Hacking BLE Bicycle Locks for Fun and a Small Profit

Video in TIB AV-Portal: Hacking BLE Bicycle Locks for Fun and a Small Profit

Formal Metadata

Title
Hacking BLE Bicycle Locks for Fun and a Small Profit
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
Hack a lock and get free rides! (No free beer yet though...). This talk will explore the ever growing ride sharing economy and look at how the BLE "Smart" locks on shared bicycles work. The entire solution will be deconstructed and examined, from the mobile application to its supporting web services and finally communications with the lock. We will look at how to go about analysing communications between a mobile device and the lock, what works, what doesn't. Previous talks on attacking BLE targeted the protocol itself using various hardware and software such as Ubertooth and Wireshark, which could be potentially difficult for someone new wanting to explore BLE and the ever connected IoT world. I'll simplify and stupidify the entire process such that anyone with a mobile phone and basic experience with Frida can go about breaking locks and hacking BLE the world over.
Okay, so good afternoon DEF CON. Thank you very much for taking the time to be here, and I hope you'll walk away from this talk having learned something interesting and new, and if you have, please do let me know about it.

So, what this talk is about: with the introduction of shared bicycles and their rise in popularity all around, well, I've seen bicycles all over the place, regularly used by people; some of you here may use them. This got me wondering how the lock system worked and how secure it would be. Would it be possible to hack the lock and get free rides? It doesn't cost much to rent a shared bike, but wouldn't it be fun to hack a lock?

My name is Vincent, I'm from sunny Singapore, currently a security consultant at MWR, and hacking mobile and wireless is my thing. In this talk I'll first give a quick overview of the bike sharing economy and the locks used on shared bicycles. I'll do a quick recap of BLE for those of you who are unfamiliar, then I'll move on to walking you through how I analysed communications between my iOS device and the BLE lock, what worked, what didn't, and how a key can be built from what I've learned, and a small demo of an app I've built to get rides for free.

So I'm sure by now we all know that smart locks are rubbish. The state of security now is terrible because, and I could be wrong, companies only care about features and getting to market as soon as possible. They don't care about designing a secure lock and then performing any tests to validate the security of that solution. Take for example Tapplock, the latest smart lock to be hacked. It talks about having all these incredible security features such as an encrypted fingerprint reader, AES 128-bit encryption, an anti-theft alarm, but ultimately it was cracked in two seconds.
So what is the situation with these guys? These are the three largest bike sharing companies in Singapore: ofo and Mobike being companies from China, and oBike, a local Singapore startup which unfortunately has just filed for bankruptcy not too long ago. These guys have operations all over the world and have pretty high valuations across all companies. The cost of renting a bike is S$0.50 per half hour, which roughly equates to 37 cents USD.

So before all the juicy bits, a quick refresher on what Bluetooth Low Energy, aka BLE, is. There are two key things to know to navigate your way around. The first is GAP, or Generic Access Profile. This basically defines what the device is. Devices are split into two categories: peripheral device and central device. A peripheral device is a low power device; it could be a bicycle lock or a pacemaker. And the central device is your high powered device such as your mobile phone or your laptop. Then comes the Generic Attribute Profile, or GATT. This defines the way that two Bluetooth Low Energy devices communicate with each other. Each BLE device will have one or more services, and within each service it will have one or more characteristics. Services are groups of characteristics, and a characteristic is a data point, both of which are identified by a 16-bit or 128-bit UUID. In the case of a treadmill, for example, a data point can be the step data, speed, inclination or heart rate, and in the case of a Bluetooth lock the data could be the battery life or the unlock mechanism.

So let me give you an example, an idea of what the bicycle lock is, how it looks and how it operates. How do you pick a lock when you don't actually own the lock? My first hurdle came when it was time to figure out properly how a bike lock would work. Since I have pretty much zero experience in Bluetooth or lock mechanisms, I decided I should go buy one instead. A quick search on China's beloved shopping site Taobao quickly came upon this: for 30 Sing dollars I could have my own smart bike lock. It appears to operate the same way, and apparently the company also offers the entire solution to bike sharing companies; maybe one of my targets would use it.

In essence, this is how the entire process of renting a bike works: you download one of the apps, ofo, Mobike, oBike, whatever, you enable Bluetooth, fund your account, scan the QR code on the bike, and the bike will automatically unlock. These bikes have a small solar panel to charge the battery in the lock, and most of the locks do not come with built-in GPS; GPS data is provided by your phone wherever you cycle to. And finally you lock the bike and the app will record it and send it off to the cloud via HTTP. There are of course more expensive locks which do have inbuilt GPS.

So the first thing I did, like any good hacker does, is to tear it apart upon receiving it. This is a teardown of the lock, with the QR code on the left and the four cell battery inside. This lock charges via USB. This is the logic controller with the Bluetooth radio, and the motor that releases the lock. So it's a spring-loaded lock, and the lock is held in place with a pin in the notch. When the unlock command is received the motor is then engaged to release the lock.

So, time to actually look at how the lock and app were communicating. Again I had no idea where to begin, how Bluetooth worked, etc. Then I saw a great presentation by Sławomir Jasek, sorry if I mispronounced your name, where he was effectively man-in-the-middling the Bluetooth connection, thus allowing the modification of packets. Unfortunately I wasn't able to get the setup working for that. Then I found another fantastic presentation by Anthony Rose and Ben Ramsey from DEF CON 24, where they used an Ubertooth One to sniff BLE packets and then used Wireshark to figure out what was going on. But for the life of me I couldn't figure out what was happening.

So this is an example capture that I took. This shows a capture from the Ubertooth One and the BLE write requests and responses. Again I didn't understand what was going on, but after this packet was sent the lock opened, so I basically replayed the bytes in this packet, with no result. Again, I had no idea what was going on. So, back to the drawing board. I figured I needed two things to be able to help me figure out what was going on. First I needed to figure out how the app communicated with the lock: what were the endpoints that I communicate with, what were the services and characteristics that the app communicates with. And second, how I could intercept the BLE traffic to understand what was going on.
For the first problem I needed a way to figure out and understand how the app communicated with the lock via Bluetooth. After doing a little more googling I found a tool written by evilsocket, bleah. You may know evilsocket as the author of the more famous bettercap toolkit. So what bleah does is that it essentially enumerates the services and characteristics of any BLE device. This allows one to see in a practical manner what services there are on a device and what characteristics can be written to or read from. In this screenshot you can see at the bottom the different characteristics that can be read from or written to.

For my second problem, since I have the app and I have the lock, it all comes down to understanding the process of what BLE messages are sent to unlock. I turned to Frida and the frida-trace tool, which would allow me to view in real time what the app was processing. For those of you who have not used Frida before, it is a wonderful tool to allow instrumentation of applications across various platforms. In particular, the Frida tool used on the iOS platform allows users in essence to log, in relatively real time, the Objective-C classes and methods and C functions which are accessed and executed by the application. Since we can use Frida to hook and view methods and messages, we now need to find which ones to hook. In iOS the CoreBluetooth framework is used to perform Bluetooth communications. The CBPeripheral and CBPeripheralDelegate classes are the most interesting, and the readValue, writeValue and setNotifyValue methods are of interest. It is quite obvious what these methods do: readValue reads the value from the characteristic, writeValue writes a value. Another interesting property of BLE is that it is possible for a peripheral, in this case a lock, to push messages to the application. This is done through the notify property of the characteristic, and it can be enabled by setNotifyValue. We can then capture the push message by tracing the update methods of the CBPeripheralDelegate class.

So after a lot of reversing of the app, proxying of traffic and recording of BLE reads and writes, I've come up with the following process to unlock the bicycle lock that I bought from China. Obviously you scan a QR code. The app will then get a lock key from the server, that is, the server responds with the lock key. The app makes a request to the lock for an encrypted token by sending a write request. The lock responds with the encrypted token through the notify property. The app decrypts the token with the key from the server, sends a write request, and it unlocks. So this is a challenge response process, where the lock will provide a token, and if you have the corresponding key you'll be able to decrypt the token and send a result back to the lock. By the way, if it isn't already clear, the security of the lock is horrible: I can retrieve any key for any lock from the server by just incrementing the lock ID for this company, and they make a whole bunch of locks. So let's try this against a real lock.

Now we've seen how such a lock could work and the steps needed to understand how it works, what methods to hook and what kind of operations the app and the lock may perform. How does it compare to an actual lock used by oBike? For the most part the hardware looks pretty much the same. Someone did a YouTube video teardown of the lock; as you can see here we have a single cell battery, the lock hardware and a Texas Instruments CC254x SoC chip. Now let's find the service and characteristic UUIDs that could be of interest. Again, with bleah we know what could be of interest, but we don't know how they are used. To figure this out I traced the entire flow of the app to identify which characteristic was most used, and as it turns out communications went to the FFF6 characteristic.

To guide you through the next couple of slides I have laid out the flow here to show you the process in unlocking the lock. Firstly, scan the QR code. The app checks the lock status with the server and also sends it your coordinates. The server responds with the lock status, and if OK the app will then proceed to request an unlock token from the lock. Within the app an HTTP request is made to the server; this is known as the key source. So the app responds with the key source, sorry, the lock responds with the key source; the app then uses the key source to request an unlock key from the server, so it replies with a lock key for the lock, and the app uses it to unlock the lock. So, similar to the lock that I bought off Taobao, it appears to use some sort of challenge response mechanism. Let's go through all that in a little more detail.
Scanning the QR code provides the app with the ID number of the lock, and as seen in point one the QR code is essentially a URL with the bike ID at the end. Assuming you have used the oBike app to scan a QR code, a request is made to the server with the lock ID and the current coordinates of where the lock was scanned. The server responds to the status check with whether the lock is faulty or not, based on reports from other users, and if it's not the app will proceed to the next step: the request for a key source from the lock. This can be a little bit confusing, so let me explain. As I mentioned earlier, it is possible for a peripheral device to send push notifications, also known as notify in BLE, back to the app. As shown here, the app is setting the notify flag on the FFF6 characteristic. Next the app sends a request for a key source to the lock by performing a BLE write. In this case a dump of the BLE write at the memory location shows that the write command is in the form of the following bytes, 67 74 00 81 81, and it is being sent to the same FFF6 characteristic. So the app now waits. If the command sent was correct and accepted by the lock, the lock will respond with the token, or a key source. This is a response, so we can see the response through the trace of the didUpdateValueForCharacteristic method, and within the response the app picks out the key source as shown. What the data means I have no idea, but I don't need to know, because every time this transaction happens the key source is always located in the same location: it is always taken from the 9th byte to the right. The key source is then sent to the server through the unlock pass API, and assuming there are no errors the server responds with a pair of keys.

So now we've got the keys; how are they used? The unlock message is constructed and sent to the FFF6 characteristic in two parts, as you can see from the two writeValue messages, and below is the dump of what the actual message is. This looks roughly like the message that I tried replaying earlier from the Wireshark capture, which didn't work. So I dug a little deeper into how the unlock message was constructed and tried to piece together what the different values meant. After looking at numerous unlock messages I found the following. In the first message, the first two bytes are static; for all messages sent from the app to the lock, whether it's an unlock message or any other form of message, these two bytes are used. The next byte is the length of the message, which is also static for the unlock algorithm. The next byte could be a command byte to unlock the lock, together with the key index. Then the subsequent six bytes are static; okay, I have no idea what they are used for. And the final five bytes of the message are the timestamp. Message two contains the key from the server; however, this has been truncated to 12 bytes. Why this has been done I'm not sure. And the last byte is a checksum; this is done by performing an XOR of each byte across both messages.

Now I had to jump through a couple of hoops along my journey, and the first was trying to understand what was sent from the app to the server. As you can see here, the messages look to be encrypted. Why the programmers would encrypt the messages sent to the server is beyond me; it's just wasting their time and my time. With Frida, hooking the write messages couldn't be easier. I found that the messages were encrypted using AES with a combination of a static string and the version number of the application provided in the HTTP header, as seen here. So okay, encryption killed. For those of you who have noticed, there is a string, sort of a MAC, tacked to the back of the message sent to the server. What the heck is it? Again, the developers implemented some form of integrity check, for some unknown reason, to waste time. With further assistance from Frida, that string I found was a SHA sum of the following values: the data that's actually to be processed by the server, a static string, and the application version.

Now you must be wondering how users get charged. After the bike is unlocked the app sends lock status to the server, informing it that it has been unlocked and to start a timer. Once you're done riding, the app will then send lock status again to the server to stop the timer. Lastly you're billed for the amount of time that has been used. So if I actually write my own app to perform the unlock and halt all further communications with the server after unlocking the bike, I get free rides.
After jumping through the hoops and understanding how the BLE communication works and how the unlock command is built, I built my own key. Sorry, the video is a little bit dark, but here I am entering the lock ID into my app, waiting for the server, and there it unlocks.

So, as you've no doubt noticed, opening the lock depends on a connection to the server. How can you then unlock it offline? Since oBike has recently gone bankrupt, someone dismantled the lock from the bike, retrieved the chip and sent it over to me. My solution was to try and get a dump of the firmware to figure out how the algorithm works offline. Unfortunately the readout fuse was set on the TI chip and it was not possible for me to dump the firmware. If any one of you knows how to get around this, I'd like to hear from you.

Okay, it was relatively easy to unlock the lock from one bike sharing company; it should be relatively easy to do it for another, no? I tested this process against Mobike. Same thing: we start off by finding the service and characteristic UUIDs that could be of interest. It looks to be a lot simpler here, only two characteristics, and it is obvious which we need to write to to unlock the bike. Moving on, for Mobike the process in unlocking the lock is much simpler. Same as before, you scan the QR code, you get a bike ID, the app sends lock status to the server and also sends your coordinates. The server responds with the lock status; however, this time, if the lock is good, the server will also send along the unlock key immediately. The app then uses the key to unlock the lock. So no challenge response mechanism here; it's just a direct unlock. As before, let's go through all that in a little bit more detail.

Similar to oBike, after the bike is unlocked, lock status is sent to the server and the timer starts; when you're finished you lock the bike, the timer stops, and the user account is charged. Again, if we cut off the messages after the unlock, you don't get charged. Similarly, I encountered various crazy integrity checks implemented by the developers. In the HTTP messages for this app there's a sign parameter and there's an IP data. How are these formed? In this case they used RSA encryption to encrypt a user ID string together with the current date time, and the output of that is used in messages sent to the server. The sign parameter is then an MD5 hash of the data that's sent to the server.

After going through all of that, again the process starts out the same: the user scans the QR code, the QR code contains a URL with the bike ID at the end. Assuming you've used the mobile app to scan the QR code, a request is made to the server with the lock ID and the current coordinates of where the lock is scanned. However, here's the difference: the application server will respond with a faulty message if the lock has been reported faulty by a number of users, or it will immediately respond with an unlock key if the lock is in good condition. This differs from oBike in that it doesn't require a challenge response. So what happens with the key from the server? First, according to the trace, the app tells the lock to set up a notification by setting setNotifyValue to 1, seen here for the FFF0 and FE1 UUIDs. Then the app breaks up the key into three 9-byte pieces, appends a 2-byte header to each and writes it to the lock via Bluetooth, and it unlocks. Again, to make it clearer, the key response from the server is broken into three 9-byte pieces, an incremental header is then added and written to the lock, and it unlocks. Straightforward and simple. In testing, however, I faced one problem: it seemed that the lock was able to keep track of time, because every key received from the server for the same lock is always different. Additionally, if there was a delay in sending a key to the lock it will not work. So after all that trouble I modified my app, and this time around I only programmed this specific lock ID, so it would save me if I'm in trouble. Let's play that again.

So there were two types of lock schemes across the three locks that I faced. The first was a challenge response scheme, where a challenge was requested from the lock; this data was then sent to the server to process, or the data was processed on the client, and the output from this processing was then sent to unlock the lock. The other type was a direct unlock of the lock based on a key provided by the server.

So when I started this journey I had no idea how BLE worked and how one would begin looking at BLE devices. There was no process, or one that I was aware of when I started, on how to look at BLE stuff. I hope, given the following repeatable process, anyone who has wanted to start working on BLE devices would have an easier time. As with any project we first need to enumerate our attack surface, and I found this to be done easily with bleah. As shown previously, we can use bleah to enumerate the services and characteristics of any BLE device and understand what we communicate with. Then we find out if the device does send notifications to the app, and if so we enable notifications by setting setNotifyValue. Lastly we hook into the appropriate read and write methods to figure out what messages are being read from and written to the BLE device, and we also hook the didUpdate methods to find out what notifications, if any, the peripheral device sends to the central device.

So I didn't make use of any special hardware such as the Ubertooth One or develop any special man-in-the-middling app. I used a Bluetooth dongle to enumerate the BLE device, I used my iPhone to run the app, and Frida to help with understanding the communications between the app and the lock.
That's all for me. Thank you for listening.
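As an added example that is not part of the talk: a Python reconstruction of the two-part oBike unlock write described above (static bytes, length, command/key index, six static bytes, 5-byte timestamp, then the 12-byte truncated key and an XOR checksum), usable to split captured writes into fields and verify the checksum. The talk gives only the layout, so the static byte values, the timestamp encoding and the command/key-index packing are placeholders chosen here, and the function names are my own.

```python
"""Reconstruction of the two-part oBike unlock write as the talk describes it.

Message 1: 2 static bytes | 1 length byte | 1 command/key-index byte |
           6 static bytes | 5-byte timestamp                  (15 bytes)
Message 2: server key truncated to 12 bytes | 1 checksum byte  (13 bytes)
Checksum:  XOR of every byte across both messages.

Everything marked "assumed" is a placeholder for a value the talk does not give.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import time

STATIC_PREFIX = bytes.fromhex("aa55")          # assumed: the 2 static leading bytes
STATIC_MID = bytes.fromhex("000000000000")     # assumed: the 6 unexplained static bytes
UNLOCK_CMD = 0x1                               # assumed: unlock command in the high nibble
MSG1_LEN = 15                                  # 2 + 1 + 1 + 6 + 5
KEY_LEN = 12                                   # the app truncates the server key to 12 bytes
# 15 + 13 = 28 bytes exceeds the 20-byte ATT payload of the default 23-byte MTU,
# which is the likely reason for two writes (my inference, not stated in the talk).


def xor_checksum(*parts: bytes) -> int:
    """XOR of every byte across all parts, i.e. the lock's 'checksum'."""
    acc = 0
    for part in parts:
        for b in part:
            acc ^= b
    return acc


def build_unlock(key: bytes, key_index: int, ts: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Build the two writes for the FFF6 characteristic from a server key."""
    if not 0 <= key_index <= 0x0F:
        raise ValueError("key index must fit in a nibble under the assumed layout")
    if len(key) < KEY_LEN:
        raise ValueError("server key shorter than the 12 bytes the app keeps")
    if ts is None:
        ts = int(time.time())
    cmd_byte = (UNLOCK_CMD << 4) | key_index
    # assumed: timestamp as big-endian seconds, zero-padded to 5 bytes
    msg1 = STATIC_PREFIX + bytes([MSG1_LEN, cmd_byte]) + STATIC_MID + ts.to_bytes(5, "big")
    body2 = key[:KEY_LEN]
    msg2 = body2 + bytes([xor_checksum(msg1, body2)])
    return msg1, msg2


@dataclass
class UnlockFrames:
    prefix: bytes
    length: int
    command: int
    key_index: int
    static_mid: bytes
    timestamp: int
    key: bytes
    checksum: int
    checksum_ok: bool


def parse_unlock(msg1: bytes, msg2: bytes) -> UnlockFrames:
    """Split a captured pair of writes into fields and verify the XOR checksum."""
    if len(msg1) != MSG1_LEN or len(msg2) != KEY_LEN + 1:
        raise ValueError("unexpected frame sizes: %d and %d" % (len(msg1), len(msg2)))
    expected = xor_checksum(msg1, msg2[:-1])
    return UnlockFrames(
        prefix=msg1[:2],
        length=msg1[2],
        command=msg1[3] >> 4,
        key_index=msg1[3] & 0x0F,
        static_mid=msg1[4:10],
        timestamp=int.from_bytes(msg1[10:15], "big"),
        key=msg2[:KEY_LEN],
        checksum=msg2[-1],
        checksum_ok=msg2[-1] == expected,
    )


def checksum_survives_paired_flip(msg1: bytes, msg2: bytes, mask: int = 0x01) -> bool:
    """XOR-ing the same mask into any two bytes leaves an XOR checksum unchanged.

    The lock's checksum therefore catches single-byte corruption but is not an
    integrity check: the altered frames still verify.  A keyed MAC or an AEAD
    over the whole command is what a lock design needs here."""
    altered = bytearray(msg1)
    altered[10] ^= mask  # two timestamp bytes, altered only for the demonstration
    altered[11] ^= mask
    return parse_unlock(bytes(altered), msg2).checksum_ok


if __name__ == "__main__":
    server_key = bytes(range(1, 17))  # constructed 16-byte key; only 12 bytes survive truncation
    m1, m2 = build_unlock(server_key, key_index=1, ts=1533000000)
    print("write 1:", m1.hex())
    print("write 2:", m2.hex())
    print(parse_unlock(m1, m2))
```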