1 00:00:00,000 --> 00:00:14,029 *33c3 preroll music* 2 00:00:14,029 --> 00:00:16,880 Herald: Ray, are you ready? Ray: I think I’m ready! 3 00:00:16,880 --> 00:00:19,840 Herald: Alright he’s ready… Let me introduce you, Ray! 4 00:00:19,840 --> 00:00:23,630 “Lockpicking in the IoT”, or 5 00:00:23,630 --> 00:00:27,380 “Why adding a Bluetooth Low Energy device sometimes 6 00:00:27,380 --> 00:00:30,330 isn’t a great idea”. Here we go! 7 00:00:30,330 --> 00:00:36,260 *applause* 8 00:00:36,260 --> 00:00:42,760 Ray: Okay, so, welcome everybody to “Lockpicking in the IoT”, 9 00:00:42,760 --> 00:00:50,240 or the internet of things that were never supposed to be on the internet. 10 00:00:50,240 --> 00:00:57,340 Okay. There’s a small overview of what we’re doing. I’ll introduce a little bit 11 00:00:57,340 --> 00:01:05,019 what is this about, show you some hardware porn – for the hardware lovers among you – 12 00:01:05,019 --> 00:01:11,000 then look a bit deeper in the PCBs of that hardware – for the electronics guys – 13 00:01:11,000 --> 00:01:15,160 then we look into communication on the internet – this is this modern thing 14 00:01:15,160 --> 00:01:18,740 everybody wants to have in his coffee machine – and then we go for 15 00:01:18,740 --> 00:01:24,500 the wireless interface, and see how difficult or not difficult it is 16 00:01:24,500 --> 00:01:30,530 to attack them. And last but not least we will look into Android app hacking 17 00:01:30,530 --> 00:01:36,030 – I have to say I’m mainly focusing on Android but I’m pretty sure if you’re more 18 00:01:36,030 --> 00:01:41,490 the Apple guy there’s similar techniques available to go for your Apple app. 19 00:01:41,490 --> 00:01:46,439 But for most devices there’s both – so even if you’re using iOS you can hack 20 00:01:46,439 --> 00:01:52,479 the Android app to get the infos. And then the talk is over. Okay. 21 00:01:52,479 --> 00:01:58,729 The very important thing first: the disclaimer. Basically I want to say 22 00:01:58,729 --> 00:02:03,380 I just tested this on my locks, I don’t say it’s working on everything, 23 00:02:03,380 --> 00:02:08,320 I don’t say it’s a general mistake by somebody, might have changed, 24 00:02:08,320 --> 00:02:14,160 I might be wrong, I just show my research. Okay. 25 00:02:14,160 --> 00:02:20,090 This is basically what we’re talking about. We have some kind of 26 00:02:20,090 --> 00:02:24,730 smart or not-so-smart device which is talking over Bluetooth Low Energy 27 00:02:24,730 --> 00:02:30,940 to your smart, or not-so-smart phone. Which is usually talking, using TLS 28 00:02:30,940 --> 00:02:36,620 and HTTP to the ‘Cloud’. 29 00:02:36,620 --> 00:02:39,870 So it’s not just locks. The talk is called “Lockpicking” because that’s the thing 30 00:02:39,870 --> 00:02:43,120 we’re actually going to attack. But the techniques here shown work 31 00:02:43,120 --> 00:02:46,000 for basically all of these Bluetooth Low Energy devices. 32 00:02:46,000 --> 00:02:51,370 There are e.g. different light bulbs. I found some interesting reports 33 00:02:51,370 --> 00:02:55,530 on light bulbs that don’t use any form of authentication. 34 00:02:55,530 --> 00:02:58,329 So you can connect to your neighbor’s light bulb and change a color, or 35 00:02:58,329 --> 00:03:01,970 turn it on or off. So, finally, Blinkenlights in your neighborhood! 36 00:03:01,970 --> 00:03:03,640 *mumbles and laughter* 37 00:03:03,640 --> 00:03:07,639 Then of course there’s cars. Everybody’s talking about cars today. I just heard 38 00:03:07,639 --> 00:03:11,709 a talk about cars. They’re not really using Bluetooth Low Energy. 39 00:03:11,709 --> 00:03:14,310 But still they use an app and are controlled over the internet, so, 40 00:03:14,310 --> 00:03:19,099 it’s kind of on-topic. Then there’s vibrators. I mean, unsafer cyber sex 41 00:03:19,099 --> 00:03:24,580 never has been easier. Actually I don’t have one of those, so, if anybody has, 42 00:03:24,580 --> 00:03:30,120 please bring one over to play with it. But I’m pretty sure they have high-class 43 00:03:30,120 --> 00:03:33,290 security. *laughter* And then there’s button pushers. 44 00:03:33,290 --> 00:03:38,769 I just learned of that yesterday and I thought “WTF, a button pusher!?” 45 00:03:38,769 --> 00:03:42,039 *laughter* 46 00:03:42,039 --> 00:03:48,770 *applause* 47 00:03:48,770 --> 00:03:51,810 This is a Bluetooth Low Energy device which you can communicate to and 48 00:03:51,810 --> 00:03:54,879 make it press a button. Here it’s pressing the Delete key on my notebook. 49 00:03:54,879 --> 00:03:59,570 So finally I have a Bluetooth LE enabled Delete key on my notebook. 50 00:03:59,570 --> 00:04:02,880 *laughter* Very, very helpful. Of course, if you 51 00:04:02,880 --> 00:04:07,210 add that to your door opener at home you can do it again – lockpicking. 52 00:04:07,210 --> 00:04:10,410 We haven’t hacked that yet because I just saw it yesterday but it didn’t look 53 00:04:10,410 --> 00:04:15,129 very encrypted. It has some secret, some shared string, we didn’t understand. 54 00:04:15,129 --> 00:04:20,708 But possibly this congress we will look into it. 55 00:04:20,708 --> 00:04:23,870 Okay, then there’s cars. I’m not sure, who read this message that 56 00:04:23,870 --> 00:04:29,850 Tesla had a big app hack? Nobody? Oh. I thought, everybody read it because 57 00:04:29,850 --> 00:04:35,779 it even was on Heise. And it obviously is a very big vulnerability, Elon Musk has 58 00:04:35,779 --> 00:04:39,940 to get better on this and everybody’s stealing these things… 59 00:04:39,940 --> 00:04:47,260 how are they called… oh yeah, these ‘smart cars’. 60 00:04:47,260 --> 00:04:50,750 And they even have colors! So who wouldn’t want to steal one of those? 61 00:04:50,750 --> 00:04:53,760 *laughter* 62 00:04:53,760 --> 00:04:59,130 The bad news is actually that wasn’t really a hack. What they showed is 63 00:04:59,130 --> 00:05:03,980 that the app is able to start the car. That’s in the manual. 64 00:05:03,980 --> 00:05:09,599 So what they told is: “Yeah, but if I hack your phone I can start your car!” 65 00:05:09,599 --> 00:05:13,790 Then they realized, “Oh, you also need the password because for starting the car 66 00:05:13,790 --> 00:05:17,760 the app actually asks for the password again.” – “Yeah but if I hack your phone 67 00:05:17,760 --> 00:05:21,070 I can install a fake app that asks for the password; and if you enter it 68 00:05:21,070 --> 00:05:24,740 I can steal your car!” – Oh, surprise! *laughter* 69 00:05:24,740 --> 00:05:27,979 I mean this is not the kind of hacking we’re talking about. And they then 70 00:05:27,979 --> 00:05:32,900 suggested the app should be more protected against reverse engineering. 71 00:05:32,900 --> 00:05:38,800 What would that change in this aspect? I can create a fake app without even 72 00:05:38,800 --> 00:05:42,839 decompiling the original one. So, of course if you don’t have security 73 00:05:42,839 --> 00:05:46,440 on your phone working, if you install apps that are not secure your data 74 00:05:46,440 --> 00:05:50,980 is not secure, and your Teslas get stolen. But I didn’t see anything in this ‘hack’ 75 00:05:50,980 --> 00:05:56,620 actually being a hack. So, while talking about… 76 00:05:56,620 --> 00:06:01,180 *applause* 77 00:06:01,180 --> 00:06:04,029 Spare your applause for this one! 78 00:06:04,029 --> 00:06:08,280 Talking about obfuscation. That’s really a thing some people understand differently 79 00:06:08,280 --> 00:06:13,520 than I do. I try to say [to] people: “security by obscurity does not work!” 80 00:06:13,520 --> 00:06:18,080 So if you obfuscate your app, possibly it slows down researchers like us. 81 00:06:18,080 --> 00:06:22,099 But the people doing that for money, who want to sell exploits, they will still put 82 00:06:22,099 --> 00:06:26,349 the energy into it. And sell their exploits even more expensive. 83 00:06:26,349 --> 00:06:30,150 And the exploit will even be longer out there because the independent researchers 84 00:06:30,150 --> 00:06:34,370 won’t find the vulnerabilities that fast. The idea is: good crypto does not have 85 00:06:34,370 --> 00:06:39,890 to be secret to be secure. So, no, please don’t obfuscate your apps better. 86 00:06:39,890 --> 00:06:44,630 Build your protocols better. But as said before I didn’t see any aspects there 87 00:06:44,630 --> 00:06:48,490 in Tesla. Possibly they should make it obvious that you can start the car with it 88 00:06:48,490 --> 00:06:50,781 and make it ‘disableable’, and what… things like that, but 89 00:06:50,781 --> 00:06:55,230 it’s not a security issue. Okay. 90 00:06:55,230 --> 00:06:59,880 So let’s go back to locks. Because, actually the talk is called “Lockpicking”. 91 00:06:59,880 --> 00:07:03,520 So what do these smart locks usually do? Of course they can be opened. 92 00:07:03,520 --> 00:07:07,740 Usually your… with your phone near your lock you put something on the lock 93 00:07:07,740 --> 00:07:11,290 and communicate – the lock opens. Optionally you have to press 94 00:07:11,290 --> 00:07:16,091 something on the phone, so it’s a 2-step process to unlock, 95 00:07:16,091 --> 00:07:20,070 which is actually a quite good idea because of some obvious scenarios 96 00:07:20,070 --> 00:07:24,010 which will work otherwise. Then – and this is different from normal locks – 97 00:07:24,010 --> 00:07:27,700 they can be shared to friends. It’s a big feature. They try to convince you 98 00:07:27,700 --> 00:07:31,880 why these smart locks are so smart. When I’m not at home I can send 99 00:07:31,880 --> 00:07:35,590 somebody the code, and give him the possibility to open my bike shed 100 00:07:35,590 --> 00:07:41,360 for just one hour. Because I can, of course, revoke that at time restrictions. 101 00:07:41,360 --> 00:07:44,770 So that’s what the big advantage is, compared to a traditional lock. 102 00:07:44,770 --> 00:07:49,460 Except, of course, it’s to be much more secure because you can’t pick it anymore. 103 00:07:49,460 --> 00:07:53,260 And then those obviously have some failsafe mode in case your phone breaks 104 00:07:53,260 --> 00:07:57,330 and whatever. You can enter a click code, and can enter a code by some buttons 105 00:07:57,330 --> 00:08:01,770 or something to open it without the phone. But that is nothing we’re going 106 00:08:01,770 --> 00:08:08,830 to look into today. So from these basic ideas, of course, there come some basic 107 00:08:08,830 --> 00:08:12,390 attack vectors. What I could try to do: I could try to bypass 108 00:08:12,390 --> 00:08:18,600 the sharing restrictions. So possibly go in a different time window. 