WEBVTT

00:00:00.000 --> 00:00:14.029
<i>33c3 preroll music</i>

00:00:14.029 --> 00:00:16.880
Herald: Ray, are you ready?
Ray: I think I’m ready!

00:00:16.880 --> 00:00:19.840
Herald: Alright he’s ready…
Let me introduce you, Ray!

00:00:19.840 --> 00:00:23.630
“Lockpicking in the IoT”, or

00:00:23.630 --> 00:00:27.380
“Why adding a Bluetooth Low
Energy device sometimes

00:00:27.380 --> 00:00:30.330
isn’t a great idea”. Here we go!

00:00:30.330 --> 00:00:36.260
<i>applause</i>

00:00:36.260 --> 00:00:42.760
Ray: Okay, so, welcome everybody
to “Lockpicking in the IoT”,

00:00:42.760 --> 00:00:50.240
or the internet of things that were
never supposed to be on the internet.

00:00:50.240 --> 00:00:57.340
Okay. There’s a small overview of what
we’re doing. I’ll introduce a little bit

00:00:57.340 --> 00:01:05.019
what is this about, show you some hardware
porn – for the hardware lovers among you –

00:01:05.019 --> 00:01:11.000
then look a bit deeper in the PCBs of that
hardware – for the electronics guys –

00:01:11.000 --> 00:01:15.160
then we look into communication on
the internet – this is this modern thing

00:01:15.160 --> 00:01:18.740
everybody wants to have in his coffee
machine – and then we go for

00:01:18.740 --> 00:01:24.500
the wireless interface, and see
how difficult or not difficult it is

00:01:24.500 --> 00:01:30.530
to attack them. And last but not least
we will look into Android app hacking

00:01:30.530 --> 00:01:36.030
– I have to say I’m mainly focusing on
Android but I’m pretty sure if you’re more

00:01:36.030 --> 00:01:41.490
the Apple guy there’s similar techniques
available to go for your Apple app.

00:01:41.490 --> 00:01:46.439
But for most devices there’s both
– so even if you’re using iOS you can hack

00:01:46.439 --> 00:01:52.479
the Android app to get the infos.
And then the talk is over. Okay.

00:01:52.479 --> 00:01:58.729
The very important thing first: the
disclaimer. Basically I want to say

00:01:58.729 --> 00:02:03.380
I just tested this on my locks, I don’t
say it’s working on everything,

00:02:03.380 --> 00:02:08.320
I don’t say it’s a general mistake by
somebody, might have changed,

00:02:08.320 --> 00:02:14.160
I might be wrong, I just
show my research. Okay.

00:02:14.160 --> 00:02:20.090
This is basically what we’re talking
about. We have some kind of

00:02:20.090 --> 00:02:24.730
smart or not-so-smart device which is
talking over Bluetooth Low Energy

00:02:24.730 --> 00:02:30.940
to your smart, or not-so-smart phone.
Which is usually talking, using TLS

00:02:30.940 --> 00:02:36.620
and HTTP to the ‘Cloud’.

00:02:36.620 --> 00:02:39.870
So it’s not just locks. The talk is called
“Lockpicking” because that’s the thing

00:02:39.870 --> 00:02:43.120
we’re actually going to attack. But
the techniques here shown work

00:02:43.120 --> 00:02:46.000
for basically all of these
Bluetooth Low Energy devices.

00:02:46.000 --> 00:02:51.370
There are e.g. different light bulbs.
I found some interesting reports

00:02:51.370 --> 00:02:55.530
on light bulbs that don’t use
any form of authentication.

00:02:55.530 --> 00:02:58.329
So you can connect to your neighbor’s
light bulb and change a color, or

00:02:58.329 --> 00:03:01.970
turn it on or off. So, finally,
Blinkenlights in your neighborhood!

00:03:01.970 --> 00:03:03.640
<i>mumbles and laughter</i>

00:03:03.640 --> 00:03:07.639
Then of course there’s cars. Everybody’s
talking about cars today. I just heard

00:03:07.639 --> 00:03:11.709
a talk about cars. They’re not really
using Bluetooth Low Energy.

00:03:11.709 --> 00:03:14.310
But still they use an app and are
controlled over the internet, so,

00:03:14.310 --> 00:03:19.099
it’s kind of on-topic. Then there’s
vibrators. I mean, unsafer cyber sex

00:03:19.099 --> 00:03:24.580
never has been easier. Actually I don’t
have one of those, so, if anybody has,

00:03:24.580 --> 00:03:30.120
please bring one over to play with it.
But I’m pretty sure they have high-class

00:03:30.120 --> 00:03:33.290
security. <i>laughter</i>
And then there’s button pushers.

00:03:33.290 --> 00:03:38.769
I just learned of that yesterday and
I thought “WTF, a button pusher!?”

00:03:38.769 --> 00:03:42.039
<i>laughter</i>

00:03:42.039 --> 00:03:48.770
<i>applause</i>

00:03:48.770 --> 00:03:51.810
This is a Bluetooth Low Energy device
which you can communicate to and

00:03:51.810 --> 00:03:54.879
make it press a button. Here it’s pressing
the Delete key on my notebook.

00:03:54.879 --> 00:03:59.570
So finally I have a Bluetooth LE
enabled Delete key on my notebook.

00:03:59.570 --> 00:04:02.880
<i>laughter</i>
Very, very helpful. Of course, if you

00:04:02.880 --> 00:04:07.210
add that to your door opener at home
you can do it again – lockpicking.

00:04:07.210 --> 00:04:10.410
We haven’t hacked that yet because
I just saw it yesterday but it didn’t look

00:04:10.410 --> 00:04:15.129
very encrypted. It has some secret, some
shared string, we didn’t understand.

00:04:15.129 --> 00:04:20.708
But possibly this congress
we will look into it.

00:04:20.708 --> 00:04:23.870
Okay, then there’s cars. I’m not
sure, who read this message that

00:04:23.870 --> 00:04:29.850
Tesla had a big app hack? Nobody? Oh.
I thought, everybody read it because

00:04:29.850 --> 00:04:35.779
it even was on Heise. And it obviously is
a very big vulnerability, Elon Musk has

00:04:35.779 --> 00:04:39.940
to get better on this and
everybody’s stealing these things…

00:04:39.940 --> 00:04:47.260
how are they called…
oh yeah, these ‘smart cars’.

00:04:47.260 --> 00:04:50.750
And they even have colors! So who
wouldn’t want to steal one of those?

00:04:50.750 --> 00:04:53.760
<i>laughter</i>

00:04:53.760 --> 00:04:59.130
The bad news is actually that wasn’t
really a hack. What they showed is

00:04:59.130 --> 00:05:03.980
that the app is able to start the car.
That’s in the manual.

00:05:03.980 --> 00:05:09.599
So what they told is: “Yeah, but if I hack
your phone I can start your car!”

00:05:09.599 --> 00:05:13.790
Then they realized, “Oh, you also need the
password because for starting the car

00:05:13.790 --> 00:05:17.760
the app actually asks for the password
again.” – “Yeah but if I hack your phone

00:05:17.760 --> 00:05:21.070
I can install a fake app that asks for
the password; and if you enter it

00:05:21.070 --> 00:05:24.740
I can steal your car!” – Oh, surprise!
<i>laughter</i>

00:05:24.740 --> 00:05:27.979
I mean this is not the kind of hacking
we’re talking about. And they then

00:05:27.979 --> 00:05:32.900
suggested the app should be more
protected against reverse engineering.

00:05:32.900 --> 00:05:38.800
What would that change in this aspect?
I can create a fake app without even

00:05:38.800 --> 00:05:42.839
decompiling the original one. So,
of course if you don’t have security

00:05:42.839 --> 00:05:46.440
on your phone working, if you install
apps that are not secure your data

00:05:46.440 --> 00:05:50.980
is not secure, and your Teslas get stolen.
But I didn’t see anything in this ‘hack’

00:05:50.980 --> 00:05:56.620
actually being a hack.
So, while talking about…

00:05:56.620 --> 00:06:01.180
<i>applause</i>

00:06:01.180 --> 00:06:04.029
Spare your applause for this one!

00:06:04.029 --> 00:06:08.280
Talking about obfuscation. That’s really
a thing some people understand differently

00:06:08.280 --> 00:06:13.520
than I do. I try to say [to] people:
“security by obscurity does not work!”

00:06:13.520 --> 00:06:18.080
So if you obfuscate your app, possibly
it slows down researchers like us.

00:06:18.080 --> 00:06:22.099
But the people doing that for money, who
want to sell exploits, they will still put

00:06:22.099 --> 00:06:26.349
the energy into it. And sell their
exploits even more expensive.

00:06:26.349 --> 00:06:30.150
And the exploit will even be longer out
there because the independent researchers

00:06:30.150 --> 00:06:34.370
won’t find the vulnerabilities that fast.
The idea is: good crypto does not have

00:06:34.370 --> 00:06:39.890
to be secret to be secure. So, no, please
don’t obfuscate your apps better.

00:06:39.890 --> 00:06:44.630
Build your protocols better. But as said
before I didn’t see any aspects there

00:06:44.630 --> 00:06:48.490
in Tesla. Possibly they should make it
obvious that you can start the car with it

00:06:48.490 --> 00:06:50.781
and make it ‘disableable’, and
what… things like that, but

00:06:50.781 --> 00:06:55.230
it’s not a security issue. Okay.

00:06:55.230 --> 00:06:59.880
So let’s go back to locks. Because,
actually the talk is called “Lockpicking”.

00:06:59.880 --> 00:07:03.520
So what do these smart locks usually do?
Of course they can be opened.

00:07:03.520 --> 00:07:07.740
Usually your… with your phone near your
lock you put something on the lock

00:07:07.740 --> 00:07:11.290
and communicate – the lock opens.
Optionally you have to press

00:07:11.290 --> 00:07:16.091
something on the phone, so it’s
a 2-step process to unlock,

00:07:16.091 --> 00:07:20.070
which is actually a quite good idea
because of some obvious scenarios

00:07:20.070 --> 00:07:24.010
which will work otherwise. Then – and
this is different from normal locks –

00:07:24.010 --> 00:07:27.700
they can be shared to friends. It’s
a big feature. They try to convince you

00:07:27.700 --> 00:07:31.880
why these smart locks are so smart.
When I’m not at home I can send

00:07:31.880 --> 00:07:35.590
somebody the code, and give him the
possibility to open my bike shed

00:07:35.590 --> 00:07:41.360
for just one hour. Because I can, of
course, revoke that at time restrictions.

00:07:41.360 --> 00:07:44.770
So that’s what the big advantage is,
compared to a traditional lock.

00:07:44.770 --> 00:07:49.460
Except, of course, it’s to be much more
secure because you can’t pick it anymore.

