0:00:00.000,0:00:14.029
33c3 preroll music
0:00:14.029,0:00:16.880
Herald: Ray, are you ready?[br]Ray: I think I’m ready!
0:00:16.880,0:00:19.840
Herald: Alright he’s ready…[br]Let me introduce you, Ray!
0:00:19.840,0:00:23.630
“Lockpicking in the IoT”, or
0:00:23.630,0:00:27.380
“Why adding a Bluetooth Low[br]Energy device sometimes
0:00:27.380,0:00:30.330
isn’t a great idea”. Here we go!
0:00:30.330,0:00:36.260
applause
0:00:36.260,0:00:42.760
Ray: Okay, so, welcome everybody[br]to “Lockpicking in the IoT”,
0:00:42.760,0:00:50.240
or the internet of things that were[br]never supposed to be on the internet.
0:00:50.240,0:00:57.340
Okay. There’s a small overview of what[br]we’re doing. I’ll introduce a little bit
0:00:57.340,0:01:05.019
what is this about, show you some hardware[br]porn – for the hardware lovers among you –
0:01:05.019,0:01:11.000
then look a bit deeper in the PCBs of that[br]hardware – for the electronics guys –
0:01:11.000,0:01:15.160
then we look into communication on[br]the internet – this is this modern thing
0:01:15.160,0:01:18.740
everybody wants to have in his coffee[br]machine – and then we go for
0:01:18.740,0:01:24.500
the wireless interface, and see[br]how difficult or not difficult it is
0:01:24.500,0:01:30.530
to attack them. And last but not least[br]we will look into Android app hacking
0:01:30.530,0:01:36.030
– I have to say I’m mainly focusing on[br]Android but I’m pretty sure if you’re more
0:01:36.030,0:01:41.490
the Apple guy there are similar techniques[br]available to go for your Apple app.
0:01:41.490,0:01:46.439
But for most devices there’s both[br]– so even if you’re using iOS you can hack
0:01:46.439,0:01:52.479
the Android app to get the infos.[br]And then the talk is over. Okay.
0:01:52.479,0:01:58.729
The very important thing first: the[br]disclaimer. Basically I want to say
0:01:58.729,0:02:03.380
I just tested this on my locks, I don’t[br]say it’s working on everything,
0:02:03.380,0:02:08.320
I don’t say it’s a general mistake by[br]somebody, might have changed,
0:02:08.320,0:02:14.160
I might be wrong, I just[br]show my research. Okay.
0:02:14.160,0:02:20.090
This is basically what we’re talking[br]about. We have some kind of
0:02:20.090,0:02:24.730
smart or not-so-smart device which is[br]talking over Bluetooth Low Energy
0:02:24.730,0:02:30.940
to your smart, or not-so-smart phone.[br]Which is usually talking, using TLS
0:02:30.940,0:02:36.620
and HTTP to the ‘Cloud’.
0:02:36.620,0:02:39.870
So it’s not just locks. The talk is called[br]“Lockpicking” because that’s the thing
0:02:39.870,0:02:43.120
we’re actually going to attack. But[br]the techniques here shown work
0:02:43.120,0:02:46.000
for basically all of these[br]Bluetooth Low Energy devices.
0:02:46.000,0:02:51.370
There are e.g. different light bulbs.[br]I found some interesting reports
0:02:51.370,0:02:55.530
on light bulbs that don’t use[br]any form of authentication.
0:02:55.530,0:02:58.329
So you can connect to your neighbor’s[br]light bulb and change a color, or
0:02:58.329,0:03:01.970
turn it on or off. So, finally,[br]Blinkenlights in your neighborhood!
0:03:01.970,0:03:03.640
mumbles and laughter
0:03:03.640,0:03:07.639
Then of course there’s cars. Everybody’s[br]talking about cars today. I just heard
0:03:07.639,0:03:11.709
a talk about cars. They’re not really[br]using Bluetooth Low Energy.
0:03:11.709,0:03:14.310
But still they use an app and are[br]controlled over the internet, so,
0:03:14.310,0:03:19.099
it’s kind of on-topic. Then there’s[br]vibrators. I mean, unsafer cyber sex
0:03:19.099,0:03:24.580
never has been easier. Actually I don’t[br]have one of those, so, if anybody has,
0:03:24.580,0:03:30.120
please bring one over to play with it.[br]But I’m pretty sure they have high-class
0:03:30.120,0:03:33.290
security. laughter[br]And then there’s button pushers.
0:03:33.290,0:03:38.769
I just learned of that yesterday and[br]I thought “WTF, a button pusher!?”
0:03:38.769,0:03:42.039
laughter
0:03:42.039,0:03:48.770
applause
0:03:48.770,0:03:51.810
This is a Bluetooth Low Energy device[br]which you can communicate to and
0:03:51.810,0:03:54.879
make it press a button. Here it’s pressing[br]the Delete key on my notebook.
0:03:54.879,0:03:59.570
So finally I have a Bluetooth LE[br]enabled Delete key on my notebook.
0:03:59.570,0:04:02.880
laughter[br]Very, very helpful. Of course, if you
0:04:02.880,0:04:07.210
add that to your door opener at home[br]you can do it again – lockpicking.
0:04:07.210,0:04:10.410
We haven’t hacked that yet because[br]I just saw it yesterday but it didn’t look
0:04:10.410,0:04:15.129
very encrypted. It has some secret, some[br]shared string, we didn’t understand.
0:04:15.129,0:04:20.708
But possibly this congress[br]we will look into it.
0:04:20.708,0:04:23.870
Okay, then there’s cars. I’m not[br]sure, who read this message that
0:04:23.870,0:04:29.850
Tesla had a big app hack? Nobody? Oh.[br]I thought, everybody read it because
0:04:29.850,0:04:35.779
it even was on Heise. And it obviously is[br]a very big vulnerability, Elon Musk has
0:04:35.779,0:04:39.940
to get better on this and[br]everybody’s stealing these things…
0:04:39.940,0:04:47.260
how are they called…[br]oh yeah, these ‘smart cars’.
0:04:47.260,0:04:50.750
And they even have colors! So who[br]wouldn’t want to steal one of those?
0:04:50.750,0:04:53.760
laughter
0:04:53.760,0:04:59.130
The bad news is actually that wasn’t[br]really a hack. What they showed is
0:04:59.130,0:05:03.980
that the app is able to start the car.[br]That’s in the manual.
0:05:03.980,0:05:09.599
So what they told is: “Yeah, but if I hack[br]your phone I can start your car!”
0:05:09.599,0:05:13.790
Then they realized, “Oh, you also need the[br]password because for starting the car
0:05:13.790,0:05:17.760
the app actually asks for the password[br]again.” – “Yeah but if I hack your phone
0:05:17.760,0:05:21.070
I can install a fake app that asks for[br]the password; and if you enter it
0:05:21.070,0:05:24.740
I can steal your car!” – Oh, surprise![br]laughter
0:05:24.740,0:05:27.979
I mean this is not the kind of hacking[br]we’re talking about. And they then
0:05:27.979,0:05:32.900
suggested the app should be more[br]protected against reverse engineering.
0:05:32.900,0:05:38.800
What would that change in this aspect?[br]I can create a fake app without even
0:05:38.800,0:05:42.839
decompiling the original one. So,[br]of course if you don’t have security
0:05:42.839,0:05:46.440
on your phone working, if you install[br]apps that are not secure your data
0:05:46.440,0:05:50.980
is not secure, and your Teslas get stolen.[br]But I didn’t see anything in this ‘hack’
0:05:50.980,0:05:56.620
actually being a hack.[br]So, while talking about…
0:05:56.620,0:06:01.180
applause
0:06:01.180,0:06:04.029
Spare your applause for this one!
0:06:04.029,0:06:08.280
Talking about obfuscation. That’s really[br]a thing some people understand differently
0:06:08.280,0:06:13.520
than I do. I try to say [to] people:[br]“security by obscurity does not work!”
0:06:13.520,0:06:18.080
So if you obfuscate your app, possibly[br]it slows down researchers like us.
0:06:18.080,0:06:22.099
But the people doing that for money, who[br]want to sell exploits, they will still put
0:06:22.099,0:06:26.349
the energy into it. And sell their[br]exploits even more expensive.
0:06:26.349,0:06:30.150
And the exploit will even be longer out[br]there because the independent researchers
0:06:30.150,0:06:34.370
won’t find the vulnerabilities that fast.[br]The idea is: good crypto does not have
0:06:34.370,0:06:39.890
to be secret to be secure. So, no, please[br]don’t obfuscate your apps better.
0:06:39.890,0:06:44.630
Build your protocols better. But as said[br]before I didn’t see any aspects there
0:06:44.630,0:06:48.490
in Tesla. Possibly they should make it[br]obvious that you can start the car with it
0:06:48.490,0:06:50.781
and make it ‘disableable’, and[br]what… things like that, but
0:06:50.781,0:06:55.230
it’s not a security issue. Okay.
0:06:55.230,0:06:59.880
So let’s go back to locks. Because,[br]actually the talk is called “Lockpicking”.
0:06:59.880,0:07:03.520
So what do these smart locks usually do?[br]Of course they can be opened.
0:07:03.520,0:07:07.740
Usually your… with your phone near your[br]lock you put something on the lock
0:07:07.740,0:07:11.290
and communicate – the lock opens.[br]Optionally you have to press
0:07:11.290,0:07:16.091
something on the phone, so it’s[br]a 2-step process to unlock,
0:07:16.091,0:07:20.070
which is actually a quite good idea[br]because of some obvious scenarios
0:07:20.070,0:07:24.010
which will work otherwise. Then – and[br]this is different from normal locks –
0:07:24.010,0:07:27.700
they can be shared to friends. It’s[br]a big feature. They try to convince you
0:07:27.700,0:07:31.880
why these smart locks are so smart.[br]When I’m not at home I can send
0:07:31.880,0:07:35.590
somebody the code, and give him the[br]possibility to open my bike shed
0:07:35.590,0:07:41.360
for just one hour. Because I can, of[br]course, revoke that at time restrictions.
0:07:41.360,0:07:44.770
So that’s what the big advantage is,[br]compared to a traditional lock.
0:07:44.770,0:07:49.460
Except, of course, it’s to be much more[br]secure because you can’t pick it anymore.
0:07:49.460,0:07:53.260
And then those obviously have some[br]failsafe mode in case your phone breaks
0:07:53.260,0:07:57.330
and whatever. You can enter a click code,[br]and can enter a code by some buttons
0:07:57.330,0:08:01.770
or something to open it without the[br]phone. But that is nothing we’re going
0:08:01.770,0:08:08.830
to look into today. So from these basic[br]ideas, of course, there come some basic
0:08:08.830,0:08:12.390
attack vectors. What I could[br]try to do: I could try to bypass
0:08:12.390,0:08:18.600
the sharing restrictions. So possibly[br]go in a different time window.
