I don’t think negativism as in “I’ve always told you this is a bad idea” helps in any way. You could reinforce all windows with steel bars, but that would make your 14yo daughter, rightfully so, feel like in prison. You could buy a 10 000€ lock for your front door, but maybe then a burglar would just throw in a window. For a garden shed/ garage door/ bike lock, the proximity-based opening is a great idea, because it trades a lot of inconvenience for a little less security, in theory (no one’s going to sneak into your garden shed and steal your fertilizer why you’re 5m away).įor front-door mechanisms, this might be different, indeed.Īnyway, any lock’s function is *always*, and has always been, a trade-off between security, convenience and cost. That’s a completely different use case than the types of locks depicted in this article’s header. Posted in Security Hacks, Slider Tagged bluetooth, DEF CON, lock, lockpicking, security Post navigation ’s work going forward will concentrate expanding his library of scripts to exploit these locks, and evaluate the Bluetooth locks on ATMs. The majority of Bluetooth smart locks are not built with security in mind, which, by the way, is the entire point of a lock. Twelve of the sixteen locks tested could be easily broken. These locks use proper AES encryption, a truly random nonce, two factor authentication, no hard-coded keys, allow the use of long passwords, and cannot be opened with a screwdriver. What was the takeaway from this talk? Secure Bluetooth locks can be made. Even locks with ‘patented security’ (read: custom crypto, bad) were terrible this patented security was just an XOR with a hardcoded key. When all else fails, brute forcing locks works surprisingly well, with quite a few models of smart lock using eight digit pins. The attacks on these Bluetooth locks varied, from sniffing the password sent in plain text to the lock (!), replay attacks, to more advanced techniques such as decompiling the APK used to unlock these smart locks. This entire setup can be powered by a single battery, making it very stealthy. The tools used for these wireless lockpicking investigations included the Ubertooth One, a Bluetooth device for receive-only promiscuous sniffing, a cantenna, a Bluetooth USB dongle, and a Raspberry Pi. Other Bluetooth ‘smart locks’ are made of plastic. The Kwikset Kevo Doorlock – a $200 deadbolt – can be opened with a flathead screwdriver. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.Īt this year’s DEF CON, have given a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier is a bit of a misnomer – some of these Bluetooth locks are terrible locks, period. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.īluetooth isn’t limited to wearables, either deadbolts, garage door openers, and security systems are shipping with Bluetooth modules.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |