Abusing the Internet of Things


FIGURE 2-3. The Kwikset Kevo door lock


Here we will discuss known BLE weaknesses and how to capture wireless traffic, but we
will pay particular attention to the iOS app, which sets this lock apart from the ones we have
looked at so far.


Understanding Weaknesses in BLE and Using Packet-Capture Tools


Established in 2010 as part of the Bluetooth 4.0 standard, BLE has received phenomenal support in the industry because it uses minimal power, which is extremely important in devices such as smartphones, tablets, and IoT devices. Bluetooth hardware chips are available for as little as $2, which gives BLE a significant cost advantage over competing protocols such as ZigBee and Z-Wave.

The Bluetooth Special Interest Group maintains the current Bluetooth specification. Note that the specification covers classic Bluetooth as well as BLE, and these two standards are not compatible with each other (i.e., Bluetooth devices implementing specifications prior to 4.0 cannot communicate with BLE devices).

BLE operates in the 2.4 GHz spectrum, which is split into 40 channels: 37 of these are used to transmit data, while the other 3 are used by unconnected devices to broadcast device information and establish connections. Devices can broadcast data to any scanning device or receiver in listening range, which allows a device to send one-way data to other devices without first establishing a connection.
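As an added example (not code from the book), the following shows what a BLE capture tool has to know about the channel layout just described, and how it decodes the advertising payload (AdvData) that unconnected devices broadcast on the 3 advertising channels. The channel-to-frequency mapping and the Length | AD Type | Data structure follow the Bluetooth Core Specification; the sample packet is constructed for illustration.

```python
# Added example, not code from the book: channel layout and AdvData decoding as a
# BLE sniffer would perform them. The sample packet below is constructed.

ADV_CHANNELS = {37: 2402, 38: 2426, 39: 2480}  # the 3 advertising channels (MHz)
AD_FLAGS, AD_COMPLETE_NAME, AD_TX_POWER = 0x01, 0x09, 0x0A  # assigned AD type numbers

def channel_frequency_mhz(index: int) -> int:
    """Map a BLE channel index (0..39) to its centre frequency in MHz."""
    if index in ADV_CHANNELS:
        return ADV_CHANNELS[index]
    if 0 <= index <= 10:   # data channels 0..10 sit between adv channels 37 and 38
        return 2404 + 2 * index
    if 11 <= index <= 36:  # data channels 11..36 sit between adv channels 38 and 39
        return 2428 + 2 * (index - 11)
    raise ValueError(f"invalid BLE channel index {index}")

def parse_ad_structures(payload: bytes) -> list:
    """Split AdvData into (ad_type, data) pairs. Each AD structure is
    Length (1 byte) | AD Type (1 byte) | Data (Length-1 bytes); a Length that
    overruns the payload is malformed, so stop and raise instead of reading past it."""
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero-length structure: remaining bytes are padding
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        out.append((payload[i + 1], bytes(payload[i + 2:end])))
        i = end
    return out

def describe_advertisement(payload: bytes) -> dict:
    """Summarise the fields a capture tool would display for one advertisement."""
    info = {}
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_FLAGS and data:
            info["flags"] = data[0]
        elif ad_type == AD_COMPLETE_NAME:
            info["name"] = data.decode("utf-8", errors="replace")
        elif ad_type == AD_TX_POWER and data:
            info["tx_power_dbm"] = int.from_bytes(data[:1], "little", signed=True)
    return info

# Constructed AdvData: Flags 0x06 (LE General Discoverable, BR/EDR not supported),
# Complete Local Name "Kevo", TX Power -4 dBm (0xFC as a signed byte)
SAMPLE_ADV = bytes([0x02, 0x01, 0x06, 0x05, 0x09]) + b"Kevo" + bytes([0x02, 0x0A, 0xFC])
```

A single-radio sniffer can only listen on one of the three advertising channels at a time, which is why captures of advertising traffic are often incomplete.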


46 | CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY
