This was originally posted as an INSIGHT for Wolf & Company, P.C.
Continuing our series of takeaways from DEF CON 24 (last month we discussed How Hackers Are Attacking Mobile Devices), we’re turning the focus to Anthony Rose’s presentation, “Picking Bluetooth Low Energy Locks from a Quarter Mile Away.” This presentation is particularly relevant as we’ve been seeing more and more “smart” devices enter the market. These devices come with wireless networking capabilities, including Wi-Fi, Bluetooth, and Bluetooth Low Energy (“BLE”). Anthony focused on the rise in security products involving BLE, and how the intended short-range use case can be exploited. Here’s what you need to know.
Consider the number of padlocks, deadbolts, and safe and ATM locks that now incorporate BLE as a convenience factor for end users. Anthony was able to use widely available tools to detect the presence of BLE locks within a quarter mile, much farther than the sub-100 meter range the locks' security assumes. Out of the eleven locks Anthony discovered, three were found to transmit plain text passwords, and four were found to be vulnerable to replay attacks, which consist of capturing the traffic of the legitimate user, then re-sending the data to the lock later to impersonate that user. What was really eye-opening is that the presenter didn’t depend on expensive technologies to perform the testing. Rather, Anthony used freely available software, some of it included in several operating systems, along with $205 worth of hardware.
With all that being said, there is hope for keeping your technology and ATMs secure! Several target locks included in Anthony’s presentation were not exploited or bypassed. These locks had some features in common, mainly:
- The vendor used industry-approved Advanced Encryption Standard (“AES”) rather than proprietary algorithms
- The vendor did not hard-code administrative passwords into the device firmware
- The vendor supported multifactor authentication (“MFA”)
- The vendor allowed users to select longer and more complex passwords that were upwards of twenty characters
If you are considering using locks with BLE features for any sensitive locations, documents, technologies, or ATMs, be sure to consider the controls listed above. There are also several options available for detecting rogue Bluetooth devices around your office. You should also enhance your periodic tests for rogue wireless access points (“WAP”) and consider scanning for Bluetooth as well.
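The replay weakness described above can be seen in a small simulation, added here as an illustration and not taken from the presentation or any vendor's code. It compares a lock that accepts the same unlock message every time with one that requires a response to a fresh, single-use nonce. Assumptions: the class and function names are hypothetical, the key is a constructed sample, HMAC-SHA256 from the Python standard library stands in for AES-based authentication, and challenge-response is a standard replay countermeasure rather than a design attributed to any lock in the talk.

```python
import hashlib
import hmac
import secrets


class StaticTokenLock:
    """Weak design: the unlock message is identical on every use."""
    def __init__(self, password: bytes):
        self._password = password

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._password)


class ChallengeResponseLock:
    """Hardened design: each unlock must answer a fresh, single-use nonce."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:              # no outstanding challenge
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None                   # single use, even on failure
        return hmac.compare_digest(response, expected)


def owner_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate owner's app computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_outcomes() -> dict:
    """Re-send one recorded legitimate unlock to each design."""
    key = b"constructed-demo-key"            # constructed sample secret
    weak = StaticTokenLock(key)
    recorded_weak = key                      # the bytes seen on the air
    weak.unlock(recorded_weak)               # legitimate use succeeds
    strong = ChallengeResponseLock(key)
    recorded_strong = owner_response(key, strong.challenge())
    strong.unlock(recorded_strong)           # legitimate use succeeds
    strong.challenge()                       # later session: new nonce
    return {"static": weak.unlock(recorded_weak),
            "challenge_response": strong.unlock(recorded_strong)}
```

The recorded message still opens the static-token lock, while the challenge-response lock rejects it because the response was computed over a nonce that is no longer valid.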