00:07:49.460 --> 00:07:53.260
And then those obviously have some
failsafe mode in case your phone breaks

00:07:53.260 --> 00:07:57.330
and whatever. You can enter a click code,
and can enter a code by some buttons

00:07:57.330 --> 00:08:01.770
or something to open it without the
phone. But that is nothing we’re going

00:08:01.770 --> 00:08:08.830
to look into today. So from these basic
ideas, of course, there come some basic

00:08:08.830 --> 00:08:12.390
attack vectors. What I could
try to do: I could try to bypass

00:08:12.390 --> 00:08:18.600
the sharing restrictions. So possibly
go in a different time window.

00:08:18.600 --> 00:08:21.320
I could change the time on my phone,
probably. Would that work?

00:08:21.320 --> 00:08:25.210
Things like that. Open the lock after
it was revoked. Of course then

00:08:25.210 --> 00:08:28.250
that’s what everybody thinks about when
talking about Bluetooth: I could try

00:08:28.250 --> 00:08:32.830
to get the keys. From sniffing
somebody’s Bluetooth LE connection.

00:08:32.830 --> 00:08:37.720
That’s something we’re going to do today.
Then this is what I was talking about

00:08:37.720 --> 00:08:41.610
why the ‘2-button-press’ is a good idea.
You could relay opening codes.

00:08:41.610 --> 00:08:45.010
If you have the ‘instant-open’ feature
I could approach you, pretend to be

00:08:45.010 --> 00:08:48.550
your lock, your phone sends me an OPEN
command, I could relay it to your lock,

00:08:48.550 --> 00:08:52.560
completely somewhere else, and it would
open. So I think this is something

00:08:52.560 --> 00:08:56.890
you can’t really stop except with
some very tricky mechanisms.

00:08:56.890 --> 00:09:01.511
Possibly ‘timing’ or some… things like
that. So this ‘instant open’ feature

00:09:01.511 --> 00:09:07.390
is possibly not the best idea. Then
we have the option to attack the lock

00:09:07.390 --> 00:09:13.640
or app software directly. I mean, it’s
software. So it will have buffer overflows.

00:09:13.640 --> 00:09:18.240
It might have other weaknesses. It could
just do not verify some things. If I tell

00:09:18.240 --> 00:09:21.960
I’m another person - does it really check
if I have the rights, and everything?

00:09:21.960 --> 00:09:26.890
But this is something – I think the only
thing – I don’t have in this talk today.

00:09:26.890 --> 00:09:33.290
Because the other methods
worked already. Okay.

00:09:33.290 --> 00:09:38.340
Going to look at the hardware.
So, basically, if you’re

00:09:38.340 --> 00:09:43.030
a lockpicker or some other reverse-
engineer, if you get a new hardware

00:09:43.030 --> 00:09:45.830
you want to take it apart. If you
can’t take it apart, you can’t open it

00:09:45.830 --> 00:09:49.980
you don’t own it. And here’s – if you
want to do it yourself – these tips

00:09:49.980 --> 00:09:54.720
how to open it. The NOKE is very nicely
built. When you have legally or

00:09:54.720 --> 00:09:58.470
legitimately unlocked your NOKE you can
disassemble it without doing any damage

00:09:58.470 --> 00:10:03.040
to it. [You] just need a screw driver and
it completely comes apart. Very nice design.

00:10:03.040 --> 00:10:06.720
The Master Lock – you have to
drill out 4 rivets. This is a bit sad

00:10:06.720 --> 00:10:11.251
because after that it won’t be a very good
lock anymore. But it’s not a problem

00:10:11.251 --> 00:10:15.750
because it isn’t before,
from my experience.

00:10:15.750 --> 00:10:20.762
<i>applause and some laughter</i>

00:10:20.762 --> 00:10:25.090
And then there’s the Dog & Bone lock,
which is a lock I just got recently.

00:10:25.090 --> 00:10:28.690
Its a little bit tricky to open but you
don’t have to do a lot of damage.

00:10:28.690 --> 00:10:32.360
If you have it opened you can pull out
a pin in the back – thank Jan (?)

00:10:32.360 --> 00:10:36.130
for finding that out. And then you can
remove screws and it really comes apart

00:10:36.130 --> 00:10:40.420
nicely. So how do these locks
look, now? This is the NOKE.

00:10:40.420 --> 00:10:45.590
So basically you see a PCB, you
see a normal lock body like here,

00:10:45.590 --> 00:10:49.721
with a shackle. There’s a motor at the
PCB. The motor turns some locking element

00:10:49.721 --> 00:10:53.260
in here. And if it’s in the right position
the lock opens. For the NOKE there’s

00:10:53.260 --> 00:10:59.080
a very nice paper by the SSDeV member
Michael Hübler. I have a link at the end

00:10:59.080 --> 00:11:05.900
of the presentation.
And neither he nor me did find

00:11:05.900 --> 00:11:11.540
any mechanical bypasses for that lock.
So the mechanics look okay.

00:11:11.540 --> 00:11:15.680
Then there’s the Master Lock. It is very
similar, but I have to say they invented

00:11:15.680 --> 00:11:20.890
this mechanism with the motor in this
locking element first. It has 4 buttons

00:11:20.890 --> 00:11:26.640
on the PCB which you can use to enter
a code. Has 2 CPUs, pretty standard design.

00:11:26.640 --> 00:11:31.600
And here are the rivets you have
to drill out to make it open.

00:11:31.600 --> 00:11:36.670
The Dog & Bone is a little bit more
clumsy. It’s a bigger lock. It comes apart

00:11:36.670 --> 00:11:41.900
in quite some pieces. What I really liked
was that motor with that gear box. I think

00:11:41.900 --> 00:11:47.360
it’s like 1:2000 or something. So it
really gets a lot of power from the

00:11:47.360 --> 00:11:53.780
very small motor. So what does it do with
it? It turns this element, and this element

00:11:53.780 --> 00:11:59.260
retracts these 2 spring loaded locking
elements which are locking the shackle.

00:11:59.260 --> 00:12:05.100
If you’re a lockpicker you will ask:
“Spring loaded? Seriously?

00:12:05.100 --> 00:12:09.550
Have you ever heard about the term
‘Shimming a lock’?” ‘Shimming a lock’

00:12:09.550 --> 00:12:16.180
is inserting some metal at the shackle,
and pushing back the springs.

00:12:16.180 --> 00:12:22.550
It’s a very standard method for padlocks
in the 5 Dollar range, I would say.

00:12:22.550 --> 00:12:26.670
Locks starting at 10..15 Dollars
or Euros or whatever, in that area

00:12:26.670 --> 00:12:32.340
usually can’t be shimmed anymore.
When I opened the Dog & Bone lock

00:12:32.340 --> 00:12:36.010
I instantly realized: it’s
spring loaded, it is shimmable.

00:12:36.010 --> 00:12:40.480
A short search on Google
found out that Mr. Locksmith,

00:12:40.480 --> 00:12:43.460
a lockpicker from the U.S. who
does some good Youtube videos,

00:12:43.460 --> 00:12:48.040
found [that] out months before.
And of course, it’s shimmable!

00:12:48.040 --> 00:12:52.250
You put in some thin metal sheets
– he built them from a cutaway

00:12:52.250 --> 00:12:56.190
of a soda can, puts them
in and the lock opens.

00:12:56.190 --> 00:13:01.520
But this is not a 5 Dollar lock. This is
an 80..100 Dollar Bluetooth padlock.

00:13:01.520 --> 00:13:05.990
And you shim it with cut metal.
Okay. No need to go into

00:13:05.990 --> 00:13:11.520
the Bluetooth Low Energy for that one.
<i>laughter</i>

00:13:11.520 --> 00:13:15.591
And, as a small teaser: I also didn’t
say there’s no mechanical bypass

00:13:15.591 --> 00:13:18.860
for the Master Locks. But
we’ll come back to that.

00:13:18.860 --> 00:13:22.270
Okay. The electronics. This is the
electronics of the NOKE. Basically

00:13:22.270 --> 00:13:26.240
you see there’s one CPU, and something
that’s called an ‘H bridge’ which is

00:13:26.240 --> 00:13:31.570
used to control a motor. All the rest
is pretty standard electronics, so,

00:13:31.570 --> 00:13:36.790
very simple design.
The Master Lock has 2 CPUs,

00:13:36.790 --> 00:13:41.871
has the buttons on the PCB,
also quite simple electronics.

00:13:41.871 --> 00:13:45.790
And this is the MCUs. The interesting
thing I see is there’s a very common chip.

00:13:45.790 --> 00:13:50.470
It’s the Nordic nRF51822.
I find it basically everywhere.

00:13:50.470 --> 00:13:54.250
It’s in light bulbs, it’s
in 3 of the locks I have here.

00:13:54.250 --> 00:13:58.279
Or 4, if you count the Ivation
and Nathlock [not] as the same.

00:13:58.279 --> 00:14:01.460
Only the Master Lock
uses MSP430, which is…

00:14:01.460 --> 00:14:08.600
The nRF is a… basically ARM core.
The MSP430 is a much smaller chip,

00:14:08.600 --> 00:14:13.029
it’s from Texas Instruments, and it’s
a very low power consumption chip.

00:14:13.029 --> 00:14:18.660
It was also used in the previous
non-Bluetooth LE electronic lock.

00:14:18.660 --> 00:14:22.500
But it’s basically also a normal
microcontroller, and you can program it.

00:14:22.500 --> 00:14:27.279
So, program it. That means you can
just use any ARM Flash board.

00:14:27.279 --> 00:14:32.460
I used the ST-Link interface from an
STM32 dev board we had in our hackerspace.

00:14:32.460 --> 00:14:38.180
And interfaced it to the chip
of the NOKE padlock here.

00:14:38.180 --> 00:14:41.900
So e.g. using OpenOCD, but…
there are different tool chains (?) but

00:14:41.900 --> 00:14:46.710
this is one where you find some info on
the internet, how to use it with the nRF.

00:14:46.710 --> 00:14:50.200
Using OpenOCD you get an
interface to connect to the chip,

00:14:50.200 --> 00:14:54.540
and then you can issue commands
like ‘Probe the Flash in it’;

00:14:54.540 --> 00:14:58.330
you could read the Flash, you
could write a new firmware to it,

00:14:58.330 --> 00:15:01.820
and stuff like that.

00:15:01.820 --> 00:15:06.200
With the old Master dialSpeed padlock
which is pre-Bluetooth-LE but

00:15:06.200 --> 00:15:10.600
already electronic, a few years ago,
I think 4 years ago we presented

00:15:10.600 --> 00:15:14.380
about that one, that was not read
protected, you could change the firmware,

00:15:14.380 --> 00:15:18.470
you could actually get the codes from
reading the flash, and you could access

00:15:18.470 --> 00:15:22.400
the Flash content without opening
the lock. So that was really funny.

00:15:22.400 --> 00:15:25.540
Not usable as a lock, but I re-flashed
it to a Simon Says style game where

00:15:25.540 --> 00:15:30.790
you have to repeat the sequence it shows
you. Funny lock for your hackerspace.

