Open nelsonic opened 4 years ago
From the (small) amount of research I've done the general consensus is that Bluetooth 4 / Bluetooth low energy is "secure". However I'm not sure how well Bluetooth stands up to replay and man-in-the-middle attacks.
I think by treating Bluetooth as an insecure protocol we gain several benefits:
I believe we could easily implement a challenge response protocol over Bluetooth that would be plenty secure enough for use on a door lock.
Sharing private keys in an initial setup phase could easily be done over WiFi or, if needed, the wider internet over TLS.
This may be vulnerable to Relay attacks, but this could be pretty easily mitigated by adding a timestamp to the signed response number, making it impossible to use stored responses at a later date.
There is an industry standard protocol based on this, Kerberos, but it looks a bit heavy handed for our usage.
This is arguably less secure, but is simpler (less to go wrong) and plenty "good enough" - especially if we presume Bluetooth has good security on top of this.
This, however, won't work if the door does not have a reliable way to keep time.
The running theme of the research on "Smart Door Locks" I've done so far is that the biggest vulnerability is the susceptibility of the locks themselves to "low tech" attacks. Some of the most cryptographically secure locks on the market are vulnerable to simple attacks with screwdrivers.
Remote entry is a hard problem; Tesla, VW, Citroen, Ford and Peugeot have struggled to use and implement secure systems.
It's worth remembering that most physical locks are also vulnerable to picking and other physical attacks, so you're not gaining or losing any "real world" security by making a well-implemented smart lock.
Some interesting reading on remote access systems, some aren't Bluetooth based but still give a good overview of why remote locks are so hard to do properly.
https://morphuslabs.com/hacking-the-nok%C4%93-padlock-adfe7b1b5617 - Hacking a BLE padlock - used a hardcoded key however so this shouldn't apply to a challenge-response solution.
https://www.cs.bham.ac.uk/~oswalddf/publications/2016_usenix_lock_it_and_still_lose_it.pdf - A research paper on various car keys.
https://eprint.iacr.org/2010/332.pdf - Another research paper targeting car keys.
Also interesting, slides from Black Hat 2016 documenting attacks on Bluetooth 4: https://github.com/securing/docs/blob/master/slides.pdf
and the associated white paper: https://github.com/securing/docs/blob/master/whitepaper.pdf
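The challenge-response scheme sketched above, written out as a small added example (not code from this issue or from the project it discusses). The pre-shared key, the 30-second clock-skew window and the single-use nonce are my assumptions; the clock is injected so the "door needs a reliable time source" dependency is explicit, and the replay and stale-timestamp cases show the checks rejecting them.

```python
import hmac, hashlib, os, time

# Assumed pre-shared key, distributed once during setup (e.g. over TLS) as the post
# suggests. Constructed sample value; a real deployment generates one per phone.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
MAX_SKEW = 30  # seconds of phone/lock clock drift the lock tolerates (assumption)

def mac(key, nonce, ts):
    """HMAC over challenge nonce and the phone's timestamp (8-byte big-endian)."""
    return hmac.new(key, nonce + ts.to_bytes(8, "big"), hashlib.sha256).digest()

class Lock:
    """Door side (e.g. the Raspberry Pi). Issues one-time random challenges."""
    def __init__(self, key, now=time.time):
        self.key, self.now = key, now
        self.pending = set()  # nonces issued but not yet answered (expire in practice)

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, ts, tag):
        if nonce not in self.pending:
            return False  # unknown or already-consumed challenge: a replay
        if abs(self.now() - ts) > MAX_SKEW:
            return False  # stale response, bounds the window for a relay
        if not hmac.compare_digest(mac(self.key, nonce, ts), tag):
            return False  # wrong key or tampered message
        self.pending.discard(nonce)  # consume: each challenge opens the door once
        return True

class Phone:
    """Reader side: answers a challenge with a timestamped MAC under the shared key."""
    def __init__(self, key, now=time.time):
        self.key, self.now = key, now

    def respond(self, nonce):
        ts = int(self.now())
        return nonce, ts, mac(self.key, nonce, ts)

def demo():
    """Returns (fresh response accepted, replayed response accepted, stale accepted)."""
    lock, phone = Lock(SHARED_KEY), Phone(SHARED_KEY)
    nonce = lock.challenge()
    resp = phone.respond(nonce)
    first = lock.verify(*resp)
    replay = lock.verify(*resp)  # same bytes re-sent later: nonce already consumed
    n2, old = lock.challenge(), int(time.time()) - 3600
    stale = lock.verify(n2, old, mac(SHARED_KEY, n2, old))  # valid MAC, hour-old clock
    return first, replay, stale
```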
Hi @th0mas thanks very much for doing some initial investigation on this! I read through the links you shared, the slides and whitepaper.pdf, and both are insightful. Had a look at https://gattack.io & https://github.com/securing/gattacker and my takeaway is that attacks are most effective during the initial pairing. MITM attacks rely on there being no encryption implemented between devices. A DoS via signal jamming attack is not one that concerns us as it requires reasonable technical sophistication and does not have a payoff for the attacker beyond service disruption.
The tech we want to use is not regular Bluetooth but rather BLE Beacons as per the diagram above. But what I got wrong is that we don't want the Phone to be the beacon but rather the phone to be the reader and the Raspberry Pi to be the Beacon. More info to follow in a revised diagram.
Meanwhile if you are new to BLE Beacons, this is a good intro:
https://youtu.be/L44m7otNI7o
Annoyingly the video creator did not link to any blog post or GitHub repo so this is only a demo, not a tutorial.
This video actually links to source:
https://youtu.be/bAcK80fm1_0
https://github.com/HackerShackOfficial/Smartphone-Doorlock
I'm not as fussed about the code, doubt we will be able to re-use any of it.
We are planning to use Bluetooth Low Energy (BTLE) to authenticate people via their Phone (or other BTLE capable device) in order to enter the house @home. We know this is how the keyless entry works on Tesla Model 3: https://www.tesla.com/support/car-safety-security-features
![image](https://user-images.githubusercontent.com/194400/85164036-a815f200-b25b-11ea-964f-c2a55b5c5d58.png)
We need to investigate if the Bluetooth Identifier for the device can be spoofed or if there is any way to crack the data transmission. We are going to be entrusting a lot of value to this system so we need to know that the foundations we are building on are rock solid.
So far this is what I've read:
Is Bluetooth 4.0 traffic encrypted by default/design? https://security.stackexchange.com/questions/100554/is-bluetooth-4-0-traffic-encrypted-by-default-design
Is it possible to spoof a paired Bluetooth device? https://security.stackexchange.com/questions/139854/is-it-possible-to-spoof-a-paired-bluetooth-device
Todo