109 00:08:18,600 --> 00:08:21,320 I could change the time on my phone, probably. Would that work? 110 00:08:21,320 --> 00:08:25,210 Things like that. Open the lock after it was revoked. Of course then 111 00:08:25,210 --> 00:08:28,250 that’s what everybody thinks about when talking about Bluetooth: I could try 112 00:08:28,250 --> 00:08:32,830 to get the keys. From sniffing somebody’s Bluetooth LE connection. 113 00:08:32,830 --> 00:08:37,720 That’s something we’re going to do today. Then this is what I was talking about 114 00:08:37,720 --> 00:08:41,610 why the ‘2-button-press’ is a good idea. You could relay opening codes. 115 00:08:41,610 --> 00:08:45,010 If you have the ‘instant-open’ feature I could approach you, pretend to be 116 00:08:45,010 --> 00:08:48,550 your lock, your phone sends me an OPEN command, I could relay it to your lock, 117 00:08:48,550 --> 00:08:52,560 completely somewhere else, and it would open. So I think this is something 118 00:08:52,560 --> 00:08:56,890 you can’t really stop except with some very tricky mechanisms. 119 00:08:56,890 --> 00:09:01,511 Possibly ‘timing’ or some… things like that. So this ‘instant open’ feature 120 00:09:01,511 --> 00:09:07,390 is possibly not the best idea. Then we have the option to attack the lock 121 00:09:07,390 --> 00:09:13,640 or app software directly. I mean, it’s software. So it will have buffer overflows. 122 00:09:13,640 --> 00:09:18,240 It might have other weaknesses. It could just do not verify some things. If I tell 123 00:09:18,240 --> 00:09:21,960 I’m another person - does it really check if I have the rights, and everything? 124 00:09:21,960 --> 00:09:26,890 But this is something – I think the only thing – I don’t have in this talk today. 125 00:09:26,890 --> 00:09:33,290 Because the other methods worked already. Okay. 126 00:09:33,290 --> 00:09:38,340 Going to look at the hardware. So, basically, if you’re 127 00:09:38,340 --> 00:09:43,030 a lockpicker or some other reverse- engineer, if you get a new hardware 128 00:09:43,030 --> 00:09:45,830 you want to take it apart. If you can’t take it apart, you can’t open it 129 00:09:45,830 --> 00:09:49,980 you don’t own it. And here’s – if you want to do it yourself – these tips 130 00:09:49,980 --> 00:09:54,720 how to open it. The NOKE is very nicely built. When you have legally or 131 00:09:54,720 --> 00:09:58,470 legitimately unlocked your NOKE you can disassemble it without doing any damage 132 00:09:58,470 --> 00:10:03,040 to it. [You] just need a screw driver and it completely comes apart. Very nice design. 133 00:10:03,040 --> 00:10:06,720 The Master Lock – you have to drill out 4 rivets. This is a bit sad 134 00:10:06,720 --> 00:10:11,251 because after that it won’t be a very good lock anymore. But it’s not a problem 135 00:10:11,251 --> 00:10:15,750 because it isn’t before, from my experience. 136 00:10:15,750 --> 00:10:20,762 *applause and some laughter* 137 00:10:20,762 --> 00:10:25,090 And then there’s the Dog & Bone lock, which is a lock I just got recently. 138 00:10:25,090 --> 00:10:28,690 Its a little bit tricky to open but you don’t have to do a lot of damage. 139 00:10:28,690 --> 00:10:32,360 If you have it opened you can pull out a pin in the back – thank Jan (?) 140 00:10:32,360 --> 00:10:36,130 for finding that out. And then you can remove screws and it really comes apart 141 00:10:36,130 --> 00:10:40,420 nicely. So how do these locks look, now? This is the NOKE. 142 00:10:40,420 --> 00:10:45,590 So basically you see a PCB, you see a normal lock body like here, 143 00:10:45,590 --> 00:10:49,721 with a shackle. There’s a motor at the PCB. The motor turns some locking element 144 00:10:49,721 --> 00:10:53,260 in here. And if it’s in the right position the lock opens. For the NOKE there’s 145 00:10:53,260 --> 00:10:59,080 a very nice paper by the SSDeV member Michael Hübler. I have a link at the end 146 00:10:59,080 --> 00:11:05,900 of the presentation. And neither he nor me did find 147 00:11:05,900 --> 00:11:11,540 any mechanical bypasses for that lock. So the mechanics look okay. 148 00:11:11,540 --> 00:11:15,680 Then there’s the Master Lock. It is very similar, but I have to say they invented 149 00:11:15,680 --> 00:11:20,890 this mechanism with the motor in this locking element first. It has 4 buttons 150 00:11:20,890 --> 00:11:26,640 on the PCB which you can use to enter a code. Has 2 CPUs, pretty standard design. 151 00:11:26,640 --> 00:11:31,600 And here are the rivets you have to drill out to make it open. 152 00:11:31,600 --> 00:11:36,670 The Dog & Bone is a little bit more clumsy. It’s a bigger lock. It comes apart 153 00:11:36,670 --> 00:11:41,900 in quite some pieces. What I really liked was that motor with that gear box. I think 154 00:11:41,900 --> 00:11:47,360 it’s like 1:2000 or something. So it really gets a lot of power from the 155 00:11:47,360 --> 00:11:53,780 very small motor. So what does it do with it? It turns this element, and this element 156 00:11:53,780 --> 00:11:59,260 retracts these 2 spring loaded locking elements which are locking the shackle. 157 00:11:59,260 --> 00:12:05,100 If you’re a lockpicker you will ask: “Spring loaded? Seriously? 158 00:12:05,100 --> 00:12:09,550 Have you ever heard about the term ‘Shimming a lock’?” ‘Shimming a lock’ 159 00:12:09,550 --> 00:12:16,180 is inserting some metal at the shackle, and pushing back the springs. 160 00:12:16,180 --> 00:12:22,550 It’s a very standard method for padlocks in the 5 Dollar range, I would say. 161 00:12:22,550 --> 00:12:26,670 Locks starting at 10..15 Dollars or Euros or whatever, in that area 162 00:12:26,670 --> 00:12:32,340 usually can’t be shimmed anymore. When I opened the Dog & Bone lock 163 00:12:32,340 --> 00:12:36,010 I instantly realized: it’s spring loaded, it is shimmable. 164 00:12:36,010 --> 00:12:40,480 A short search on Google found out that Mr. Locksmith, 165 00:12:40,480 --> 00:12:43,460 a lockpicker from the U.S. who does some good Youtube videos, 166 00:12:43,460 --> 00:12:48,040 found [that] out months before. And of course, it’s shimmable! 167 00:12:48,040 --> 00:12:52,250 You put in some thin metal sheets – he built them from a cutaway 168 00:12:52,250 --> 00:12:56,190 of a soda can, puts them in and the lock opens. 169 00:12:56,190 --> 00:13:01,520 But this is not a 5 Dollar lock. This is an 80..100 Dollar Bluetooth padlock. 170 00:13:01,520 --> 00:13:05,990 And you shim it with cut metal. Okay. No need to go into 171 00:13:05,990 --> 00:13:11,520 the Bluetooth Low Energy for that one. *laughter* 172 00:13:11,520 --> 00:13:15,591 And, as a small teaser: I also didn’t say there’s no mechanical bypass 173 00:13:15,591 --> 00:13:18,860 for the Master Locks. But we’ll come back to that. 174 00:13:18,860 --> 00:13:22,270 Okay. The electronics. This is the electronics of the NOKE. Basically 175 00:13:22,270 --> 00:13:26,240 you see there’s one CPU, and something that’s called an ‘H bridge’ which is 176 00:13:26,240 --> 00:13:31,570 used to control a motor. All the rest is pretty standard electronics, so, 177 00:13:31,570 --> 00:13:36,790 very simple design. The Master Lock has 2 CPUs, 178 00:13:36,790 --> 00:13:41,871 has the buttons on the PCB, also quite simple electronics. 179 00:13:41,871 --> 00:13:45,790 And this is the MCUs. The interesting thing I see is there’s a very common chip. 180 00:13:45,790 --> 00:13:50,470 It’s the Nordic nRF51822. I find it basically everywhere. 181 00:13:50,470 --> 00:13:54,250 It’s in light bulbs, it’s in 3 of the locks I have here. 182 00:13:54,250 --> 00:13:58,279 Or 4, if you count the Ivation and Nathlock [not] as the same. 183 00:13:58,279 --> 00:14:01,460 Only the Master Lock uses MSP430, which is… 184 00:14:01,460 --> 00:14:08,600 The nRF is a… basically ARM core. The MSP430 is a much smaller chip, 185 00:14:08,600 --> 00:14:13,029 it’s from Texas Instruments, and it’s a very low power consumption chip. 186 00:14:13,029 --> 00:14:18,660 It was also used in the previous non-Bluetooth LE electronic lock. 187 00:14:18,660 --> 00:14:22,500 But it’s basically also a normal microcontroller, and you can program it. 188 00:14:22,500 --> 00:14:27,279 So, program it. That means you can just use any ARM Flash board. 189 00:14:27,279 --> 00:14:32,460 I used the ST-Link interface from an STM32 dev board we had in our hackerspace. 190 00:14:32,460 --> 00:14:38,180 And interfaced it to the chip of the NOKE padlock here. 191 00:14:38,180 --> 00:14:41,900 So e.g. using OpenOCD, but… there are different tool chains (?) but 192 00:14:41,900 --> 00:14:46,710 this is one where you find some info on the internet, how to use it with the nRF. 193 00:14:46,710 --> 00:14:50,200 Using OpenOCD you get an interface to connect to the chip, 194 00:14:50,200 --> 00:14:54,540 and then you can issue commands like ‘Probe the Flash in it’; 195 00:14:54,540 --> 00:14:58,330 you could read the Flash, you could write a new firmware to it, 196 00:14:58,330 --> 00:15:01,820 and stuff like that. 197 00:15:01,820 --> 00:15:06,200 With the old Master dialSpeed padlock which is pre-Bluetooth-LE but 198 00:15:06,200 --> 00:15:10,600 already electronic, a few years ago, I think 4 years ago we presented 199 00:15:10,600 --> 00:15:14,380 about that one, that was not read protected, you could change the firmware, 200 00:15:14,380 --> 00:15:18,470 you could actually get the codes from reading the flash, and you could access 201 00:15:18,470 --> 00:15:22,400 the Flash content without opening the lock. So that was really funny. 202 00:15:22,400 --> 00:15:25,540 Not usable as a lock, but I re-flashed it to a Simon Says style game where 203 00:15:25,540 --> 00:15:30,790 you have to repeat the sequence it shows you. Funny lock for your hackerspace. 