The Terrible Security Of Bluetooth Locks

Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.

Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.

At this year’s DEF CON, [Anthony Rose] gave a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period. The Kwikset Kevo Doorlock – a $200 deadbolt – can be opened with a flathead screwdriver. Other Bluetooth ‘smart locks’ are made of plastic.

The tools [Anthony] used for these wireless lockpicking investigations included the Ubertooth One, a Bluetooth device for receive-only promiscuous sniffing, a cantenna, a Bluetooth USB dongle, and a Raspberry Pi. This entire setup can be powered by a single battery, making it very stealthy.

The attacks on these Bluetooth locks varied, from sniffing the password sent in plain text to the lock (!), replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. When all else fails, brute forcing locks works surprisingly well, with quite a few models of smart lock using eight digit pins. Even locks with ‘patented security’ (read: custom crypto, bad) were terrible; this patented security was just an XOR with a hardcoded key.

What was the takeaway from this talk? Secure Bluetooth locks can be made. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver. These locks are rare. Twelve of the sixteen locks tested could be easily broken. The majority of Bluetooth smart locks are not built with security in mind, which, by the way, is the entire point of a lock.
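The write-up names three failure modes (a credential sent in the clear and replayable, an eight-digit PIN, and “patented security” that is an XOR with a hard-coded key) and one design that holds up (real encryption, a truly random nonce, no hard-coded keys). The following is an added example, not code from the talk or from any lock vendor, that puts the weak schemes next to a challenge-response design so the difference is concrete. Every key, PIN and captured frame in it is constructed for the demo; it uses only the Python standard library (HMAC-SHA256 stands in for the AES-based construction a real lock would use).

```python
"""Added example, not from the DEF CON talk or any lock vendor: why the weak
schemes described in the write-up fail and what a nonce-based design buys you.
All keys, PINs and captured frames below are constructed for the demo."""
import hashlib
import hmac
import os
import secrets

# --- 1. "Patented security": XOR with a hard-coded key -----------------------
# With XOR the keystream *is* the key, so one captured frame whose plaintext is
# guessable (an unlock command with a fixed header) reveals the key outright.
HARDCODED_KEY = b"\x5a\xa5\x3c\xc3"   # constructed stand-in for a vendor key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """The 'patented' scheme: repeating-key XOR (encrypt == decrypt)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """C = P xor K  =>  K = P xor C; key_len bytes of known plaintext suffice."""
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


# --- 2. Static credential over the air: a replayed frame always works ---------
class StaticPinLock:
    """Lock that accepts the same bytes on every unlock (plaintext PIN)."""

    def __init__(self, pin: str):
        self._pin = pin.encode()

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._pin)   # identical every time


# --- 3. Challenge-response with a fresh random nonce: replay fails ------------
class ChallengeResponseLock:
    """Lock that issues a single-use random nonce and expects a keyed MAC of it."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key          # provisioned per lock, never hard-coded
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)    # truly random, single use
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None                       # a nonce is never reused
        return hmac.compare_digest(response, expected)


def phone_respond(shared_key: bytes, nonce: bytes) -> bytes:
    """The phone side of the exchange: MAC the nonce with the shared key."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run the three scenarios and report what a passive listener achieves."""
    results = {}
    # XOR scheme: the listener knows unlock frames start with the header b"UNLK".
    frame = xor_with_key(b"UNLK1234", HARDCODED_KEY)
    results["xor_key_recovered"] = recover_xor_key(b"UNLK", frame, 4) == HARDCODED_KEY
    # Static PIN: a frame captured once opens the lock every time afterwards.
    lock = StaticPinLock("12345678")
    sniffed = b"12345678"
    results["static_replay_opens"] = lock.unlock(sniffed)
    # Challenge-response: the captured response is bound to a nonce that is gone.
    key = os.urandom(32)
    crl = ChallengeResponseLock(key)
    resp = phone_respond(key, crl.challenge())
    results["fresh_response_opens"] = crl.unlock(resp)
    crl.challenge()                                # lock issues a new nonce
    results["replayed_response_opens"] = crl.unlock(resp)
    return results


if __name__ == "__main__":
    print(demo())
```

The first two scenarios succeed for the listener regardless of radio range, which is the point the talk makes about a cantenna: distance only matters once the protocol itself is sound. The third fails for the listener because the lock’s randomness, not the phone’s secret handling, decides whether a captured frame is reusable.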

[Anthony]’s work going forward will concentrate on expanding his library of scripts to exploit these locks, and on evaluating the Bluetooth locks on ATMs. Yes, ATMs also use Bluetooth locks. The mind reels.

LastPass Happily Forfeits Passwords to Simple Javascript

LastPass is a great piece of software when it comes to convenience, but a recent simple hack shows just how insecure software like it can be. [Mathias Karlsson] nabbed a nice $1000 bounty for his discovery.

LastPass’s auto-fill works by injecting some HTML into the website you’re visiting. It runs a bit of JavaScript to parse the URL. However, the parsing script was laughably vague. By changing the URL of the page, inserting a few meaningless-to-the-server slugs into the URL, an attacker could get LastPass to hand over the password and username combo for any website.
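The bug class here is a hand-rolled URL parser that decides which site it is on from the wrong part of the string. The following added example is not LastPass’s script: it puts a constructed, sloppy host extractor of that kind next to the standard-library parser a password manager should be using, and shows the autofill decision each one reaches for a constructed page URL. The hostnames and the vault entry are made up for the demo.

```python
"""Added example, not LastPass's code: a constructed sloppy origin extractor of
the kind the write-up describes, beside the standard-library parser. All URLs
and the vault entry below are constructed."""
from urllib.parse import urlsplit


def naive_host(url: str) -> str:
    """Constructed sloppy parser: strip the scheme, drop everything before the
    LAST '@' (meant to discard user:pass@), then keep up to the first '/'.
    Path slugs containing '@' satisfy the second step and fool it."""
    rest = url.split("://", 1)[-1]
    rest = rest.rsplit("@", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def strict_host(url: str) -> str:
    """The standard parser: the userinfo '@' rule only applies inside the
    authority component, so path content can never move the host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL with a host")
    return parts.hostname.lower()


def should_autofill(page_url: str, saved_host: str, host_of=strict_host) -> bool:
    """Fill only on an exact hostname match or a genuine subdomain of it;
    no substring matching, no matching on anything found in the path."""
    try:
        host = host_of(page_url)
    except ValueError:
        return False
    saved = saved_host.lower()
    return host == saved or host.endswith("." + saved)


VAULT_HOST = "bank.example"                                   # constructed entry
CRAFTED = "https://attacker.example/@bank.example/login"      # constructed URL

if __name__ == "__main__":
    for name, fn in (("naive", naive_host), ("strict", strict_host)):
        print(name, fn(CRAFTED), should_autofill(CRAFTED, VAULT_HOST, host_of=fn))
```

The two extractors disagree only because the sloppy one applies a rule from the authority section to the whole string. The defensive takeaways are the ones in the code: use the platform’s URL parser, refuse non-http(s) schemes, and compare the resulting hostname exactly against the vault entry rather than searching for it.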

The discussion in the HackerNews comment section more or less unanimously agreed that most systems like this have their glaring flaws, but that the overall benefits of having secure passwords generated and managed by software were still worth the risk when compared to having a few commonly reused passwords across multiple sites.

One could get a more secure password manager by using software like KeePass, but it’s missing some of the convenience of cloud-based services and relies on the user protecting their key files adequately.

Still, as scary as they are, openly discussing hacks like this after responsible disclosure is good, because it forces companies like LastPass, which have some very big-name clients, to take their code review and transparency more seriously.

“IoT Security” is an Empty Buzzword

As buzzwords go, the “Internet of Things” is pretty clever, and at the same time pretty loathsome, and both for the same reason. “IoT” can mean basically anything, so it’s a big-tent, inclusive trend. Every company, from Mattel to Fiat Chrysler, needs an IoT business strategy these days. But at the same time, “IoT” is vacuous — a name that applies to everything fails to clarify anything.

That’s a problem because “IoT Security” is everywhere in the news these days. Above and beyond the buzz, there are some truly good-hearted security professionals who are making valiant attempts to prevent what they see as a repeat of 1990s PC security fiascos. And I applaud them.

But I’m going to claim that a one-size-fits-all “IoT Security” policy is doomed to failure. OK, that’s a straw-man argument; any one-size-fits-all security policy is bound for the scrap heap. More seriously, I think that the term “IoT” is doing more harm than good by lumping entirely different devices and different connection modes together, and creating an implicit suggestion that they can all be treated similarly. “Internet of Things Security” is a thing, but the problem is that it’s everything, and that means that it’s useful for nothing.

What’s wrong with the phrase “Internet of Things” from a security perspective? Only two words: “Internet” and “Things”.

Minimal MQTT: Power and Privacy

In this installment of Minimal MQTT, I’m going to cover two loose ends: one on the sensor node side, and one on the MQTT server side. Specifically, I’ll tackle the NodeMCU’s sleep mode to reduce power and step you through bridging MQTT servers to get your data securely out of your home server and into “the cloud”, which is really just other people’s servers.

If you’re just stepping into this series now, you should really check out the other three posts, where I set up a server, then build up some sensor nodes, and then flesh out a few ways to control everything from your phone or the web. That’s the coolest material, anyway. This last installment just refines what we’ve built on. Let’s go!

Secret Listening to Elevator Music

While we don’t think this qualifies as a “fail”, it’s certainly not a triumph. But that’s what happens when you notice something funny and start to investigate: if you’re lucky, it ends with “Eureka!”, but most of the time it’s just “oh”. Still, it’s good to record the “ohs”.

Gökberk [gkbrk] Yaltıraklı was staying in a hotel long enough that he got bored and started snooping around the network, like you do. Breaking out Wireshark, he noticed a lot of UDP traffic on a nonstandard port, so he thought he’d have a look.

If You See Anything, Say Something? Math on a Plane

Remember September 2015? That was the month that [Ahmed Mohamed] brought a modified clock to school and was accused of being a terrorist. The event divided people, with some feeling it was ignorance on the part of the school, some feeling the school had to be cautious, some feeling it was racial profiling, and others thinking it was a deliberate provocation from his possibly politically active parents. In the end, [Ahmed] moved to Qatar.

Regardless of the truth behind the affair, this month we’ve seen something that is probably even less ambiguous. The Washington Post reports that a woman told an Air Wisconsin crew that she was too ill to fly. In reality, she was sitting next to a suspicious man and her illness was a ruse to report him to the crew.

Authorities questioned the man. What was his suspicious activity? Was he assembling a bomb? Carrying a weapon? Murmuring plans for destruction into a cell phone? No, he was writing math equations. University of Pennsylvania economics professor [Guido Menzio] was on his way to deliver a speech and was reviewing some differential equations related to his work.

[Menzio] says he was treated well, and the flight was only delayed two hours (which sounds better in a blog post than it does when you are flying). However, this–to me–highlights a very troubling indicator of the general public’s level of education about… well… everything. It is all too easy to imagine that any Hackaday reader looking at a schematic, a hex dump, or source code could have the same experience.

Some media has tried to tie the event to [Menzio’s] appearance (he’s Italian) but I was frankly surprised that someone would be afraid of an equation. The pen may be mightier than the sword, but a math equation won’t (by itself) down an aircraft. I’ve heard speculation that the woman might have thought the equations were Arabic. First of all, what? And secondly, what if it were? If a person is writing in Arabic on an airplane, that shouldn’t be cause for alarm.

It sounds like the airline (which is owned by American Airlines) and officials acted pretty reasonably if you took the threat as credible. The real problem is that the woman–and apparently the pilot–either didn’t recognize the writing as equations or somehow feared equations.

Regardless of your personal feelings about the clock incident, you could at least make the argument that the school had a duty to act with caution. If they missed a real bomb, they would be highly criticized for not taking a threat seriously. However, it is hard to imagine how symbols on a piece of paper could be dangerous.

While the mainstream media will continue to focus on what this means for passenger safety and racial profiling, I see it as a barometer of the general public’s perception of science, math, and technology as dark arts.

Reverse Engineering An ATM Card Skimmer

While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.

The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB, [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.

An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.

Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.