LAS VEGAS – A vulnerability in a popular IoT lock key – used chiefly by a high-end hotel in Europe – allowed researchers to break into hotel rooms. The locks in question are dubbed “mobile keys” because of their reliance on mobile phones as opposed to card-based access such as those based on mag-strips and RFID.
Researchers at Black Hat USA 2019 showcased how they were able to circumvent an Internet of Things connected key system utilized by an unnamed European hotel. The name of the hotel and specific IoT lock system was not identified for safety reasons, as the locks are still deployed in the hotel.
“We went to do the one thing a mobile hotel key is supposed to prevent: wirelessly sniff someone entering his room – or just unlocking the elevator – and then reconstruct the needed data to open the door with any BTLE enabled PC or even a Raspberry Pi,” said security researcher (under the alias of) “Ray” and Michael Huebler during a Thursday session.
Mobile Key Cards
Researchers said hotels are increasingly swapping out key-cards and instead asking that guests use their mobile phone for room access. According to the vendors selling the systems, such as OpenKey, the use of mobile keys drives guest loyalty, encourages direct bookings and are more efficient than card-based keys.
However, the product is still nascent and vendors are facing various challenges, including secure pairing issues, old hardware utilized in the locks, and apps being made by third parties that might not be compatible with some systems.
While this option may seem convenient and seamless for guests, it’s also not secure – so much so that researchers are able to easily hack into the key system and break into guests’ rooms.
Mobile key cards involve a lock, which attaches to the hotel room door, and a smartphone app, which connects to the lock via Bluetooth low energy (BLE), a cheap and low-power alternative to Bluetooth that is commonly utilized in IoT devices. “All together there’s quite a lot of attack vectors there,” said Ray.
The researchers, both German hackers associated with the European hacker group Chaos Computer Club, previously have analyzed and broke electronic locks for the past few years, including padlocks using AES encryption. They decided to bring their skills to the smart lock space, assessing one such mobile phone hotel key system that they discovered in a high-end hotel in Germany in early 2019. This hotel used the mobile key system in their elevators, rooms and fitness centers.
The first step of the hack was to obtain and analyze BLE traffic used by the system. In order to do that, researchers needed to log traffic locally.
First, using Android devices, they enabled debug mode and activating the HCI snoop log, while on iOS devices, they installed the Apple Bluetooth Debug Certificate on the device.
Then, in order to actually monitor the traffic, researchers were then able to use wireless sniffing, which are packet analyzers that specifically capture data on wireless networks, and can be done using classic sniffing tools like Support Wireshark live view or Adafruit Bluefruit LE Sniffer (through researchers created their own tool for more a more reliable attack).
After monitoring the traffic and specifically inspecting the credential packet, researchers found the mobile key system to be vulnerable to a key stealing attack, which would allow them to circumvent the vendor’s method of replay protection.
Researchers then developed an exploit that allowed them to perform an array of malicious functions. There are some drawbacks: An attacker would need to be local and would need to identify the lock’s MAC address in advance. However, with these requirements, researchers were able to break into a hotel room.
After discovering the vulnerabilities, researchers first notified the lock vendor April 18. In May, the vendor acknowledged the vulnerability, and on June 28, the vendor discussed update plans – however, the system remains unpatched as of Thursday, researchers said.
Several issues exist that are hindering the update process, researchers said. While some of the locks can be updated remotely, others need to be updated by someone who goes from door to door with an update device. Also, multiple app vendors have to integrate to a new SDK that comes along with the update.
“One lesson we learned from this responsible disclosure process is that we have to not only identify the vendor but also identify any one else is involved,” researchers said.
It’s not the first issue to plague connected deadbolts. In June researchers warned that a keyless smart door lock made by U-tec, called Ultraloq, could allow attackers to track down where the device is being used and easily pick the lock – either virtually or physically. And last year, smart padlock Tapplock, which was marketed as “unbreakable,” received a critical patch after researchers discovered several security issues enabling them to easily hack into and unlock the device.
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.