204 00:15:30,790 --> 00:15:33,310 Unfortunately, or fortunately… No, I would say ‘unfortunately’, 205 00:15:33,310 --> 00:15:36,810 the NOKE firmware was read protected. Because there’s no need for it. 206 00:15:36,810 --> 00:15:40,370 The NOKE firmware Flash ports can’t be accessed without opening the lock. 207 00:15:40,370 --> 00:15:44,180 So you don’t lock somebody out by read protecting it, except for 208 00:15:44,180 --> 00:15:48,040 the legitimate owner. But okay, it was read protected, and I was saying: “Oh, 209 00:15:48,040 --> 00:15:52,040 decompiling firmware, that’s hard work anyway, let’s skip that one.” 210 00:15:52,040 --> 00:15:55,149 But of course you could use these flash interfaces to write own firmwares 211 00:15:55,149 --> 00:15:58,710 to these locks. Possibly make them open source one day. Or do something else. 212 00:15:58,710 --> 00:16:03,050 Or just use them as cool dev boards. With some actors on it. 213 00:16:03,050 --> 00:16:08,560 So, let’s go for the first interesting thing, I would say. 214 00:16:08,560 --> 00:16:13,570 The communication with the ‘Cloud’. 215 00:16:21,900 --> 00:16:24,870 So your phone speaks to some servers which is provided by the vendor 216 00:16:24,870 --> 00:16:30,120 of your hardware usually. And it’s usually a TLS encrypted link 217 00:16:30,120 --> 00:16:36,140 using HTTP. Over this link the application on your phone sends login data, 218 00:16:36,140 --> 00:16:39,980 gets back from the cloud the information about the lock. So you can install 219 00:16:39,980 --> 00:16:42,820 your app on a new phone, enter your login credentials and instantly use 220 00:16:42,820 --> 00:16:47,380 all your locks. Or the locks that were shared to you. Usually these apps also 221 00:16:47,380 --> 00:16:51,040 send events to the cloud, when you open your locks. So if you share the lock 222 00:16:51,040 --> 00:16:55,170 with someone you can see on your other phone that he opened it, and possibly 223 00:16:55,170 --> 00:16:59,710 where he opened it. And things like that. And of course also data is edited, 224 00:16:59,710 --> 00:17:04,670 if you add a new code to it or something. So this is sent over the link. 225 00:17:04,670 --> 00:17:09,189 So, some people would say: “Oh, but TLS encryption is secure, isn’t it?” 226 00:17:09,189 --> 00:17:13,049 Of course, usually it is. There are flaws which you hear about from time to time 227 00:17:13,049 --> 00:17:17,089 at these conferences. But that’s not the problem here. The problem is – but 228 00:17:17,089 --> 00:17:20,540 it’s not a problem, it’s nice for us researchers – you own the phone 229 00:17:20,540 --> 00:17:25,699 with the app. You control the app. You can even modify the app. But owning the phone 230 00:17:25,699 --> 00:17:29,890 you control the TLS trust store, with the certificate authorities. So 231 00:17:29,890 --> 00:17:35,770 you can install a new CA and trust your own servers. People could try to 232 00:17:35,770 --> 00:17:39,700 prevent this using key pinning in the app. But, again, you also control the app. 233 00:17:39,700 --> 00:17:43,559 You can change the app, you can remove the key pinning. So, basically, breaking 234 00:17:43,559 --> 00:17:47,650 into this TLS is something the vendor has to expect. It’s your device, 235 00:17:47,650 --> 00:17:51,940 it’s your communication. You can listen to it. So, and the nice thing 236 00:17:51,940 --> 00:17:55,530 – and this is what I’m trying to tell all of you here in this talk – these things 237 00:17:55,530 --> 00:17:58,840 are not difficult. There are nice available tools; and if you have some apps 238 00:17:58,840 --> 00:18:03,520 which do some things you want to know – install such a tool, watch your app doing 239 00:18:03,520 --> 00:18:07,600 transferring data, and look what your apps actually communicate. Actually it’s 240 00:18:07,600 --> 00:18:11,890 quite interesting to see what your phone communicates to Google all the time. 241 00:18:11,890 --> 00:18:15,530 I realized it: one of these apps is telling Facebook when I started, 242 00:18:15,530 --> 00:18:21,760 every time. What the Fuck?? But you easily see it. What you do is you install e.g. 243 00:18:21,760 --> 00:18:25,620 mitmproxy, it’s a small hell of Python dependencies, but it’s usually installable 244 00:18:25,620 --> 00:18:29,220 on a Linux, and even on a Mac machine. Haven’t tried it on Windows but 245 00:18:29,220 --> 00:18:33,240 I’m pretty sure there’s options for that. And you install it as a web proxy, so, 246 00:18:33,240 --> 00:18:37,630 you change the internet connection of your phone, and say: “Oh, this Wi-Fi has to use 247 00:18:37,630 --> 00:18:43,580 a proxy, enter the IP of your proxy…” And mitmproxy creates fake certificates 248 00:18:43,580 --> 00:18:47,410 on the fly. So whatever side you access it creates a new certificate looking 249 00:18:47,410 --> 00:18:52,000 the same, signs it with the fake CA, and you can install the fake CA just 250 00:18:52,000 --> 00:18:55,770 by going to http://mitm.it/ So, man-in-the-middle it. 251 00:18:55,770 --> 00:18:59,180 And there’s a link to install a fake CA on your phone. So that’s actually really 252 00:18:59,180 --> 00:19:03,640 [done] in, like, 5..10 minutes, with compiling of the Python stuff 15 minutes, 253 00:19:03,640 --> 00:19:07,400 and you have a working man-in-the-middle setup and can watch your communication. 254 00:19:07,400 --> 00:19:11,390 This is what the app looks like. So we see here a few POST requests 255 00:19:11,390 --> 00:19:17,130 to the NOKE app. We get replies; actually we see funny 403’s here. 256 00:19:17,130 --> 00:19:21,250 I’m not sure why it’s doing that. But okay. But this is what the NOKE app 257 00:19:21,250 --> 00:19:25,160 does on startup. And of course we can not just see the requests, we can look 258 00:19:25,160 --> 00:19:30,180 into the request itself. And it’s e.g. a good way to recover your password. 259 00:19:30,180 --> 00:19:34,600 Possibly I should have blurred it here. So if you have forgotten your password 260 00:19:34,600 --> 00:19:38,530 you just sniff your communication. It also works for your Play Store password, 261 00:19:38,530 --> 00:19:43,460 usually. Usually they use a token but some time it’s renewed. 262 00:19:43,460 --> 00:19:46,710 So every app that has a password and sends it to the cloud – you can 263 00:19:46,710 --> 00:19:53,370 recover it with that. And from this login you get data back. 264 00:19:53,370 --> 00:19:57,280 And in the NOKE app it’s usually done like I send 265 00:19:57,280 --> 00:20:00,050 login, with user and password, and I get a token back. 266 00:20:00,050 --> 00:20:02,920 And then all following your request I just have to send this token, and 267 00:20:02,920 --> 00:20:08,530 then I’m authenticated. So that’s an okay mechanism I would say. 268 00:20:08,530 --> 00:20:11,460 So. What do we get also? We have a GETLOCKS key, and 269 00:20:11,460 --> 00:20:15,080 when we call ‘getlocks’ we get the information about our locks. 270 00:20:15,080 --> 00:20:18,580 So this basically is an ID of the lock. This is a lock key. There’s something 271 00:20:18,580 --> 00:20:22,100 to remember: 0137 – we’ll see that later. 272 00:20:22,100 --> 00:20:25,200 You see the MAC of the lock, you see a picture URL 273 00:20:25,200 --> 00:20:29,001 where the application shows me the lock – if I have multiple locks 274 00:20:29,001 --> 00:20:34,059 I can assign different pictures to it. And this is a quick open code 275 00:20:34,059 --> 00:20:37,110 where I can push on the shackle to open this lock. 276 00:20:37,110 --> 00:20:40,590 So this is all no hacking because this data I’m supposed to know. 277 00:20:40,590 --> 00:20:44,240 It’s my lock, I can know the information, then it’s not a big problem. 278 00:20:44,240 --> 00:20:47,870 But it’s interesting to see what it’s doing to understand how it’s working. 279 00:20:47,870 --> 00:20:50,880 Then we have the next thing, the ‘shared locks’. 280 00:20:50,880 --> 00:20:55,690 This is more interesting, possibly because I see: “Oh, I’m allowed to use it all day, 281 00:20:55,690 --> 00:20:59,170 starting at that day, starting at that time, 282 00:20:59,170 --> 00:21:03,990 ending at that date, at that time”. And this lock has a key, 283 00:21:03,990 --> 00:21:08,470 and there’s another key. And another MAC. 284 00:21:08,470 --> 00:21:12,760 So, the nice thing is, the lock does not have a time. 285 00:21:12,760 --> 00:21:16,580 The lock does not know when I’m allowed to open it. 286 00:21:16,580 --> 00:21:21,520 So all I need is this key. And the nice thing also is I don’t have to manipulate 287 00:21:21,520 --> 00:21:27,050 the app in any way. I can use Mitmproxy to change the data on the fly. 288 00:21:27,050 --> 00:21:33,260 So I just tell Mitmproxy, please change 2016 to 2066, 289 00:21:33,260 --> 00:21:36,830 then the reply comes back, and then the NOKE app thinks “Oh, he’s still allowed 290 00:21:36,830 --> 00:21:42,420 to use that”. Of course the NOKE people were clever and do an online check. 291 00:21:42,420 --> 00:21:47,160 Which actually means you can only unlock a lock if you have a shared lock. 292 00:21:47,160 --> 00:21:50,640 Your own lock you can use offline. But a shared lock you can only use when you 293 00:21:50,640 --> 00:21:55,470 have internet. Not good if it’s the cellar or something. But it does an online check, 294 00:21:55,470 --> 00:22:01,610 it asks: “Can unlock?” and the cloud answers: “Yes, success, can unlock”. 295 00:22:01,610 --> 00:22:06,920 Of course I can also fake that! So this is completely bogus; it’s unnecessary 296 00:22:06,920 --> 00:22:09,920 to be online. I could do it offline. If I want to hack the lock I can do it 297 00:22:09,920 --> 00:22:14,510 in the cellar. Only the legitimate user has to be online. 298 00:22:14,510 --> 00:22:21,759 So the sharing feature of the NOKE already is broken just with the Mitmproxy tool. 299 00:22:21,759 --> 00:22:27,670 Really, that’s not big hacking. They could have thought about that. But okay. 300 00:22:27,670 --> 00:22:33,580 So, once somebody shares a lock to you, a NOKE to you, 301 00:22:33,580 --> 00:22:36,770 you have this key and you can use this key from then forever on. 302 00:22:36,770 --> 00:22:43,230 Using the original app. That’s the nice thing. You don’t have to change it. 303 00:22:43,230 --> 00:22:47,660 One thing which is positive about the architecture here, the key that they use 304 00:22:47,660 --> 00:22:51,750 for sharing is a different key than you have to operate your lock. That means 305 00:22:51,750 --> 00:22:56,860 with this sharing key I can not modify the lock. I can’t re-key it, 306 00:22:56,860 --> 00:23:02,050 or change the click code, or things like that. So I just can open it. 307 00:23:02,050 --> 00:23:06,890 And they have an option to change the key of the lock. So I can go to my lock 308 00:23:06,890 --> 00:23:12,299 and say “Re-key!”, and the they do a new key. But for that I have to go to my lock. 309 00:23:12,299 --> 00:23:16,030 So that’s nothing if I share the lock to you from Congress, and the lock is 310 00:23:16,030 --> 00:23:22,060 somewhere in… Salzburg! Then that doesn’t work. So not really helping. 