back

Lockpicking in the IoT

...or why adding BTLE to a device sometimes isn't smart at all

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
01:00:40
Language
English
Abstract
"Smart" devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and App decompilation to show why those devices and their manufacturers aren't always that smart after all. And that even AES128 on top of the BTLE layer doesn't have to mean "unbreakable". Our main target will be electronic locks, but the methods shown apply to many other smart devices as well...

This talk will hand you all the tools you need to go deeply into hacking smart devices. And you should! The only reason a huge bunch of these products doesn't even implement the most basic security mechanisms, might be that we don't hack them enough!

We start by looking at the hardware layer, dissecting PCBs and showing which chips are usually used for building those devices. Even if the firmware is read protected they still can be used as nice devboards with unusual pheripherals - if you can't flash it, you don't own it!

But you don't always have to get out your JTAG interfaces. The most simple part is intercepting an Apps communication with its servers. We show an easy Man-in-the-middle setup, which on the fly breaks the TLS encryption and lets you read and manipulate the data flowing through. This was enough to completely defeat the restrictions on a locks "share to a friend" feature and of course helps you recover your password...

Understanding the API also is the best way to actually OWN your device - giving you the option to replace the vendors cloud service with an own backend. We show how this can be for example used to continue using your bike lock when the kickstarter you got it from goes bankrupt after a presentation about it's bad crypto. Just kidding, they are already notified and working on a patch.

Also going for the wireless interface and sniffing BTLE isn't as difficult as it might sound. Turning a cheap 10 EUR devboard into a sniffer we show how to use Wireshark to dissect the packets going from and to the device and analyze the payload. In some cases this is all what's needed to get the secret key from a single interaction...

Finally we will turn into reverse engineers, showing how to decompile an android app and analyze it's inner working or even modify it to your needs. Using this we show, that a quite popular electronic padlock indeed correctly claims to use AES128, but due to a silly key exchange mechanism we can break it by listening to a single opening command. All details of this 0-day attack will be released during the talk - the vendor has been notified in May.

Last but not least we will go back for the hardware layer, showing that sometimes even simple things like magnets or shims can be used to defeat $80+ electronic locks in seconds...

Talk ID
8019
Event:
33c3
Day
1
Room
Saal 1
Start
9:45 p.m.
Duration
01:00:00
Track
Hardware & Making
Type of
lecture
Speaker
Ray
Talk Slug & media link
33c3-8019-lockpicking_in_the_iot

Talk & Speaker speed statistics

Very rough underestimation:
170.2 wpm
915.7 spm
170.5 wpm
915.3 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  
100.0% Checking done100.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
170.2 wpm
915.7 spm
lockkeynokeapplocksopenphonebluetoothtimethingcoursethingsgoodhardwarebasicallycryptolaughterpeopleaesrayfirmwaremastersourceapplauseideachangerandomtalknicecodecommunicationenergyreadlowinternettalkingunderstandcompletely4chipquestionsend&smartworksecureisn’tbigtoldpadlock
Ray:
170.5 wpm
915.3 spm