Hacking Smart Locks with Bluetooth / BLE

By Bernhard Mehl
August 13, 2018

At Defcon 2016, the annual security conference in Las Vegas, @jmaxxz, Anthony Rose and Ben Ramsey presented different ways Bluetooth smart locks can be hacked [we were a little disappointed not to be included, as we always like to be challenged on our security].

4 devices to get hacking:

  1. A Bluetooth sniffer like the Ubertooth One or Bleno. Passwords were transmitted in plain text, making them easy to extract with a sniffer.
  2. You’d need a Bluetooth Smart USB dongle to broadcast
  3. Raspberry Pi
  4. A high gain directional antenna

To make it easy for everyone we’ve summarized the main reasons why these locks were compromised:

  • Replay attacks – simply recording and replaying the signal unlocks the lock.
  • Vulnerable to fuzzing – changing bytes of a valid command to put the lock into an error state that causes it to open. (Okidokey)
  • Decompiling the APK used to unlock the smart lock by downloading the APK from the Android device, converting from dex to jar and then decompiling it. (Dana lock)
  • Device spoofing (Bitlock Padlock)
  • A backdoor added to the lock by a guest user allows resetting it to factory settings and opening the lock. (August lock)
  • Brute forcing, because the locks only have 8-digit PINs.
  • Master API Admin code was hard coded in the hacked August Lock.

Here are some of the original images:

[Image: bluetooth encryption]

Some features of the “uncrackable” smart locks:

  • Proper AES encryption
  • Truly random nonce (8 – 16 bytes)
  • 2-factor authentication
  • No hard coded passwords
  • Long passwords allowed (16-20 characters)
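
Why a random nonce defeats the replay attack listed above, as an added example that is not code from the talks or from any lock vendor. It simulates both sides in memory; the class and function names are hypothetical, and HMAC-SHA256 from the Python standard library stands in for the AES-based authentication a real lock would use.

```python
import hashlib
import hmac
import secrets

class StaticLock:
    """Weak design: the unlock command is the same bytes every time."""
    def __init__(self, password: bytes):
        self._password = password

    def handle(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, b"UNLOCK:" + self._password)

class NonceLock:
    """Hardened design: each unlock must authenticate a fresh, single-use nonce."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # random 16-byte nonce per attempt
        return self._nonce

    def handle(self, frame: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consumed even if the check fails
        if nonce is None:
            return False
        expected = hmac.new(self._key, b"UNLOCK" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(frame, expected)

def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the paired phone sends back for a given challenge."""
    return hmac.new(key, b"UNLOCK" + nonce, hashlib.sha256).digest()

def demo() -> dict:
    results = {}
    weak = StaticLock(b"12345678")       # constructed sample password
    recorded = b"UNLOCK:12345678"        # constructed frame, as a recording would hold it
    results["static_legit"] = weak.handle(recorded)
    results["static_replay"] = weak.handle(recorded)   # same bytes work again

    key = secrets.token_bytes(32)        # assumption: shared key set up at pairing
    lock = NonceLock(key)
    frame = phone_response(key, lock.challenge())
    results["nonce_legit"] = lock.handle(frame)
    lock.challenge()                     # next attempt gets a new nonce
    results["nonce_replay"] = lock.handle(frame)        # old frame no longer matches
    results["nonce_no_challenge"] = lock.handle(frame)  # no outstanding nonce
    return results

if __name__ == "__main__":
    print(demo())
```
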

Reading some of the comments in the Hackaday post suggests it will not take long till we see Bluetooth locks showing up in a CSI TV show. Let’s hope manufacturers will be more transparent with regard to their security standards and also communicate them to end users. In the end, the strange thing about this whole discussion is that it’s not the lock that makes things secure, it’s the communication to and from the lock. Mechanics still work the same way they always did.


Phone-based systems are not just a small-business solution. CEO of Kisi, Bernhard Mehl, comments: “If you see the average of three doors connected then that might seem low but, in reality, one door relates to around 50 employees—so those are locations with about 150 people on average, including satellite offices. That’s quite significant.”

Mobile Access Control Adoption by Industry

Kisi examined which industries are investing the most in mobile access control technology. To do so, the average size of mobile access control installation projects by industry was measured. Commercial real estate topped the list with 23.5 doors running mobile access per facility. Education management came in last with 1.0 door running mobile access per facility.

Physical Security Statistics: Mobile Access by Industry

The number of shooting incidents at K-12 schools, according to the CHDS, reached an all-time high at 97 incidents in 2018—compared to 44 in 2017. Cloud-based access control companies, like Kisi, offer a lockdown feature for active shooter situations or emergencies, making it an effective protective layer for places that are targeted, such as religious institutions, which come in near the top of the list with 4.0 doors running mobile access per facility. 

Based on industry size, it makes sense that commercial real estate tops the list, with 23.5 doors running mobile access per facility. Cloud-based access control enables these larger organizations to scale more seamlessly and allows large organizations, like telecommunications, to deploy the most manageable IT solutions available, eliminating the need to create and manage a business’s own IT infrastructure over time.

“Commercial real estate is, of course, the driver of mobile adoption since they have the largest buildings,” Mehl adds. “The key here is to show that mobile-first technologies are not a risk but an innovation that brings positive ROI and allows agencies to reposition their buildings as forward-thinking establishments.”

The scalability and ease of use in onboarding an organization allow many different types of industries and businesses of different sizes to adopt a cloud-based access control system, using either keycard or mobile credentials for access.

Mobile Access Control by State

Looking specifically at the United States, Kisi analyzed in which states companies are investing the most into upgrading to smartphone-enabled access systems. Of the currently installed base of access control readers, around 20 percent will be mobile capable by 2022, according to a recent IHS report. Cloud-based systems, like Kisi, are future-proof—allowing over-the-air updates in real time and unlimited scalability for users.

“Mobile unlock technology makes you think of the major tech hubs like New York, San Francisco or Los Angeles,” Mehl adds. “Looking at which states have the largest projects, it’s surprising and refreshing that those are not the typical ‘tech cities,’ and yet that’s where access control technology really makes an impact.” The fact that the largest projects are seen in states outside of the typical tech startup landscape is evidence that mobile access control is highly applicable across industry sectors.

For further questions about this study, reach out to Kait Hobson (kait@getkisi.com)

Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.