311 00:23:22,060 --> 00:23:25,549 Possibly one time keys or something like that would be a better option, or just 312 00:23:25,549 --> 00:23:29,820 some challenge/response mechanism. If you have to be online, why not. 313 00:23:29,820 --> 00:23:34,390 But that’s something for the future. Currently lock sharing is not very secure, 314 00:23:34,390 --> 00:23:39,770 and I would advise you to keep that in mind when you use the Sharing feature. 315 00:23:39,770 --> 00:23:44,070 Oh, regarding dumping firmware: as I said before a firmware was not dumpable 316 00:23:44,070 --> 00:23:47,820 from the NOKE. The Dog & Bone I didn’t even try to dump the firmware because 317 00:23:47,820 --> 00:23:52,380 it was shimmable. But they sent me an URL in the CONNECT where I can 318 00:23:52,380 --> 00:23:58,510 download the firmware. And if you… *laughs* 319 00:23:58,510 --> 00:24:04,240 *laughter and applause* 320 00:24:04,240 --> 00:24:07,381 Again, I don’t consider this a vulnerability. I think if I own the lock 321 00:24:07,381 --> 00:24:11,011 I should be allowed to read the firmware. If you download that it’s an actual 322 00:24:11,011 --> 00:24:15,340 hex dump of the firmware. It looks like directly what you would flash on the chip. 323 00:24:15,340 --> 00:24:17,980 So if you want to do some firmware reverse engineering that’s a very easy 324 00:24:17,980 --> 00:24:21,799 starting point to get the firmware from the internet, disassemble it, play with it, 325 00:24:21,799 --> 00:24:24,161 flash it possibly to your own dev board without even owning the lock, 326 00:24:24,161 --> 00:24:29,850 to play with it. Why not. Okay, so, so much for the app communication. 327 00:24:29,850 --> 00:24:33,780 You can do quite a lot with it already. But we want to go a little deeper. 328 00:24:33,780 --> 00:24:37,880 We want to go for the Bluetooth Low Energy level. So the communication 329 00:24:37,880 --> 00:24:44,400 between my phone and my lock. Or my vibrator. Or whatever. 330 00:24:44,400 --> 00:24:49,380 So Bluetooth Low Energy is newer, but actually easier to sniff than Bluetooth. 331 00:24:49,380 --> 00:24:53,240 There’s a talk called “With Low Energy comes Low Security” 332 00:24:53,240 --> 00:24:57,600 if you want to have an introduction to that. You find it on Youtube. Basically, 333 00:24:57,600 --> 00:25:02,460 it has 3 security modes. But the most common used are NON and ADHOC 334 00:25:02,460 --> 00:25:07,250 which is like almost none security. And the third one would be pairing with a code 335 00:25:07,250 --> 00:25:10,900 which is usually a 6-digit number. If you listen to that pairing you also 336 00:25:10,900 --> 00:25:16,130 own everything. This improved with Bluetooth Low Energy 4.2, or Bluetooth 4.2 337 00:25:16,130 --> 00:25:20,710 which includes a new Low Energy standard. But this is not implemented very commonly 338 00:25:20,710 --> 00:25:25,330 today, and won’t be in the very near future. Because 339 00:25:25,330 --> 00:25:30,110 not so many devices support it. So for now Bluetooth Low Energy is an easy target 340 00:25:30,110 --> 00:25:34,440 to get into research. There’s available tools for it like the Ubertooth One 341 00:25:34,440 --> 00:25:38,799 by Mike Ossmann. The Adafruit BTLE sniffer for… very cheap. 342 00:25:38,799 --> 00:25:42,510 And you can build your own one by flashing a firmware available from Nordic 343 00:25:42,510 --> 00:25:46,830 directly to any dev board with this chip you have. 344 00:25:46,830 --> 00:25:50,610 So this is the hackerspace entry point. If you have this stuff lying around… 345 00:25:50,610 --> 00:25:54,760 Otherwise I would recommend going for the Adafruit Sniffer. It’s orderable 346 00:25:54,760 --> 00:25:59,080 even in Europe, very easily. So not a big problem. 347 00:25:59,080 --> 00:26:03,090 But the very cheap option is: get a 3..5 Euros dev board 348 00:26:03,090 --> 00:26:06,590 like this from China, use your STM32 programmer. 349 00:26:06,590 --> 00:26:10,220 I have another board here which is a serial interface. But you could use 350 00:26:10,220 --> 00:26:15,429 your normal FTDI USB-to-Serial, also. And then this board 351 00:26:15,429 --> 00:26:21,560 is identical to the Adafruit Bluetooth LE Sniffer, for like 5 bucks. 352 00:26:21,560 --> 00:26:26,320 Okay. Talking about this research. This is nothing nobody did before. 353 00:26:26,320 --> 00:26:31,160 Somebody like e.g. Rose & Ramsey did it at DEF CON and presented quite a nice talk 354 00:26:31,160 --> 00:26:36,840 where he analyzed a lot of locks. He had like 15 locks of it, and 12 of them broken. 355 00:26:36,840 --> 00:26:40,639 So it was really plain text passwords on the Bluetooth LE, for the Quicklock, 356 00:26:40,639 --> 00:26:45,190 iBluLock, Plantraco Phantomlock. I hope that’s correct. 357 00:26:45,190 --> 00:26:49,330 I don’t claim that to be true. But he told [it] in the talk. He found replay attacks 358 00:26:49,330 --> 00:26:53,860 on these locks. So you can just resend the same code that you saw before, 359 00:26:53,860 --> 00:26:57,190 even without understanding it. But he stopped where it became interesting. 360 00:26:57,190 --> 00:27:01,679 And instead of that posted this slide. Which I hate. 361 00:27:01,679 --> 00:27:07,090 He wrote about uncracked locks. And the first one was the NOKE padlock. 362 00:27:07,090 --> 00:27:11,590 And for the time line: at that point I already had disclosed to NOKE 363 00:27:11,590 --> 00:27:16,470 our findings. Which you will see today. So the NOKE company knew about 364 00:27:16,470 --> 00:27:20,720 the lock being completely broken on the crypto layer [at that time]. But they see 365 00:27:20,720 --> 00:27:24,210 this talk by Rose & Ramsey and post a blog post: “NOKE just one of the few 366 00:27:24,210 --> 00:27:30,460 Bluetooth locks to pass hacker testing”… SERIOUSLY?? They were notified! 367 00:27:30,460 --> 00:27:34,400 And they… we had active communication about them changing the crypto protocol. 368 00:27:34,400 --> 00:27:39,100 Possibly the social network people are not so close with the technical people. 369 00:27:39,100 --> 00:27:44,850 But okay. So, let’s crack it. Using the Nordic Bluetooth LE sniffer firmware, 370 00:27:44,850 --> 00:27:48,679 which is… unfortunately the easiest way to use is on Windows. But you can use it 371 00:27:48,679 --> 00:27:52,860 with Python also on Linux. And Wireshark integration isn’t that nice… 372 00:27:52,860 --> 00:27:58,030 So if you have a Windows, or Windows VM it’s the more easy entry point. 373 00:27:58,030 --> 00:28:01,770 Here you have a text interface where you say: “I want to sniff to this device”, 374 00:28:01,770 --> 00:28:05,100 then you get a lot of lot of lot of packets here. Mostly ‘discovery, discovery, discovery’. 375 00:28:05,100 --> 00:28:09,160 You have to look for the bigger packets. This was a bigger packet with some payload, 376 00:28:09,160 --> 00:28:14,210 and it contains a very long string which looks completely random. 377 00:28:14,210 --> 00:28:19,270 So I see from phone to NOKE there’s random; from NOKE to phone there’s random. 378 00:28:19,270 --> 00:28:25,450 Looks actually encrypted. And NOKE is claiming they are using AES128. 379 00:28:25,450 --> 00:28:29,170 So I didn’t even try to understand what I see here because 380 00:28:29,170 --> 00:28:33,350 if it’s AES encrypted you won’t find any meaning in it. 381 00:28:33,350 --> 00:28:37,380 So let’s put the sniffing aside for a moment. We can’t sniff to the data. 382 00:28:37,380 --> 00:28:41,429 We can get this communication off the air. But for the NOKE we can’t do anything 383 00:28:41,429 --> 00:28:47,780 with that. So let’s go for app hacking. 384 00:28:47,780 --> 00:28:52,140 There are different approaches. One – the easiest… not the easiest but 385 00:28:52,140 --> 00:28:58,870 the first one we did – is manipulating the apps. 386 00:28:58,870 --> 00:29:03,610 So you can get an APK from your phone very easily with ADB. You don’t have to have 387 00:29:03,610 --> 00:29:08,450 a rooted device for that. You can just enable Devel mode and copy the APK over. 388 00:29:08,450 --> 00:29:11,780 There’s lots of tutorials on the internet how to do it. It’s basically 3 calls 389 00:29:11,780 --> 00:29:17,090 on the shell. And those APKs can easily be disassembled with a tool like SMALI. 390 00:29:17,090 --> 00:29:21,290 You can change things in it, like a URL. You can change values. 391 00:29:21,290 --> 00:29:25,919 Then you can re-assemble it, self-sign it, and put it again on your phone. 392 00:29:25,919 --> 00:29:29,590 One thing you can do with that is change the app to use a different URL 393 00:29:29,590 --> 00:29:34,280 for its communication. And that’s actually quite a nice idea. Because we saw before 394 00:29:34,280 --> 00:29:37,500 we can completely understand this protocol. It’s not a complicated protocol. 395 00:29:37,500 --> 00:29:40,710 It’s sending some requests, and it’s getting some JSON responses. I can 396 00:29:40,710 --> 00:29:45,070 write this in a Python script with a few 100 lines, and fake their server. 397 00:29:45,070 --> 00:29:50,860 So I actually could run my NOKE lock – if it would be having good crypto, but okay – 398 00:29:50,860 --> 00:29:55,020 on my own server. Not connected to their cloud, but build my own NOKE app and 399 00:29:55,020 --> 00:30:01,039 have it communicate with my NOKE server. Why not. Possibly in the far future 400 00:30:01,039 --> 00:30:04,630 NOKE doesn’t exist anymore, who knows? It happened before to other companies: 401 00:30:04,630 --> 00:30:08,380 the servers are gone – your hardware is gone. If you understand the protocol, 402 00:30:08,380 --> 00:30:11,370 if you have sniffed it before you can reimplement it and continue using 403 00:30:11,370 --> 00:30:15,820 your hardware. Except for that I wouldn’t like to have my locks in the cloud! 404 00:30:15,820 --> 00:30:19,520 We actually used this method during the analysis of the NOKE lock 405 00:30:19,520 --> 00:30:23,260 to change a random number generator in the app to always return ‘42’. 