00:15:30.790 --> 00:15:33.310
Unfortunately, or fortunately…
No, I would say ‘unfortunately’,

00:15:33.310 --> 00:15:36.810
the NOKE firmware was read protected.
Because there’s no need for it.

00:15:36.810 --> 00:15:40.370
The NOKE firmware Flash ports can’t
be accessed without opening the lock.

00:15:40.370 --> 00:15:44.180
So you don’t lock somebody out
by read protecting it, except for

00:15:44.180 --> 00:15:48.040
the legitimate owner. But okay, it was
read protected, and I was saying: “Oh,

00:15:48.040 --> 00:15:52.040
decompiling firmware, that’s hard
work anyway, let’s skip that one.”

00:15:52.040 --> 00:15:55.149
But of course you could use these flash
interfaces to write own firmwares

00:15:55.149 --> 00:15:58.710
to these locks. Possibly make them open
source one day. Or do something else.

00:15:58.710 --> 00:16:03.050
Or just use them as cool dev
boards. With some actors on it.

00:16:03.050 --> 00:16:08.560
So, let’s go for the first
interesting thing, I would say.

00:16:08.560 --> 00:16:13.570
The communication with the ‘Cloud’.

00:16:21.900 --> 00:16:24.870
So your phone speaks to some servers
which is provided by the vendor

00:16:24.870 --> 00:16:30.120
of your hardware usually. And
it’s usually a TLS encrypted link

00:16:30.120 --> 00:16:36.140
using HTTP. Over this link the application
on your phone sends login data,

00:16:36.140 --> 00:16:39.980
gets back from the cloud the information
about the lock. So you can install

00:16:39.980 --> 00:16:42.820
your app on a new phone, enter your
login credentials and instantly use

00:16:42.820 --> 00:16:47.380
all your locks. Or the locks that were
shared to you. Usually these apps also

00:16:47.380 --> 00:16:51.040
send events to the cloud, when you open
your locks. So if you share the lock

00:16:51.040 --> 00:16:55.170
with someone you can see on your other
phone that he opened it, and possibly

00:16:55.170 --> 00:16:59.710
where he opened it. And things like that.
And of course also data is edited,

00:16:59.710 --> 00:17:04.670
if you add a new code to it or something.
So this is sent over the link.

00:17:04.670 --> 00:17:09.189
So, some people would say: “Oh,
but TLS encryption is secure, isn’t it?”

00:17:09.189 --> 00:17:13.049
Of course, usually it is. There are flaws
which you hear about from time to time

00:17:13.049 --> 00:17:17.089
at these conferences. But that’s not the
problem here. The problem is – but

00:17:17.089 --> 00:17:20.540
it’s not a problem, it’s nice for us
researchers – you own the phone

00:17:20.540 --> 00:17:25.699
with the app. You control the app. You can
even modify the app. But owning the phone

00:17:25.699 --> 00:17:29.890
you control the TLS trust store,
with the certificate authorities. So

00:17:29.890 --> 00:17:35.770
you can install a new CA and trust your
own servers. People could try to

00:17:35.770 --> 00:17:39.700
prevent this using key pinning in the app.
But, again, you also control the app.

00:17:39.700 --> 00:17:43.559
You can change the app, you can remove
the key pinning. So, basically, breaking

00:17:43.559 --> 00:17:47.650
into this TLS is something the vendor
has to expect. It’s your device,

00:17:47.650 --> 00:17:51.940
it’s your communication. You can
listen to it. So, and the nice thing

00:17:51.940 --> 00:17:55.530
– and this is what I’m trying to tell all
of you here in this talk – these things

00:17:55.530 --> 00:17:58.840
are not difficult. There are nice
available tools; and if you have some apps

00:17:58.840 --> 00:18:03.520
which do some things you want to know –
install such a tool, watch your app doing

00:18:03.520 --> 00:18:07.600
transferring data, and look what your
apps actually communicate. Actually it’s

00:18:07.600 --> 00:18:11.890
quite interesting to see what your phone
communicates to Google all the time.

00:18:11.890 --> 00:18:15.530
I realized it: one of these apps is
telling Facebook when I started,

00:18:15.530 --> 00:18:21.760
every time. What the Fuck?? But you easily
see it. What you do is you install e.g.

00:18:21.760 --> 00:18:25.620
mitmproxy, it’s a small hell of Python
dependencies, but it’s usually installable

00:18:25.620 --> 00:18:29.220
on a Linux, and even on a Mac machine.
Haven’t tried it on Windows but

00:18:29.220 --> 00:18:33.240
I’m pretty sure there’s options for that.
And you install it as a web proxy, so,

00:18:33.240 --> 00:18:37.630
you change the internet connection of your
phone, and say: “Oh, this Wi-Fi has to use

00:18:37.630 --> 00:18:43.580
a proxy, enter the IP of your proxy…”
And mitmproxy creates fake certificates

00:18:43.580 --> 00:18:47.410
on the fly. So whatever side you access
it creates a new certificate looking

00:18:47.410 --> 00:18:52.000
the same, signs it with the fake CA, and
you can install the fake CA just

00:18:52.000 --> 00:18:55.770
by going to http://mitm.it/
So, man-in-the-middle it.

00:18:55.770 --> 00:18:59.180
And there’s a link to install a fake CA
on your phone. So that’s actually really

00:18:59.180 --> 00:19:03.640
[done] in, like, 5..10 minutes, with
compiling of the Python stuff 15 minutes,

00:19:03.640 --> 00:19:07.400
and you have a working man-in-the-middle
setup and can watch your communication.

00:19:07.400 --> 00:19:11.390
This is what the app looks like. So
we see here a few POST requests

00:19:11.390 --> 00:19:17.130
to the NOKE app. We get replies;
actually we see funny 403’s here.

00:19:17.130 --> 00:19:21.250
I’m not sure why it’s doing that. But
okay. But this is what the NOKE app

00:19:21.250 --> 00:19:25.160
does on startup. And of course we can
not just see the requests, we can look

00:19:25.160 --> 00:19:30.180
into the request itself. And it’s e.g.
a good way to recover your password.

00:19:30.180 --> 00:19:34.600
Possibly I should have blurred it here.
So if you have forgotten your password

00:19:34.600 --> 00:19:38.530
you just sniff your communication. It
also works for your Play Store password,

00:19:38.530 --> 00:19:43.460
usually. Usually they use a token
but some time it’s renewed.

00:19:43.460 --> 00:19:46.710
So every app that has a password
and sends it to the cloud – you can

00:19:46.710 --> 00:19:53.370
recover it with that. And from
this login you get data back.

00:19:53.370 --> 00:19:57.280
And in the NOKE app it’s
usually done like I send

00:19:57.280 --> 00:20:00.050
login, with user and password,
and I get a token back.

00:20:00.050 --> 00:20:02.920
And then all following your request
I just have to send this token, and

00:20:02.920 --> 00:20:08.530
then I’m authenticated. So that’s
an okay mechanism I would say.

00:20:08.530 --> 00:20:11.460
So. What do we get also? We
have a GETLOCKS key, and

00:20:11.460 --> 00:20:15.080
when we call ‘getlocks’ we get
the information about our locks.

00:20:15.080 --> 00:20:18.580
So this basically is an ID of the lock.
This is a lock key. There’s something

00:20:18.580 --> 00:20:22.100
to remember: 0137 – we’ll see that later.

00:20:22.100 --> 00:20:25.200
You see the MAC of the lock,
you see a picture URL

00:20:25.200 --> 00:20:29.001
where the application shows me
the lock – if I have multiple locks

00:20:29.001 --> 00:20:34.059
I can assign different pictures
to it. And this is a quick open code

00:20:34.059 --> 00:20:37.110
where I can push on the
shackle to open this lock.

00:20:37.110 --> 00:20:40.590
So this is all no hacking because
this data I’m supposed to know.

00:20:40.590 --> 00:20:44.240
It’s my lock, I can know the information,
then it’s not a big problem.

00:20:44.240 --> 00:20:47.870
But it’s interesting to see what it’s
doing to understand how it’s working.

00:20:47.870 --> 00:20:50.880
Then we have the next
thing, the ‘shared locks’.

00:20:50.880 --> 00:20:55.690
This is more interesting, possibly because
I see: “Oh, I’m allowed to use it all day,

00:20:55.690 --> 00:20:59.170
starting at that day,
starting at that time,

00:20:59.170 --> 00:21:03.990
ending at that date, at that time”.
And this lock has a key,

00:21:03.990 --> 00:21:08.470
and there’s another key.
And another MAC.

00:21:08.470 --> 00:21:12.760
So, the nice thing is, the
lock does not have a time.

00:21:12.760 --> 00:21:16.580
The lock does not know
when I’m allowed to open it.

00:21:16.580 --> 00:21:21.520
So all I need is this key. And the nice
thing also is I don’t have to manipulate

00:21:21.520 --> 00:21:27.050
the app in any way. I can use Mitmproxy
to change the data on the fly.

00:21:27.050 --> 00:21:33.260
So I just tell Mitmproxy,
please change 2016 to 2066,

00:21:33.260 --> 00:21:36.830
then the reply comes back, and then the
NOKE app thinks “Oh, he’s still allowed

00:21:36.830 --> 00:21:42.420
to use that”. Of course the NOKE people
were clever and do an online check.

00:21:42.420 --> 00:21:47.160
Which actually means you can only
unlock a lock if you have a shared lock.

00:21:47.160 --> 00:21:50.640
Your own lock you can use offline. But a
shared lock you can only use when you

00:21:50.640 --> 00:21:55.470
have internet. Not good if it’s the cellar
or something. But it does an online check,

00:21:55.470 --> 00:22:01.610
it asks: “Can unlock?” and the cloud
answers: “Yes, success, can unlock”.

00:22:01.610 --> 00:22:06.920
Of course I can also fake that! So this
is completely bogus; it’s unnecessary

00:22:06.920 --> 00:22:09.920
to be online. I could do it offline. If
I want to hack the lock I can do it

00:22:09.920 --> 00:22:14.510
in the cellar. Only the legitimate
user has to be online.

00:22:14.510 --> 00:22:21.759
So the sharing feature of the NOKE already
is broken just with the Mitmproxy tool.

00:22:21.759 --> 00:22:27.670
Really, that’s not big hacking. They
could have thought about that. But okay.

00:22:27.670 --> 00:22:33.580
So, once somebody shares
a lock to you, a NOKE to you,

00:22:33.580 --> 00:22:36.770
you have this key and you can
use this key from then forever on.

00:22:36.770 --> 00:22:43.230
Using the original app. That’s the nice
thing. You don’t have to change it.

00:22:43.230 --> 00:22:47.660
One thing which is positive about the
architecture here, the key that they use

00:22:47.660 --> 00:22:51.750
for sharing is a different key than you
have to operate your lock. That means

00:22:51.750 --> 00:22:56.860
with this sharing key I can not
modify the lock. I can’t re-key it,

00:22:56.860 --> 00:23:02.050
or change the click code, or things
like that. So I just can open it.

