leHACK Conferences & workshops 📅 iCal

The objective of this presentation is to analyze the security of a connected padlock using the Bluetooth Low Energy protocol, which is widely used in the Internet of Things (IoT). This study has been conducted in the context of a student project, co-supervised by INSA Toulouse and EURECOM, and highlights several critical security issues in the implementation of a connected padlock. More importantly, we describe our methodology to analyze this device. Our analysis shows that this padlock relies on a vulnerable proprietary protocol built over the applicative layers of Bluetooth Low Energy, and is representative of bad security practices in the design of BLE-enabled IoT devices. Two main methods have been used to identify vulnerabilities in this connected padlock. The first method, conducted using the Mirage framework, allows us to intercept and analyze the BLE communications between the padlock and the phone, using a Man-in-the-Middle attack. In addition, we conducted a second complementary method based on a static analysis of the code of the Android application used by the padlock, using JADX software. This method allowed us to discover the encryption algorithm in use, the associated cryptographic material and the format of messages used by the proprietary protocol. Our analysis allowed us to design and implement three over the air exploits using Mirage framework. The first exploit allows to unlock the padlock directly from a computer with Bluetooth. The second exploit allows to delete the fingerprints registered on the padlock. The third and last exploit allow to reset the padlock remotely, allowing an attacker to kick non-admin users and delete the fingerprints.