406 00:30:23,260 --> 00:30:27,500 Thanks to Sec for that one. He did a binary patch on the MIPS binary on it. 407 00:30:27,500 --> 00:30:31,980 We just put it in and had a nice random number to spot it easier 408 00:30:31,980 --> 00:30:37,870 on the communication. The other thing is you can decompile these app APKs. 409 00:30:37,870 --> 00:30:42,340 You get it, again with ADB. Run it through a decompiler like Jadx which you can 410 00:30:42,340 --> 00:30:45,880 install on your PC. You can download it from Github. Or if you just want 411 00:30:45,880 --> 00:30:50,269 an easy decompile you go to an online decompilation service. 412 00:30:50,269 --> 00:30:54,360 They say: “Please only use it for legitimate purposes”, but we do! 413 00:30:54,360 --> 00:31:00,460 And yesterday Sec was very annoyed by the Adblocker blocker they have. 414 00:31:00,460 --> 00:31:04,460 But if you ignore that then it’s very easy to just upload an APK, 415 00:31:04,460 --> 00:31:08,130 get back the source code. And then, basically, you have Java source 416 00:31:08,130 --> 00:31:15,520 which you can read, you can search, you can grep… Oh! You can grep. 417 00:31:15,520 --> 00:31:21,479 So. We were looking for AES! *laughter* 418 00:31:21,479 --> 00:31:30,730 *applause* 419 00:31:30,730 --> 00:31:34,809 Yeah, everybody is laughing at that slide. But there’s 2 things to mention. 420 00:31:34,809 --> 00:31:38,690 First of all this is not all of our research. This is just the beginning. 421 00:31:38,690 --> 00:31:42,670 Then it became difficult. The other thing is this key of course is very silly. 422 00:31:42,670 --> 00:31:47,270 They actually use 01 to 15 as an AES encryption key. 423 00:31:47,270 --> 00:31:50,610 But if they would have used a real random pre-shared key I still would have found it 424 00:31:50,610 --> 00:31:55,080 that way. So, actually, it’s not really less secure. It’s just possibly left over 425 00:31:55,080 --> 00:31:59,820 from development. I have no idea why you would use that key! But still 426 00:31:59,820 --> 00:32:02,529 – even a better key, I would have found it in the source code. Because it’s 427 00:32:02,529 --> 00:32:06,770 a pre-shared key. The lock knows it. The app knows it – has to know it 428 00:32:06,770 --> 00:32:11,299 because it’s pre-shared. So, yeah… But still it’s very funny that they have 429 00:32:11,299 --> 00:32:15,880 this silly key in there. And we were actually wondering quite a lot: 430 00:32:15,880 --> 00:32:20,080 “Oh, but what blockchaining mode do they use? How do they use AES? 431 00:32:20,080 --> 00:32:24,020 Is there an initialization vector?”. I don’t know. 432 00:32:24,020 --> 00:32:29,210 Took us quite a while until we realized: it’s simply just one block! If we use 433 00:32:29,210 --> 00:32:34,740 that thing that we sniffed earlier and just run one AES decryption 434 00:32:34,740 --> 00:32:39,570 with the key 0001 etc. we get something 435 00:32:39,570 --> 00:32:43,749 which includes our 42 numbers. Oh! Our ‘random’ numbers turn up! 436 00:32:43,749 --> 00:32:48,590 How are the chances for that? No. So, actually this key decrypted the thing 437 00:32:48,590 --> 00:32:52,900 we got from the wire. So we thought: “Success!” and NOKE is cracked! 438 00:32:52,900 --> 00:32:56,160 Unfortunately it only worked for the first 2 messages, and all we saw 439 00:32:56,160 --> 00:32:59,550 in these 2 messages is our ‘random’ number, and in the answer 440 00:32:59,550 --> 00:33:03,990 another obviously real random number, because we didn’t patch the lock. 441 00:33:03,990 --> 00:33:10,480 The next messages from that on again were completely scrambled. 442 00:33:10,480 --> 00:33:15,270 So we had to do some more reverse-engineering. 443 00:33:15,270 --> 00:33:20,909 Unfortunately, or fortunately – to make it a little more interesting for us – 444 00:33:20,909 --> 00:33:25,180 this APK from NOKE doesn’t only include the Java source. 445 00:33:25,180 --> 00:33:29,080 It has some shared object files. So, binaries, which are compiled 446 00:33:29,080 --> 00:33:34,160 with some other compiler, probably C. Luckily those were in there for Android, 447 00:33:34,160 --> 00:33:38,289 for multiple architectures. And one of those – I don’t know who is using Android 448 00:33:38,289 --> 00:33:44,249 on x86, but obviously it exists – so we had all the libraries also in x86. 449 00:33:44,249 --> 00:33:48,090 Which we could run through a commonly available disassembler. I started doing 450 00:33:48,090 --> 00:33:51,760 this object dump, and things (?) a little bit. But it’s really hard to read, and 451 00:33:51,760 --> 00:33:57,310 you don’t come so far with it. So, big thanks again to Sec and to e7p 452 00:33:57,310 --> 00:34:01,210 who helped me a lot during Easterhegg this year, which was a quite nice event, 453 00:34:01,210 --> 00:34:06,000 where we did some lock hacking. And they were staring with me at IDA Pro dumps 454 00:34:06,000 --> 00:34:11,639 all the time to find the key exchange, and finally, it worked out. 455 00:34:11,639 --> 00:34:16,460 So, all the assembler is very hard to read, I think. But we see there’s 456 00:34:16,460 --> 00:34:20,580 a parseCmd function we found. Actually they had the labels in there! 457 00:34:20,580 --> 00:34:23,540 Which again is not the vulnerability, it just made it easier for us 458 00:34:23,540 --> 00:34:29,530 to spot the stuff. I don’t think that’s bad from them. It’s okay. 459 00:34:29,530 --> 00:34:35,248 So we found this parseCmd. It actually calls an AES decrypt function. 460 00:34:35,248 --> 00:34:39,639 It gets a little bigger and bigger and bigger. There we find 461 00:34:39,639 --> 00:34:44,339 – I actually can’t read it from here very good – this was the Create Session key. 462 00:34:44,339 --> 00:34:49,329 This sounds very promising. It was called ‘CreateSessionKey’. Hm. 463 00:34:49,329 --> 00:34:54,409 Might have something to do with the things we saw before. And it has this in a loop. 464 00:34:54,409 --> 00:34:58,249 And this loop is actually something people could understand if they can read some 465 00:34:58,249 --> 00:35:03,339 x86 assembler. It’s a loop of 4 iterations. And it’s XORing values 466 00:35:03,339 --> 00:35:09,490 from one array to another. So it’s basically XORing 4 values. 467 00:35:09,490 --> 00:35:14,029 And this is the core component of the key exchange. This is the 4 byte numbers 468 00:35:14,029 --> 00:35:20,320 that we saw earlier. My 42 42 42 42… and the other one coming from the lock, 469 00:35:20,320 --> 00:35:25,440 are XORed together, and then there’s some more magic done. So basically 470 00:35:25,440 --> 00:35:29,380 the app sends a random number to the lock, the lock sends a random number to the app. 471 00:35:29,380 --> 00:35:34,430 And from that there’s a session key calculated by adding XOR 472 00:35:34,430 --> 00:35:40,299 of these 2 numbers to the middle of the original key. 473 00:35:40,299 --> 00:35:45,200 So you have this original key which we saw before. 474 00:35:45,200 --> 00:35:49,140 And you add this result onto it. So. 475 00:35:49,140 --> 00:35:54,410 We saw from the app our 42 44 42. Of course if you have the real app 476 00:35:54,410 --> 00:35:58,799 running that would be still real random. But this doesn’t make a difference. 477 00:35:58,799 --> 00:36:01,950 It just was easier for us to see it’s the same every time, so… 478 00:36:01,950 --> 00:36:06,450 It helped a little bit, but not too much. So the lock sends the key, those 2 values 479 00:36:06,450 --> 00:36:12,680 are XORed together; and then they are added onto this silly pre-shared key. 480 00:36:12,680 --> 00:36:17,329 I don’t know why they’re doing that! I mean, they could have at least added it 481 00:36:17,329 --> 00:36:21,430 to different parts of it, and they would have more entropy in it, or… 482 00:36:21,430 --> 00:36:24,140 I’m not sure who sits in the cell and does some coding, and thinks: 483 00:36:24,140 --> 00:36:30,160 “This is a good key exchange!”? You can’t really look into these minds. 484 00:36:30,160 --> 00:36:34,260 But okay, so, we can do something in our head. We see here is 0xFD, 485 00:36:34,260 --> 00:36:39,069 we add 0x05 to it. So it rolls over. This is why here’s the Modulo operation. 486 00:36:39,069 --> 00:36:43,609 And get the 0x02. We have 0xBB here. We add 0x06 to 0xBB. 487 00:36:43,609 --> 00:36:48,900 If you can calculate hex you see it comes to 0xC1. Etc. So everything that changed 488 00:36:48,900 --> 00:36:55,660 in the key is the middle 4 bytes. Which is actually another vulnerability. 489 00:36:55,660 --> 00:37:00,220 Because it means even if for some reason, which I really can’t imagine because 490 00:37:00,220 --> 00:37:04,400 this exchange is done everytime you open your lock. It’s not something done 491 00:37:04,400 --> 00:37:08,839 on the first time or done once per phone or something. Everytime somebody opens 492 00:37:08,839 --> 00:37:12,440 this NOKE this whole sequence is run through. It connects to the lock, sends 493 00:37:12,440 --> 00:37:19,469 a random number, receives a random number, the session key is calculated, and using 494 00:37:19,469 --> 00:37:23,539 the new session key the rest of the communication is done. But just in case 495 00:37:23,539 --> 00:37:27,420 you did miss the first packets for some reason: if you have a real attack scenario 496 00:37:27,420 --> 00:37:31,089 where you can’t replay it it might happen that it’s scrambled. Then it’s still 497 00:37:31,089 --> 00:37:34,290 4 bytes changed in the key, so we can brute-force the new key. By knowing 498 00:37:34,290 --> 00:37:39,079 the old one and brute-forcing those 4 bytes. So I think that’s doable 499 00:37:39,079 --> 00:37:43,390 on a modern machine without bigger problem. So really, 500 00:37:43,390 --> 00:37:47,809 not the cleverest key exchange. But even if it would be better 501 00:37:47,809 --> 00:37:51,059 it wouldn’t really help. Because there’s no asymmetric crypto in it, there’s 502 00:37:51,059 --> 00:37:54,869 nothing preventing us from following it. If you exchange a session key 503 00:37:54,869 --> 00:37:58,630 over a pre-shared secret, somebody knowing the pre-shared secret 504 00:37:58,630 --> 00:38:03,349 will always be able to follow it. So, they have to do some big changes 505 00:38:03,349 --> 00:38:08,250 there to make it proof against sniffing. 