BLE authentication design challenges on smartphone controlled IoT devices: analyzing Gogoro Smart Scooter

Presented at TROOPERS17 (2017), March 21, 2017, 1:30 p.m. (Unknown duration)

Smartphones are commonly used as the controller and Internet gateway for BLE-enabled IoT devices. Designing a strong authentication protocol between them is the key part of IoT security. However, app design faces challenges such as limited input/output interfaces and privacy protection standards. Because of these restrictions, many vendors have given up on BLE's built-in Security Manager and chosen to build their own authentication protocols.

This study focused on a method for analyzing these BLE protocols and on discovering and solving these challenges. We applied this method to commercial products, including the popular Gogoro Smart Scooter from Taiwan. We will demonstrate that, under certain circumstances, we are able to dump the key used to unlock your Gogoro Scooter and send fake BLE signals to steal your scooter.


Presenters:

  • Chen-yu Dai
    Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence Program and Platforms, and consulting on enterprise cyber defenses. He is studying at the graduate school of the Department of Information Management at the National Taiwan University of Science and Technology. He also volunteered as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan. He has received many prizes from domestic and international CTFs, as well as bug bounty programs. He has been a speaker at several conferences: HITCON, BOTNET TW, CODE BLUE, IEEE GCCE, etc.
  • Shi-Cho Cha
    Shi-Cho Cha (CSC) is currently an associate professor at the Department of Information Management at the National Taiwan University of Science and Technology, where he has been a faculty member since 2006. He received his B.S. and Ph.D. in Information Management from the National Taiwan University in 1996 and 2003. He is a certified PMP, CISSP, CCFP and CISM. From 2000 to 2003, he was a senior consultant at eLand technologies and served as project leader for the development of several e-marketing systems. From 2003 to 2006, he was a manager at PricewaterhouseCoopers, Taiwan and helped several major government agencies develop their information security management systems. Recently, he helped NTUST establish a security analysis workforce and helped several organizations evaluate their system security. His current research interests are in the areas of information security management, identity management, smartphone security, and IoT security.
