
I am theoretically thinking about automatically unlocking the house door via smartphone, without the need to fiddle with the smartphone (opening an app, pressing a button).

There is a commercially available locking/unlocking device which works as follows:

  • Determining if the smart phone is in a geo fence
  • Within 40 minutes, it has to enter the range of a bluetooth beacon, and then a TLS / bluetooth unlock signal is sent to the door unlocking device.

They claim that even the bluetooth beacon can be manipulated (emulated), the unlock signal can not be faked / repeated.

I am thinking of the following attack vector:

  1. Phone is inside the house, next to the owner's bed
  2. From outside the window, fake GPS signal to fake leaving and entering the geo fence
  3. Phone would emit bluetooth opening signal
  4. Catch that bluetooth signal (if not in range of the door already)
  5. Repeat it to the door
  6. Door opens

Another attack vector would be that the phone is outside of the house, but the attacker is near the phone. The attack works similarly:

  1. Fake GPS to make the phone believe it enters the geofence
  2. Catch the bluetooth signal, repeat it via internet to the owner's home
  3. Open the door

Is this theoretically possible? If not, why is it still secure? If it is not secure, how can it be made safer?

Alex
  • To prevent Man In The Middle Attacks (MITM), you can set up the TLS negotiation so that on the server (home) you have a private / public key pair and on your phone you carry a user certificate issued by your home appliance. Then, you send that user certificate to the server using the bluetooth connection and verify your phone. This way, you can treat the bluetooth connection like it was completely unencrypted, however it has some security. – Aria Apr 23 '17 at 16:29
  • ps. You send that user certificate only if the public key of your home appliance matches whatever you have stored on your phone; this way you know it's your home and not someone performing a man in the middle attack. If there's someone in the middle listening he will not be able to read your user certificate, as your phone has established a TLS connection with your home device using their private / public key pair. – Aria Apr 23 '17 at 16:35
  • So the attack is not possible because you can't fake the private key during the TLS message, which is an additional layer of encryption on top of bluetooth. So even if you MITM bluetooth it's still safe during TLS. – Aria Apr 23 '17 at 16:49
  • There is a [product](http://www.kwikset.com/kevo/smart-lock/security) on the market that claims to do exactly what you want to do. Maybe try to see how they did it? – Marko Vodopija Apr 24 '17 at 07:56

1 Answer

In this case the security can indeed be circumvented, because GPS isn't secure. Having the phone out of range of the Bluetooth device is actually a help.

The weak point of the attack is this:

From outside the window, fake GPS signal to fake leaving and entering the geo fence

"Faking GPS signal" is not really easy since you also have the real signals coming in. You might set up a GPS receiver somewhere else, and have the signals it receives sent back to a powerful retransmitter next to the victim phone. This is probably not going to work too well due to retransmission delays, which will mutually invalidate several satellite signals (the satellite constellation will appear to be farther out than LEO orbit, and be wobbling something fierce). What you would see if you were looking at the phone with a map app turned on would be the "You're Here" dot jumping around like crazy, and disappearing altogether for several seconds or minutes. Actually I'm not so sure you could acquire a position. But I have seen that slightly messing with GPS signals results in the blue dot floating at random around the count(r)y, and its uncertainty radius to grow proportionally.

If this is enough to activate the geofence trigger, you're golden. And, to thwart this attack, what you need to do is monitor the GPS position and ensure it's sane (no jumping around at more than 200 km/h, for example). So an additional requirement for the "improved geofence" is for the phone to stably position itself outside of it for a reasonable amount of time with a small uncertainty radius.

LSerni
  • But how to trigger the Bluetooth signal for the opener? – Alex Apr 23 '17 at 18:31
  • I expect that the opener is simply broadcasting its presence, and attempts to pair with the phone. Any "blind" Bluetooth repeater could then make it appear to the phone as if the opener was nearby, and vice versa (e.g. AirCable's HostXR4). Another safety check that might or might not work would be carefully timing Bluetooth packets' round-trip time. – LSerni Apr 23 '17 at 18:41
  • It does multiple TLS key exchanges – Alex Apr 23 '17 at 18:51
  • That is not going to really help. The only thing the devices establish is that they are **what** they think they are. The bad thing here is that the devices are not **where** they think they are. Blind repeaters do not access packets, they just receive and retransmit the radio signals; imagine you have an encrypted link over copper cable, and then someone splices twenty extra feet of cable and makes it longer. The devices are unchanged, and they still communicate securely, but now they are farther apart. – LSerni Apr 23 '17 at 18:55
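A sanity filter along the lines the answer suggests, as an added example (not code from the question, the answer, or any lock product): it treats a geofence exit as confirmed only when the fixes are plausible (bounded ground speed, bounded uncertainty radius) and the phone has stayed outside the fence for a dwell time. The `Fix` shape, the 50 m accuracy bound and the 5 minute dwell are assumptions; the 200 km/h bound is the answer's figure.

```python
"""Geofence exit that ignores implausible GPS fixes (speed and uncertainty checks)."""
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    t: float      # seconds (assumed monotonic clock)
    lat: float    # degrees
    lon: float    # degrees
    acc_m: float  # uncertainty radius reported by the phone, metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class SaneGeofence:
    """Reports 'outside' only after plausible, stable fixes outside the fence (assumed thresholds)."""

    def __init__(self, lat, lon, radius_m, max_speed_kmh=200.0, max_acc_m=50.0, dwell_s=300.0):
        self.lat, self.lon, self.radius_m = lat, lon, radius_m
        self.max_speed_mps = max_speed_kmh / 3.6
        self.max_acc_m, self.dwell_s = max_acc_m, dwell_s
        self.last: Optional[Fix] = None
        self.outside_since: Optional[float] = None

    def update(self, fix: Fix) -> str:
        prev, self.last = self.last, fix
        # A large uncertainty radius is what a disturbed receiver reports: distrust the fix.
        if fix.acc_m > self.max_acc_m:
            self.outside_since = None
            return "implausible"
        # A position "jumping around like crazy" shows up as an impossible ground speed.
        if prev is not None and fix.t > prev.t:
            speed = haversine_m(prev.lat, prev.lon, fix.lat, fix.lon) / (fix.t - prev.t)
            if speed > self.max_speed_mps:
                self.outside_since = None
                return "implausible"
        if haversine_m(self.lat, self.lon, fix.lat, fix.lon) <= self.radius_m:
            self.outside_since = None
            return "inside"
        if self.outside_since is None:
            self.outside_since = fix.t
        # Only a confirmed exit should arm the later "re-entry unlocks the door" step.
        return "outside" if fix.t - self.outside_since >= self.dwell_s else "outside_unconfirmed"
```

Any "implausible" result resets the dwell timer, so a spoofed jump has to be sustained with consistent, tight fixes for the whole dwell period before the exit counts.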