506 00:38:08,250 --> 00:38:13,489 We have this new session key and of course we have to verify what is happening. 507 00:38:13,489 --> 00:38:18,870 We have the next message on our wire. We’re decoding it with the new 508 00:38:18,870 --> 00:38:21,819 – very cool – key we have. And we get something that doesn’t look 509 00:38:21,819 --> 00:38:25,849 completely random. We do it with multiple ones and see some structure in it. 510 00:38:25,849 --> 00:38:30,950 It’s always… *strange guttural noises* I think I pasted the wrong thing here, 511 00:38:30,950 --> 00:38:36,219 actually. Very sorry for that. You have to imagine a different message here. 512 00:38:36,219 --> 00:38:40,039 Encrypt that using that key and you would see what would be up here. 513 00:38:40,039 --> 00:38:44,279 But here would be this random we got from the air. We de-crypt it with that, 514 00:38:44,279 --> 00:38:49,869 and get this. And this dissects into an op code which is always at the third byte. 515 00:38:49,869 --> 00:38:53,640 And after the op code we actually see the lock key which you remember from 516 00:38:53,640 --> 00:38:58,589 one of the first slides – 013755 – this is the key from my lock. 517 00:38:58,589 --> 00:39:05,609 So we now got the key from the air, and have full access to the lock. 518 00:39:05,609 --> 00:39:08,249 Bad luck for NOKE. 519 00:39:08,249 --> 00:39:16,430 *applause* 520 00:39:16,430 --> 00:39:20,270 So 06 is just one of the op codes. When you browse through the Java source 521 00:39:20,270 --> 00:39:26,109 you see much more op codes that might happen. So e.g. there’s the Rekey option 522 00:39:26,109 --> 00:39:30,849 which you send to the lock, and the lock starts to re-key to regenerate the key, 523 00:39:30,849 --> 00:39:34,530 send back the new keys. You can unlock – which is what we just saw. 524 00:39:34,530 --> 00:39:38,910 Get the battery level. Set a new Quick Opening Code. Can reset the lock. 525 00:39:38,910 --> 00:39:42,890 Can do a firmware update. That looks promising! I have the idea, we will see 526 00:39:42,890 --> 00:39:48,770 this op code in the near future. And you can enable ‘key fob’ 527 00:39:48,770 --> 00:39:52,640 which a small device is which you can use to open the lock without a phone. 528 00:39:52,640 --> 00:39:57,210 So you can send commands to pair those, and add them, 529 00:39:57,210 --> 00:40:00,789 and get locks of this (?). So this is just a few, we haven’t played with all of them. 530 00:40:00,789 --> 00:40:04,720 The SetQuickCode, I think I sniffed a few… 531 00:40:04,720 --> 00:40:09,260 Yeah, but that’s basically the things you can do, and you can decode all of them 532 00:40:09,260 --> 00:40:12,150 with the message shown before. 533 00:40:12,150 --> 00:40:16,429 So some history of the vendor notification. 534 00:40:16,429 --> 00:40:20,099 We did this on the Easterhegg [2016]. Everybody knows Easterhegg is Easter. 535 00:40:20,099 --> 00:40:23,440 So this was in April [2016]. Possibly it wasn’t 536 00:40:23,440 --> 00:40:26,829 the best idea to send them on April, 1st. But… 537 00:40:26,829 --> 00:40:28,899 *laughter* 538 00:40:28,899 --> 00:40:35,419 No, they replied and took it seriously. So they actually very instantly told us they 539 00:40:35,419 --> 00:40:39,369 like the research and everything. They knew their crypto isn’t perfect, 540 00:40:39,369 --> 00:40:42,469 but the product has to get out. And they were working on a new protocol, they sent 541 00:40:42,469 --> 00:40:47,579 a few details of that. We don’t have full details so far, so we can’t really tell 542 00:40:47,579 --> 00:40:52,709 if the new protocol is very good. But it looked, from the idea, a little better. 543 00:40:52,709 --> 00:40:57,200 They’re bringing out a Bike U-lock which is not out yet. And it’s supposed to have 544 00:40:57,200 --> 00:41:01,460 the new protocol from shipping. We will see. A thing which I found 545 00:41:01,460 --> 00:41:05,599 very funny is I downloaded a new [NOKE] app in November, and it has a major update 546 00:41:05,599 --> 00:41:10,550 in the screen: the ‘Rekey’ button is now hidden! 547 00:41:10,550 --> 00:41:13,509 So, remember, that’s the only button which saves you from someone 548 00:41:13,509 --> 00:41:17,450 you shared a lock to, to lock him out. So this button now is hidden. 549 00:41:17,450 --> 00:41:21,200 Possibly not the best idea. Possibly people weren’t understanding it. 550 00:41:21,200 --> 00:41:25,079 But it can be enabled in the ‘Advanced Settings’ menu. So, no problem. 551 00:41:25,079 --> 00:41:28,680 But they just recently told me that they’re planning to actually fix that 552 00:41:28,680 --> 00:41:33,049 in January. So we’re actually really in a Zeroday here. 553 00:41:33,049 --> 00:41:37,540 So the locks are still vulnerable. But 8 months, sorry… I… 554 00:41:37,540 --> 00:41:41,960 the conference is now, we couldn’t change that! *laughter* 555 00:41:41,960 --> 00:41:53,450 *Ray laughs* *applause* 556 00:41:53,450 --> 00:41:58,299 If you use such a NOKE lock I still want to say I like the hardware. 557 00:41:58,299 --> 00:42:01,509 It’s quite a nice hardware. Possibly write an open source firmware for it, 558 00:42:01,509 --> 00:42:04,920 build your own crypto, during the time. Or just don’t use it 559 00:42:04,920 --> 00:42:09,420 for real valuable things. Or use your Aluburka or other shielding while 560 00:42:09,420 --> 00:42:15,049 opening it, I don’t know. But just be aware if someone sniffs your communication 561 00:42:15,049 --> 00:42:18,650 using his 5 Dollar dev board he probably knows your codes. 562 00:42:18,650 --> 00:42:25,300 So, yeah. So much for the NOKE. This is not really the end, it’s just 563 00:42:25,300 --> 00:42:31,680 the beginning of the end section. Because we still have one mechanical bypass left. 564 00:42:31,680 --> 00:42:36,529 You remember that earlier I mentioned also the Master Lock doesn’t have 565 00:42:36,529 --> 00:42:41,609 no mechanical bypass that we found. If you remember Chaos Communication Congress 566 00:42:41,609 --> 00:42:45,279 4 years ago – you can remember from the Rocket standing exactly here – 567 00:42:45,279 --> 00:42:48,190 *points to picture on slide* we did a presentation on this first Bluetooth… 568 00:42:48,190 --> 00:42:52,529 not Bluetooth, on this first electronic padlock by Master Lock, where we had 569 00:42:52,529 --> 00:42:56,109 a nice mechanical magnet attack, which was found by Michael Hübler 570 00:42:56,109 --> 00:43:01,829 by very cleverly drilling a hole, observing the motors, acting with magnets… 571 00:43:01,829 --> 00:43:07,829 and found this special move which opens the old Master Lock. 572 00:43:07,829 --> 00:43:11,200 And we reported that back then. So 4 years ago we told Master Lock: 573 00:43:11,200 --> 00:43:15,920 “Oh, your padlock can be opened with a magnet, this is not very good”. 574 00:43:15,920 --> 00:43:21,539 But this was a 30 Dollars padlock, and… oh my god, could be done with a magnet. 575 00:43:21,539 --> 00:43:25,309 So this is the new one, and they changed something. Actually it’s something they 576 00:43:25,309 --> 00:43:30,990 told us back then that they’re planning to do. They added a shielding metal. 577 00:43:30,990 --> 00:43:36,719 So, this very big, thick shielding here which I would use to block 578 00:43:36,719 --> 00:43:43,099 all the radiation from whatever it is, around half of the motor 579 00:43:43,099 --> 00:43:49,460 is supposed to help. Let’s have a look. 580 00:43:49,460 --> 00:43:52,529 *silent video starts* So this is the Master Lock. 581 00:43:52,529 --> 00:43:56,259 We have a bigger magnet. I have to admit you see it’s a much bigger magnet. 582 00:43:56,259 --> 00:44:02,519 Those magnets are illegal to possess all over Germany, I hope, soon! 583 00:44:02,519 --> 00:44:05,750 And we have a different move. We’re now rotating the magnet. We were 584 00:44:05,750 --> 00:44:09,759 shifting it before. – And it’s open! 585 00:44:09,759 --> 00:44:24,650 *laughter and applause* 586 00:44:24,650 --> 00:44:28,249 This also is not really Zeroday because as you saw before on the slide 587 00:44:28,249 --> 00:44:33,540 by Rose & Ramsey he also told the Master Lock is unpickable. 588 00:44:33,540 --> 00:44:37,989 And after the talk at DEF CON I, in the Q&A section somehow mentioned 589 00:44:37,989 --> 00:44:42,690 that I doubt that. I didn’t tell what to do exactly because 590 00:44:42,690 --> 00:44:46,739 I wanted to give Master Lock some response time. But directly after the talk 591 00:44:46,739 --> 00:44:50,599 somebody approached me: “That’s very interesting, I’m with Master Lock!” *laughs* 592 00:44:50,599 --> 00:44:53,400 *laughter* And I actually showed him this and he 593 00:44:53,400 --> 00:44:59,090 filmed it with his mobile phone. So I consider the vendor notified! 594 00:44:59,090 --> 00:45:09,749 *laughs* *laughter and applause* 595 00:45:09,749 --> 00:45:13,019 So I would say: “Works for me!” 596 00:45:13,019 --> 00:45:20,450 *laughter and applause* 597 00:45:20,450 --> 00:45:25,010 So I have a message to all these vendors and kickstarters and lock makers: 598 00:45:25,010 --> 00:45:28,950 “Don’t try to be smart, be smart! And disclose your crypto protocols!” 599 00:45:28,950 --> 00:45:32,150 There’s really no need to make a secret crypto protocol. And if 600 00:45:32,150 --> 00:45:35,609 your development department tells you: ”No no, we can’t disclose that, 601 00:45:35,609 --> 00:45:39,430 that’s a really silly idea to disclose our crypto!” you probably have bad crypto, 602 00:45:39,430 --> 00:45:42,709 and they know it! *laughter* 603 00:45:42,709 --> 00:45:47,119 And, of course, if you build a new thing like a hardware, like a lock e.g. 604 00:45:47,119 --> 00:45:51,920 try to get your hardware in the hands of experienced lockpickers, or locksmiths. 