I am theoretically thinking about automatically unlocking the house door via smartphone, without the need to fiddle with the smartphone (opening an app, pressing a button).
There is a commercially available locking/unlocking device which works as follows:
- Determining if the smart phone is in a geo fence
- Within 40 minutes, it has to enter the range of a Bluetooth beacon and then a TLS / Bluetooth unlock signal is sent to the door unlocking device.
They claim that even if the Bluetooth beacon can be manipulated (emulated), the unlock signal cannot be faked / repeated.
I am thinking of the following attack vector:
- Phone is inside the house, next to the owner's bed
- From outside the window, fake GPS signal to fake leaving and entering the geo fence
- Phone would emit Bluetooth opening signal
- Catch that Bluetooth signal (if not in range of the door already)
- Repeat it to the door
- Door opens
Another attack vector would be that the phone is outside of the house, but the attacker is near the phone. The attack works similarly:
- Fake GPS to make the phone believe it enters the geofence
- Catch the Bluetooth signal, repeat it via internet to the owner's home
- Open the door
Is this theoretically possible? If not, why is it still secure? If it is not secure, how can it be made safer?
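The vendor's claim that the unlock signal cannot be repeated, sketched from the door's side as an added example (not part of the original question, and not the vendor's actual protocol): a single-use challenge makes a recorded response worthless, and a response-time limit rejects a correct answer that arrives late, for example after being forwarded over a slower path. `Lock`, `phone_response`, the HMAC construction, the shared key and the 50 ms limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def phone_response(key, nonce):
    """Phone side: prove knowledge of the pairing key for this nonce only."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Lock:
    """Door-side verifier (hypothetical design)."""

    def __init__(self, key, max_rtt=0.05):
        self.key = key
        self.max_rtt = max_rtt   # assumed limit, seconds, challenge -> response
        self.pending = None      # (nonce, issued_at); valid for one attempt

    def challenge(self, now):
        self.pending = (os.urandom(16), now)
        return self.pending[0]

    def verify(self, response, now):
        if self.pending is None:
            return "rejected: no open challenge"
        nonce, issued_at = self.pending
        self.pending = None      # consume the nonce whatever the outcome
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "rejected: bad response"
        if now - issued_at > self.max_rtt:
            return "rejected: response too slow"
        return "unlocked"


def demo():
    """Run four constructed exchanges; timestamps are simulated seconds."""
    key = os.urandom(32)         # constructed pairing key
    lock = Lock(key)
    out = {}
    nonce = lock.challenge(now=0.0)
    recorded = phone_response(key, nonce)
    out["fresh"] = lock.verify(recorded, now=0.01)
    lock.challenge(now=10.0)     # new nonce, old recorded response
    out["replayed"] = lock.verify(recorded, now=10.01)
    out["unsolicited"] = lock.verify(recorded, now=11.0)
    nonce = lock.challenge(now=20.0)
    out["delayed"] = lock.verify(phone_response(key, nonce), now=20.3)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

The freshness check alone only stops a recording from being reused; the timing limit is what addresses a response to the current challenge arriving from far away, and its precision over Bluetooth is limited in practice.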