0:08:18.600,0:08:21.320
I could change the time on my phone,[br]probably. Would that work?
0:08:21.320,0:08:25.210
Things like that. Open the lock after[br]it was revoked. Of course then
0:08:25.210,0:08:28.250
that’s what everybody thinks about when[br]talking about Bluetooth: I could try
0:08:28.250,0:08:32.830
to get the keys. From sniffing[br]somebody’s Bluetooth LE connection.
0:08:32.830,0:08:37.720
That’s something we’re going to do today.[br]Then this is what I was talking about
0:08:37.720,0:08:41.610
why the ‘2-button-press’ is a good idea.[br]You could relay opening codes.
0:08:41.610,0:08:45.010
If you have the ‘instant-open’ feature[br]I could approach you, pretend to be
0:08:45.010,0:08:48.550
your lock, your phone sends me an OPEN[br]command, I could relay it to your lock,
0:08:48.550,0:08:52.560
completely somewhere else, and it would[br]open. So I think this is something
0:08:52.560,0:08:56.890
you can’t really stop except with[br]some very tricky mechanisms.
0:08:56.890,0:09:01.511
Possibly ‘timing’ or some… things like[br]that. So this ‘instant open’ feature
0:09:01.511,0:09:07.390
is possibly not the best idea. Then[br]we have the option to attack the lock
0:09:07.390,0:09:13.640
or app software directly. I mean, it’s[br]software. So it will have buffer overflows.
0:09:13.640,0:09:18.240
It might have other weaknesses. It could[br]just not verify some things. If I tell
0:09:18.240,0:09:21.960
I’m another person - does it really check[br]if I have the rights, and everything?
0:09:21.960,0:09:26.890
But this is something – I think the only[br]thing – I don’t have in this talk today.
0:09:26.890,0:09:33.290
Because the other methods[br]worked already. Okay.
0:09:33.290,0:09:38.340
Going to look at the hardware.[br]So, basically, if you’re
0:09:38.340,0:09:43.030
a lockpicker or some other reverse-[br]engineer, if you get a new hardware
0:09:43.030,0:09:45.830
you want to take it apart. If you[br]can’t take it apart, you can’t open it
0:09:45.830,0:09:49.980
you don’t own it. And here’s – if you[br]want to do it yourself – these tips
0:09:49.980,0:09:54.720
how to open it. The NOKE is very nicely[br]built. When you have legally or
0:09:54.720,0:09:58.470
legitimately unlocked your NOKE you can[br]disassemble it without doing any damage
0:09:58.470,0:10:03.040
to it. [You] just need a screw driver and[br]it completely comes apart. Very nice design.
0:10:03.040,0:10:06.720
The Master Lock – you have to[br]drill out 4 rivets. This is a bit sad
0:10:06.720,0:10:11.251
because after that it won’t be a very good[br]lock anymore. But it’s not a problem
0:10:11.251,0:10:15.750
because it isn’t before,[br]from my experience.
0:10:15.750,0:10:20.762
applause and some laughter
0:10:20.762,0:10:25.090
And then there’s the Dog & Bone lock,[br]which is a lock I just got recently.
0:10:25.090,0:10:28.690
It’s a little bit tricky to open but you[br]don’t have to do a lot of damage.
0:10:28.690,0:10:32.360
If you have it opened you can pull out[br]a pin in the back – thank Jan (?)
0:10:32.360,0:10:36.130
for finding that out. And then you can[br]remove screws and it really comes apart
0:10:36.130,0:10:40.420
nicely. So how do these locks[br]look, now? This is the NOKE.
0:10:40.420,0:10:45.590
So basically you see a PCB, you[br]see a normal lock body like here,
0:10:45.590,0:10:49.721
with a shackle. There’s a motor at the[br]PCB. The motor turns some locking element
0:10:49.721,0:10:53.260
in here. And if it’s in the right position[br]the lock opens. For the NOKE there’s
0:10:53.260,0:10:59.080
a very nice paper by the SSDeV member[br]Michael Hübler. I have a link at the end
0:10:59.080,0:11:05.900
of the presentation.[br]And neither he nor me did find
0:11:05.900,0:11:11.540
any mechanical bypasses for that lock.[br]So the mechanics look okay.
0:11:11.540,0:11:15.680
Then there’s the Master Lock. It is very[br]similar, but I have to say they invented
0:11:15.680,0:11:20.890
this mechanism with the motor in this[br]locking element first. It has 4 buttons
0:11:20.890,0:11:26.640
on the PCB which you can use to enter[br]a code. Has 2 CPUs, pretty standard design.
0:11:26.640,0:11:31.600
And here are the rivets you have[br]to drill out to make it open.
0:11:31.600,0:11:36.670
The Dog & Bone is a little bit more[br]clumsy. It’s a bigger lock. It comes apart
0:11:36.670,0:11:41.900
in quite some pieces. What I really liked[br]was that motor with that gear box. I think
0:11:41.900,0:11:47.360
it’s like 1:2000 or something. So it[br]really gets a lot of power from the
0:11:47.360,0:11:53.780
very small motor. So what does it do with[br]it? It turns this element, and this element
0:11:53.780,0:11:59.260
retracts these 2 spring loaded locking[br]elements which are locking the shackle.
0:11:59.260,0:12:05.100
If you’re a lockpicker you will ask:[br]“Spring loaded? Seriously?
0:12:05.100,0:12:09.550
Have you ever heard about the term[br]‘Shimming a lock’?” ‘Shimming a lock’
0:12:09.550,0:12:16.180
is inserting some metal at the shackle,[br]and pushing back the springs.
0:12:16.180,0:12:22.550
It’s a very standard method for padlocks[br]in the 5 Dollar range, I would say.
0:12:22.550,0:12:26.670
Locks starting at 10..15 Dollars[br]or Euros or whatever, in that area
0:12:26.670,0:12:32.340
usually can’t be shimmed anymore.[br]When I opened the Dog & Bone lock
0:12:32.340,0:12:36.010
I instantly realized: it’s[br]spring loaded, it is shimmable.
0:12:36.010,0:12:40.480
A short search on Google[br]found out that Mr. Locksmith,
0:12:40.480,0:12:43.460
a lockpicker from the U.S. who[br]does some good Youtube videos,
0:12:43.460,0:12:48.040
found [that] out months before.[br]And of course, it’s shimmable!
0:12:48.040,0:12:52.250
You put in some thin metal sheets[br]– he built them from a cutaway
0:12:52.250,0:12:56.190
of a soda can, puts them[br]in and the lock opens.
0:12:56.190,0:13:01.520
But this is not a 5 Dollar lock. This is[br]an 80..100 Dollar Bluetooth padlock.
0:13:01.520,0:13:05.990
And you shim it with cut metal.[br]Okay. No need to go into
0:13:05.990,0:13:11.520
the Bluetooth Low Energy for that one.[br]laughter
0:13:11.520,0:13:15.591
And, as a small teaser: I also didn’t[br]say there’s no mechanical bypass
0:13:15.591,0:13:18.860
for the Master Locks. But[br]we’ll come back to that.
0:13:18.860,0:13:22.270
Okay. The electronics. This is the[br]electronics of the NOKE. Basically
0:13:22.270,0:13:26.240
you see there’s one CPU, and something[br]that’s called an ‘H bridge’ which is
0:13:26.240,0:13:31.570
used to control a motor. All the rest[br]is pretty standard electronics, so,
0:13:31.570,0:13:36.790
very simple design.[br]The Master Lock has 2 CPUs,
0:13:36.790,0:13:41.871
has the buttons on the PCB,[br]also quite simple electronics.
0:13:41.871,0:13:45.790
And this is the MCUs. The interesting[br]thing I see is there’s a very common chip.
0:13:45.790,0:13:50.470
It’s the Nordic nRF51822.[br]I find it basically everywhere.
0:13:50.470,0:13:54.250
It’s in light bulbs, it’s[br]in 3 of the locks I have here.
0:13:54.250,0:13:58.279
Or 4, if you count the Ivation[br]and Nathlock [not] as the same.
0:13:58.279,0:14:01.460
Only the Master Lock[br]uses MSP430, which is…
0:14:01.460,0:14:08.600
The nRF is a… basically ARM core.[br]The MSP430 is a much smaller chip,
0:14:08.600,0:14:13.029
it’s from Texas Instruments, and it’s[br]a very low power consumption chip.
0:14:13.029,0:14:18.660
It was also used in the previous[br]non-Bluetooth LE electronic lock.
0:14:18.660,0:14:22.500
But it’s basically also a normal[br]microcontroller, and you can program it.
0:14:22.500,0:14:27.279
So, program it. That means you can[br]just use any ARM Flash board.
0:14:27.279,0:14:32.460
I used the ST-Link interface from an[br]STM32 dev board we had in our hackerspace.
0:14:32.460,0:14:38.180
And interfaced it to the chip[br]of the NOKE padlock here.
0:14:38.180,0:14:41.900
So e.g. using OpenOCD, but…[br]there are different tool chains (?) but
0:14:41.900,0:14:46.710
this is one where you find some info on[br]the internet, how to use it with the nRF.
0:14:46.710,0:14:50.200
Using OpenOCD you get an[br]interface to connect to the chip,
0:14:50.200,0:14:54.540
and then you can issue commands[br]like ‘Probe the Flash in it’;
0:14:54.540,0:14:58.330
you could read the Flash, you[br]could write a new firmware to it,
0:14:58.330,0:15:01.820
and stuff like that.
0:15:01.820,0:15:06.200
With the old Master dialSpeed padlock[br]which is pre-Bluetooth-LE but
0:15:06.200,0:15:10.600
already electronic, a few years ago,[br]I think 4 years ago we presented
0:15:10.600,0:15:14.380
about that one, that was not read[br]protected, you could change the firmware,
0:15:14.380,0:15:18.470
you could actually get the codes from[br]reading the flash, and you could access
0:15:18.470,0:15:22.400
the Flash content without opening[br]the lock. So that was really funny.
0:15:22.400,0:15:25.540
Not usable as a lock, but I re-flashed[br]it to a Simon Says style game where
0:15:25.540,0:15:30.790
you have to repeat the sequence it shows[br]you. Funny lock for your hackerspace.