00:23:02.050 --> 00:23:06.890
And they have an option to change the
key of the lock. So I can go to my lock

00:23:06.890 --> 00:23:12.299
and say “Re-key!”, and the they do a new
key. But for that I have to go to my lock.

00:23:12.299 --> 00:23:16.030
So that’s nothing if I share the lock to
you from Congress, and the lock is

00:23:16.030 --> 00:23:22.060
somewhere in… Salzburg! Then that
doesn’t work. So not really helping.

00:23:22.060 --> 00:23:25.549
Possibly one time keys or something like
that would be a better option, or just

00:23:25.549 --> 00:23:29.820
some challenge/response mechanism.
If you have to be online, why not.

00:23:29.820 --> 00:23:34.390
But that’s something for the future.
Currently lock sharing is not very secure,

00:23:34.390 --> 00:23:39.770
and I would advise you to keep that in
mind when you use the Sharing feature.

00:23:39.770 --> 00:23:44.070
Oh, regarding dumping firmware: as I said
before a firmware was not dumpable

00:23:44.070 --> 00:23:47.820
from the NOKE. The Dog & Bone I didn’t
even try to dump the firmware because

00:23:47.820 --> 00:23:52.380
it was shimmable. But they sent me
an URL in the CONNECT where I can

00:23:52.380 --> 00:23:58.510
download the firmware.
And if you… <i>laughs</i>

00:23:58.510 --> 00:24:04.240
<i>laughter and applause</i>

00:24:04.240 --> 00:24:07.381
Again, I don’t consider this
a vulnerability. I think if I own the lock

00:24:07.381 --> 00:24:11.011
I should be allowed to read the firmware.
If you download that it’s an actual

00:24:11.011 --> 00:24:15.340
hex dump of the firmware. It looks like
directly what you would flash on the chip.

00:24:15.340 --> 00:24:17.980
So if you want to do some firmware
reverse engineering that’s a very easy

00:24:17.980 --> 00:24:21.799
starting point to get the firmware from
the internet, disassemble it, play with it,

00:24:21.799 --> 00:24:24.161
flash it possibly to your own dev
board without even owning the lock,

00:24:24.161 --> 00:24:29.850
to play with it. Why not. Okay, so,
so much for the app communication.

00:24:29.850 --> 00:24:33.780
You can do quite a lot with it already.
But we want to go a little deeper.

00:24:33.780 --> 00:24:37.880
We want to go for the Bluetooth Low
Energy level. So the communication

00:24:37.880 --> 00:24:44.400
between my phone and my lock.
Or my vibrator. Or whatever.

00:24:44.400 --> 00:24:49.380
So Bluetooth Low Energy is newer, but
actually easier to sniff than Bluetooth.

00:24:49.380 --> 00:24:53.240
There’s a talk called “With Low
Energy comes Low Security”

00:24:53.240 --> 00:24:57.600
if you want to have an introduction to
that. You find it on Youtube. Basically,

00:24:57.600 --> 00:25:02.460
it has 3 security modes. But the most
common used are NON and ADHOC

00:25:02.460 --> 00:25:07.250
which is like almost none security. And
the third one would be pairing with a code

00:25:07.250 --> 00:25:10.900
which is usually a 6-digit number.
If you listen to that pairing you also

00:25:10.900 --> 00:25:16.130
own everything. This improved with
Bluetooth Low Energy 4.2, or Bluetooth 4.2

00:25:16.130 --> 00:25:20.710
which includes a new Low Energy standard.
But this is not implemented very commonly

00:25:20.710 --> 00:25:25.330
today, and won’t be in the
very near future. Because

00:25:25.330 --> 00:25:30.110
not so many devices support it. So for now
Bluetooth Low Energy is an easy target

00:25:30.110 --> 00:25:34.440
to get into research. There’s available
tools for it like the Ubertooth One

00:25:34.440 --> 00:25:38.799
by Mike Ossmann. The Adafruit
BTLE sniffer for… very cheap.

00:25:38.799 --> 00:25:42.510
And you can build your own one by flashing
a firmware available from Nordic

00:25:42.510 --> 00:25:46.830
directly to any dev board
with this chip you have.

00:25:46.830 --> 00:25:50.610
So this is the hackerspace entry point.
If you have this stuff lying around…

00:25:50.610 --> 00:25:54.760
Otherwise I would recommend going
for the Adafruit Sniffer. It’s orderable

00:25:54.760 --> 00:25:59.080
even in Europe, very easily.
So not a big problem.

00:25:59.080 --> 00:26:03.090
But the very cheap option is:
get a 3..5 Euros dev board

00:26:03.090 --> 00:26:06.590
like this from China,
use your STM32 programmer.

00:26:06.590 --> 00:26:10.220
I have another board here which is
a serial interface. But you could use

00:26:10.220 --> 00:26:15.429
your normal FTDI USB-to-Serial,
also. And then this board

00:26:15.429 --> 00:26:21.560
is identical to the Adafruit Bluetooth
LE Sniffer, for like 5 bucks.

00:26:21.560 --> 00:26:26.320
Okay. Talking about this research.
This is nothing nobody did before.

00:26:26.320 --> 00:26:31.160
Somebody like e.g. Rose & Ramsey did it at
DEF CON and presented quite a nice talk

00:26:31.160 --> 00:26:36.840
where he analyzed a lot of locks. He had
like 15 locks of it, and 12 of them broken.

00:26:36.840 --> 00:26:40.639
So it was really plain text passwords
on the Bluetooth LE, for the Quicklock,

00:26:40.639 --> 00:26:45.190
iBluLock, Plantraco Phantomlock.
I hope that’s correct.

00:26:45.190 --> 00:26:49.330
I don’t claim that to be true. But he told
[it] in the talk. He found replay attacks

00:26:49.330 --> 00:26:53.860
on these locks. So you can just resend
the same code that you saw before,

00:26:53.860 --> 00:26:57.190
even without understanding it. But he
stopped where it became interesting.

00:26:57.190 --> 00:27:01.679
And instead of that posted
this slide. Which I hate.

00:27:01.679 --> 00:27:07.090
He wrote about uncracked locks. And
the first one was the NOKE padlock.

00:27:07.090 --> 00:27:11.590
And for the time line: at that point
I already had disclosed to NOKE

00:27:11.590 --> 00:27:16.470
our findings. Which you will see today.
So the NOKE company knew about

00:27:16.470 --> 00:27:20.720
the lock being completely broken on the
crypto layer [at that time]. But they see

00:27:20.720 --> 00:27:24.210
this talk by Rose & Ramsey and post
a blog post: “NOKE just one of the few

00:27:24.210 --> 00:27:30.460
Bluetooth locks to pass hacker testing”…
SERIOUSLY?? They were notified!

00:27:30.460 --> 00:27:34.400
And they… we had active communication
about them changing the crypto protocol.

00:27:34.400 --> 00:27:39.100
Possibly the social network people are
not so close with the technical people.

00:27:39.100 --> 00:27:44.850
But okay. So, let’s crack it. Using the
Nordic Bluetooth LE sniffer firmware,

00:27:44.850 --> 00:27:48.679
which is… unfortunately the easiest way
to use is on Windows. But you can use it

00:27:48.679 --> 00:27:52.860
with Python also on Linux. And
Wireshark integration isn’t that nice…

00:27:52.860 --> 00:27:58.030
So if you have a Windows, or Windows
VM it’s the more easy entry point.

00:27:58.030 --> 00:28:01.770
Here you have a text interface where
you say: “I want to sniff to this device”,

00:28:01.770 --> 00:28:05.100
then you get a lot of lot of lot of packets
here. Mostly ‘discovery, discovery, discovery’.

00:28:05.100 --> 00:28:09.160
You have to look for the bigger packets.
This was a bigger packet with some payload,

00:28:09.160 --> 00:28:14.210
and it contains a very long string
which looks completely random.

00:28:14.210 --> 00:28:19.270
So I see from phone to NOKE there’s
random; from NOKE to phone there’s random.

00:28:19.270 --> 00:28:25.450
Looks actually encrypted. And NOKE
is claiming they are using AES128.

00:28:25.450 --> 00:28:29.170
So I didn’t even try to understand
what I see here because

00:28:29.170 --> 00:28:33.350
if it’s AES encrypted you
won’t find any meaning in it.

00:28:33.350 --> 00:28:37.380
So let’s put the sniffing aside for
a moment. We can’t sniff to the data.

00:28:37.380 --> 00:28:41.429
We can get this communication off the air.
But for the NOKE we can’t do anything

00:28:41.429 --> 00:28:47.780
with that. So let’s go for app hacking.

00:28:47.780 --> 00:28:52.140
There are different approaches. One
– the easiest… not the easiest but

00:28:52.140 --> 00:28:58.870
the first one we did –
is manipulating the apps.

00:28:58.870 --> 00:29:03.610
So you can get an APK from your phone very
easily with ADB. You don’t have to have

00:29:03.610 --> 00:29:08.450
a rooted device for that. You can just
enable Devel mode and copy the APK over.

00:29:08.450 --> 00:29:11.780
There’s lots of tutorials on the internet
how to do it. It’s basically 3 calls

00:29:11.780 --> 00:29:17.090
on the shell. And those APKs can easily
be disassembled with a tool like SMALI.

00:29:17.090 --> 00:29:21.290
You can change things in it, like
a URL. You can change values.

00:29:21.290 --> 00:29:25.919
Then you can re-assemble it, self-sign it,
and put it again on your phone.

00:29:25.919 --> 00:29:29.590
One thing you can do with that is
change the app to use a different URL

00:29:29.590 --> 00:29:34.280
for its communication. And that’s actually
quite a nice idea. Because we saw before

00:29:34.280 --> 00:29:37.500
we can completely understand this
protocol. It’s not a complicated protocol.

00:29:37.500 --> 00:29:40.710
It’s sending some requests, and it’s
getting some JSON responses. I can

00:29:40.710 --> 00:29:45.070
write this in a Python script with a few
100 lines, and fake their server.

00:29:45.070 --> 00:29:50.860
So I actually could run my NOKE lock – if
it would be having good crypto, but okay –

00:29:50.860 --> 00:29:55.020
on my own server. Not connected to their
cloud, but build my own NOKE app and

00:29:55.020 --> 00:30:01.039
have it communicate with my NOKE server.
Why not. Possibly in the far future

00:30:01.039 --> 00:30:04.630
NOKE doesn’t exist anymore, who knows?
It happened before to other companies:

00:30:04.630 --> 00:30:08.380
the servers are gone – your hardware is
gone. If you understand the protocol,

00:30:08.380 --> 00:30:11.370
if you have sniffed it before you can
reimplement it and continue using

00:30:11.370 --> 00:30:15.820
your hardware. Except for that I wouldn’t
like to have my locks in the cloud!

00:30:15.820 --> 00:30:19.520
We actually used this method during
the analysis of the NOKE lock

00:30:19.520 --> 00:30:23.260
to change a random number generator
in the app to always return ‘42’.