605 00:45:51,920 --> 00:45:55,080 The shimming bypass, of the Dog & Bone padlock, really, 606 00:45:55,080 --> 00:45:58,460 every locksmith in the U.S. would have told them: 607 00:45:58,460 --> 00:46:04,530 “You can’t build a 100 Dollar padlock which can be shimmed with a soda can!” 608 00:46:04,530 --> 00:46:07,839 Especially if you’re an electronics company what those Dog & Bone people 609 00:46:07,839 --> 00:46:11,179 obviously are: Don’t trust on your electronics knowledge. The hardware 610 00:46:11,179 --> 00:46:16,049 also has to work. And please, if you give this hardware to people don’t try to get 611 00:46:16,049 --> 00:46:19,440 any NDA’s, or “Oh you can’t disclose” – because then they won’t do it, and 612 00:46:19,440 --> 00:46:24,479 you will wait just for the product to come out, and disassemble it then. So really… 613 00:46:24,479 --> 00:46:28,740 Actually, I must say the NOKE people which I… 614 00:46:28,740 --> 00:46:32,529 the lock isn’t working that good but I think the company is doing quite well. 615 00:46:32,529 --> 00:46:36,390 They sent us one of their locks for mechanical analysis 616 00:46:36,390 --> 00:46:40,569 after our Master Lock presentation. So we tested their lock 617 00:46:40,569 --> 00:46:43,909 on our magnetic attack and that didn’t work. And still doesn’t work. So 618 00:46:43,909 --> 00:46:47,249 that thing they did good. The other thing is that they didn’t get the crypto right. 619 00:46:47,249 --> 00:46:50,500 But okay. People are learning. *some laughter* 620 00:46:50,500 --> 00:46:53,969 So if someone really wants to be smart – and we also tried to tell that [to] NOKE 621 00:46:53,969 --> 00:46:57,219 in the kickstarter campaign – try to become the first one. 622 00:46:57,219 --> 00:47:01,289 And this is really ‘WTF’. Why is there no – at all – open source lock? 623 00:47:01,289 --> 00:47:06,099 Or light bulb? Or vibrator? I have no idea. But… 624 00:47:06,099 --> 00:47:09,059 I think you want to sell the hardware! Why don’t make the software open source 625 00:47:09,059 --> 00:47:10,980 and make it auditable? 626 00:47:10,980 --> 00:47:21,679 *applause* 627 00:47:21,679 --> 00:47:25,529 Oopf… What’s that slide? Oh yeah, there’s Hacker Jeopardy! 628 00:47:25,529 --> 00:47:29,720 If you want Hacker Jeopardy to happen next year please send content! 629 00:47:29,720 --> 00:47:35,740 *laughs* *applause and cheers* 630 00:47:35,740 --> 00:47:39,890 I heard from that Sec guy and that Ray guy that they’re really old, 631 00:47:39,890 --> 00:47:43,400 and they don’t know the things that the young generation wants to have asked 632 00:47:43,400 --> 00:47:46,549 in a Jeopardy. And what Pokémons you have to ask, and stuff like that… 633 00:47:46,549 --> 00:47:50,869 So send a few ideas! There’s a German page, but Hacker Jeopardy will be German 634 00:47:50,869 --> 00:47:55,130 next year. So, sorry for that. A German page which tells you how to submit ideas, 635 00:47:55,130 --> 00:47:59,410 how to make good ideas. And if you send enough content possibly next year 636 00:47:59,410 --> 00:48:03,749 there will be Hacker Jeopardy, again. 637 00:48:03,749 --> 00:48:09,729 *applause* 638 00:48:09,729 --> 00:48:14,359 So, we have some links. Actually, this is the Zeroday tool we are releasing, 639 00:48:14,359 --> 00:48:19,119 by e7p. It’s not on there yet, I think. Or possibly he’s sitting in the audience 640 00:48:19,119 --> 00:48:23,539 and uploading it right now. It’s a small Python script. It needs Python3. 641 00:48:23,539 --> 00:48:27,819 And it implements this crypto session exchange. So what you basically do is 642 00:48:27,819 --> 00:48:31,640 you get the values from your Wireshark, which is all these Hex strings, 643 00:48:31,640 --> 00:48:36,359 put them to a file, start the decode-NOKE tool and it will tell you 644 00:48:36,359 --> 00:48:40,229 what keycode is in there, what things are set. Currently it only supports, I think, 645 00:48:40,229 --> 00:48:43,899 the ‘Open’ command mainly, and the ‘Read Battery’ possibly. But we’ll try 646 00:48:43,899 --> 00:48:48,289 to add a few more codes as we decode them. But it’s enough to get the lock code 647 00:48:48,289 --> 00:48:52,249 from the air. So with this tool – but you could implement it yourself – 648 00:48:52,249 --> 00:48:57,419 you easily can crack the locks. And there’s a blog entry by MH 649 00:48:57,419 --> 00:49:00,019 who did a nice paper about the NOKE’s hardware and everything. If you really 650 00:49:00,019 --> 00:49:04,039 want to look inside the lock look at this. And then there’s of course the link 651 00:49:04,039 --> 00:49:08,359 to the Nordic RF sniffer software. 652 00:49:08,359 --> 00:49:12,589 This is one of the decompilers which has the Adblocker blocker on it. 653 00:49:12,589 --> 00:49:16,140 And there’s an article from Sec’s blog telling you how to decompile and recompile 654 00:49:16,140 --> 00:49:21,849 an app. Which I found quite helpful during the working. 655 00:49:21,849 --> 00:49:25,939 So okay. So, thanks for listening. 656 00:49:25,939 --> 00:49:29,980 Please, if you have smart things around, and want to play with that, 657 00:49:29,980 --> 00:49:34,579 I have one of these dev boards left. So I have 2, one for me and one I can lend 658 00:49:34,579 --> 00:49:39,539 to someone who wants to sniff to his/her hardware. Come to the MuCCC assembly 659 00:49:39,539 --> 00:49:46,410 and tell me what you want to attack, and I’ll give you my RF sniffer board. 660 00:49:46,410 --> 00:49:49,549 Or leave the things there, and we play during Congress. Not today, possibly, 661 00:49:49,549 --> 00:49:53,499 but tomorrow I’ll be in the assembly, or someone will be there. And I think 662 00:49:53,499 --> 00:49:57,529 now I have basically exactly 10 minutes, and I hope there are some questions. 663 00:49:57,529 --> 00:50:00,179 Otherwise I was too quick! Thank you! 664 00:50:00,179 --> 00:50:11,199 *applause* 665 00:50:11,199 --> 00:50:14,340 Herald: *leise:* Hallo! Mikro wär’ schön! Rufender: Musst’ nur anmachen! 666 00:50:14,340 --> 00:50:16,809 Herald: Is an! Ray: He wants a microphone for the questions! 667 00:50:16,809 --> 00:50:19,469 *Herald is told how to switch on microphone* 668 00:50:19,469 --> 00:50:21,959 Herald: Hah, wer lesen kann ist klar im Vorteil! 669 00:50:21,959 --> 00:50:26,759 Ray, thank you very much! Do you have some time later? 670 00:50:26,759 --> 00:50:31,380 I might need to ask a favour! Did I told you about that friend that I’m having 671 00:50:31,380 --> 00:50:36,680 with the Bluetooth enabled coffee machine? We, we speak later! 672 00:50:36,680 --> 00:50:40,509 We have some questions, and we have some questions from the internet. So here we go! 673 00:50:40,509 --> 00:50:43,509 Signal Angel: Yes, thank you. Ray, are you aware 674 00:50:43,509 --> 00:50:47,699 of any secure Bluetooth locks? With decent crypto? 675 00:50:47,699 --> 00:50:52,160 Ray: Actually… not! What I can’t tell is 676 00:50:52,160 --> 00:50:56,580 if the crypto of the Master Lock, or the crypto of the Dog & Bone are good, 677 00:50:56,580 --> 00:51:01,579 because we really haven’t looked into it. But it wouldn’t really help because 678 00:51:01,579 --> 00:51:05,990 the hardware is broken. The NOKE people, as I said, are bringing out a new firmware 679 00:51:05,990 --> 00:51:11,339 in January [2017]. I’ll try to make them tell me what they’re doing. Because 680 00:51:11,339 --> 00:51:14,630 I’m not really going to reverse-engineer it again. I do that for a vendor once. 681 00:51:14,630 --> 00:51:17,799 We don’t have to do it a second time. So I hope they just tell me what they’re doing, 682 00:51:17,799 --> 00:51:21,520 and we can have a look if it looks promising. But at least they react. 683 00:51:21,520 --> 00:51:25,619 So, possibly, the NOKE is becoming a more secure padlock. But besides that 684 00:51:25,619 --> 00:51:30,570 I don’t know any, so far. You can find the talk by Rose & Ramsey on the internet. 685 00:51:30,570 --> 00:51:36,039 It’s unusual for DEF CON talks but this DEF CON talk is online. So you see lots of 686 00:51:36,039 --> 00:51:39,419 locks there which he attacked, and they all were worse than the ones we had here. 687 00:51:39,419 --> 00:51:43,809 So, sorry, no. Which I could recommend. 688 00:51:43,809 --> 00:51:46,480 And I wouldn’t recommend it, anyway, because if it’s not open source you 689 00:51:46,480 --> 00:51:50,890 don’t know if it’s secure! You just know it’s currently uncracked. So, 690 00:51:50,890 --> 00:51:53,599 possibly stick to your old ones! *laughs* 691 00:51:53,599 --> 00:51:54,809 But thanks for the question. 692 00:51:54,809 --> 00:51:58,599 Herald: Then we’re gonna hop over to microphone no. 2! 693 00:51:58,599 --> 00:52:03,199 Question: Thank you. That was quite a bit of ‘Fremdschäming’. Fun talk. (?) 694 00:52:03,199 --> 00:52:07,499 Just one thought: You said that it’s about selling the hardware. 695 00:52:07,499 --> 00:52:12,440 Well, maybe it’s not. Because from what I understand most of those devices 696 00:52:12,440 --> 00:52:17,799 are cloud-enabled. So I’m pretty sure they collect all the data, 697 00:52:17,799 --> 00:52:20,419 and maybe it’s about mining that, for them. I don’t know. 698 00:52:20,419 --> 00:52:25,619 Ray: Actually, yes. The NOKE has a Pro version where they sell a company license 699 00:52:25,619 --> 00:52:29,180 where you can have a company software to the cloud, and have more features like 700 00:52:29,180 --> 00:52:34,499 sharing other’s locks. But still you can make it open source, and make a license 701 00:52:34,499 --> 00:52:38,259 that disallows commercial use, or something like that. Open source 702 00:52:38,259 --> 00:52:43,140 doesn’t have to mean it’s free to use. And if you have very complicated logic 703 00:52:43,140 --> 00:52:48,339 for your company portal, or something, possibly keep that closed-source. 704 00:52:48,339 --> 00:52:52,031 But enable me to follow your communication, to understand 705 00:52:52,031 --> 00:52:55,759 how keys are generated, and stuff like that. This is not your secret. 706 00:52:55,759 --> 00:52:59,680 This is something… this is the elementary function. 707 00:52:59,680 --> 00:53:02,790 People should be able to understand an audit. And especially in a commercial 708 00:53:02,790 --> 00:53:06,980 environment, if you ask a locksmith or some other security expert: 709 00:53:06,980 --> 00:53:11,989 “Would you recommend this device?”, if he can’t look into it he can’t recommend it. 710 00:53:11,989 --> 00:53:16,849 So I think also for selling appliances, or selling services open source algorithms 711 00:53:16,849 --> 00:53:23,039 or open source protocols would be the best solution. But especially in the lock industry 712 00:53:23,039 --> 00:53:26,250 that’s very very uncommon. I had really bad experience talking to 713 00:53:26,250 --> 00:53:29,890 normal lock manufacturers about open sourcing their stuff. It’s an idea they 714 00:53:29,890 --> 00:53:34,299 don’t understand. They’re about secrets, I don’t know. Let’s hope for the future! 