0:15:30.790,0:15:33.310
Unfortunately, or fortunately…[br]No, I would say ‘unfortunately’,
0:15:33.310,0:15:36.810
the NOKE firmware was read protected.[br]Because there’s no need for it.
0:15:36.810,0:15:40.370
The NOKE firmware Flash ports can’t[br]be accessed without opening the lock.
0:15:40.370,0:15:44.180
So you don’t lock somebody out[br]by read protecting it, except for
0:15:44.180,0:15:48.040
the legitimate owner. But okay, it was[br]read protected, and I was saying: “Oh,
0:15:48.040,0:15:52.040
decompiling firmware, that’s hard[br]work anyway, let’s skip that one.”
0:15:52.040,0:15:55.149
But of course you could use these flash[br]interfaces to write own firmwares
0:15:55.149,0:15:58.710
to these locks. Possibly make them open[br]source one day. Or do something else.
0:15:58.710,0:16:03.050
Or just use them as cool dev[br]boards. With some actors on it.
0:16:03.050,0:16:08.560
So, let’s go for the first[br]interesting thing, I would say.
0:16:08.560,0:16:13.570
The communication with the ‘Cloud’.
0:16:21.900,0:16:24.870
So your phone speaks to some servers[br]which is provided by the vendor
0:16:24.870,0:16:30.120
of your hardware usually. And[br]it’s usually a TLS encrypted link
0:16:30.120,0:16:36.140
using HTTP. Over this link the application[br]on your phone sends login data,
0:16:36.140,0:16:39.980
gets back from the cloud the information[br]about the lock. So you can install
0:16:39.980,0:16:42.820
your app on a new phone, enter your[br]login credentials and instantly use
0:16:42.820,0:16:47.380
all your locks. Or the locks that were[br]shared to you. Usually these apps also
0:16:47.380,0:16:51.040
send events to the cloud, when you open[br]your locks. So if you share the lock
0:16:51.040,0:16:55.170
with someone you can see on your other[br]phone that he opened it, and possibly
0:16:55.170,0:16:59.710
where he opened it. And things like that.[br]And of course also data is edited,
0:16:59.710,0:17:04.670
if you add a new code to it or something.[br]So this is sent over the link.
0:17:04.670,0:17:09.189
So, some people would say: “Oh,[br]but TLS encryption is secure, isn’t it?”
0:17:09.189,0:17:13.049
Of course, usually it is. There are flaws[br]which you hear about from time to time
0:17:13.049,0:17:17.089
at these conferences. But that’s not the[br]problem here. The problem is – but
0:17:17.089,0:17:20.540
it’s not a problem, it’s nice for us[br]researchers – you own the phone
0:17:20.540,0:17:25.699
with the app. You control the app. You can[br]even modify the app. But owning the phone
0:17:25.699,0:17:29.890
you control the TLS trust store,[br]with the certificate authorities. So
0:17:29.890,0:17:35.770
you can install a new CA and trust your[br]own servers. People could try to
0:17:35.770,0:17:39.700
prevent this using key pinning in the app.[br]But, again, you also control the app.
0:17:39.700,0:17:43.559
You can change the app, you can remove[br]the key pinning. So, basically, breaking
0:17:43.559,0:17:47.650
into this TLS is something the vendor[br]has to expect. It’s your device,
0:17:47.650,0:17:51.940
it’s your communication. You can[br]listen to it. So, and the nice thing
0:17:51.940,0:17:55.530
– and this is what I’m trying to tell all[br]of you here in this talk – these things
0:17:55.530,0:17:58.840
are not difficult. There are nice[br]available tools; and if you have some apps
0:17:58.840,0:18:03.520
which do some things you want to know –[br]install such a tool, watch your app doing
0:18:03.520,0:18:07.600
transferring data, and look what your[br]apps actually communicate. Actually it’s
0:18:07.600,0:18:11.890
quite interesting to see what your phone[br]communicates to Google all the time.
0:18:11.890,0:18:15.530
I realized it: one of these apps is[br]telling Facebook when I started,
0:18:15.530,0:18:21.760
every time. What the Fuck?? But you easily[br]see it. What you do is you install e.g.
0:18:21.760,0:18:25.620
mitmproxy, it’s a small hell of Python[br]dependencies, but it’s usually installable
0:18:25.620,0:18:29.220
on a Linux, and even on a Mac machine.[br]Haven’t tried it on Windows but
0:18:29.220,0:18:33.240
I’m pretty sure there’s options for that.[br]And you install it as a web proxy, so,
0:18:33.240,0:18:37.630
you change the internet connection of your[br]phone, and say: “Oh, this Wi-Fi has to use
0:18:37.630,0:18:43.580
a proxy, enter the IP of your proxy…”[br]And mitmproxy creates fake certificates
0:18:43.580,0:18:47.410
on the fly. So whatever side you access[br]it creates a new certificate looking
0:18:47.410,0:18:52.000
the same, signs it with the fake CA, and[br]you can install the fake CA just
0:18:52.000,0:18:55.770
by going to http://mitm.it/[br]So, man-in-the-middle it.
0:18:55.770,0:18:59.180
And there’s a link to install a fake CA[br]on your phone. So that’s actually really
0:18:59.180,0:19:03.640
[done] in, like, 5..10 minutes, with[br]compiling of the Python stuff 15 minutes,
0:19:03.640,0:19:07.400
and you have a working man-in-the-middle[br]setup and can watch your communication.
0:19:07.400,0:19:11.390
This is what the app looks like. So[br]we see here a few POST requests
0:19:11.390,0:19:17.130
to the NOKE app. We get replies;[br]actually we see funny 403’s here.
0:19:17.130,0:19:21.250
I’m not sure why it’s doing that. But[br]okay. But this is what the NOKE app
0:19:21.250,0:19:25.160
does on startup. And of course we can[br]not just see the requests, we can look
0:19:25.160,0:19:30.180
into the request itself. And it’s e.g.[br]a good way to recover your password.
0:19:30.180,0:19:34.600
Possibly I should have blurred it here.[br]So if you have forgotten your password
0:19:34.600,0:19:38.530
you just sniff your communication. It[br]also works for your Play Store password,
0:19:38.530,0:19:43.460
usually. Usually they use a token[br]but sometimes it’s renewed.
0:19:43.460,0:19:46.710
So every app that has a password[br]and sends it to the cloud – you can
0:19:46.710,0:19:53.370
recover it with that. And from[br]this login you get data back.
0:19:53.370,0:19:57.280
And in the NOKE app it’s[br]usually done like I send
0:19:57.280,0:20:00.050
login, with user and password,[br]and I get a token back.
0:20:00.050,0:20:02.920
And then for all following requests[br]I just have to send this token, and
0:20:02.920,0:20:08.530
then I’m authenticated. So that’s[br]an okay mechanism I would say.
0:20:08.530,0:20:11.460
So. What do we get also? We[br]have a GETLOCKS key, and
0:20:11.460,0:20:15.080
when we call ‘getlocks’ we get[br]the information about our locks.
0:20:15.080,0:20:18.580
So this basically is an ID of the lock.[br]This is a lock key. There’s something
0:20:18.580,0:20:22.100
to remember: 0137 – we’ll see that later.
0:20:22.100,0:20:25.200
You see the MAC of the lock,[br]you see a picture URL
0:20:25.200,0:20:29.001
where the application shows me[br]the lock – if I have multiple locks
0:20:29.001,0:20:34.059
I can assign different pictures[br]to it. And this is a quick open code
0:20:34.059,0:20:37.110
where I can push on the[br]shackle to open this lock.
0:20:37.110,0:20:40.590
So this is all no hacking because[br]this data I’m supposed to know.
0:20:40.590,0:20:44.240
It’s my lock, I can know the information,[br]then it’s not a big problem.
0:20:44.240,0:20:47.870
But it’s interesting to see what it’s[br]doing to understand how it’s working.
0:20:47.870,0:20:50.880
Then we have the next[br]thing, the ‘shared locks’.
0:20:50.880,0:20:55.690
This is more interesting, possibly because[br]I see: “Oh, I’m allowed to use it all day,
0:20:55.690,0:20:59.170
starting at that day,[br]starting at that time,
0:20:59.170,0:21:03.990
ending at that date, at that time”.[br]And this lock has a key,
0:21:03.990,0:21:08.470
and there’s another key.[br]And another MAC.
0:21:08.470,0:21:12.760
So, the nice thing is, the[br]lock does not have a time.
0:21:12.760,0:21:16.580
The lock does not know[br]when I’m allowed to open it.
0:21:16.580,0:21:21.520
So all I need is this key. And the nice[br]thing also is I don’t have to manipulate
0:21:21.520,0:21:27.050
the app in any way. I can use Mitmproxy[br]to change the data on the fly.
0:21:27.050,0:21:33.260
So I just tell Mitmproxy,[br]please change 2016 to 2066,
0:21:33.260,0:21:36.830
then the reply comes back, and then the[br]NOKE app thinks “Oh, he’s still allowed
0:21:36.830,0:21:42.420
to use that”. Of course the NOKE people[br]were clever and do an online check.
0:21:42.420,0:21:47.160
Which actually means you can only[br]unlock a lock if you have a shared lock.
0:21:47.160,0:21:50.640
Your own lock you can use offline. But a[br]shared lock you can only use when you
0:21:50.640,0:21:55.470
have internet. Not good if it’s the cellar[br]or something. But it does an online check,
0:21:55.470,0:22:01.610
it asks: “Can unlock?” and the cloud[br]answers: “Yes, success, can unlock”.
0:22:01.610,0:22:06.920
Of course I can also fake that! So this[br]is completely bogus; it’s unnecessary
0:22:06.920,0:22:09.920
to be online. I could do it offline. If[br]I want to hack the lock I can do it
0:22:09.920,0:22:14.510
in the cellar. Only the legitimate[br]user has to be online.
0:22:14.510,0:22:21.759
So the sharing feature of the NOKE already[br]is broken just with the Mitmproxy tool.
0:22:21.759,0:22:27.670
Really, that’s not big hacking. They[br]could have thought about that. But okay.
0:22:27.670,0:22:33.580
So, once somebody shares[br]a lock to you, a NOKE to you,
0:22:33.580,0:22:36.770
you have this key and you can[br]use this key from then forever on.
0:22:36.770,0:22:43.230
Using the original app. That’s the nice[br]thing. You don’t have to change it.
0:22:43.230,0:22:47.660
One thing which is positive about the[br]architecture here, the key that they use
0:22:47.660,0:22:51.750
for sharing is a different key than you[br]have to operate your lock. That means
0:22:51.750,0:22:56.860
with this sharing key I can not[br]modify the lock. I can’t re-key it,
0:22:56.860,0:23:02.050
or change the click code, or things[br]like that. So I just can open it.