00:30:23.260 --> 00:30:27.500
Thanks to Sec for that one. He did
a binary patch on the MIPS binary on it.

00:30:27.500 --> 00:30:31.980
We just put it in and had a nice
random number to spot it easier

00:30:31.980 --> 00:30:37.870
on the communication. The other thing
is you can decompile these app APKs.

00:30:37.870 --> 00:30:42.340
You get it, again with ADB. Run it through
a decompiler like Jadx which you can

00:30:42.340 --> 00:30:45.880
install on your PC. You can download
it from Github. Or if you just want

00:30:45.880 --> 00:30:50.269
an easy decompile you go to
an online decompilation service.

00:30:50.269 --> 00:30:54.360
They say: “Please only use it for
legitimate purposes”, but we do!

00:30:54.360 --> 00:31:00.460
And yesterday Sec was very annoyed
by the Adblocker blocker they have.

00:31:00.460 --> 00:31:04.460
But if you ignore that then it’s
very easy to just upload an APK,

00:31:04.460 --> 00:31:08.130
get back the source code. And then,
basically, you have Java source

00:31:08.130 --> 00:31:15.520
which you can read, you can search,
you can grep… Oh! You can grep.

00:31:15.520 --> 00:31:21.479
So. We were looking for AES!
<i>laughter</i>

00:31:21.479 --> 00:31:30.730
<i>applause</i>

00:31:30.730 --> 00:31:34.809
Yeah, everybody is laughing at that
slide. But there’s 2 things to mention.

00:31:34.809 --> 00:31:38.690
First of all this is not all of our
research. This is just the beginning.

00:31:38.690 --> 00:31:42.670
Then it became difficult. The other
thing is this key of course is very silly.

00:31:42.670 --> 00:31:47.270
They actually use 01 to 15
as an AES encryption key.

00:31:47.270 --> 00:31:50.610
But if they would have used a real random
pre-shared key I still would have found it

00:31:50.610 --> 00:31:55.080
that way. So, actually, it’s not really
less secure. It’s just possibly left over

00:31:55.080 --> 00:31:59.820
from development. I have no idea
why you would use that key! But still

00:31:59.820 --> 00:32:02.529
– even a better key, I would have found
it in the source code. Because it’s

00:32:02.529 --> 00:32:06.770
a pre-shared key. The lock knows it.
The app knows it – has to know it

00:32:06.770 --> 00:32:11.299
because it’s pre-shared. So, yeah…
But still it’s very funny that they have

00:32:11.299 --> 00:32:15.880
this silly key in there. And we were
actually wondering quite a lot:

00:32:15.880 --> 00:32:20.080
“Oh, but what blockchaining mode
do they use? How do they use AES?

00:32:20.080 --> 00:32:24.020
Is there an initialization vector?”.
I don’t know.

00:32:24.020 --> 00:32:29.210
Took us quite a while until we realized:
it’s simply just one block! If we use

00:32:29.210 --> 00:32:34.740
that thing that we sniffed earlier
and just run one AES decryption

00:32:34.740 --> 00:32:39.570
with the key 0001 etc. we get something

00:32:39.570 --> 00:32:43.749
which includes our 42 numbers. Oh!
Our ‘random’ numbers turn up!

00:32:43.749 --> 00:32:48.590
How are the chances for that? No.
So, actually this key decrypted the thing

00:32:48.590 --> 00:32:52.900
we got from the wire. So we thought:
“Success!” and NOKE is cracked!

00:32:52.900 --> 00:32:56.160
Unfortunately it only worked for the
first 2 messages, and all we saw

00:32:56.160 --> 00:32:59.550
in these 2 messages is our ‘random’
number, and in the answer

00:32:59.550 --> 00:33:03.990
another obviously real random number,
because we didn’t patch the lock.

00:33:03.990 --> 00:33:10.480
The next messages from that on
again were completely scrambled.

00:33:10.480 --> 00:33:15.270
So we had to do some
more reverse-engineering.

00:33:15.270 --> 00:33:20.909
Unfortunately, or fortunately – to make
it a little more interesting for us –

00:33:20.909 --> 00:33:25.180
this APK from NOKE doesn’t
only include the Java source.

00:33:25.180 --> 00:33:29.080
It has some shared object files.
So, binaries, which are compiled

00:33:29.080 --> 00:33:34.160
with some other compiler, probably C.
Luckily those were in there for Android,

00:33:34.160 --> 00:33:38.289
for multiple architectures. And one of
those – I don’t know who is using Android

00:33:38.289 --> 00:33:44.249
on x86, but obviously it exists – so
we had all the libraries also in x86.

00:33:44.249 --> 00:33:48.090
Which we could run through a commonly
available disassembler. I started doing

00:33:48.090 --> 00:33:51.760
this object dump, and things (?) a little
bit. But it’s really hard to read, and

00:33:51.760 --> 00:33:57.310
you don’t come so far with it. So,
big thanks again to Sec and to e7p

00:33:57.310 --> 00:34:01.210
who helped me a lot during Easterhegg
this year, which was a quite nice event,

00:34:01.210 --> 00:34:06.000
where we did some lock hacking. And they
were staring with me at IDA Pro dumps

00:34:06.000 --> 00:34:11.639
all the time to find the key exchange,
and finally, it worked out.

00:34:11.639 --> 00:34:16.460
So, all the assembler is very hard
to read, I think. But we see there’s

00:34:16.460 --> 00:34:20.580
a parseCmd function we found.
Actually they had the labels in there!

00:34:20.580 --> 00:34:23.540
Which again is not the vulnerability,
it just made it easier for us

00:34:23.540 --> 00:34:29.530
to spot the stuff. I don’t think
that’s bad from them. It’s okay.

00:34:29.530 --> 00:34:35.248
So we found this parseCmd. It actually
calls an AES decrypt function.

00:34:35.248 --> 00:34:39.639
It gets a little bigger and bigger
and bigger. There we find

00:34:39.639 --> 00:34:44.339
– I actually can’t read it from here very
good – this was the Create Session key.

00:34:44.339 --> 00:34:49.329
This sounds very promising. It was
called ‘CreateSessionKey’. Hm.

00:34:49.329 --> 00:34:54.409
Might have something to do with the things
we saw before. And it has this in a loop.

00:34:54.409 --> 00:34:58.249
And this loop is actually something people
could understand if they can read some

00:34:58.249 --> 00:35:03.339
x86 assembler. It’s a loop of
4 iterations. And it’s XORing values

00:35:03.339 --> 00:35:09.490
from one array to another.
So it’s basically XORing 4 values.

00:35:09.490 --> 00:35:14.029
And this is the core component of the key
exchange. This is the 4 byte numbers

00:35:14.029 --> 00:35:20.320
that we saw earlier. My 42 42 42 42…
and the other one coming from the lock,

00:35:20.320 --> 00:35:25.440
are XORed together, and then there’s
some more magic done. So basically

00:35:25.440 --> 00:35:29.380
the app sends a random number to the lock,
the lock sends a random number to the app.

00:35:29.380 --> 00:35:34.430
And from that there’s a session
key calculated by adding XOR

00:35:34.430 --> 00:35:40.299
of these 2 numbers to the
middle of the original key.

00:35:40.299 --> 00:35:45.200
So you have this original
key which we saw before.

00:35:45.200 --> 00:35:49.140
And you add this result onto it. So.

00:35:49.140 --> 00:35:54.410
We saw from the app our 42 44 42.
Of course if you have the real app

00:35:54.410 --> 00:35:58.799
running that would be still real random.
But this doesn’t make a difference.

00:35:58.799 --> 00:36:01.950
It just was easier for us to see
it’s the same every time, so…

00:36:01.950 --> 00:36:06.450
It helped a little bit, but not too much.
So the lock sends the key, those 2 values

00:36:06.450 --> 00:36:12.680
are XORed together; and then they are
added onto this silly pre-shared key.

00:36:12.680 --> 00:36:17.329
I don’t know why they’re doing that!
I mean, they could have at least added it

00:36:17.329 --> 00:36:21.430
to different parts of it, and they
would have more entropy in it, or…

00:36:21.430 --> 00:36:24.140
I’m not sure who sits in the cell and
does some coding, and thinks:

00:36:24.140 --> 00:36:30.160
“This is a good key exchange!”?
You can’t really look into these minds.

00:36:30.160 --> 00:36:34.260
But okay, so, we can do something
in our head. We see here is 0xFD,

00:36:34.260 --> 00:36:39.069
we add 0x05 to it. So it rolls over. This
is why here’s the Modulo operation.

00:36:39.069 --> 00:36:43.609
And get the 0x02. We have 0xBB
here. We add 0x06 to 0xBB.

00:36:43.609 --> 00:36:48.900
If you can calculate hex you see it comes
to 0xC1. Etc. So everything that changed

00:36:48.900 --> 00:36:55.660
in the key is the middle 4 bytes.
Which is actually another vulnerability.

00:36:55.660 --> 00:37:00.220
Because it means even if for some reason,
which I really can’t imagine because

00:37:00.220 --> 00:37:04.400
this exchange is done everytime you
open your lock. It’s not something done

00:37:04.400 --> 00:37:08.839
on the first time or done once per phone
or something. Everytime somebody opens

00:37:08.839 --> 00:37:12.440
this NOKE this whole sequence is run
through. It connects to the lock, sends

00:37:12.440 --> 00:37:19.469
a random number, receives a random number,
the session key is calculated, and using

00:37:19.469 --> 00:37:23.539
the new session key the rest of the
communication is done. But just in case

00:37:23.539 --> 00:37:27.420
you did miss the first packets for some
reason: if you have a real attack scenario

00:37:27.420 --> 00:37:31.089
where you can’t replay it it might happen
that it’s scrambled. Then it’s still

00:37:31.089 --> 00:37:34.290
4 bytes changed in the key, so we can
brute-force the new key. By knowing

00:37:34.290 --> 00:37:39.079
the old one and brute-forcing those
4 bytes. So I think that’s doable

00:37:39.079 --> 00:37:43.390
on a modern machine without
bigger problem. So really,

00:37:43.390 --> 00:37:47.809
not the cleverest key exchange.
But even if it would be better

00:37:47.809 --> 00:37:51.059
it wouldn’t really help. Because there’s
no asymmetric crypto in it, there’s

00:37:51.059 --> 00:37:54.869
nothing preventing us from following it.
If you exchange a session key

00:37:54.869 --> 00:37:58.630
over a pre-shared secret, somebody
knowing the pre-shared secret

00:37:58.630 --> 00:38:03.349
will always be able to follow it.
So, they have to do some big changes

00:38:03.349 --> 00:38:08.250
there to make it proof against sniffing.

00:38:08.250 --> 00:38:13.489
We have this new session key and of course
we have to verify what is happening.

00:38:13.489 --> 00:38:18.870
We have the next message on our
wire. We’re decoding it with the new

00:38:18.870 --> 00:38:21.819
– very cool – key we have. And we
get something that doesn’t look

00:38:21.819 --> 00:38:25.849
completely random. We do it with multiple
ones and see some structure in it.