715 00:53:34,299 --> 00:53:36,959 *laughs* Another… Herald: Okay, we had… 716 00:53:36,959 --> 00:53:41,119 No. 1 is just coming up! He was queuing at ‘3’ but covering the camera, and then 717 00:53:41,119 --> 00:53:44,519 the camera man got a little bit disturbed, and… it’s a long story. ‘1’, we go! 718 00:53:44,519 --> 00:53:47,930 Question: I was wondering if you knew about the new locks which advertise 719 00:53:47,930 --> 00:53:51,269 their existence, like broadcast things, or things like that? 720 00:53:51,269 --> 00:53:54,649 Could you like walk through the street and know there are Bluetooth locks around you? 721 00:53:54,649 --> 00:53:59,229 Ray: No, those locks usually don’t broadcast because it would use too much energy. 722 00:53:59,229 --> 00:54:02,789 So usually you have to push the shackle of the lock or something. 723 00:54:02,789 --> 00:54:06,870 And then it broadcasts. There are actually if you go back to this DEF CON talk 724 00:54:06,870 --> 00:54:11,170 I was talking about – and I think that’s enough shaming of Master Lock here – 725 00:54:11,170 --> 00:54:16,180 *video playback stops* if he has door locks and stuff like that, 726 00:54:16,180 --> 00:54:19,119 those possibly are connected to [the] power [grid] and advertise all the time. 727 00:54:19,119 --> 00:54:23,410 So he did some lock wardriving. But for the padlocks that doesn’t work. 728 00:54:23,410 --> 00:54:27,380 But of course you can go and click them, and then… get the idea. 729 00:54:27,380 --> 00:54:30,510 And of course you can do the other thing: you could walk around and pretend 730 00:54:30,510 --> 00:54:34,699 you’re a lock, and see if someone has the app running, and connects back to you. 731 00:54:34,699 --> 00:54:37,030 That might work! 732 00:54:37,030 --> 00:54:39,690 Herald: And over to microphone no. 2, please! 733 00:54:39,690 --> 00:54:45,779 Question: I was wondering about that strong encryption, 734 00:54:45,779 --> 00:54:50,809 meaning AES, and on the other hand the very weak, or vulnerable, 735 00:54:50,809 --> 00:54:56,529 or flawed key exchange: do you think that might be due to out-tasking, 736 00:54:56,529 --> 00:55:01,780 like they have specified that they want encryption, and have not specified 737 00:55:01,780 --> 00:55:05,980 how key exchange is to be handled, and that might be the reason why 738 00:55:05,980 --> 00:55:10,709 it takes them 8 months or more to fix that? 739 00:55:10,709 --> 00:55:14,130 Ray: This is basically 2 questions. Of course I can only speculate. 740 00:55:14,130 --> 00:55:18,920 It might be out-tasking, it might also be that they just had the time… 741 00:55:18,920 --> 00:55:22,400 if you follow the NOKE kickstarter campaign – it was all funded 742 00:55:22,400 --> 00:55:25,869 in a kickstarter – they had a lot of problems in delivering on time. 743 00:55:25,869 --> 00:55:29,809 So there’s lots and lots of comments “I’m waiting for my lock, oh. Oh god, 744 00:55:29,809 --> 00:55:33,280 another delay, now you’re claiming manufacturing is difficult…”, so, many, 745 00:55:33,280 --> 00:55:37,410 many people saying “you have to come out with that”. So it might be time pressure, 746 00:55:37,410 --> 00:55:40,739 it might be out-tasking, and of course it might be that they just specified: 747 00:55:40,739 --> 00:55:44,439 “Oh, we want to use AES”. And that’s the other thing, everybody says: 748 00:55:44,439 --> 00:55:48,420 “We disclose what we’re using. We’re using AES!” Here we have a very good example, 749 00:55:48,420 --> 00:55:51,979 yes, it really is using AES. And it’s using a correct implementation. 750 00:55:51,979 --> 00:55:56,749 We actually found it’s a TI example implementation of AES that they’re using. 751 00:55:56,749 --> 00:56:01,559 So it’s completely valid AES128, but still it’s completely insecure. 752 00:56:01,559 --> 00:56:06,089 So people just claim they’re using AES, or “We’re using SHA-somesing or somesing”. 753 00:56:06,089 --> 00:56:09,999 Isn’t enough. You have to know the whole protocol. And that wasn’t the case here. 754 00:56:09,999 --> 00:56:12,579 *laughs* Herald: Okay, then we’re gonna go over 755 00:56:12,579 --> 00:56:14,579 to the internet, again! Ray: The internet… of… 756 00:56:14,579 --> 00:56:19,420 Signal Angel: Thank you. Actually it’s a follow-up question for the previous one: 757 00:56:19,420 --> 00:56:22,809 would it be sufficient to have a hardware-accelerated AES 758 00:56:22,809 --> 00:56:25,379 on these Bluetooth thingies? 759 00:56:25,379 --> 00:56:30,450 Ray: Actually hardware-accelerated AES doesn’t have to do anything with that. 760 00:56:30,450 --> 00:56:34,009 That might be helpful if you have a chip which is a crypto chip, 761 00:56:34,009 --> 00:56:37,900 if you have things like side channel attacks. If you would have a key fob 762 00:56:37,900 --> 00:56:41,869 which has a secret key in it which should not be extractable, those keys can be 763 00:56:41,869 --> 00:56:45,799 extracted with electronic attacks, side channel attacks, power measurements. 764 00:56:45,799 --> 00:56:50,559 Against these attacks a crypto chip could help because it has a good implementation. 765 00:56:50,559 --> 00:56:55,150 But for this… AES is AES. As I said the implementation of AES is valid. 766 00:56:55,150 --> 00:56:59,189 So an accelerated chip wouldn’t help. And they’re not doing bad crypto 767 00:56:59,189 --> 00:57:03,099 for performance reasons. It’s only one AES operation. They’re doing it because 768 00:57:03,099 --> 00:57:06,730 it’s more difficult to do it right. And it possibly would need asymmetric crypto. 769 00:57:06,730 --> 00:57:08,630 That could need acceleration, on the other hand. 770 00:57:08,630 --> 00:57:11,879 But it doesn’t have to do with the chip. 771 00:57:11,879 --> 00:57:15,420 Herald: Are you queuing there, on ‘5’? *lowered voice:* Well, then here we go! 772 00:57:15,420 --> 00:57:20,839 Question: Okay, two little questions, more hardware related. First one: 773 00:57:20,839 --> 00:57:24,961 How could you build a lock which isn’t susceptible to the attack 774 00:57:24,961 --> 00:57:28,999 you showed in the video, like flipping the magnet? 775 00:57:28,999 --> 00:57:33,949 That’s the one, and the second one is that Trelock, or ABUS I think, 776 00:57:33,949 --> 00:57:39,189 says they have an electronic bike lock which doesn’t have any battery, 777 00:57:39,189 --> 00:57:43,719 and I’m quite confused how they will do it. Have you any idea? 778 00:57:43,719 --> 00:57:48,420 Ray: Actually I don’t know – starting with the second question – the ABUS lock 779 00:57:48,420 --> 00:57:52,739 at all, I must admit. But there are e.g. also Cyberlock is it called, they have 780 00:57:52,739 --> 00:57:56,050 battery in the key, and you put the key to it. If it’s a Bluetooth lock I don’t know 781 00:57:56,050 --> 00:58:00,249 how they’re doing it. It might be possible that you push something and it starts 782 00:58:00,249 --> 00:58:04,809 a generator. I’ve seen buttons which you press and they generate the energy to send 783 00:58:04,809 --> 00:58:07,990 while you press it. So it might be that, but I don’t know the products. 784 00:58:07,990 --> 00:58:11,239 The other question, I must admit I didn’t really understand what you want to know. 785 00:58:11,239 --> 00:58:14,749 Can you repeat the first one? 786 00:58:14,749 --> 00:58:18,289 Question: Of course. I was just asking how to protect the lock 787 00:58:18,289 --> 00:58:22,109 so it can’t be opened by flipping a magnet, like you did in the video. 788 00:58:22,109 --> 00:58:26,180 Ray: How to protect it, that’s a very good question. I think we know 789 00:58:26,180 --> 00:58:30,479 how NOKE did it. And the thing is I don’t think NOKE did it intentionally. 790 00:58:30,479 --> 00:58:34,609 It just happened to be in their design. We can’t open the NOKE because 791 00:58:34,609 --> 00:58:38,809 the rotating actor they have is also magnetic. So if I put my magnet there 792 00:58:38,809 --> 00:58:43,819 I lock the lock. In the Master Lock it’s some cast metal which is not magnetic. 793 00:58:43,819 --> 00:58:47,239 So changing this to magnetic would possibly help. Using a completely 794 00:58:47,239 --> 00:58:51,599 different approach, like the motor in The Quicklock, or which needs more power, 795 00:58:51,599 --> 00:58:54,909 or works differently like a servo would help. But would be a completely 796 00:58:54,909 --> 00:58:59,689 different design. But it’s really a tricky part. There have lots of different locks 797 00:58:59,689 --> 00:59:04,339 in the past, also door locks, been attackable by hardware attacks. 798 00:59:04,339 --> 00:59:10,589 So building a good, really good mechanic, or electromechanic isn’t easy. 799 00:59:10,589 --> 00:59:15,259 Herald: And I think we have time for the last one, at microphone 5. 800 00:59:15,259 --> 00:59:19,340 Question: So this isn’t a question, it’s just a precision. At one point 801 00:59:19,340 --> 00:59:23,779 during the presentation you talked about open source smart appliances, 802 00:59:23,779 --> 00:59:28,309 and you said, nobody really does that. And you urge people 803 00:59:28,309 --> 00:59:34,190 to be the first to do e.g. open source sex toys. 804 00:59:34,190 --> 00:59:38,779 And it happens that someone is doing that. 805 00:59:38,779 --> 00:59:43,119 So on Github it’s Q-dot, if you want to learn more 806 00:59:43,119 --> 00:59:47,599 about what they’re doing. They have, you know, 807 00:59:47,599 --> 00:59:52,959 several public repositories about ‘teledildonics’. So, you know, just, 808 00:59:52,959 --> 00:59:55,519 if anyone wants to check that out, just saying. 809 00:59:55,519 --> 00:59:58,660 Ray: Okay, thanks for your self-advertisement. *laughter* 810 00:59:58,660 --> 01:00:02,599 And I was mainly talking about locks, I must admit. I don’t know the other fields 811 01:00:02,599 --> 01:00:05,560 so well. But locks is really difficult to get open source. If you have 812 01:00:05,560 --> 01:00:09,270 more questions I’ll be at the MuCCC assembly. I’m waiting for you to bring 813 01:00:09,270 --> 01:00:14,041 devices, get the dev board, hack the stuff. And thanks again, for listening! 814 01:00:14,041 --> 01:00:16,501 *applause* 815 01:00:16,501 --> 01:00:21,771 *postroll music* 816 01:00:21,771 --> 01:00:40,389 *subtitles created by c3subtitles.de in the year 2017. Join, and help us!*