0:23:02.050,0:23:06.890
And they have an option to change the[br]key of the lock. So I can go to my lock
0:23:06.890,0:23:12.299
and say “Re-key!”, and then they do a new[br]key. But for that I have to go to my lock.
0:23:12.299,0:23:16.030
So that’s nothing if I share the lock to[br]you from Congress, and the lock is
0:23:16.030,0:23:22.060
somewhere in… Salzburg! Then that[br]doesn’t work. So not really helping.
0:23:22.060,0:23:25.549
Possibly one time keys or something like[br]that would be a better option, or just
0:23:25.549,0:23:29.820
some challenge/response mechanism.[br]If you have to be online, why not.
0:23:29.820,0:23:34.390
But that’s something for the future.[br]Currently lock sharing is not very secure,
0:23:34.390,0:23:39.770
and I would advise you to keep that in[br]mind when you use the Sharing feature.
0:23:39.770,0:23:44.070
Oh, regarding dumping firmware: as I said[br]before a firmware was not dumpable
0:23:44.070,0:23:47.820
from the NOKE. The Dog & Bone I didn’t[br]even try to dump the firmware because
0:23:47.820,0:23:52.380
it was shimmable. But they sent me[br]a URL in the CONNECT where I can
0:23:52.380,0:23:58.510
download the firmware.[br]And if you… laughs
0:23:58.510,0:24:04.240
laughter and applause
0:24:04.240,0:24:07.381
Again, I don’t consider this[br]a vulnerability. I think if I own the lock
0:24:07.381,0:24:11.011
I should be allowed to read the firmware.[br]If you download that it’s an actual
0:24:11.011,0:24:15.340
hex dump of the firmware. It looks like[br]directly what you would flash on the chip.
0:24:15.340,0:24:17.980
So if you want to do some firmware[br]reverse engineering that’s a very easy
0:24:17.980,0:24:21.799
starting point to get the firmware from[br]the internet, disassemble it, play with it,
0:24:21.799,0:24:24.161
flash it possibly to your own dev[br]board without even owning the lock,
0:24:24.161,0:24:29.850
to play with it. Why not. Okay, so,[br]so much for the app communication.
0:24:29.850,0:24:33.780
You can do quite a lot with it already.[br]But we want to go a little deeper.
0:24:33.780,0:24:37.880
We want to go for the Bluetooth Low[br]Energy level. So the communication
0:24:37.880,0:24:44.400
between my phone and my lock.[br]Or my vibrator. Or whatever.
0:24:44.400,0:24:49.380
So Bluetooth Low Energy is newer, but[br]actually easier to sniff than Bluetooth.
0:24:49.380,0:24:53.240
There’s a talk called “With Low[br]Energy comes Low Security”
0:24:53.240,0:24:57.600
if you want to have an introduction to[br]that. You find it on Youtube. Basically,
0:24:57.600,0:25:02.460
it has 3 security modes. But the most[br]commonly used are NON and ADHOC
0:25:02.460,0:25:07.250
which is like almost none security. And[br]the third one would be pairing with a code
0:25:07.250,0:25:10.900
which is usually a 6-digit number.[br]If you listen to that pairing you also
0:25:10.900,0:25:16.130
own everything. This improved with[br]Bluetooth Low Energy 4.2, or Bluetooth 4.2
0:25:16.130,0:25:20.710
which includes a new Low Energy standard.[br]But this is not implemented very commonly
0:25:20.710,0:25:25.330
today, and won’t be in the[br]very near future. Because
0:25:25.330,0:25:30.110
not so many devices support it. So for now[br]Bluetooth Low Energy is an easy target
0:25:30.110,0:25:34.440
to get into research. There’s available[br]tools for it like the Ubertooth One
0:25:34.440,0:25:38.799
by Mike Ossmann. The Adafruit[br]BTLE sniffer for… very cheap.
0:25:38.799,0:25:42.510
And you can build your own one by flashing[br]a firmware available from Nordic
0:25:42.510,0:25:46.830
directly to any dev board[br]with this chip you have.
0:25:46.830,0:25:50.610
So this is the hackerspace entry point.[br]If you have this stuff lying around…
0:25:50.610,0:25:54.760
Otherwise I would recommend going[br]for the Adafruit Sniffer. It’s orderable
0:25:54.760,0:25:59.080
even in Europe, very easily.[br]So not a big problem.
0:25:59.080,0:26:03.090
But the very cheap option is:[br]get a 3..5 Euros dev board
0:26:03.090,0:26:06.590
like this from China,[br]use your STM32 programmer.
0:26:06.590,0:26:10.220
I have another board here which is[br]a serial interface. But you could use
0:26:10.220,0:26:15.429
your normal FTDI USB-to-Serial,[br]also. And then this board
0:26:15.429,0:26:21.560
is identical to the Adafruit Bluetooth[br]LE Sniffer, for like 5 bucks.
0:26:21.560,0:26:26.320
Okay. Talking about this research.[br]This is nothing nobody did before.
0:26:26.320,0:26:31.160
Somebody like e.g. Rose & Ramsey did it at[br]DEF CON and presented quite a nice talk
0:26:31.160,0:26:36.840
where he analyzed a lot of locks. He had[br]like 15 locks of it, and 12 of them broken.
0:26:36.840,0:26:40.639
So it was really plain text passwords[br]on the Bluetooth LE, for the Quicklock,
0:26:40.639,0:26:45.190
iBluLock, Plantraco Phantomlock.[br]I hope that’s correct.
0:26:45.190,0:26:49.330
I don’t claim that to be true. But he told[br][it] in the talk. He found replay attacks
0:26:49.330,0:26:53.860
on these locks. So you can just resend[br]the same code that you saw before,
0:26:53.860,0:26:57.190
even without understanding it. But he[br]stopped where it became interesting.
0:26:57.190,0:27:01.679
And instead of that posted[br]this slide. Which I hate.
0:27:01.679,0:27:07.090
He wrote about uncracked locks. And[br]the first one was the NOKE padlock.
0:27:07.090,0:27:11.590
And for the time line: at that point[br]I already had disclosed to NOKE
0:27:11.590,0:27:16.470
our findings. Which you will see today.[br]So the NOKE company knew about
0:27:16.470,0:27:20.720
the lock being completely broken on the[br]crypto layer [at that time]. But they see
0:27:20.720,0:27:24.210
this talk by Rose & Ramsey and post[br]a blog post: “NOKE just one of the few
0:27:24.210,0:27:30.460
Bluetooth locks to pass hacker testing”…[br]SERIOUSLY?? They were notified!
0:27:30.460,0:27:34.400
And they… we had active communication[br]about them changing the crypto protocol.
0:27:34.400,0:27:39.100
Possibly the social network people are[br]not so close with the technical people.
0:27:39.100,0:27:44.850
But okay. So, let’s crack it. Using the[br]Nordic Bluetooth LE sniffer firmware,
0:27:44.850,0:27:48.679
which is… unfortunately the easiest way[br]to use is on Windows. But you can use it
0:27:48.679,0:27:52.860
with Python also on Linux. And[br]Wireshark integration isn’t that nice…
0:27:52.860,0:27:58.030
So if you have a Windows, or Windows[br]VM it’s the more easy entry point.
0:27:58.030,0:28:01.770
Here you have a text interface where[br]you say: “I want to sniff to this device”,
0:28:01.770,0:28:05.100
then you get a lot of lot of lot of packets[br]here. Mostly ‘discovery, discovery, discovery’.
0:28:05.100,0:28:09.160
You have to look for the bigger packets.[br]This was a bigger packet with some payload,
0:28:09.160,0:28:14.210
and it contains a very long string[br]which looks completely random.
0:28:14.210,0:28:19.270
So I see from phone to NOKE there’s[br]random; from NOKE to phone there’s random.
0:28:19.270,0:28:25.450
Looks actually encrypted. And NOKE[br]is claiming they are using AES128.
0:28:25.450,0:28:29.170
So I didn’t even try to understand[br]what I see here because
0:28:29.170,0:28:33.350
if it’s AES encrypted you[br]won’t find any meaning in it.
0:28:33.350,0:28:37.380
So let’s put the sniffing aside for[br]a moment. We can’t sniff to the data.
0:28:37.380,0:28:41.429
We can get this communication off the air.[br]But for the NOKE we can’t do anything
0:28:41.429,0:28:47.780
with that. So let’s go for app hacking.
0:28:47.780,0:28:52.140
There are different approaches. One[br]– the easiest… not the easiest but
0:28:52.140,0:28:58.870
the first one we did –[br]is manipulating the apps.
0:28:58.870,0:29:03.610
So you can get an APK from your phone very[br]easily with ADB. You don’t have to have
0:29:03.610,0:29:08.450
a rooted device for that. You can just[br]enable Devel mode and copy the APK over.
0:29:08.450,0:29:11.780
There’s lots of tutorials on the internet[br]how to do it. It’s basically 3 calls
0:29:11.780,0:29:17.090
on the shell. And those APKs can easily[br]be disassembled with a tool like SMALI.
0:29:17.090,0:29:21.290
You can change things in it, like[br]a URL. You can change values.
0:29:21.290,0:29:25.919
Then you can re-assemble it, self-sign it,[br]and put it again on your phone.
0:29:25.919,0:29:29.590
One thing you can do with that is[br]change the app to use a different URL
0:29:29.590,0:29:34.280
for its communication. And that’s actually[br]quite a nice idea. Because we saw before
0:29:34.280,0:29:37.500
we can completely understand this[br]protocol. It’s not a complicated protocol.
0:29:37.500,0:29:40.710
It’s sending some requests, and it’s[br]getting some JSON responses. I can
0:29:40.710,0:29:45.070
write this in a Python script with a few[br]100 lines, and fake their server.
0:29:45.070,0:29:50.860
So I actually could run my NOKE lock – if[br]it would be having good crypto, but okay –
0:29:50.860,0:29:55.020
on my own server. Not connected to their[br]cloud, but build my own NOKE app and
0:29:55.020,0:30:01.039
have it communicate with my NOKE server.[br]Why not. Possibly in the far future
0:30:01.039,0:30:04.630
NOKE doesn’t exist anymore, who knows?[br]It happened before to other companies:
0:30:04.630,0:30:08.380
the servers are gone – your hardware is[br]gone. If you understand the protocol,
0:30:08.380,0:30:11.370
if you have sniffed it before you can[br]reimplement it and continue using
0:30:11.370,0:30:15.820
your hardware. Except for that I wouldn’t[br]like to have my locks in the cloud!
