock has a physical bypass. So I'll talk about that after I release it to them. And the third one was shimmable. Oh my
37:23
god. But thanks for your work, and possibly exchange contacts later. Oh yeah, that's awesome. If you come grab me afterwards, I would love to talk with you, because there's always so many devices out there that I haven't had a chance to break, and there's always cool ways to do it. So, thank you. You talked earlier about an Insteon talk that would be happening later. Yes. Where are the details of that? That's actually
37:43
going to be in the Wireless Village. My friend Caleb is actually going to be giving that up in the Wireless Village at 12:20, I think. Somewhere around there. 12:20 in the Wireless Village. Is it about Insteon door locks or anything? It's about Insteon devices overall. So he's mostly focusing on, I think, the lights, the camera and the
38:04
talk, by the way. Thank you. These locks that you were taking apart, you said they were emphasizing physical security. Did you notice any tamper detection in the firmware at all? I did not notice any, but I wasn't actually specifically looking for it.
38:20
But, I mean, all the locks that I used, at least hit wirelessly, that I sent commands to, really a lot of them didn't care what I was sending, because they thought I was the real device. So. What I'm talking about is actually something where there's something in the firmware, or a switch, that determines a case was opened or something that was being tampered with. Oh, I haven't looked for that. That's actually a very fascinating thing I could look into. So I'll have to check that out. Please do. Thank
38:43
you. Yeah, thanks. Great talk. Question: so do you think a time-dependent rolling code, like what we're using in the payment system, will solve some of the security issues you mentioned? You, you talk about a rolling code? Is
39:00
that right? Yeah, time-dependent rolling code, like we've seen in the payment system. So, I think that it helps the situation, but if I do a relay attack over long distances, it wouldn't matter, because I'm pretty much convincing the user to send me a password and then I relay it over to the lock in real time. So really what they need to do is, obviously, geolocation is one of the things that can help with it. Not allowing these apps to run continuously is a big deal. So there's a lot, there's a
39:24
combination of things they need to actually implement to prevent these things from being vulnerable. So that's a big part of it, though. Gotcha. Yeah, thanks. Thank you. Hi, regarding the uncrackable locks you showed at the beginning, why were you not able to crack the Kwikset Kevo or the August lock electronically? So,
39:43
part of it's time. So I started finding vulnerabilities in other locks and I dedicated more time towards those ones. And then some of them, I just haven't come up with creative ways to do it yet. I know other people have done things and I'm very fascinated by learning what they are. But yeah, currently, at least the methods that I
40:01
was using, they weren't able to break them yet. I think the relay method at least should be able to break some of those locks, but I just need to test it out at this point. Awesome, awesome talk, thanks. Thanks. Yeah, great talk, thanks. That was actually my question as well, but as a follow-up, have you looked at realtors, the tool they're using now? So I just recently purchased a house,
40:22
the realtor goes up and the little door lock thing they put on, that's all Bluetooth now. That is awesome. So you hit a code and it spits out the actual physical key to the house. So you might want to... I'm going to have to buy one of those, that's, that's awesome. Thanks, great talk. Thank you. Great talk. I wanted to ask you if you've looked
40:41
into also medical devices? I mean, after all, if someone wants to break into your house, they can do it the old-fashioned way, but with the bodies, it's like more difficult. So, so originally I wanted to focus on medical devices, specifically pacemakers and insulin pumps, and so I'm a student currently, and all my fellow students looked at me like I was crazy, and they're like, you're going to kill
41:01
somebody. And I was like, that's not the point, I wanted to test devices and look for issues, but really what it comes down to is getting ahold of these devices in most cases is very difficult, but I want to get to do that, I actually want to look into these devices, but finding them, short of buying one off of a dead body, I'm really not going to be able to get one. Okay, great. Thanks. Thanks. So, one of the things that
41:24
allows these attacks to work is that you're able to sniff this plaintext traffic off of the radio waves, I guess. Does BLE offer any option for encrypted communication other than implementing it yourself? So they actually have link layer encryption in 4.1,
41:43
but if you've looked into Mike Ryan's work, he actually breaks that. They actually have a, it's very vulnerable, so they actually developed a new protocol, 4.2, that actually implements link layer encryption that actually works better, but what we've found is most devices don't use it, it's not very common, so
42:01
obviously if they could use the link layer encryption with the new protocol on top of an app layer encryption, that'd be more ideal, that might deter some people, so hopefully that's what we see in the future. Cool, thank you. Thanks, and I think I'm out of time, so thank you guys, thank you very much.