00:38:25.849 --> 00:38:30.950
It’s always… <i>strange guttural noises</i>
I think I pasted the wrong thing here,

00:38:30.950 --> 00:38:36.219
actually. Very sorry for that. You have
to imagine a different message here.

00:38:36.219 --> 00:38:40.039
Encrypt that using that key and you
would see what would be up here.

00:38:40.039 --> 00:38:44.279
But here would be this random we got
from the air. We de-crypt it with that,

00:38:44.279 --> 00:38:49.869
and get this. And this dissects into an
op code which is always at the third byte.

00:38:49.869 --> 00:38:53.640
And after the op code we actually see
the lock key which you remember from

00:38:53.640 --> 00:38:58.589
one of the first slides – 013755 –
this is the key from my lock.

00:38:58.589 --> 00:39:05.609
So we now got the key from the air,
and have full access to the lock.

00:39:05.609 --> 00:39:08.249
Bad luck for NOKE.

00:39:08.249 --> 00:39:16.430
<i>applause</i>

00:39:16.430 --> 00:39:20.270
So 06 is just one of the op codes. When
you browse through the Java source

00:39:20.270 --> 00:39:26.109
you see much more op codes that might
happen. So e.g. there’s the Rekey option

00:39:26.109 --> 00:39:30.849
which you send to the lock, and the lock
starts to re-key to regenerate the key,

00:39:30.849 --> 00:39:34.530
send back the new keys. You can
unlock – which is what we just saw.

00:39:34.530 --> 00:39:38.910
Get the battery level. Set a new Quick
Opening Code. Can reset the lock.

00:39:38.910 --> 00:39:42.890
Can do a firmware update. That looks
promising! I have the idea, we will see

00:39:42.890 --> 00:39:48.770
this op code in the near future.
And you can enable ‘key fob’

00:39:48.770 --> 00:39:52.640
which a small device is which you can
use to open the lock without a phone.

00:39:52.640 --> 00:39:57.210
So you can send commands
to pair those, and add them,

00:39:57.210 --> 00:40:00.789
and get locks of this (?). So this is just
a few, we haven’t played with all of them.

00:40:00.789 --> 00:40:04.720
The SetQuickCode,
I think I sniffed a few…

00:40:04.720 --> 00:40:09.260
Yeah, but that’s basically the things you
can do, and you can decode all of them

00:40:09.260 --> 00:40:12.150
with the message shown before.

00:40:12.150 --> 00:40:16.429
So some history of
the vendor notification.

00:40:16.429 --> 00:40:20.099
We did this on the Easterhegg [2016].
Everybody knows Easterhegg is Easter.

00:40:20.099 --> 00:40:23.440
So this was in April [2016].
Possibly it wasn’t

00:40:23.440 --> 00:40:26.829
the best idea to send
them on April, 1st. But…

00:40:26.829 --> 00:40:28.899
<i>laughter</i>

00:40:28.899 --> 00:40:35.419
No, they replied and took it seriously. So
they actually very instantly told us they

00:40:35.419 --> 00:40:39.369
like the research and everything.
They knew their crypto isn’t perfect,

00:40:39.369 --> 00:40:42.469
but the product has to get out. And they
were working on a new protocol, they sent

00:40:42.469 --> 00:40:47.579
a few details of that. We don’t have full
details so far, so we can’t really tell

00:40:47.579 --> 00:40:52.709
if the new protocol is very good. But
it looked, from the idea, a little better.

00:40:52.709 --> 00:40:57.200
They’re bringing out a Bike U-lock which
is not out yet. And it’s supposed to have

00:40:57.200 --> 00:41:01.460
the new protocol from shipping.
We will see. A thing which I found

00:41:01.460 --> 00:41:05.599
very funny is I downloaded a new [NOKE] app
in November, and it has a major update

00:41:05.599 --> 00:41:10.550
in the screen: the ‘Rekey’
button is now hidden!

00:41:10.550 --> 00:41:13.509
So, remember, that’s the only button
which saves you from someone

00:41:13.509 --> 00:41:17.450
you shared a lock to, to lock him out.
So this button now is hidden.

00:41:17.450 --> 00:41:21.200
Possibly not the best idea. Possibly
people weren’t understanding it.

00:41:21.200 --> 00:41:25.079
But it can be enabled in the ‘Advanced
Settings’ menu. So, no problem.

00:41:25.079 --> 00:41:28.680
But they just recently told me that
they’re planning to actually fix that

00:41:28.680 --> 00:41:33.049
in January. So we’re actually
really in a Zeroday here.

00:41:33.049 --> 00:41:37.540
So the locks are still vulnerable.
But 8 months, sorry… I…

00:41:37.540 --> 00:41:41.960
the conference is now, we couldn’t
change that! <i>laughter</i>

00:41:41.960 --> 00:41:53.450
<i>Ray laughs</i>
<i>applause</i>

00:41:53.450 --> 00:41:58.299
If you use such a NOKE lock I still
want to say I like the hardware.

00:41:58.299 --> 00:42:01.509
It’s quite a nice hardware. Possibly
write an open source firmware for it,

00:42:01.509 --> 00:42:04.920
build your own crypto, during
the time. Or just don’t use it

00:42:04.920 --> 00:42:09.420
for real valuable things. Or use your
Aluburka or other shielding while

00:42:09.420 --> 00:42:15.049
opening it, I don’t know. But just be
aware if someone sniffs your communication

00:42:15.049 --> 00:42:18.650
using his 5 Dollar dev board
he probably knows your codes.

00:42:18.650 --> 00:42:25.300
So, yeah. So much for the NOKE.
This is not really the end, it’s just

00:42:25.300 --> 00:42:31.680
the beginning of the end section. Because
we still have one mechanical bypass left.

00:42:31.680 --> 00:42:36.529
You remember that earlier I mentioned
also the Master Lock doesn’t have

00:42:36.529 --> 00:42:41.609
no mechanical bypass that we found. If you
remember Chaos Communication Congress

00:42:41.609 --> 00:42:45.279
4 years ago – you can remember from
the Rocket standing exactly here –

00:42:45.279 --> 00:42:48.190
<i>points to picture on slide</i> we did
a presentation on this first Bluetooth…

00:42:48.190 --> 00:42:52.529
not Bluetooth, on this first electronic
padlock by Master Lock, where we had

00:42:52.529 --> 00:42:56.109
a nice mechanical magnet attack,
which was found by Michael Hübler

00:42:56.109 --> 00:43:01.829
by very cleverly drilling a hole,
observing the motors, acting with magnets…

00:43:01.829 --> 00:43:07.829
and found this special move
which opens the old Master Lock.

00:43:07.829 --> 00:43:11.200
And we reported that back then.
So 4 years ago we told Master Lock:

00:43:11.200 --> 00:43:15.920
“Oh, your padlock can be opened
with a magnet, this is not very good”.

00:43:15.920 --> 00:43:21.539
But this was a 30 Dollars padlock, and…
oh my god, could be done with a magnet.

00:43:21.539 --> 00:43:25.309
So this is the new one, and they changed
something. Actually it’s something they

00:43:25.309 --> 00:43:30.990
told us back then that they’re planning
to do. They added a shielding metal.

00:43:30.990 --> 00:43:36.719
So, this very big, thick shielding
here which I would use to block

00:43:36.719 --> 00:43:43.099
all the radiation from whatever
it is, around half of the motor

00:43:43.099 --> 00:43:49.460
is supposed to help. Let’s have a look.

00:43:49.460 --> 00:43:52.529
<i>silent video starts</i>
So this is the Master Lock.

00:43:52.529 --> 00:43:56.259
We have a bigger magnet. I have to admit
you see it’s a much bigger magnet.

00:43:56.259 --> 00:44:02.519
Those magnets are illegal to possess
all over Germany, I hope, soon!

00:44:02.519 --> 00:44:05.750
And we have a different move. We’re
now rotating the magnet. We were

00:44:05.750 --> 00:44:09.759
shifting it before. – And it’s open!

00:44:09.759 --> 00:44:24.650
<i>laughter and applause</i>

00:44:24.650 --> 00:44:28.249
This also is not really Zeroday because
as you saw before on the slide

00:44:28.249 --> 00:44:33.540
by Rose & Ramsey he also told
the Master Lock is unpickable.

00:44:33.540 --> 00:44:37.989
And after the talk at DEF CON I, in
the Q&A section somehow mentioned

00:44:37.989 --> 00:44:42.690
that I doubt that. I didn’t tell
what to do exactly because

00:44:42.690 --> 00:44:46.739
I wanted to give Master Lock some
response time. But directly after the talk

00:44:46.739 --> 00:44:50.599
somebody approached me: “That’s very
interesting, I’m with Master Lock!” <i>laughs</i>

00:44:50.599 --> 00:44:53.400
<i>laughter</i>
And I actually showed him this and he

00:44:53.400 --> 00:44:59.090
filmed it with his mobile phone.
So I consider the vendor notified!

00:44:59.090 --> 00:45:09.749
<i>laughs</i>
<i>laughter and applause</i>

00:45:09.749 --> 00:45:13.019
So I would say: “Works for me!”

00:45:13.019 --> 00:45:20.450
<i>laughter and applause</i>

00:45:20.450 --> 00:45:25.010
So I have a message to all these vendors
and kickstarters and lock makers:

00:45:25.010 --> 00:45:28.950
“Don’t try to be smart, be smart!
And disclose your crypto protocols!”

00:45:28.950 --> 00:45:32.150
There’s really no need to make
a secret crypto protocol. And if

00:45:32.150 --> 00:45:35.609
your development department tells
you: ”No no, we can’t disclose that,

00:45:35.609 --> 00:45:39.430
that’s a really silly idea to disclose our
crypto!” you probably have bad crypto,

00:45:39.430 --> 00:45:42.709
and they know it!
<i>laughter</i>

00:45:42.709 --> 00:45:47.119
And, of course, if you build a new
thing like a hardware, like a lock e.g.

00:45:47.119 --> 00:45:51.920
try to get your hardware in the hands of
experienced lockpickers, or locksmiths.

00:45:51.920 --> 00:45:55.080
The shimming bypass, of the
Dog & Bone padlock, really,

00:45:55.080 --> 00:45:58.460
every locksmith in the
U.S. would have told them:

00:45:58.460 --> 00:46:04.530
“You can’t build a 100 Dollar padlock
which can be shimmed with a soda can!”

00:46:04.530 --> 00:46:07.839
Especially if you’re an electronics
company what those Dog & Bone people

00:46:07.839 --> 00:46:11.179
obviously are: Don’t trust on your
electronics knowledge. The hardware

00:46:11.179 --> 00:46:16.049
also has to work. And please, if you give
this hardware to people don’t try to get

00:46:16.049 --> 00:46:19.440
any NDA’s, or “Oh you can’t disclose”
– because then they won’t do it, and

00:46:19.440 --> 00:46:24.479
you will wait just for the product to come
out, and disassemble it then. So really…

00:46:24.479 --> 00:46:28.740
Actually, I must say the
NOKE people which I…

00:46:28.740 --> 00:46:32.529
the lock isn’t working that good but
I think the company is doing quite well.