0:30:15.820,0:30:19.520
We actually used this method during[br]the analysis of the NOKE lock
0:30:19.520,0:30:23.260
to change a random number generator[br]in the app to always return ‘42’.
0:30:23.260,0:30:27.500
Thanks to Sec for that one. He did[br]a binary patch on the MIPS binary on it.
0:30:27.500,0:30:31.980
We just put it in and had a nice[br]random number to spot it easier
0:30:31.980,0:30:37.870
on the communication. The other thing[br]is you can decompile these app APKs.
0:30:37.870,0:30:42.340
You get it, again with ADB. Run it through[br]a decompiler like Jadx which you can
0:30:42.340,0:30:45.880
install on your PC. You can download[br]it from GitHub. Or if you just want
0:30:45.880,0:30:50.269
an easy decompile you go to[br]an online decompilation service.
0:30:50.269,0:30:54.360
They say: “Please only use it for[br]legitimate purposes”, but we do!
0:30:54.360,0:31:00.460
And yesterday Sec was very annoyed[br]by the Adblocker blocker they have.
0:31:00.460,0:31:04.460
But if you ignore that then it’s[br]very easy to just upload an APK,
0:31:04.460,0:31:08.130
get back the source code. And then,[br]basically, you have Java source
0:31:08.130,0:31:15.520
which you can read, you can search,[br]you can grep… Oh! You can grep.
0:31:15.520,0:31:21.479
So. We were looking for AES![br]laughter
0:31:21.479,0:31:30.730
applause
0:31:30.730,0:31:34.809
Yeah, everybody is laughing at that[br]slide. But there’s 2 things to mention.
0:31:34.809,0:31:38.690
First of all this is not all of our[br]research. This is just the beginning.
0:31:38.690,0:31:42.670
Then it became difficult. The other[br]thing is this key of course is very silly.
0:31:42.670,0:31:47.270
They actually use 01 to 15[br]as an AES encryption key.
0:31:47.270,0:31:50.610
But if they would have used a real random[br]pre-shared key I still would have found it
0:31:50.610,0:31:55.080
that way. So, actually, it’s not really[br]less secure. It’s just possibly left over
0:31:55.080,0:31:59.820
from development. I have no idea[br]why you would use that key! But still
0:31:59.820,0:32:02.529
– even a better key, I would have found[br]it in the source code. Because it’s
0:32:02.529,0:32:06.770
a pre-shared key. The lock knows it.[br]The app knows it – has to know it
0:32:06.770,0:32:11.299
because it’s pre-shared. So, yeah…[br]But still it’s very funny that they have
0:32:11.299,0:32:15.880
this silly key in there. And we were[br]actually wondering quite a lot:
0:32:15.880,0:32:20.080
“Oh, but what blockchaining mode[br]do they use? How do they use AES?
0:32:20.080,0:32:24.020
Is there an initialization vector?”.[br]I don’t know.
0:32:24.020,0:32:29.210
Took us quite a while until we realized:[br]it’s simply just one block! If we use
0:32:29.210,0:32:34.740
that thing that we sniffed earlier[br]and just run one AES decryption
0:32:34.740,0:32:39.570
with the key 0001 etc. we get something
0:32:39.570,0:32:43.749
which includes our 42 numbers. Oh![br]Our ‘random’ numbers turn up!
0:32:43.749,0:32:48.590
How are the chances for that? No.[br]So, actually this key decrypted the thing
0:32:48.590,0:32:52.900
we got from the wire. So we thought:[br]“Success!” and NOKE is cracked!
0:32:52.900,0:32:56.160
Unfortunately it only worked for the[br]first 2 messages, and all we saw
0:32:56.160,0:32:59.550
in these 2 messages is our ‘random’[br]number, and in the answer
0:32:59.550,0:33:03.990
another obviously real random number,[br]because we didn’t patch the lock.
0:33:03.990,0:33:10.480
The next messages from that on[br]again were completely scrambled.
0:33:10.480,0:33:15.270
So we had to do some[br]more reverse-engineering.
0:33:15.270,0:33:20.909
Unfortunately, or fortunately – to make[br]it a little more interesting for us –
0:33:20.909,0:33:25.180
this APK from NOKE doesn’t[br]only include the Java source.
0:33:25.180,0:33:29.080
It has some shared object files.[br]So, binaries, which are compiled
0:33:29.080,0:33:34.160
with some other compiler, probably C.[br]Luckily those were in there for Android,
0:33:34.160,0:33:38.289
for multiple architectures. And one of[br]those – I don’t know who is using Android
0:33:38.289,0:33:44.249
on x86, but obviously it exists – so[br]we had all the libraries also in x86.
0:33:44.249,0:33:48.090
Which we could run through a commonly[br]available disassembler. I started doing
0:33:48.090,0:33:51.760
this object dump, and things (?) a little[br]bit. But it’s really hard to read, and
0:33:51.760,0:33:57.310
you don’t come so far with it. So,[br]big thanks again to Sec and to e7p
0:33:57.310,0:34:01.210
who helped me a lot during Easterhegg[br]this year, which was a quite nice event,
0:34:01.210,0:34:06.000
where we did some lock hacking. And they[br]were staring with me at IDA Pro dumps
0:34:06.000,0:34:11.639
all the time to find the key exchange,[br]and finally, it worked out.
0:34:11.639,0:34:16.460
So, all the assembler is very hard[br]to read, I think. But we see there’s
0:34:16.460,0:34:20.580
a parseCmd function we found.[br]Actually they had the labels in there!
0:34:20.580,0:34:23.540
Which again is not the vulnerability,[br]it just made it easier for us
0:34:23.540,0:34:29.530
to spot the stuff. I don’t think[br]that’s bad from them. It’s okay.
0:34:29.530,0:34:35.248
So we found this parseCmd. It actually[br]calls an AES decrypt function.
0:34:35.248,0:34:39.639
It gets a little bigger and bigger[br]and bigger. There we find
0:34:39.639,0:34:44.339
– I actually can’t read it from here very[br]good – this was the Create Session key.
0:34:44.339,0:34:49.329
This sounds very promising. It was[br]called ‘CreateSessionKey’. Hm.
0:34:49.329,0:34:54.409
Might have something to do with the things[br]we saw before. And it has this in a loop.
0:34:54.409,0:34:58.249
And this loop is actually something people[br]could understand if they can read some
0:34:58.249,0:35:03.339
x86 assembler. It’s a loop of[br]4 iterations. And it’s XORing values
0:35:03.339,0:35:09.490
from one array to another.[br]So it’s basically XORing 4 values.
0:35:09.490,0:35:14.029
And this is the core component of the key[br]exchange. This is the 4 byte numbers
0:35:14.029,0:35:20.320
that we saw earlier. My 42 42 42 42…[br]and the other one coming from the lock,
0:35:20.320,0:35:25.440
are XORed together, and then there’s[br]some more magic done. So basically
0:35:25.440,0:35:29.380
the app sends a random number to the lock,[br]the lock sends a random number to the app.
0:35:29.380,0:35:34.430
And from that there’s a session[br]key calculated by adding XOR
0:35:34.430,0:35:40.299
of these 2 numbers to the[br]middle of the original key.
0:35:40.299,0:35:45.200
So you have this original[br]key which we saw before.
0:35:45.200,0:35:49.140
And you add this result onto it. So.
0:35:49.140,0:35:54.410
We saw from the app our 42 44 42.[br]Of course if you have the real app
0:35:54.410,0:35:58.799
running that would be still real random.[br]But this doesn’t make a difference.
0:35:58.799,0:36:01.950
It just was easier for us to see[br]it’s the same every time, so…
0:36:01.950,0:36:06.450
It helped a little bit, but not too much.[br]So the lock sends the key, those 2 values
0:36:06.450,0:36:12.680
are XORed together; and then they are[br]added onto this silly pre-shared key.
0:36:12.680,0:36:17.329
I don’t know why they’re doing that![br]I mean, they could have at least added it
0:36:17.329,0:36:21.430
to different parts of it, and they[br]would have more entropy in it, or…
0:36:21.430,0:36:24.140
I’m not sure who sits in the cell and[br]does some coding, and thinks:
0:36:24.140,0:36:30.160
“This is a good key exchange!”?[br]You can’t really look into these minds.
0:36:30.160,0:36:34.260
But okay, so, we can do something[br]in our head. We see here is 0xFD,
0:36:34.260,0:36:39.069
we add 0x05 to it. So it rolls over. This[br]is why here’s the Modulo operation.
0:36:39.069,0:36:43.609
And get the 0x02. We have 0xBB[br]here. We add 0x06 to 0xBB.
0:36:43.609,0:36:48.900
If you can calculate hex you see it comes[br]to 0xC1. Etc. So everything that changed
0:36:48.900,0:36:55.660
in the key is the middle 4 bytes.[br]Which is actually another vulnerability.
0:36:55.660,0:37:00.220
Because it means even if for some reason,[br]which I really can’t imagine because
0:37:00.220,0:37:04.400
this exchange is done every time you[br]open your lock. It’s not something done
0:37:04.400,0:37:08.839
on the first time or done once per phone[br]or something. Every time somebody opens
0:37:08.839,0:37:12.440
this NOKE this whole sequence is run[br]through. It connects to the lock, sends
0:37:12.440,0:37:19.469
a random number, receives a random number,[br]the session key is calculated, and using
0:37:19.469,0:37:23.539
the new session key the rest of the[br]communication is done. But just in case
0:37:23.539,0:37:27.420
you did miss the first packets for some[br]reason: if you have a real attack scenario
0:37:27.420,0:37:31.089
where you can’t replay it it might happen[br]that it’s scrambled. Then it’s still
0:37:31.089,0:37:34.290
4 bytes changed in the key, so we can[br]brute-force the new key. By knowing
0:37:34.290,0:37:39.079
the old one and brute-forcing those[br]4 bytes. So I think that’s doable
0:37:39.079,0:37:43.390
on a modern machine without[br]bigger problem. So really,
0:37:43.390,0:37:47.809
not the cleverest key exchange.[br]But even if it would be better
0:37:47.809,0:37:51.059
it wouldn’t really help. Because there’s[br]no asymmetric crypto in it, there’s
0:37:51.059,0:37:54.869
nothing preventing us from following it.[br]If you exchange a session key
0:37:54.869,0:37:58.630
over a pre-shared secret, somebody[br]knowing the pre-shared secret
0:37:58.630,0:38:03.349
will always be able to follow it.[br]So, they have to do some big changes
0:38:03.349,0:38:08.250
there to make it proof against sniffing.
