Moving from Hacking IoT Gadgets to Breaking into One of Europe's Highest Hotel Suites

Presented at Black Hat USA 2019, Aug. 8, 2019, 5 p.m. (60 minutes)

We're taking Bluetooth LE hacking from toys and padlocks to the real world. Improving the tools and methods we used in previous research to break the AES-protected NOKE padlock, we set out to do the one thing a mobile hotel key is supposed to prevent: wirelessly sniff someone entering their room, or just unlocking the elevator, and then reconstruct the data needed to open the door with any BTLE-enabled PC or even a Raspberry Pi.

In this talk we will show and explain the tools and methods we developed and used to break the BTLE-based mobile phone key system of a large hotel chain, and then take the attack from an academic proof of concept to a reliable setup that works in real-life scenarios.

The methods shown cover reverse engineering the wireless protocol from BTLE captures, analyzing the decompiled mobile phone app, and intercepting the TLS-encrypted traffic to the back-end API; in combination, these led to the compromise of the system.
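The attack the abstract sketches (sniff a legitimate unlock, then replay the reconstructed data from any BLE-capable device) and the remark in Ray's bio that "AES128 encrypted" says nothing without looking at the whole system both come down to one protocol property: freshness. The toy model below is an added example written for this page; it is not the presenters' code and does not model the NOKE padlock or the hotel system's actual protocol. It uses HMAC-SHA256 from Python's standard library as a stand-in for whatever primitive a real lock uses, and the key, frame layout and lock classes are constructed assumptions.

```python
"""Toy sniff-and-replay model for a BLE lock protocol.

Constructed illustration for this page only: it does not model the NOKE padlock,
the hotel chain's system from the talk, or any real product. HMAC-SHA256 from the
standard library stands in for whatever primitive a real lock uses (e.g. AES); the
weakness shown lives in the protocol (no freshness), not in the cipher.
"""
import hashlib
import hmac
import secrets

# Constructed shared key, assumed to be provisioned to both phone app and lock.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TAG_LEN = 16


def tag(key: bytes, msg: bytes) -> bytes:
    """Authentication tag over msg (truncated HMAC-SHA256, stand-in for a real MAC)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def split_frame(frame: bytes):
    """Frame layout assumed here: <body><16-byte tag>."""
    return frame[:-TAG_LEN], frame[-TAG_LEN:]


class StaticTokenLock:
    """Accepts any correctly authenticated UNLOCK frame. No nonce, counter or
    challenge, so a frame that was valid once stays valid forever: sniff it once,
    replay it from any BLE-capable device."""

    def __init__(self, key: bytes):
        self.key = key

    def receive(self, frame: bytes) -> bool:
        body, mac = split_frame(frame)
        return body == b"UNLOCK" and hmac.compare_digest(tag(self.key, body), mac)


class ChallengeLock:
    """Hardened variant: the lock issues a fresh random challenge per session and
    only accepts a tag bound to that challenge, so captured responses are useless."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def receive(self, frame: bytes) -> bool:
        if self.pending is None:
            return False
        body, mac = split_frame(frame)
        expected = tag(self.key, self.pending + body)
        self.pending = None  # one-shot: the challenge is consumed either way
        return body == b"UNLOCK" and hmac.compare_digest(expected, mac)


def phone_static_frame(key: bytes) -> bytes:
    """What the (toy) app sends to a StaticTokenLock."""
    body = b"UNLOCK"
    return body + tag(key, body)


def phone_challenge_frame(key: bytes, chal: bytes) -> bytes:
    """What the (toy) app sends to a ChallengeLock: tag bound to the challenge."""
    body = b"UNLOCK"
    return body + tag(key, chal + body)


def replay_against_static_lock():
    """Returns (legit_open, replay_open); both are True for the static design."""
    lock = StaticTokenLock(KEY)
    frame = phone_static_frame(KEY)
    legit = lock.receive(frame)      # guest opens the door
    sniffed = bytes(frame)           # attacker's passive BLE capture
    replay = lock.receive(sniffed)   # attacker replays it later
    return legit, replay


def replay_against_challenge_lock():
    """Returns (legit_open, replay_open); replay fails because the challenge changed."""
    lock = ChallengeLock(KEY)
    frame = phone_challenge_frame(KEY, lock.challenge())
    legit = lock.receive(frame)
    sniffed = bytes(frame)
    lock.challenge()                 # attacker's later session gets a fresh challenge
    replay = lock.receive(sniffed)
    return legit, replay


def forge_without_key() -> bool:
    """The primitive itself holds: without KEY an attacker cannot mint a valid frame."""
    lock = StaticTokenLock(KEY)
    wrong = phone_static_frame(secrets.token_bytes(16))
    return lock.receive(wrong)


if __name__ == "__main__":
    print("static token lock (legit, replay):", replay_against_static_lock())
    print("challenge lock    (legit, replay):", replay_against_challenge_lock())
    print("forge without key:", forge_without_key())
```

Run directly, the script prints all three outcomes. The test a practitioner would take from this: capture one genuine unlock session, replay it unchanged, and see whether the lock cares. A lock that never issues a challenge or counter is replayable no matter how strong the cipher behind the tag is.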


Presenters:

  • Michael Huebler - Physical Security Researcher
    Michael Huebler has been analyzing, hacking and improving locks since the 1970s. He is an engineer and works in software development in other technical fields, but still regularly participates in lock manipulation competitions and helps lock manufacturers improve their products. His current security research focuses mainly on electromechanical locks and wireless systems such as Bluetooth LE.
  • Ray - Security Researcher
    Ray is an independent security researcher from Germany. He is an active member of the European hacker organization CCC as well as of the world's oldest lock-picking club, SSDeV. He created the first 3D-printed key in 2009 and replicated high-security handcuff keys with a laser cutter. His practical lock-picking skills earned him a DEFCON Black Badge before he moved on to analyzing and breaking electronic locking systems. In 2016 he was the first to break a BTLE lock that actually uses real encryption, showing that "AES128 encrypted" doesn't mean anything without looking at the whole system.