00:46:32.529 --> 00:46:36.390
They sent us one of their
locks for mechanical analysis

00:46:36.390 --> 00:46:40.569
after our Master Lock presentation.
So we tested their lock

00:46:40.569 --> 00:46:43.909
on our magnetic attack and that didn’t
work. And still doesn’t work. So

00:46:43.909 --> 00:46:47.249
that thing they did good. The other thing
is that they didn’t get the crypto right.

00:46:47.249 --> 00:46:50.500
But okay. People are learning.
<i>some laughter</i>

00:46:50.500 --> 00:46:53.969
So if someone really wants to be smart
– and we also tried to tell that [to] NOKE

00:46:53.969 --> 00:46:57.219
in the kickstarter campaign –
try to become the first one.

00:46:57.219 --> 00:47:01.289
And this is really ‘WTF’. Why is
there no – at all – open source lock?

00:47:01.289 --> 00:47:06.099
Or light bulb? Or vibrator?
I have no idea. But…

00:47:06.099 --> 00:47:09.059
I think you want to sell the hardware! Why
don’t make the software open source

00:47:09.059 --> 00:47:10.980
and make it auditable?

00:47:10.980 --> 00:47:21.679
<i>applause</i>

00:47:21.679 --> 00:47:25.529
Oopf… What’s that slide? Oh
yeah, there’s Hacker Jeopardy!

00:47:25.529 --> 00:47:29.720
If you want Hacker Jeopardy to happen
next year please send content!

00:47:29.720 --> 00:47:35.740
<i>laughs</i>
<i>applause and cheers</i>

00:47:35.740 --> 00:47:39.890
I heard from that Sec guy and that
Ray guy that they’re really old,

00:47:39.890 --> 00:47:43.400
and they don’t know the things that the
young generation wants to have asked

00:47:43.400 --> 00:47:46.549
in a Jeopardy. And what Pokémons
you have to ask, and stuff like that…

00:47:46.549 --> 00:47:50.869
So send a few ideas! There’s a German
page, but Hacker Jeopardy will be German

00:47:50.869 --> 00:47:55.130
next year. So, sorry for that. A German
page which tells you how to submit ideas,

00:47:55.130 --> 00:47:59.410
how to make good ideas. And if you
send enough content possibly next year

00:47:59.410 --> 00:48:03.749
there will be Hacker Jeopardy, again.

00:48:03.749 --> 00:48:09.729
<i>applause</i>

00:48:09.729 --> 00:48:14.359
So, we have some links. Actually, this
is the Zeroday tool we are releasing,

00:48:14.359 --> 00:48:19.119
by e7p. It’s not on there yet, I think.
Or possibly he’s sitting in the audience

00:48:19.119 --> 00:48:23.539
and uploading it right now. It’s a small
Python script. It needs Python3.

00:48:23.539 --> 00:48:27.819
And it implements this crypto session
exchange. So what you basically do is

00:48:27.819 --> 00:48:31.640
you get the values from your Wireshark,
which is all these Hex strings,

00:48:31.640 --> 00:48:36.359
put them to a file, start the
decode-NOKE tool and it will tell you

00:48:36.359 --> 00:48:40.229
what keycode is in there, what things are
set. Currently it only supports, I think,

00:48:40.229 --> 00:48:43.899
the ‘Open’ command mainly, and the
‘Read Battery’ possibly. But we’ll try

00:48:43.899 --> 00:48:48.289
to add a few more codes as we decode them.
But it’s enough to get the lock code

00:48:48.289 --> 00:48:52.249
from the air. So with this tool
– but you could implement it yourself –

00:48:52.249 --> 00:48:57.419
you easily can crack the locks.
And there’s a blog entry by MH

00:48:57.419 --> 00:49:00.019
who did a nice paper about the NOKE’s
hardware and everything. If you really

00:49:00.019 --> 00:49:04.039
want to look inside the lock look at this.
And then there’s of course the link

00:49:04.039 --> 00:49:08.359
to the Nordic RF sniffer software.

00:49:08.359 --> 00:49:12.589
This is one of the decompilers which
has the Adblocker blocker on it.

00:49:12.589 --> 00:49:16.140
And there’s an article from Sec’s blog
telling you how to decompile and recompile

00:49:16.140 --> 00:49:21.849
an app. Which I found quite
helpful during the working.

00:49:21.849 --> 00:49:25.939
So okay. So, thanks for listening.

00:49:25.939 --> 00:49:29.980
Please, if you have smart things
around, and want to play with that,

00:49:29.980 --> 00:49:34.579
I have one of these dev boards left. So
I have 2, one for me and one I can lend

00:49:34.579 --> 00:49:39.539
to someone who wants to sniff to his/her
hardware. Come to the MuCCC assembly

00:49:39.539 --> 00:49:46.410
and tell me what you want to attack,
and I’ll give you my RF sniffer board.

00:49:46.410 --> 00:49:49.549
Or leave the things there, and we play
during Congress. Not today, possibly,

00:49:49.549 --> 00:49:53.499
but tomorrow I’ll be in the assembly, or
someone will be there. And I think

00:49:53.499 --> 00:49:57.529
now I have basically exactly 10 minutes,
and I hope there are some questions.

00:49:57.529 --> 00:50:00.179
Otherwise I was too quick! Thank you!

00:50:00.179 --> 00:50:11.199
<i>applause</i>

00:50:11.199 --> 00:50:14.340
Herald: <i>leise:</i> Hallo! Mikro wär’ schön!
Rufender: Musst’ nur anmachen!

00:50:14.340 --> 00:50:16.809
Herald: Is an!
Ray: He wants a microphone for the questions!

00:50:16.809 --> 00:50:19.469
<i>Herald is told how to switch on microphone</i>

00:50:19.469 --> 00:50:21.959
Herald: Hah, wer lesen
kann ist klar im Vorteil!

00:50:21.959 --> 00:50:26.759
Ray, thank you very much!
Do you have some time later?

00:50:26.759 --> 00:50:31.380
I might need to ask a favour! Did I told
you about that friend that I’m having

00:50:31.380 --> 00:50:36.680
with the Bluetooth enabled coffee
machine? We, we speak later!

00:50:36.680 --> 00:50:40.509
We have some questions, and we have some
questions from the internet. So here we go!

00:50:40.509 --> 00:50:43.509
Signal Angel: Yes, thank
you. Ray, are you aware

00:50:43.509 --> 00:50:47.699
of any secure Bluetooth locks?
With decent crypto?

00:50:47.699 --> 00:50:52.160
Ray: Actually… not! What I can’t tell is

00:50:52.160 --> 00:50:56.580
if the crypto of the Master Lock, or
the crypto of the Dog & Bone are good,

00:50:56.580 --> 00:51:01.579
because we really haven’t looked into
it. But it wouldn’t really help because

00:51:01.579 --> 00:51:05.990
the hardware is broken. The NOKE people,
as I said, are bringing out a new firmware

00:51:05.990 --> 00:51:11.339
in January [2017]. I’ll try to make them
tell me what they’re doing. Because

00:51:11.339 --> 00:51:14.630
I’m not really going to reverse-engineer
it again. I do that for a vendor once.

00:51:14.630 --> 00:51:17.799
We don’t have to do it a second time. So I
hope they just tell me what they’re doing,

00:51:17.799 --> 00:51:21.520
and we can have a look if it looks
promising. But at least they react.

00:51:21.520 --> 00:51:25.619
So, possibly, the NOKE is becoming a
more secure padlock. But besides that

00:51:25.619 --> 00:51:30.570
I don’t know any, so far. You can find the
talk by Rose & Ramsey on the internet.

00:51:30.570 --> 00:51:36.039
It’s unusual for DEF CON talks but this
DEF CON talk is online. So you see lots of

00:51:36.039 --> 00:51:39.419
locks there which he attacked, and they
all were worse than the ones we had here.

00:51:39.419 --> 00:51:43.809
So, sorry, no. Which I could recommend.

00:51:43.809 --> 00:51:46.480
And I wouldn’t recommend it, anyway,
because if it’s not open source you

00:51:46.480 --> 00:51:50.890
don’t know if it’s secure! You just
know it’s currently uncracked. So,

00:51:50.890 --> 00:51:53.599
possibly stick to your old ones!
<i>laughs</i>

00:51:53.599 --> 00:51:54.809
But thanks for the question.

00:51:54.809 --> 00:51:58.599
Herald: Then we’re gonna
hop over to microphone no. 2!

00:51:58.599 --> 00:52:03.199
Question: Thank you. That was quite
a bit of ‘Fremdschäming’. Fun talk. (?)

00:52:03.199 --> 00:52:07.499
Just one thought: You said that
it’s about selling the hardware.

00:52:07.499 --> 00:52:12.440
Well, maybe it’s not. Because from what
I understand most of those devices

00:52:12.440 --> 00:52:17.799
are cloud-enabled. So I’m pretty
sure they collect all the data,

00:52:17.799 --> 00:52:20.419
and maybe it’s about mining
that, for them. I don’t know.

00:52:20.419 --> 00:52:25.619
Ray: Actually, yes. The NOKE has a Pro
version where they sell a company license

00:52:25.619 --> 00:52:29.180
where you can have a company software
to the cloud, and have more features like

00:52:29.180 --> 00:52:34.499
sharing other’s locks. But still you can
make it open source, and make a license

00:52:34.499 --> 00:52:38.259
that disallows commercial use, or
something like that. Open source

00:52:38.259 --> 00:52:43.140
doesn’t have to mean it’s free to use.
And if you have very complicated logic

00:52:43.140 --> 00:52:48.339
for your company portal, or something,
possibly keep that closed-source.

00:52:48.339 --> 00:52:52.031
But enable me to follow your
communication, to understand

00:52:52.031 --> 00:52:55.759
how keys are generated, and stuff
like that. This is not your secret.

00:52:55.759 --> 00:52:59.680
This is something… this
is the elementary function.

00:52:59.680 --> 00:53:02.790
People should be able to understand an
audit. And especially in a commercial

00:53:02.790 --> 00:53:06.980
environment, if you ask a locksmith
or some other security expert:

00:53:06.980 --> 00:53:11.989
“Would you recommend this device?”, if he
can’t look into it he can’t recommend it.

00:53:11.989 --> 00:53:16.849
So I think also for selling appliances, or
selling services open source algorithms

00:53:16.849 --> 00:53:23.039
or open source protocols would be the best
solution. But especially in the lock industry

00:53:23.039 --> 00:53:26.250
that’s very very uncommon. I had
really bad experience talking to

00:53:26.250 --> 00:53:29.890
normal lock manufacturers about open
sourcing their stuff. It’s an idea they

00:53:29.890 --> 00:53:34.299
don’t understand. They’re about secrets,
I don’t know. Let’s hope for the future!