0:38:08.250,0:38:13.489
We have this new session key and of course[br]we have to verify what is happening.
0:38:13.489,0:38:18.870
We have the next message on our[br]wire. We’re decoding it with the new
0:38:18.870,0:38:21.819
– very cool – key we have. And we[br]get something that doesn’t look
0:38:21.819,0:38:25.849
completely random. We do it with multiple[br]ones and see some structure in it.
0:38:25.849,0:38:30.950
It’s always… strange guttural noises[br]I think I pasted the wrong thing here,
0:38:30.950,0:38:36.219
actually. Very sorry for that. You have[br]to imagine a different message here.
0:38:36.219,0:38:40.039
Encrypt that using that key and you[br]would see what would be up here.
0:38:40.039,0:38:44.279
But here would be this random we got[br]from the air. We de-crypt it with that,
0:38:44.279,0:38:49.869
and get this. And this dissects into an[br]op code which is always at the third byte.
0:38:49.869,0:38:53.640
And after the op code we actually see[br]the lock key which you remember from
0:38:53.640,0:38:58.589
one of the first slides – 013755 –[br]this is the key from my lock.
0:38:58.589,0:39:05.609
So we now got the key from the air,[br]and have full access to the lock.
0:39:05.609,0:39:08.249
Bad luck for NOKE.
0:39:08.249,0:39:16.430
applause
0:39:16.430,0:39:20.270
So 06 is just one of the op codes. When[br]you browse through the Java source
0:39:20.270,0:39:26.109
you see much more op codes that might[br]happen. So e.g. there’s the Rekey option
0:39:26.109,0:39:30.849
which you send to the lock, and the lock[br]starts to re-key to regenerate the key,
0:39:30.849,0:39:34.530
send back the new keys. You can[br]unlock – which is what we just saw.
0:39:34.530,0:39:38.910
Get the battery level. Set a new Quick[br]Opening Code. Can reset the lock.
0:39:38.910,0:39:42.890
Can do a firmware update. That looks[br]promising! I have the idea, we will see
0:39:42.890,0:39:48.770
this op code in the near future.[br]And you can enable ‘key fob’
0:39:48.770,0:39:52.640
which is a small device which you can[br]use to open the lock without a phone.
0:39:52.640,0:39:57.210
So you can send commands[br]to pair those, and add them,
0:39:57.210,0:40:00.789
and get locks of this (?). So this is just[br]a few, we haven’t played with all of them.
0:40:00.789,0:40:04.720
The SetQuickCode,[br]I think I sniffed a few…
0:40:04.720,0:40:09.260
Yeah, but that’s basically the things you[br]can do, and you can decode all of them
0:40:09.260,0:40:12.150
with the message shown before.
0:40:12.150,0:40:16.429
So some history of[br]the vendor notification.
0:40:16.429,0:40:20.099
We did this on the Easterhegg [2016].[br]Everybody knows Easterhegg is Easter.
0:40:20.099,0:40:23.440
So this was in April [2016].[br]Possibly it wasn’t
0:40:23.440,0:40:26.829
the best idea to send[br]them on April, 1st. But…
0:40:26.829,0:40:28.899
laughter
0:40:28.899,0:40:35.419
No, they replied and took it seriously. So[br]they actually very instantly told us they
0:40:35.419,0:40:39.369
like the research and everything.[br]They knew their crypto isn’t perfect,
0:40:39.369,0:40:42.469
but the product has to get out. And they[br]were working on a new protocol, they sent
0:40:42.469,0:40:47.579
a few details of that. We don’t have full[br]details so far, so we can’t really tell
0:40:47.579,0:40:52.709
if the new protocol is very good. But[br]it looked, from the idea, a little better.
0:40:52.709,0:40:57.200
They’re bringing out a Bike U-lock which[br]is not out yet. And it’s supposed to have
0:40:57.200,0:41:01.460
the new protocol from shipping.[br]We will see. A thing which I found
0:41:01.460,0:41:05.599
very funny is I downloaded a new [NOKE] app[br]in November, and it has a major update
0:41:05.599,0:41:10.550
in the screen: the ‘Rekey’[br]button is now hidden!
0:41:10.550,0:41:13.509
So, remember, that’s the only button[br]which saves you from someone
0:41:13.509,0:41:17.450
you shared a lock to, to lock him out.[br]So this button now is hidden.
0:41:17.450,0:41:21.200
Possibly not the best idea. Possibly[br]people weren’t understanding it.
0:41:21.200,0:41:25.079
But it can be enabled in the ‘Advanced[br]Settings’ menu. So, no problem.
0:41:25.079,0:41:28.680
But they just recently told me that[br]they’re planning to actually fix that
0:41:28.680,0:41:33.049
in January. So we’re actually[br]really in a Zeroday here.
0:41:33.049,0:41:37.540
So the locks are still vulnerable.[br]But 8 months, sorry… I…
0:41:37.540,0:41:41.960
the conference is now, we couldn’t[br]change that! laughter
0:41:41.960,0:41:53.450
Ray laughs[br]applause
0:41:53.450,0:41:58.299
If you use such a NOKE lock I still[br]want to say I like the hardware.
0:41:58.299,0:42:01.509
It’s quite a nice hardware. Possibly[br]write an open source firmware for it,
0:42:01.509,0:42:04.920
build your own crypto, during[br]the time. Or just don’t use it
0:42:04.920,0:42:09.420
for real valuable things. Or use your[br]Aluburka or other shielding while
0:42:09.420,0:42:15.049
opening it, I don’t know. But just be[br]aware if someone sniffs your communication
0:42:15.049,0:42:18.650
using his 5 Dollar dev board[br]he probably knows your codes.
0:42:18.650,0:42:25.300
So, yeah. So much for the NOKE.[br]This is not really the end, it’s just
0:42:25.300,0:42:31.680
the beginning of the end section. Because[br]we still have one mechanical bypass left.
0:42:31.680,0:42:36.529
You remember that earlier I mentioned[br]also the Master Lock doesn’t have
0:42:36.529,0:42:41.609
no mechanical bypass that we found. If you[br]remember Chaos Communication Congress
0:42:41.609,0:42:45.279
4 years ago – you can remember from[br]the Rocket standing exactly here –
0:42:45.279,0:42:48.190
points to picture on slide we did[br]a presentation on this first Bluetooth…
0:42:48.190,0:42:52.529
not Bluetooth, on this first electronic[br]padlock by Master Lock, where we had
0:42:52.529,0:42:56.109
a nice mechanical magnet attack,[br]which was found by Michael Hübler
0:42:56.109,0:43:01.829
by very cleverly drilling a hole,[br]observing the motors, acting with magnets…
0:43:01.829,0:43:07.829
and found this special move[br]which opens the old Master Lock.
0:43:07.829,0:43:11.200
And we reported that back then.[br]So 4 years ago we told Master Lock:
0:43:11.200,0:43:15.920
“Oh, your padlock can be opened[br]with a magnet, this is not very good”.
0:43:15.920,0:43:21.539
But this was a 30 Dollars padlock, and…[br]oh my god, could be done with a magnet.
0:43:21.539,0:43:25.309
So this is the new one, and they changed[br]something. Actually it’s something they
0:43:25.309,0:43:30.990
told us back then that they’re planning[br]to do. They added a shielding metal.
0:43:30.990,0:43:36.719
So, this very big, thick shielding[br]here which I would use to block
0:43:36.719,0:43:43.099
all the radiation from whatever[br]it is, around half of the motor
0:43:43.099,0:43:49.460
is supposed to help. Let’s have a look.
0:43:49.460,0:43:52.529
silent video starts[br]So this is the Master Lock.
0:43:52.529,0:43:56.259
We have a bigger magnet. I have to admit[br]you see it’s a much bigger magnet.
0:43:56.259,0:44:02.519
Those magnets are illegal to possess[br]all over Germany, I hope, soon!
0:44:02.519,0:44:05.750
And we have a different move. We’re[br]now rotating the magnet. We were
0:44:05.750,0:44:09.759
shifting it before. – And it’s open!
0:44:09.759,0:44:24.650
laughter and applause
0:44:24.650,0:44:28.249
This also is not really Zeroday because[br]as you saw before on the slide
0:44:28.249,0:44:33.540
by Rose & Ramsey he also told[br]the Master Lock is unpickable.
0:44:33.540,0:44:37.989
And after the talk at DEF CON I, in[br]the Q&A section somehow mentioned
0:44:37.989,0:44:42.690
that I doubt that. I didn’t tell[br]what to do exactly because
0:44:42.690,0:44:46.739
I wanted to give Master Lock some[br]response time. But directly after the talk
0:44:46.739,0:44:50.599
somebody approached me: “That’s very[br]interesting, I’m with Master Lock!” laughs
0:44:50.599,0:44:53.400
laughter[br]And I actually showed him this and he
0:44:53.400,0:44:59.090
filmed it with his mobile phone.[br]So I consider the vendor notified!
0:44:59.090,0:45:09.749
laughs[br]laughter and applause
0:45:09.749,0:45:13.019
So I would say: “Works for me!”
0:45:13.019,0:45:20.450
laughter and applause
0:45:20.450,0:45:25.010
So I have a message to all these vendors[br]and kickstarters and lock makers:
0:45:25.010,0:45:28.950
“Don’t try to be smart, be smart![br]And disclose your crypto protocols!”
0:45:28.950,0:45:32.150
There’s really no need to make[br]a secret crypto protocol. And if
0:45:32.150,0:45:35.609
your development department tells[br]you: ”No no, we can’t disclose that,
0:45:35.609,0:45:39.430
that’s a really silly idea to disclose our[br]crypto!” you probably have bad crypto,
0:45:39.430,0:45:42.709
and they know it![br]laughter
0:45:42.709,0:45:47.119
And, of course, if you build a new[br]thing like a hardware, like a lock e.g.
0:45:47.119,0:45:51.920
try to get your hardware in the hands of[br]experienced lockpickers, or locksmiths.
0:45:51.920,0:45:55.080
The shimming bypass, of the[br]Dog & Bone padlock, really,
0:45:55.080,0:45:58.460
every locksmith in the[br]U.S. would have told them:
0:45:58.460,0:46:04.530
“You can’t build a 100 Dollar padlock[br]which can be shimmed with a soda can!”
