All right, let's get started. So I'm Anthony Rose. Nice to meet everyone. This is actually my first talk at DEF CON. It's also my first time at DEF CON. So this is really exciting. So if you made it here, I'm giving a talk on Bluetooth low energy. If you're not interested in that, this is your last chance to leave. So otherwise, you're stuck here. So my talk is picking Bluetooth locks from a quarter mile away. Or what I want to call it is smart locks made by dumb people. So what I found is a lot of manufacturers decided to make user convenience over security. And my job was to take advantage of that. So I want to steal your passwords and get in your house. So let's get started. So I'm Anthony Rose. I'm part of a little hacking group that we call Merculite. You might have seen a couple of their talks around here, like some Insteon stuff that's happening later today. Refrigerators, smart refrigerators, and then another Bluetooth talk. I'm the lock picking hobbyist. I'm by no stretch of the imagination an expert, but definitely a hobbyist. And my background is electrical engineering. And you'll notice that when you look at my code. Because I don't code very well. So when you think like, why the hell did he code it this way? Yeah, it's because I'm not good at coding. So I'm sorry. My background, actually, I did research at Arizona State. Go Sun Devils, if anybody's here. Sun Devils. He doesn't count because he's my brother. My background is wireless video compression. So I did some wireless stuff prior. But really my main focus right now is Bluetooth security, Bluetooth low energy security specifically. Ben was the other person who was supposed to be here. He couldn't make it. He had his appendix removed, so it probably wasn't safe for him to travel. But his background, he's got a PhD in computer science. And he's done some previous work. You can actually look at some of this stuff at ShmooCon, DerbyCon, and he has a PoC||GTFO coming out.
So keep an eye open for that. Quick overview of what we're going to talk about. Some goals that we set out when we actually wanted to look at Bluetooth. What is Bluetooth low energy, because not everyone might actually know what it is? Why should you even care what I'm talking about? Some exploits that we found and then some takeaways for consumers and for vendors and then some future work that we actually want to work on. And then finally open up the floor for some questions. Hopefully you don't throw anything at me, so let's get started. So our goals. Really we wanted to find vulnerabilities in Bluetooth locks. And once we started to find vulnerabilities, we figured, hey, we might want to contact vendors and let them know that their locks aren't safe. And it turns out that vendors actually don't care. We contacted 12 vendors and only one of them actually responded. And their response was, yeah, we think it's a problem, but we're not going to fix it. So we figured next we might want to release this stuff to the public so that way at least the consumers know what the issue is. So they can make the decision of, hey, should I buy this lock or maybe I should stay away from it. I'm also a big movie buff. So if you can name all those, good on you. But if you trust Newman for your security, you're making a really bad choice. Yeah. And also, if you can actually recognize my t-shirt, because I'm a huge movie buff, I'm impressed then. So awesome. Oh, yeah, sorry. Maybe you can check it out afterwards then. So what is Bluetooth Low Energy? Really designed to be a really low power protocol and it's designed to really send a minimal amount of data. So you're looking at very small amounts of data, mostly like state updates. So like passwords, am I open or closed for a door, things like that. It still operates in the same spectrum as Bluetooth Classic, still that 2.4 gigahertz spectrum that everything uses.
And really the big thing for it is it's really short range because the power consumption is very, very minimal. You're talking like cell battery size. So you're looking at really short range, about 100 meters in most cases. Actually really when you talk about these locks, 20 to 30 meters is really where they cap out. And what we wanted to do was take advantage of this. So actually if you use a USB dongle that has an antenna hookup and you actually get one of the ones that actually has a decent amount of power on it, you can actually start communicating with these devices at like a quarter, half mile distance. So that's actually what we did, which was pretty cool. Oh, I shouldn't have changed slides yet. Actually all the commands that we're going to be sending are going to be going to this host controller interface. And that's what we send on Linux and that actually gets interpreted up to this GATT. This is the generic attribute profile. And what this does is actually sitting both on your lock and on your phone or whatever user device you're using. This is how they actually communicate. There's things called attributes on the server and we actually send read and write requests as a user to the server to actually learn information or send information. So that's how I send my password to a lock and that's how the lock responds with now I'm open. So all those attributes are actually sitting on this GATT server. Now you're probably thinking why should I even care what this guy's talking about? Well, turns out these things are really popular. The recent estimates for how many of these devices are being built a year is like three billion a year. So there's tons and tons of Bluetooth low energy devices. I mean, if you look at your phone, it probably has Bluetooth low energy in it. So they're everywhere and they're being used for security purposes. So they're being used to secure your homes and your valuables. And there's a wide range of these devices.
There's dead bolts, bike sharing programs use these locks, lockers, gun cases, ATM locks. Yes, ATM locks, where they actually lock up the money with a Bluetooth low energy lock, surprisingly. And then Airbnb, does everybody know what Airbnb is? Anybody? Okay. So surprisingly, you can actually rent houses with this program and they use smart locks. You actually get the code from them and then you actually open up the lock and go in there. I had a friend who traveled Europe recently who actually saw a bunch of locks that we're going to talk about. And he was like, really, look at this. Oh, could you break into them and get me a free house? And I'm like, eh, probably not. So there's a wide range of companies that actually built these products. A lot of big companies and a lot of small startups. And we found a lot of the smaller companies just didn't have the funding to actually build security in, at least robust security. And that's something that we focused on. But still even the big companies still had some holes in a lot of the things they developed. So to actually hack Bluetooth, what you need is a sniffer. I'm sure everybody's familiar with the Ubertooth. Pretty affordable option, about $100. Obviously there's some cheaper options, but this is actually what I prefer. You need something to be able to send commands after you sniff them. So you need a USB dongle of some sort. You can get a cheap, regular USB dongle for $15. I really like the UD100. I'm familiar with that platform, it's got an antenna hookup. So you can hook up a really high gain antenna on it. And then you can really have fun at really long distances. Raspberry Pi is great because they actually run all this stuff mobile. And when you actually use that kind of platform, you kind of set it up and leave it. And I don't have to worry about somebody stealing it. A laptop, obviously somebody might walk away with, but a Raspberry Pi, you're only out 40 bucks. So it's not a big deal.
The high gain antenna that I use, 15 dB Yagi, if you're an electrical engineer like me. That's actually all my stuff right there. My wife gets really upset because it takes up a lot of space and she gets pretty pissed. So the Ubertooth One, if you're all familiar, created by Michael Ossmann a couple years back. You can look up a lot of information on it, but really the important part of it, it was really the first Bluetooth sniffing tool that was really out. Prior to this, a lot of the other options were really, really expensive, like $10,000. So this made it really affordable for the average user like us. This does all passive sniffing and it really only has a receive capability. You can modify the firmware to do other things, but really for low energy, it's really only receiving commands, which is good because the user has no idea this is happening. You can use that with like a USB dongle and you actually go war driving with it. So I like to drive around my neighborhood and pick out all the things that my neighbors have, or I set up my antenna out my window and then my neighbors knock on my door and they wonder what the hell I'm doing. So, you know, you can drive around, you can pick up passwords or actually pick out networks from people. Then you set up a high gain antenna in the back of your Jeep like I do, park it at McDonald's and then I sniff your password from your house from like a half mile and then guess what, I can get in your house if I wanted to. And it's really conceivable. I mean, no one's going to be looking in the back of my truck at least, at least I hope not, and it's great. So one of the cool things that we've actually thought of is war flying, so take like a quadcopter, hook up a Raspberry Pi to it, fly it around, use the onboard GPS to actually plot where devices are and actually find where they are and then you can actually go back later.
I haven't had time to build it, but you know, it's a cool project and maybe somebody could build it and then I could play around with it. So I did a recent trip around my neighborhood. I drove around for like an hour. I picked out a lot of really cool things, smart TVs, smart, like, for cookers, toasters, Fitbits, God knows what people have, but I actually found four locks that people actually had within about 40 minutes, which is pretty cool because actually all four of those locks I actually know and actually two of them I actually have exploits for. So I probably should have told them, but yeah, whatever. Before I go through all the locks I broke, I want to point out like four of them I actually couldn't break. I've had some ideas actually how to break them. I just haven't had a chance to do it yet, but let's go through the ones I couldn't break. The first one's the August lock. There's some exploits that I think I could use but haven't had a chance to use yet, but about a year ago, a couple of individuals actually posted on their blog about a hard-coded password actually built into their application. So this password isn't used really for much besides settings, but still the practice of having a hard-coded password in your application is really not a good thing. The next one actually is really surprising. So the Kwikset lock actually, they had a really interesting design decision. They built fantastic Bluetooth security on it. It's really hard to break. However, their lock, at least the older versions, you actually use a screwdriver actually to open up the lock. So it takes about 10 seconds actually to break the lock open. I really wanted to try it, but I had one of the newer models and I really didn't feel like breaking a $300 lock because I really don't have that much money. So I didn't break my lock, but there's YouTube videos all over the place. So go check them out. They're pretty cool. And yeah, that's a great design decision on their part, right?
What do they all have in common? They all use AES encryption. They use some sort of nonce value, a random number, and then they actually send that value and get it encrypted and then they send it back. That's normally how a lot of these locks work. All the ones I couldn't break had two-factor authentication. At least they're not using hard-coded passwords anymore, at least I hope not, and then they use a really long password space, 16 to 20 characters in most cases. Some of the ones I actually found use six to eight characters, surprisingly. I don't know why you would ever choose that, but that makes brute forcing easy and I actually put out some tools for you guys that'll actually be able to brute force things. There's a wide range of vulnerable devices. So before you get overwhelmed by this slide, I broke them into categories. So you're able to see the categories and each category is a lock. The firmware number in case they update it, so that way at least you know which version you actually can exploit. And then a symbol for if it's a padlock or a door lock. So we're going to go over plain text passwords, replay attacks, actually fuzzing a device to get it into an error state. One where you actually decompile an app actually to get something out of it that's interesting. And then finally device spoofing, pretty much a man in the middle attack so I can pretend to be the lock and then actually get the user to send me a password so that way I can unlock their device. To be able to do this, you need to be able to sniff first. So we use that Ubertooth and the way Bluetooth low energy actually works. You have three advertisement channels. If I want to steal your password on the first try, I need to be able to sit on each of those advertisement channels. So I need to have three Ubertooths in this case. One set up on each advertisement channel. That way I know I can actually get the information.
Obviously I'm sniffing wireless, so there's no guarantee I'm going to get it, but at least I'm increasing my chances. Once I have all that information, I can compile it all to one file, I can filter out all the duplicate stuff, and then I can actually filter for your password. Now that I have your password, I need to be able to send it somewhere. So what we do is we use Scapy. It actually has some sockets built into it that are pretty cool. I can bind right to the Bluetooth socket and actually send commands to the dongle and actually go to devices. So that's what we actually, that's what we use. And then I built some commands that we use pretty often into Python so that way I can actually be able to use them. So I can do connect, read, write commands. I can do spoofing, actually change my address and my device name all through these sockets, which is great. So now that I have all that in place, I actually start attacking locks. So that's what we're going to do now. So I wanted to say this was the first lock I actually broke, but turns out it's not. I found out this morning actually from my dad that apparently like 15 years ago, you know, the remotes actually block like TV channels on cable boxes. So I actually guessed his password I guess 15 years ago when I started watching inappropriate things. So turns out that's actually the first lock I broke. So I broke into his remote and decided to watch late night HBO. So this is the second lock I ever broke. This is the Quicklock and they had a really interesting design decision. So what they do actually with this lock is they send your password in plain text. Not only do they send your password in plain text, they actually send it twice. So they double it up and then they throw an op code at the beginning. So I thought to myself, well, why would they do this? Turns out that they do this because you can actually change the password by using the same command on the same handle. So that's actually what we're going to do.
So right now this lock is broken. So let's cross off this. I can get into this lock, but I want to do more than just breaking this lock. I want to be able to take advantage of the fact that I can actually change that admin password. So I'm going to change the admin password now. And how do I do that? I take that op code and actually I change it to zero one and then I set the password to be all sixes. So you're thinking, oh, cool, you know, the admin's now locked out. The user's locked out. They can't use their device. It actually gets a little better than that. Turns out the user actually can't reset the device without removing the battery. So they have to remove the battery from the device to reset it. And guess what? The battery is actually behind a panel that can't be removed unless the lock is already open. So really they're completely locked out of the device. And since I'm doing this outside of the application, the application doesn't even know what to do. So it actually pleads with you like, hey, please help me. I don't know what to do. The right password. So I've locked the user out both in the application and physically from their device. So that's pretty cool. Really, actually, really interesting story. This actually, I actually found this device pretty recently and I'll tell you a little story. So I went to a car dealership recently and I actually had to get an oil change for my car and they told me, hey, you know, it's going to be like two hours, you know, go have a seat. And I was like, you told me 30 minutes on the phone. What the fuck? So I figure, hey, you know what? It's not that big of a deal. And they're like, just go have a seat. So at that point, I'm actually kind of pissed because they keep telling me just to go sit down and shut up. So I walk away and I'm thinking to myself, you know what? Fuck you. I'm going to go hack your shit. So I start scanning. So I start scanning all the stuff they have available. 
And I'm seeing like cars pop up, people, iPhones, Fitbits, a couple of Tiles. Actually, if you know anything about the Tiles, I started actually to start sniffing stuff and I wanted to send commands to make them randomly go off just to piss them off. So I started doing that. And then actually this lock popped up and I got really excited because this is actually that Quicklock that we actually just talked about. So 30 minutes goes by. I'm waiting. I'm waiting. I'm waiting. It's about the time I would have been home already at this point. And then I get the guy's password. So I'm really excited at this point. So let me show you his password. Here it is. Actually, let me zoom it in. Yeah, he set his password to be 69s. Actually, and remember, I'm at a car dealership. So the guy looks like this. So I mean, you think about a user. He sets his password. He thinks nobody's going to guess it, but little does he know I can actually sniff your password in plain text and I actually, I can see it. So yeah, he's a bit of a pervert. I'm sorry. So I have his password now. I didn't break into his lock, but at least I have his password. So that's kind of cool. Since we're doing the plain text passwords, we can brute force them. Figure, you know, with me, I figure, you know, when all else fails, brute force it. And a lot of the things that a lot of these manufacturers do is they limit those password spaces. So what I found is a lot of them use minimal password spaces. So eight digits in some cases or six characters exactly. So those password spaces are very easy to brute force because they're very small. Still, it could take a while. So you can use word lists. Obviously, you can use ones, one through eight, sixty nine, phone numbers, street addresses, or a word list with actually six characters, exactly words, and use that to brute force. All that's on our GitHub. You guys can check it out at the end. If you break into things, send me a message. It'd be pretty cool.
So here's a little demo of the Quicklock, pretty, pretty simple little lock actually. You have to click the button on it to actually connect to it. I start sniffing with Ubertooth. I get, actually get a PCAP file that I'll then put into a script that actually parses all the information and actually pulls out the password for me and then sends it to the lock. And I'm not really a nice guy. So I decided that I should also add in where after I unlock the lock, I also change your password. So you're actually locked out after I get into your house. So that's pretty cool. Originally, I wanted to do a wireless demo, but everybody here has Bluetooth. It is fucking crazy. If you do a quick scan, there's like a thousand something devices and there's no way in hell I'm going to be able to actually be able to sniff here. So I opted to do videos instead. So, just so everybody knows. Next, actually some companies actually opted to actually do encryption and you think, oh great, they're going to use encryption. Their websites advertise crazy things. They advertise, oh yeah, we're using 256 bit AES encryption. You know, the military uses it. So it's got to be great, right? Well, turns out they actually don't use encryption the way it really should be used. So it turns out if I just sniff it and I send it back to the device, it opens, which kind of sucks for them. It's great for me, but it really sucks for these companies. Even better than that, so all four of these locks actually have more in common than just replay attacks. Actually, if I set my password to be password, for example, and I set it on one of these devices, it actually encrypts it the exact same way in all four of them. And they actually use the same method of actually opening up as the other ones. So it turns out a lot of these locks, like they're sold on Amazon, Newegg, a couple other websites, and they go up like two or three at a time and then they pull them off.
So they end up using the same code as the back end for all of them and they just keep repackaging them as something else. So it makes it really easy, actually, if you just sniff it and then replay it to open them. And oh yeah, by the way, they're all made by Chinese manufacturers. I'm not bashing anything, but yeah, they all have stickers on them that are written in Chinese and the manuals are actually written by somebody who cannot speak English. It is absolutely awful to figure out how to set these things up. So these are broken, pretty cool. Now next, actually, after this one is actually a completely different thing. We were looking for companies that actually used encryption, but maybe developed their own sort of encryption. So we want to see, hey, can we actually fuzz it? We fuzz a device. We get it to enter an error state and see what happens when it's in that error state. That's actually where we found this lock, Okidokeys. If you're familiar with it, it's made of all plastic. I don't know why you'd use a plastic lock for your house, but you know, cool. So we actually went to their website and we started looking at how they claim their security. So actually the interesting parts to us was, hey, we developed something that was similar to AES encryption. We're like, oh, cool. And they combine it with a patented cryptographic solution. So if you know anything about crypto, proprietary crypto is not usually a good idea. It usually means it's not tried and tested and there's usually things that you can take advantage of, which is actually what we actually did. So we figure, hey, let's take a look at this lock. Let's see what we can find out about it. So we started sniffing a bunch of things on it. We sniffed like a bunch of packets and we started noticing that keys really weren't that unique. You started seeing patterns in them and you figure, like, oh, cool. You know, maybe I'll be able to fuzz it. So we came up with this intricate fuzzing script.
You know, if we're going to do one byte at a time, it was going to come up with combinations. It could take days, weeks, months. Who knows how long it's going to take. Boy, were we wrong. Turns out, it took about three seconds. Because if I take the third byte and I change it to zero, the lock enters an error state. Not only does it enter an error state, it opens. Oh, it gets better. It goes, actually, sends up an error message in the application saying the keys are out of sync. So I started to think to myself, well, why would this happen? Why would the keys be out of sync? Well, remember that patented crypto we talked about earlier? Yeah, it might be some sort of XOR, because they use a previous key to actually generate future keys. And now that they're out of sync, uh-oh. So, yeah, that really wasn't a good idea. So a really funny story actually about them, we contacted them to let them know that they had some problems with their lock, and then they turned off their website. So I'm not claiming responsibility for anything, but yeah, they turned off their website after we told them that there was an issue. And you can still buy their stuff though. They're still selling it on Amazon, so you can go check it out, but it may not be supported much longer. And then actually here's a video of it, pretty cool. So they use the application actually to unlock it. So you swipe it, it actually unlocks, I sniff the password that's current, and then I'll take that, I'll actually run it through my script, which actually pulls out the password, changes that third byte to zero, and then unlocks at some point. And there it goes. And then this is where the user comes back, they want to lock their door, they want to unlock it, whatever they want to do, and then guess what, it doesn't work. Sorry, that kind of sucks.
So, kind of a different thing that we talk about, if you're familiar with Android applications, you actually pull off those applications in APK format, and you actually decompile them, actually into readable code. So I actually like to use this program called Bytecode Viewer. It allows me to view it in a bunch of different ways, and actually view what they coded as, as if it's readable. So that's what I did for this lock, the Danalock. I actually broke this lock down into readable code to actually see what they put in there. Turns out, they had this hard coded password in there. Yeah, you think this password's cool, guess what? So they don't just put this password in there, this is on every device. They actually store your password also. So my password in this case was password, and they actually XOR that with this super secret password that they have, and then they store it into a table. So every user's password is actually stored in this table, and I actually know the method that they actually use to store these passwords. I haven't had a chance to actually break this lock, so I'm pretty sure this is what this is used for, but I'm not a hundred percent sure. I want to go back and actually do it, but I haven't had a chance. So it's kind of, kind of pwned, since I haven't really broken into it yet, but I have almost all the tools I need to be able to do that. A big thing that a lot of companies are moving towards is like a web server back end. That way you can't pull passwords off of actual applications. So what they do is they store it on a web server and you ping that server with some sort of value, they encrypt it, they send it back. This is great because a lot of the companies are using it, it's a lot more secure. However, if you fake the device, you can actually trick the user into giving you a password, and that's what we do.
So we actually take a device, we impersonate it, and we trick the user into giving us a password. And to do that, it doesn't really take much equipment, a Raspberry Pi, maybe a laptop. You need something to run BlueZ, that Bluetooth stack. You need something to actually build the GATT server on your device. So, Bleno is a great program. If you saw some of the other talks, they actually talk about Bleno with the man in the middle attacks. Then you need something to actually pull services off of devices. And I like LightBlue Explorer, great program you can run on your phone. The reason why I like it is because if you walk around with your phone out, nobody looks at you funny. But if you walk around with a laptop, everybody gives you a really, really nasty look. So, it's great to use it on your phone because nobody looks at you twice. And this is really mobile. If you set up on a Raspberry Pi, you can set it up really anywhere. And it's somewhat undetectable. And I say that because if these applications are running in the background, the user has no idea that they're connecting to you and giving you a password. But the web servers might know. So that's kind of where it's somewhat. However, these web servers usually don't give a shit. They give you a thousand passwords and you can build a whole table of passwords from this. And guess what? These servers don't care because they think you're actually the right person. So you keep getting passwords and I can do whatever I want with them. And we found actually one of the devices that we're going to talk about in a second. BitLock, if you're familiar with this lock, it's actually a padlock they use for bike sharing programs. And they're pretty widely used. They're in like 20 different countries all over the, actually all over the United States as well.
And that's actually what we'll be looking at because they actually use a nonce value that they send and we actually found a way to predict what the next value is going to be. And I'll show you that here. So this is actually how we break into the lock. We connect to the BitLock first. We actually scan for all those attributes, all the primary services, the characteristics. And we build a copy of the server in Bleno. And there's all the attributes right there. So I connect to the lock. I actually get a nonce value and I send an invalid password. Doesn't matter what I send to them. Because I just want to know what it's going to do next. Next it actually increments it by one. And the reason why it does that, that's actually the method it uses actually to generate a random value. That random nonce is actually only incrementing. And that's it. That's all they do. So I actually have what every value is going to be from this point on because they're just going to increment it every other time. So I'm done with them. I have everything I need. I just need to find the user. So I wait for them to park their bike, they lock it up, they go somewhere. And then I set up, I actually send them that value, that n plus 2 value that I was talking about. They send it to their web server. They get it encrypted. They send it back to me. And now I have their password. Pretty easy process. And that's all because of that nonce. Now I go back to that BitLock. And here's the best part about all of it. This value that I'm talking about, it doesn't matter what I set it to. So I can get n plus 10, I can get n plus 100, I can get n plus 1,000. I can build an entire table of passwords. Because they're only incrementing that value and I know how to force the BitLock to actually increment. So now I go back to the BitLock, whatever value that I add, I force it to increment. So I connect to it. It sends me this random value that I would never guess. I send the encrypted version to it.
And then guess what? It opens. So now, so now I have their bike. I'm riding around on it. So this is pretty deployable, pretty easy to use because you want to look, really your targets for this are really high traffic areas. So you want to look for like coffee shops because hipsters love bikes. So if you find a coffee shop, there's probably somebody using one of these locks nearby. Or you can look for the university because some universities might want their students to use bikes. And guess what? We found one that uses this. I'm not going to tell you what university, but if you open up the application, actually, there's a really cool feature built into it. So you can actually look at any bike share program that's out there without actually being subscribed to their bike sharing program. So I travel to this random university and I can actually find where all their bikes are actually located. I just actually have to go to one of those locations. So I go to one of those locations and look, there's a bike. And then I get out my phone and I start scanning because guess what? I have my phone out. Nobody thinks twice. I curse a couple of times. I kick the bike and everybody just thinks I'm stupid and I can't open the lock. But I have all the information I need now. So I go sit down at like a park bench nearby. And I start entering all the information that I collected with LightBlue. So I take that information and I actually put it into Bleno. So I actually have the device name now and I have the nonce value and I start advertising and I wait for a user to come by to connect to me and then I'll get their password. Well, there happens to be one problem. You know anything about college students, they don't like to hang around during the summer and that's when I decided to actually go there. So there was nobody around. Yeah, that was a little upsetting. But I do plan on going back during the fall when I actually know there's people around to test this out again.
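The BitLock weakness above comes down to one property: a challenge nonce that only counts up lets anyone who has seen one challenge know the next one, so a response obtained ahead of time is still valid later. The toy model below is an added example, not BitLock's code or Merculite's tooling; it uses a constructed shared key and an HMAC stand-in for the vendor's encryption, and contrasts the incrementing nonce with a CSPRNG nonce to show that the fix is in the nonce source, not the cipher.

```python
import hmac
import hashlib
import secrets

# Constructed key: stands in for whatever secret the lock shares with the vendor server.
SHARED_KEY = b"constructed-demo-key-not-from-any-product"


def legit_response(key: bytes, nonce: int) -> bytes:
    """The legitimate app/server side: answer a challenge with a MAC over the nonce."""
    return hmac.new(key, nonce.to_bytes(16, "big"), hashlib.sha256).digest()


class ChallengeLock:
    """Toy lock: issue a nonce, unlock only if the reply is the MAC of the pending nonce."""

    def __init__(self, key: bytes, nonce_source):
        self.key = key
        self.next_nonce = nonce_source  # callable that yields the next challenge
        self.pending = None

    def challenge(self) -> int:
        self.pending = self.next_nonce()
        return self.pending

    def verify(self, reply: bytes) -> bool:
        if self.pending is None:
            return False
        expected = legit_response(self.key, self.pending)
        self.pending = None  # each nonce can be answered at most once
        return hmac.compare_digest(expected, reply)


def counter_nonces(start: int):
    """The weak design described in the talk: the 'random' nonce just increments."""
    state = {"n": start}

    def nxt() -> int:
        state["n"] += 1
        return state["n"]

    return nxt


def random_nonces():
    """The fix: an unpredictable 128-bit nonce from the OS CSPRNG."""
    return lambda: int.from_bytes(secrets.token_bytes(16), "big")


def precomputed_reply_accepted(nonce_source) -> bool:
    """Model the scenario from the talk: observe one challenge, answer it wrongly so the
    lock moves on, have the legitimate side answer the *predicted* next nonce in advance,
    and present that stale answer when the lock issues its next challenge.
    Returns True if the lock accepted it, i.e. the nonce was predictable."""
    lock = ChallengeLock(SHARED_KEY, nonce_source)
    seen = lock.challenge()
    lock.verify(b"\x00" * 32)                      # deliberately wrong reply
    predicted = (seen + 1) % (1 << 128)            # correct only for a counter nonce
    stashed = legit_response(SHARED_KEY, predicted)
    lock.challenge()                               # the real next challenge
    return lock.verify(stashed)


if __name__ == "__main__":
    print("counter nonce, stale reply accepted:", precomputed_reply_accepted(counter_nonces(1000)))
    print("random nonce,  stale reply accepted:", precomputed_reply_accepted(random_nonces()))
```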
At least so I can get passwords. I'm not going to steal any bikes. I promise I won't. But if you guys do, oh yeah, it has no bearing on me. So, you know, whatever you want to do. A cool thing you can actually do to take advantage of things is you can actually do, like, a relay attack with this. And the reason why we thought of this is because we contacted BitLock originally and we told them, hey, you might want to change your value that you're sending out, because guess what? It's just incrementing and I can predict that. So they came back and they said, hey, you know, we'll fix it. That was three months ago and it's still not fixed. But, you know, maybe they'll get to it eventually. But a lot of the other locks that we can't break into actually use a similar process. So we figured, hey, let's take advantage of this and see if we can do an attack like this on other locks that we couldn't break. So that's where this attack actually came in. So what I do is I stand near the lock with a device, and the lock sends me a known value. I take that value, I send it to another device that's sitting near the user. I use cellular, Wi-Fi, something, to send that information. This device is, like, taped underneath their car or whatever high-tech method you want to use. But as long as it's near them, it doesn't really matter, because I'm going to send that value to them and they're going to get it encrypted for me and send it back to me, all because this app is running in the background. And that's really the big problem, is that these apps are constantly running for user convenience. And since they're focusing on convenience and not security, I'm going to take advantage of that. So they send that password back to me while I'm standing at the lock, and I open it. And this is all done in real time, really quickly. And this is actually what we want to develop next. This is kind of our next project that we want to work on, is to be able to do this.
And you're probably thinking, well, how do I find these rogue devices? Well, actually, sadly, if you actually saw the Blue Hydra talk, they actually did something similar to us. So this is kind of another one of those programs, but it's a blue finder; it's just a program that we built that allows us to track devices. So what we did was we actually tested a range of devices and actually found out what their signal strength was at a meter. And then we actually built a model behind that to actually track devices. And we actually put a good error rate on it, 24%. So within three meters I can figure out where your device is. And here's actually a graph of it. If you take that UD100 device, hook up a high-gain antenna to it, I can actually track your device up to about 700 meters, or almost a half mile. So I can follow you pretty well, with a pretty good idea of which direction it is, because these antennas are directional. So I can be like, oh yeah, he's definitely that way, maybe 600 meters away. So let me actually give you a demo of this. This is actually me tracking a target. I'm sitting in my home, just relaxing, tracking a target. So my very high-tech method was taking a Fitbit and duct-taping it to my child. Yeah, my wife wasn't very thrilled about this one. So you think that table was bad? This was worse. So you can track targets pretty far with that kind of equipment. That's really the point. And really, overall, the thing that we really wanted to make clear was that vendors overall just did not prioritize the right thing. They're prioritizing physical security over wireless security. Obviously there's exceptions. Kwikset decided that a screwdriver could be a second key. Probably not the best design decision. But overall, we evaluated a lot of devices and we found that 12 out of 16 of them were broken. And that's a really high number. I went into this thinking, hey, maybe I'll find one or two devices that are broken. No, I found 12.
So overall, they're pretty, pretty bad, and we really wanted to let vendors know there's a problem so that we can actually fix it. And then finally, we wanted to put out some recommendations to users. What we wanted to tell you guys was, hey, turn off your Bluetooth when it's not in use. Especially here at DEF CON, please turn off your Bluetooth, because people are walking around and I'm like, oh, Gary's iPhone. Hi, Gary. I'm going to connect to your stuff now. So turn it off when it's not in use, because that's why that relay attack works: because you're constantly advertising and looking for these devices. And that's how I take advantage of it. Some of the big future work that we want to work on: I found a really surprising thing with history logs. So a lot of these lock companies actually built history logs into their devices, which is great. But they didn't hide it behind a password. So I can actually connect to your device and see everything about your lock. And it gets even better. They're actually storing usernames and passwords. So let's think of a hypothetical situation where we have users mom, dad, Jimmy and Sally, and we have timestamps associated with when they come home and when they leave. So now I know when mom and dad are home. I know when Jimmy and Sally are home. I know when they're not home. So if I'm a bad person, I can take advantage of this. And really, we want to put some pressure on the vendors so that way they would fix this problem. Next, using rogue devices, do a dynamic profile. I want to advertise 20 different advertisement packets, so I can advertise 20 different devices. So that way if somebody connects to me, I serve up my GATT server to match whatever they're looking for. So that way I can steal your password. Next, there's a lot more commands out on those GATT servers that we want to implement in Python, more than just connect, read and write. And then finally, actually, I'm most excited for this.
We bought one of those Bluetooth ATM locks and we're actually going to tear it apart and see if we can break into it. If these locks are any indication already, it should be pretty easy. But I'm hoping it's better than we think it is. That's really it. I wanted to open up the floor for some questions. So if you have any questions, come up to the microphone and hopefully I can answer them. Thank you.

Yeah, hello. First, thanks for looking into this hell of a lot of devices. Really interesting. I did some similar research and I want to add on to your first two unbreakable ones, because I looked into three devices and broke three of them, two of them being the Noke and the Master Lock. So I'm not disclosing too much right now, because Noke actually responded to my request and they're fixing it. But just so much: they have AES and they're doing it wrong. So I broke their AES crypto, and the Master Lock has a physical bypass. So I'll talk about that after I release it to them. And the third one was shimmable. Oh my God. But thanks for your work, and possibly exchange contacts later.

Oh yeah, that's awesome. If you come grab me afterwards, I would love to talk with you, because there's always so many devices out there that I haven't had a chance to break and there's always cool ways to do it. So thank you.

You talked earlier about an Insteon talk that would be happening later. Where are the details of that?

That's actually going to be in the Wireless Village. My friend Caleb is actually going to be giving that up in the Wireless Village at 12:20, I think, somewhere around there. So 12:20 in the Wireless Village.

Is it about Insteon door locks or anything?

It's about Insteon devices overall. So he's mostly focusing on, I think, the lights, the camera and the hub. So go check it out. It would be really cool. Thank you.

Great talk, by the way. These locks that you were taking apart, you said they were emphasizing physical security. Did you notice any tamper detection in the firmware at all?
I did not notice any, but I wasn't actually specifically looking for it. But I mean, all the locks that I used, at least wirelessly, that I sent commands to, really a lot of them didn't care what I was sending, because they thought I was the real device.

So what I'm talking about is actually something where there's something in the firmware, or a switch, that determines a case was opened or something was being tampered with.

Oh, I haven't looked for that. That's actually a very fascinating thing I can look into. So I'll have to check that out.

Please do. Thank you.

Yeah, thanks. Great question.

So do you think a time-dependent rolling code, like what we're using in the payment system, will solve some of the security issues you mentioned?

You talked about a rolling code, is that?

Yeah, a time-dependent rolling code, like we see in the payment system.

So I think that it helps the situation, but if I do a relay attack over long distances, it wouldn't matter, because I'm pretty much convincing the user to send me a password and then I relay it over to the lock in real time. So really what they need to do is, obviously, geolocation is one of the things that can help with it. Not allowing these apps to run continuously is a big deal. So there's a lot of, a combination of things they need to actually implement to actually prevent these things from being vulnerable. So that's a big part of it, though.

Gotcha. Yeah, thanks.

Thank you.

Hi, regarding the uncrackable locks you showed at the beginning, why were you not able to crack the Kwikset Kevo or the August lock electronically?

So part of it's time. So I started finding vulnerabilities in other locks and I dedicated more time towards those ones. And then some of them just, I just haven't come up with creative ways to do it yet. I know other people have done things and I'm very fascinated by learning what they are. But yeah, currently, at least those methods that I was using, they weren't able to break them yet.
I think the relay method at least should be able to break some of those locks, but I just need to test it out at this point.

Awesome, awesome talk. Thanks.

Thanks.

Yeah, great talk. Thanks. That was actually my question as well. But as a follow-up, have you looked at realtors, the tool they're using now to, so I just recently purchased a house, the realtor goes up and the little door lock thing they put, that's all Bluetooth now.

That is awesome.

So you had a code and it spits out the actual physical key to the house. So you might want to.

I'm going to have to buy one of those. That's, that's awesome.

Thanks, great, great talk.

Thank you.

Great talk. I wanted to ask you if you have looked into medical devices also. I mean, after all, if someone wants to break into your house, they can do it the old-fashioned way, but the body is, is, like, more difficult.

So, so originally I wanted to focus on medical devices, specifically pacemakers and insulin pumps. And so I'm a student currently, and all my fellow students looked at me like I was crazy and they're like, you're going to kill somebody. And I was like, that's not the point. I wanted to test devices and look for issues. But really, what it comes down to is getting a hold of these devices in most cases is very difficult. But I want to get to do that. I actually want to look into these devices. But finding them, short of buying one off of a dead body, I'm really not going to be able to get one.

Okay, great. Thanks.

Thanks.

So one of the things that allows these attacks to work is that you're able to sniff this plaintext traffic off of the radio waves, I guess. Does BLE offer any option for encrypted communication other than implementing it yourself?

So they actually have link layer encryption in 4.1. But if you've ever, if you looked into Mike Ryan's work, he actually breaks that. It's very vulnerable.
So they actually developed a new protocol, 4.2, that actually implements link layer encryption that actually works better. But what we've found is most devices don't use it. It's not very common. So obviously, if they could use the link layer encryption with the new protocol on top of an app layer encryption, that'd be more ideal. That might deter some people. So hopefully that's what we see in the future.

Cool. Thank you.

Thanks. I think I'm out of time. So thank you guys. Thank you very much.
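The two attacks the talk walks through, the BitLock counter nonce (predict it, harvest answers from the victim's phone through a cloned GATT server, replay them at the lock) and the relay attack that the rolling-code question in the Q&A comes back to, modelled as an added example. This is not the speaker's code, BitLock's protocol or bleno; it is a simulation written for this page. Assumptions that are not in the talk: the phone's answer to a challenge is modelled as HMAC-SHA256 over the nonce with a shared key, standing in for the value the real app gets "encrypted" by its web server; nonces are 4-byte counters (or random bytes for the comparison lock); the victim's app, running in the background, answers any challenge from anything advertising the lock's name; and the lock advances its counter after every attempt, valid or junk, which is the behaviour the talk describes.

```python
"""Simulation of the challenge/response flows from the talk (added example,
not the speaker's code or any vendor's protocol). The HMAC response, the
4-byte nonce format and the shared key are assumptions made for the model."""
import hashlib
import hmac
import os

KEY = b"constructed-shared-secret"   # constructed sample key for the model


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """Model of what the victim's app returns for a challenge (assumed HMAC;
    the real app gets the value 'encrypted' by its web server)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class CounterLock:
    """Lock whose 'random' nonce is a counter that advances after every
    attempt, valid or not, which is the BitLock behaviour the talk describes."""

    def __init__(self, key: bytes, start: int = 1000):
        self.key = key
        self.counter = start
        self.pending = None
        self.is_open = False

    def challenge(self) -> bytes:
        self.pending = self.counter.to_bytes(4, "big")
        return self.pending

    def answer(self, response: bytes) -> bool:
        if self.pending is None:                     # no challenge outstanding
            return False
        expected = phone_response(self.key, self.pending)
        self.is_open = hmac.compare_digest(response, expected)
        self.counter = (self.counter + 1) % 2**32    # bumps even on a junk answer
        self.pending = None
        return self.is_open


class RandomLock(CounterLock):
    """Same protocol, but the nonce really is random (for comparison)."""

    def challenge(self) -> bytes:
        self.pending = os.urandom(4)
        return self.pending


def harvest_future_nonces(lock: CounterLock, how_many: int) -> list[bytes]:
    """Attacker, step 1: take one nonce, answer with junk, take the next one,
    and extrapolate. Two junk attempts leave the lock two steps ahead, so the
    first predicted value is the lock's very next challenge."""
    n0 = int.from_bytes(lock.challenge(), "big")
    lock.answer(b"junk")
    n1 = int.from_bytes(lock.challenge(), "big")
    lock.answer(b"junk")
    step = (n1 - n0) % 2**32
    return [((n1 + step * i) % 2**32).to_bytes(4, "big")
            for i in range(1, how_many + 1)]


def rogue_peripheral_harvest(predicted: list[bytes], victim_key: bytes) -> dict:
    """Attacker, step 2: advertise as the lock (bleno in the talk). The victim's
    app connects and answers every challenge we hand it, giving us a table."""
    return {nonce: phone_response(victim_key, nonce) for nonce in predicted}


def replay_unlock(lock: CounterLock, table: dict) -> bool:
    """Attacker, step 3: back at the lock, burn junk attempts until it hands
    out a nonce we hold an answer for, then replay that answer."""
    for _ in range(len(table) + 1):
        nonce = lock.challenge()
        if nonce in table:
            return lock.answer(table[nonce])
        lock.answer(b"junk")
    return False


def relay_unlock(lock: CounterLock, victim_key: bytes) -> bool:
    """Relay attack: forward the live challenge from the device at the lock to
    the device near the victim, let their app answer, forward the answer back.
    Works no matter how good the nonce is."""
    nonce = lock.challenge()                         # device at the lock
    response = phone_response(victim_key, nonce)     # device near the victim
    return lock.answer(response)                     # back at the lock


def demo() -> dict:
    """Counter nonce: predict, harvest, replay unlocks. Random nonce: the
    harvested table is useless, but a relay still unlocks."""
    lock = CounterLock(KEY)
    table = rogue_peripheral_harvest(harvest_future_nonces(lock, 10), KEY)
    counter_replay = replay_unlock(lock, table)

    rlock = RandomLock(KEY)
    table = rogue_peripheral_harvest(harvest_future_nonces(rlock, 10), KEY)
    random_replay = replay_unlock(rlock, table)

    random_relay = relay_unlock(RandomLock(KEY), KEY)
    return {"counter_replay": counter_replay,
            "random_replay": random_replay,
            "random_relay": random_relay}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `counter_replay` true and `random_replay` false, which is the difference a real random nonce makes against the precomputed table, and `random_relay` true, which is the point made in the Q&A: a rolling or random code does nothing against a relay while the app will answer any challenge in real time.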