00:53:34.299 --> 00:53:36.959
<i>laughs</i> Another…
Herald: Okay, we had…

00:53:36.959 --> 00:53:41.119
No. 1 is just coming up! He was queuing
at ‘3’ but covering the camera, and then

00:53:41.119 --> 00:53:44.519
the camera man got a little bit disturbed,
and… it’s a long story. ‘1’, we go!

00:53:44.519 --> 00:53:47.930
Question: I was wondering if you knew
about the new locks which advertise

00:53:47.930 --> 00:53:51.269
their existence, like broadcast
things, or things like that?

00:53:51.269 --> 00:53:54.649
Could you like walk through the street and
know there are Bluetooth locks around you?

00:53:54.649 --> 00:53:59.229
Ray: No, those locks usually don’t broadcast
because it would use too much energy.

00:53:59.229 --> 00:54:02.789
So usually you have to push the
shackle of the lock or something.

00:54:02.789 --> 00:54:06.870
And then it broadcasts. There are actually
if you go back to this DEF CON talk

00:54:06.870 --> 00:54:11.170
I was talking about – and I think that’s
enough shaming of Master Lock here –

00:54:11.170 --> 00:54:16.180
<i>video playback stops</i>
if he has door locks and stuff like that,

00:54:16.180 --> 00:54:19.119
those possibly are connected to [the]
power [grid] and advertise all the time.

00:54:19.119 --> 00:54:23.410
So he did some lock wardriving.
But for the padlocks that doesn’t work.

00:54:23.410 --> 00:54:27.380
But of course you can go and click
them, and then… get the idea.

00:54:27.380 --> 00:54:30.510
And of course you can do the other thing:
you could walk around and pretend

00:54:30.510 --> 00:54:34.699
you’re a lock, and see if someone has the
app running, and connects back to you.

00:54:34.699 --> 00:54:37.030
That might work!

00:54:37.030 --> 00:54:39.690
Herald: And over to
microphone no. 2, please!

00:54:39.690 --> 00:54:45.779
Question: I was wondering
about that strong encryption,

00:54:45.779 --> 00:54:50.809
meaning AES, and on the other
hand the very weak, or vulnerable,

00:54:50.809 --> 00:54:56.529
or flawed key exchange: do you
think that might be due to out-tasking,

00:54:56.529 --> 00:55:01.780
like they have specified that they
want encryption, and have not specified

00:55:01.780 --> 00:55:05.980
how key exchange is to be handled,
and that might be the reason why

00:55:05.980 --> 00:55:10.709
it takes them 8 months
or more to fix that?

00:55:10.709 --> 00:55:14.130
Ray: This is basically 2 questions.
Of course I can only speculate.

00:55:14.130 --> 00:55:18.920
It might be out-tasking, it might
also be that they just had the time…

00:55:18.920 --> 00:55:22.400
if you follow the NOKE kickstarter
campaign – it was all funded

00:55:22.400 --> 00:55:25.869
in a kickstarter – they had a lot of
problems in delivering on time.

00:55:25.869 --> 00:55:29.809
So there’s lots and lots of comments
“I’m waiting for my lock, oh. Oh god,

00:55:29.809 --> 00:55:33.280
another delay, now you’re claiming
manufacturing is difficult…”, so, many,

00:55:33.280 --> 00:55:37.410
many people saying “you have to come out
with that”. So it might be time pressure,

00:55:37.410 --> 00:55:40.739
it might be out-tasking, and of course
it might be that they just specified:

00:55:40.739 --> 00:55:44.439
“Oh, we want to use AES”. And that’s
the other thing, everybody says:

00:55:44.439 --> 00:55:48.420
“We disclose what we’re using. We’re using
AES!” Here we have a very good example,

00:55:48.420 --> 00:55:51.979
yes, it really is using AES. And it’s
using a correct implementation.

00:55:51.979 --> 00:55:56.749
We actually found it’s a TI example
implementation of AES that they’re using.

00:55:56.749 --> 00:56:01.559
So it’s completely valid AES128,
but still it’s completely insecure.

00:56:01.559 --> 00:56:06.089
So people just claim they’re using AES, or
“We’re using SHA-somesing or somesing”.

00:56:06.089 --> 00:56:09.999
Isn’t enough. You have to know the whole
protocol. And that wasn’t the case here.

00:56:09.999 --> 00:56:12.579
<i>laughs</i>
Herald: Okay, then we’re gonna go over

00:56:12.579 --> 00:56:14.579
to the internet, again!
Ray: The internet… of…

00:56:14.579 --> 00:56:19.420
Signal Angel: Thank you. Actually it’s a
follow-up question for the previous one:

00:56:19.420 --> 00:56:22.809
would it be sufficient to have
a hardware-accelerated AES

00:56:22.809 --> 00:56:25.379
on these Bluetooth thingies?

00:56:25.379 --> 00:56:30.450
Ray: Actually hardware-accelerated AES
doesn’t have to do anything with that.

00:56:30.450 --> 00:56:34.009
That might be helpful if you have
a chip which is a crypto chip,

00:56:34.009 --> 00:56:37.900
if you have things like side channel
attacks. If you would have a key fob

00:56:37.900 --> 00:56:41.869
which has a secret key in it which should
not be extractable, those keys can be

00:56:41.869 --> 00:56:45.799
extracted with electronic attacks, side
channel attacks, power measurements.

00:56:45.799 --> 00:56:50.559
Against these attacks a crypto chip could
help because it has a good implementation.

00:56:50.559 --> 00:56:55.150
But for this… AES is AES. As I said
the implementation of AES is valid.

00:56:55.150 --> 00:56:59.189
So an accelerated chip wouldn’t help.
And they’re not doing bad crypto

00:56:59.189 --> 00:57:03.099
for performance reasons. It’s only one
AES operation. They’re doing it because

00:57:03.099 --> 00:57:06.730
it’s more difficult to do it right. And it
possibly would need asymmetric crypto.

00:57:06.730 --> 00:57:08.630
That could need acceleration,
on the other hand.

00:57:08.630 --> 00:57:11.879
But it doesn’t have to do with the chip.

00:57:11.879 --> 00:57:15.420
Herald: Are you queuing there, on ‘5’?
<i>lowered voice:</i> Well, then here we go!

00:57:15.420 --> 00:57:20.839
Question: Okay, two little questions,
more hardware related. First one:

00:57:20.839 --> 00:57:24.961
How could you build a lock which
isn’t susceptible to the attack

00:57:24.961 --> 00:57:28.999
you showed in the video,
like flipping the magnet?

00:57:28.999 --> 00:57:33.949
That’s the one, and the second one
is that Trelock, or ABUS I think,

00:57:33.949 --> 00:57:39.189
says they have an electronic bike
lock which doesn’t have any battery,

00:57:39.189 --> 00:57:43.719
and I’m quite confused how they
will do it. Have you any idea?

00:57:43.719 --> 00:57:48.420
Ray: Actually I don’t know – starting with
the second question – the ABUS lock

00:57:48.420 --> 00:57:52.739
at all, I must admit. But there are e.g.
also Cyberlock is it called, they have

00:57:52.739 --> 00:57:56.050
battery in the key, and you put the key to
it. If it’s a Bluetooth lock I don’t know

00:57:56.050 --> 00:58:00.249
how they’re doing it. It might be possible
that you push something and it starts

00:58:00.249 --> 00:58:04.809
a generator. I’ve seen buttons which you
press and they generate the energy to send

00:58:04.809 --> 00:58:07.990
while you press it. So it might be
that, but I don’t know the products.

00:58:07.990 --> 00:58:11.239
The other question, I must admit I didn’t
really understand what you want to know.

00:58:11.239 --> 00:58:14.749
Can you repeat the first one?

00:58:14.749 --> 00:58:18.289
Question: Of course. I was just
asking how to protect the lock

00:58:18.289 --> 00:58:22.109
so it can’t be opened by flipping
a magnet, like you did in the video.

00:58:22.109 --> 00:58:26.180
Ray: How to protect it, that’s a very
good question. I think we know

00:58:26.180 --> 00:58:30.479
how NOKE did it. And the thing is
I don’t think NOKE did it intentionally.

00:58:30.479 --> 00:58:34.609
It just happened to be in their design.
We can’t open the NOKE because

00:58:34.609 --> 00:58:38.809
the rotating actor they have is also
magnetic. So if I put my magnet there

00:58:38.809 --> 00:58:43.819
I lock the lock. In the Master Lock it’s
some cast metal which is not magnetic.

00:58:43.819 --> 00:58:47.239
So changing this to magnetic would
possibly help. Using a completely

00:58:47.239 --> 00:58:51.599
different approach, like the motor in The
Quicklock, or which needs more power,

00:58:51.599 --> 00:58:54.909
or works differently like a servo would
help. But would be a completely

00:58:54.909 --> 00:58:59.689
different design. But it’s really a tricky
part. There have lots of different locks

00:58:59.689 --> 00:59:04.339
in the past, also door locks, been
attackable by hardware attacks.

00:59:04.339 --> 00:59:10.589
So building a good, really good mechanic,
or electromechanic isn’t easy.

00:59:10.589 --> 00:59:15.259
Herald: And I think we have time
for the last one, at microphone 5.

00:59:15.259 --> 00:59:19.340
Question: So this isn’t a question,
it’s just a precision. At one point

00:59:19.340 --> 00:59:23.779
during the presentation you talked
about open source smart appliances,

00:59:23.779 --> 00:59:28.309
and you said, nobody really does
that. And you urge people

00:59:28.309 --> 00:59:34.190
to be the first to do e.g.
open source sex toys.

00:59:34.190 --> 00:59:38.779
And it happens that someone is doing that.

00:59:38.779 --> 00:59:43.119
So on Github it’s Q-dot,
if you want to learn more

00:59:43.119 --> 00:59:47.599
about what they’re doing.
They have, you know,

00:59:47.599 --> 00:59:52.959
several public repositories about
‘teledildonics’. So, you know, just,

00:59:52.959 --> 00:59:55.519
if anyone wants to check
that out, just saying.

00:59:55.519 --> 00:59:58.660
Ray: Okay, thanks for your
self-advertisement. <i>laughter</i>

00:59:58.660 --> 01:00:02.599
And I was mainly talking about locks, I
must admit. I don’t know the other fields

01:00:02.599 --> 01:00:05.560
so well. But locks is really difficult
to get open source. If you have

01:00:05.560 --> 01:00:09.270
more questions I’ll be at the MuCCC
assembly. I’m waiting for you to bring

01:00:09.270 --> 01:00:14.041
devices, get the dev board, hack the
stuff. And thanks again, for listening!

01:00:14.041 --> 01:00:16.501
<i>applause</i>

01:00:16.501 --> 01:00:21.771
<i>postroll music</i>

01:00:21.771 --> 01:00:40.389
<i>subtitles created by c3subtitles.de
in the year 2017. Join, and help us!</i>