0:46:04.530,0:46:07.839
Especially if you’re an electronics[br]company what those Dog & Bone people
0:46:07.839,0:46:11.179
obviously are: Don’t trust on your[br]electronics knowledge. The hardware
0:46:11.179,0:46:16.049
also has to work. And please, if you give[br]this hardware to people don’t try to get
0:46:16.049,0:46:19.440
any NDAs, or “Oh you can’t disclose”[br]– because then they won’t do it, and
0:46:19.440,0:46:24.479
you will wait just for the product to come[br]out, and disassemble it then. So really…
0:46:24.479,0:46:28.740
Actually, I must say the[br]NOKE people which I…
0:46:28.740,0:46:32.529
the lock isn’t working that good but[br]I think the company is doing quite well.
0:46:32.529,0:46:36.390
They sent us one of their[br]locks for mechanical analysis
0:46:36.390,0:46:40.569
after our Master Lock presentation.[br]So we tested their lock
0:46:40.569,0:46:43.909
on our magnetic attack and that didn’t[br]work. And still doesn’t work. So
0:46:43.909,0:46:47.249
that thing they did good. The other thing[br]is that they didn’t get the crypto right.
0:46:47.249,0:46:50.500
But okay. People are learning.[br]some laughter
0:46:50.500,0:46:53.969
So if someone really wants to be smart[br]– and we also tried to tell that [to] NOKE
0:46:53.969,0:46:57.219
in the kickstarter campaign –[br]try to become the first one.
0:46:57.219,0:47:01.289
And this is really ‘WTF’. Why is[br]there no – at all – open source lock?
0:47:01.289,0:47:06.099
Or light bulb? Or vibrator?[br]I have no idea. But…
0:47:06.099,0:47:09.059
I think you want to sell the hardware! Why[br]not make the software open source
0:47:09.059,0:47:10.980
and make it auditable?
0:47:10.980,0:47:21.679
applause
0:47:21.679,0:47:25.529
Oopf… What’s that slide? Oh[br]yeah, there’s Hacker Jeopardy!
0:47:25.529,0:47:29.720
If you want Hacker Jeopardy to happen[br]next year please send content!
0:47:29.720,0:47:35.740
laughs[br]applause and cheers
0:47:35.740,0:47:39.890
I heard from that Sec guy and that[br]Ray guy that they’re really old,
0:47:39.890,0:47:43.400
and they don’t know the things that the[br]young generation wants to have asked
0:47:43.400,0:47:46.549
in a Jeopardy. And what Pokémons[br]you have to ask, and stuff like that…
0:47:46.549,0:47:50.869
So send a few ideas! There’s a German[br]page, but Hacker Jeopardy will be German
0:47:50.869,0:47:55.130
next year. So, sorry for that. A German[br]page which tells you how to submit ideas,
0:47:55.130,0:47:59.410
how to make good ideas. And if you[br]send enough content possibly next year
0:47:59.410,0:48:03.749
there will be Hacker Jeopardy, again.
0:48:03.749,0:48:09.729
applause
0:48:09.729,0:48:14.359
So, we have some links. Actually, this[br]is the Zeroday tool we are releasing,
0:48:14.359,0:48:19.119
by e7p. It’s not on there yet, I think.[br]Or possibly he’s sitting in the audience
0:48:19.119,0:48:23.539
and uploading it right now. It’s a small[br]Python script. It needs Python3.
0:48:23.539,0:48:27.819
And it implements this crypto session[br]exchange. So what you basically do is
0:48:27.819,0:48:31.640
you get the values from your Wireshark,[br]which is all these Hex strings,
0:48:31.640,0:48:36.359
put them to a file, start the[br]decode-NOKE tool and it will tell you
0:48:36.359,0:48:40.229
what keycode is in there, what things are[br]set. Currently it only supports, I think,
0:48:40.229,0:48:43.899
the ‘Open’ command mainly, and the[br]‘Read Battery’ possibly. But we’ll try
0:48:43.899,0:48:48.289
to add a few more codes as we decode them.[br]But it’s enough to get the lock code
0:48:48.289,0:48:52.249
from the air. So with this tool[br]– but you could implement it yourself –
0:48:52.249,0:48:57.419
you easily can crack the locks.[br]And there’s a blog entry by MH
0:48:57.419,0:49:00.019
who did a nice paper about the NOKE’s[br]hardware and everything. If you really
0:49:00.019,0:49:04.039
want to look inside the lock look at this.[br]And then there’s of course the link
0:49:04.039,0:49:08.359
to the Nordic RF sniffer software.
0:49:08.359,0:49:12.589
This is one of the decompilers which[br]has the Adblocker blocker on it.
0:49:12.589,0:49:16.140
And there’s an article from Sec’s blog[br]telling you how to decompile and recompile
0:49:16.140,0:49:21.849
an app. Which I found quite[br]helpful during the working.
0:49:21.849,0:49:25.939
So okay. So, thanks for listening.
0:49:25.939,0:49:29.980
Please, if you have smart things[br]around, and want to play with that,
0:49:29.980,0:49:34.579
I have one of these dev boards left. So[br]I have 2, one for me and one I can lend
0:49:34.579,0:49:39.539
to someone who wants to sniff to his/her[br]hardware. Come to the MuCCC assembly
0:49:39.539,0:49:46.410
and tell me what you want to attack,[br]and I’ll give you my RF sniffer board.
0:49:46.410,0:49:49.549
Or leave the things there, and we play[br]during Congress. Not today, possibly,
0:49:49.549,0:49:53.499
but tomorrow I’ll be in the assembly, or[br]someone will be there. And I think
0:49:53.499,0:49:57.529
now I have basically exactly 10 minutes,[br]and I hope there are some questions.
0:49:57.529,0:50:00.179
Otherwise I was too quick! Thank you!
0:50:00.179,0:50:11.199
applause
0:50:11.199,0:50:14.340
Herald: quietly: Hello! A mic would be nice![br]Someone calling out: You just have to switch it on!
0:50:14.340,0:50:16.809
Herald: It is on![br]Ray: He wants a microphone for the questions!
0:50:16.809,0:50:19.469
Herald is told how to switch on microphone
0:50:19.469,0:50:21.959
Herald: Hah, those who can[br]read have a clear advantage!
0:50:21.959,0:50:26.759
Ray, thank you very much![br]Do you have some time later?
0:50:26.759,0:50:31.380
I might need to ask a favour! Did I tell[br]you about that friend that I’m having
0:50:31.380,0:50:36.680
with the Bluetooth enabled coffee[br]machine? We, we speak later!
0:50:36.680,0:50:40.509
We have some questions, and we have some[br]questions from the internet. So here we go!
0:50:40.509,0:50:43.509
Signal Angel: Yes, thank[br]you. Ray, are you aware
0:50:43.509,0:50:47.699
of any secure Bluetooth locks?[br]With decent crypto?
0:50:47.699,0:50:52.160
Ray: Actually… not! What I can’t tell is
0:50:52.160,0:50:56.580
if the crypto of the Master Lock, or[br]the crypto of the Dog & Bone are good,
0:50:56.580,0:51:01.579
because we really haven’t looked into[br]it. But it wouldn’t really help because
0:51:01.579,0:51:05.990
the hardware is broken. The NOKE people,[br]as I said, are bringing out a new firmware
0:51:05.990,0:51:11.339
in January [2017]. I’ll try to make them[br]tell me what they’re doing. Because
0:51:11.339,0:51:14.630
I’m not really going to reverse-engineer[br]it again. I did that for a vendor once.
0:51:14.630,0:51:17.799
We don’t have to do it a second time. So I[br]hope they just tell me what they’re doing,
0:51:17.799,0:51:21.520
and we can have a look if it looks[br]promising. But at least they react.
0:51:21.520,0:51:25.619
So, possibly, the NOKE is becoming a[br]more secure padlock. But besides that
0:51:25.619,0:51:30.570
I don’t know any, so far. You can find the[br]talk by Rose & Ramsey on the internet.
0:51:30.570,0:51:36.039
It’s unusual for DEF CON talks but this[br]DEF CON talk is online. So you see lots of
0:51:36.039,0:51:39.419
locks there which he attacked, and they[br]all were worse than the ones we had here.
0:51:39.419,0:51:43.809
So, sorry, no. Which I could recommend.
0:51:43.809,0:51:46.480
And I wouldn’t recommend it, anyway,[br]because if it’s not open source you
0:51:46.480,0:51:50.890
don’t know if it’s secure! You just[br]know it’s currently uncracked. So,
0:51:50.890,0:51:53.599
possibly stick to your old ones![br]laughs
0:51:53.599,0:51:54.809
But thanks for the question.
0:51:54.809,0:51:58.599
Herald: Then we’re gonna[br]hop over to microphone no. 2!
0:51:58.599,0:52:03.199
Question: Thank you. That was quite[br]a bit of ‘Fremdschäming’. Fun talk. (?)
0:52:03.199,0:52:07.499
Just one thought: You said that[br]it’s about selling the hardware.
0:52:07.499,0:52:12.440
Well, maybe it’s not. Because from what[br]I understand most of those devices
0:52:12.440,0:52:17.799
are cloud-enabled. So I’m pretty[br]sure they collect all the data,
0:52:17.799,0:52:20.419
and maybe it’s about mining[br]that, for them. I don’t know.
0:52:20.419,0:52:25.619
Ray: Actually, yes. The NOKE has a Pro[br]version where they sell a company license
0:52:25.619,0:52:29.180
where you can have a company software[br]to the cloud, and have more features like
0:52:29.180,0:52:34.499
sharing others’ locks. But still you can[br]make it open source, and make a license
0:52:34.499,0:52:38.259
that disallows commercial use, or[br]something like that. Open source
0:52:38.259,0:52:43.140
doesn’t have to mean it’s free to use.[br]And if you have very complicated logic
0:52:43.140,0:52:48.339
for your company portal, or something,[br]possibly keep that closed-source.
0:52:48.339,0:52:52.031
But enable me to follow your[br]communication, to understand
0:52:52.031,0:52:55.759
how keys are generated, and stuff[br]like that. This is not your secret.
0:52:55.759,0:52:59.680
This is something… this[br]is the elementary function.
0:52:59.680,0:53:02.790
People should be able to understand an[br]audit. And especially in a commercial
0:53:02.790,0:53:06.980
environment, if you ask a locksmith[br]or some other security expert:
0:53:06.980,0:53:11.989
“Would you recommend this device?”, if he[br]can’t look into it he can’t recommend it.
0:53:11.989,0:53:16.849
So I think also for selling appliances, or[br]selling services open source algorithms
0:53:16.849,0:53:23.039
or open source protocols would be the best[br]solution. But especially in the lock industry
0:53:23.039,0:53:26.250
that’s very very uncommon. I had[br]really bad experience talking to
0:53:26.250,0:53:29.890
normal lock manufacturers about open[br]sourcing their stuff. It’s an idea they
0:53:29.890,0:53:34.299
don’t understand. They’re about secrets,[br]I don’t know. Let’s hope for the future!
0:53:34.299,0:53:36.959
laughs Another…[br]Herald: Okay, we had…
0:53:36.959,0:53:41.119
No. 1 is just coming up! He was queuing[br]at ‘3’ but covering the camera, and then
0:53:41.119,0:53:44.519
the camera man got a little bit disturbed,[br]and… it’s a long story. ‘1’, we go!
0:53:44.519,0:53:47.930
Question: I was wondering if you knew[br]about the new locks which advertise
0:53:47.930,0:53:51.269
their existence, like broadcast[br]things, or things like that?
0:53:51.269,0:53:54.649
Could you like walk through the street and[br]know there are Bluetooth locks around you?
0:53:54.649,0:53:59.229
Ray: No, those locks usually don’t broadcast[br]because it would use too much energy.
0:53:59.229,0:54:02.789
So usually you have to push the[br]shackle of the lock or something.
0:54:02.789,0:54:06.870
And then it broadcasts. There are actually[br]if you go back to this DEF CON talk
0:54:06.870,0:54:11.170
I was talking about – and I think that’s[br]enough shaming of Master Lock here –
0:54:11.170,0:54:16.180
video playback stops[br]if he has door locks and stuff like that,
0:54:16.180,0:54:19.119
those possibly are connected to [the][br]power [grid] and advertise all the time.
0:54:19.119,0:54:23.410
So he did some lock wardriving.[br]But for the padlocks that doesn’t work.
0:54:23.410,0:54:27.380
But of course you can go and click[br]them, and then… get the idea.
0:54:27.380,0:54:30.510
And of course you can do the other thing:[br]you could walk around and pretend
0:54:30.510,0:54:34.699
you’re a lock, and see if someone has the[br]app running, and connects back to you.
0:54:34.699,0:54:37.030
That might work!
0:54:37.030,0:54:39.690
Herald: And over to[br]microphone no. 2, please!
0:54:39.690,0:54:45.779
Question: I was wondering[br]about that strong encryption,
0:54:45.779,0:54:50.809
meaning AES, and on the other[br]hand the very weak, or vulnerable,
0:54:50.809,0:54:56.529
or flawed key exchange: do you[br]think that might be due to out-tasking,
0:54:56.529,0:55:01.780
like they have specified that they[br]want encryption, and have not specified
0:55:01.780,0:55:05.980
how key exchange is to be handled,[br]and that might be the reason why
0:55:05.980,0:55:10.709
it takes them 8 months[br]or more to fix that?
0:55:10.709,0:55:14.130
Ray: This is basically 2 questions.[br]Of course I can only speculate.
0:55:14.130,0:55:18.920
It might be out-tasking, it might[br]also be that they just had the time…
0:55:18.920,0:55:22.400
if you follow the NOKE kickstarter[br]campaign – it was all funded
0:55:22.400,0:55:25.869
in a kickstarter – they had a lot of[br]problems in delivering on time.
0:55:25.869,0:55:29.809
So there’s lots and lots of comments[br]“I’m waiting for my lock, oh. Oh god,
0:55:29.809,0:55:33.280
another delay, now you’re claiming[br]manufacturing is difficult…”, so, many,
0:55:33.280,0:55:37.410
many people saying “you have to come out[br]with that”. So it might be time pressure,
0:55:37.410,0:55:40.739
it might be out-tasking, and of course[br]it might be that they just specified:
0:55:40.739,0:55:44.439
“Oh, we want to use AES”. And that’s[br]the other thing, everybody says:
0:55:44.439,0:55:48.420
“We disclose what we’re using. We’re using[br]AES!” Here we have a very good example,
0:55:48.420,0:55:51.979
yes, it really is using AES. And it’s[br]using a correct implementation.
0:55:51.979,0:55:56.749
We actually found it’s a TI example[br]implementation of AES that they’re using.
0:55:56.749,0:56:01.559
So it’s completely valid AES128,[br]but still it’s completely insecure.
0:56:01.559,0:56:06.089
So people just claim they’re using AES, or[br]“We’re using SHA-somesing or somesing”.
0:56:06.089,0:56:09.999
Isn’t enough. You have to know the whole[br]protocol. And that wasn’t the case here.
0:56:09.999,0:56:12.579
laughs[br]Herald: Okay, then we’re gonna go over
0:56:12.579,0:56:14.579
to the internet, again![br]Ray: The internet… of…
0:56:14.579,0:56:19.420
Signal Angel: Thank you. Actually it’s a[br]follow-up question for the previous one:
0:56:19.420,0:56:22.809
would it be sufficient to have[br]a hardware-accelerated AES
0:56:22.809,0:56:25.379
on these Bluetooth thingies?
0:56:25.379,0:56:30.450
Ray: Actually hardware-accelerated AES[br]doesn’t have to do anything with that.
0:56:30.450,0:56:34.009
That might be helpful if you have[br]a chip which is a crypto chip,
0:56:34.009,0:56:37.900
if you have things like side channel[br]attacks. If you would have a key fob
0:56:37.900,0:56:41.869
which has a secret key in it which should[br]not be extractable, those keys can be
0:56:41.869,0:56:45.799
extracted with electronic attacks, side[br]channel attacks, power measurements.
0:56:45.799,0:56:50.559
Against these attacks a crypto chip could[br]help because it has a good implementation.
0:56:50.559,0:56:55.150
But for this… AES is AES. As I said[br]the implementation of AES is valid.
0:56:55.150,0:56:59.189
So an accelerated chip wouldn’t help.[br]And they’re not doing bad crypto
0:56:59.189,0:57:03.099
for performance reasons. It’s only one[br]AES operation. They’re doing it because
0:57:03.099,0:57:06.730
it’s more difficult to do it right. And it[br]possibly would need asymmetric crypto.
0:57:06.730,0:57:08.630
That could need acceleration,[br]on the other hand.
0:57:08.630,0:57:11.879
But it doesn’t have to do with the chip.
0:57:11.879,0:57:15.420
Herald: Are you queuing there, on ‘5’?[br]lowered voice: Well, then here we go!
0:57:15.420,0:57:20.839
Question: Okay, two little questions,[br]more hardware related. First one:
0:57:20.839,0:57:24.961
How could you build a lock which[br]isn’t susceptible to the attack
0:57:24.961,0:57:28.999
you showed in the video,[br]like flipping the magnet?
0:57:28.999,0:57:33.949
That’s the one, and the second one[br]is that Trelock, or ABUS I think,
0:57:33.949,0:57:39.189
says they have an electronic bike[br]lock which doesn’t have any battery,
0:57:39.189,0:57:43.719
and I’m quite confused how they[br]will do it. Have you any idea?
0:57:43.719,0:57:48.420
Ray: Actually I don’t know – starting with[br]the second question – the ABUS lock
0:57:48.420,0:57:52.739
at all, I must admit. But there are e.g.[br]also Cyberlock is it called, they have
0:57:52.739,0:57:56.050
battery in the key, and you put the key to[br]it. If it’s a Bluetooth lock I don’t know
0:57:56.050,0:58:00.249
how they’re doing it. It might be possible[br]that you push something and it starts
0:58:00.249,0:58:04.809
a generator. I’ve seen buttons which you[br]press and they generate the energy to send
0:58:04.809,0:58:07.990
while you press it. So it might be[br]that, but I don’t know the products.
0:58:07.990,0:58:11.239
The other question, I must admit I didn’t[br]really understand what you want to know.
0:58:11.239,0:58:14.749
Can you repeat the first one?
0:58:14.749,0:58:18.289
Question: Of course. I was just[br]asking how to protect the lock
0:58:18.289,0:58:22.109
so it can’t be opened by flipping[br]a magnet, like you did in the video.
0:58:22.109,0:58:26.180
Ray: How to protect it, that’s a very[br]good question. I think we know
0:58:26.180,0:58:30.479
how NOKE did it. And the thing is[br]I don’t think NOKE did it intentionally.
0:58:30.479,0:58:34.609
It just happened to be in their design.[br]We can’t open the NOKE because
0:58:34.609,0:58:38.809
the rotating actor they have is also[br]magnetic. So if I put my magnet there
0:58:38.809,0:58:43.819
I lock the lock. In the Master Lock it’s[br]some cast metal which is not magnetic.
0:58:43.819,0:58:47.239
So changing this to magnetic would[br]possibly help. Using a completely
0:58:47.239,0:58:51.599
different approach, like the motor in The[br]Quicklock, or which needs more power,
0:58:51.599,0:58:54.909
or works differently like a servo would[br]help. But would be a completely
0:58:54.909,0:58:59.689
different design. But it’s really a tricky[br]part. There have been lots of different locks
0:58:59.689,0:59:04.339
in the past, also door locks, that were[br]attackable by hardware attacks.
0:59:04.339,0:59:10.589
So building a good, really good mechanic,[br]or electromechanic isn’t easy.
0:59:10.589,0:59:15.259
Herald: And I think we have time[br]for the last one, at microphone 5.
0:59:15.259,0:59:19.340
Question: So this isn’t a question,[br]it’s just a precision. At one point
0:59:19.340,0:59:23.779
during the presentation you talked[br]about open source smart appliances,
0:59:23.779,0:59:28.309
and you said, nobody really does[br]that. And you urge people
0:59:28.309,0:59:34.190
to be the first to do e.g.[br]open source sex toys.
0:59:34.190,0:59:38.779
And it happens that someone is doing that.
0:59:38.779,0:59:43.119
So on Github it’s Q-dot,[br]if you want to learn more
0:59:43.119,0:59:47.599
about what they’re doing.[br]They have, you know,
0:59:47.599,0:59:52.959
several public repositories about[br]‘teledildonics’. So, you know, just,
0:59:52.959,0:59:55.519
if anyone wants to check[br]that out, just saying.
0:59:55.519,0:59:58.660
Ray: Okay, thanks for your[br]self-advertisement. laughter
0:59:58.660,1:00:02.599
And I was mainly talking about locks, I[br]must admit. I don’t know the other fields
1:00:02.599,1:00:05.560
so well. But locks is really difficult[br]to get open source. If you have
1:00:05.560,1:00:09.270
more questions I’ll be at the MuCCC[br]assembly. I’m waiting for you to bring
1:00:09.270,1:00:14.041
devices, get the dev board, hack the[br]stuff. And thanks again, for listening!
1:00:14.041,1:00:16.501
applause
1:00:16.501,1:00:21.771
postroll music
1:00:21.771,1:00:40.389
subtitles created by c3subtitles.de[br]in the year 2017. Join, and help us!