Moving from Hacking IoT Gadgets to Breaking into One of Europe's Highest Hotel Suites

Black Hat USA 2019

Presented by: Ray ., Michael Huebler
Date: Thursday August 08, 2019
Time: 17:00 - 18:00
Location: Islander FG

We're taking Bluetooth LE hacking from toys and padlocks to the real world. Improving the tools and methods we used in previous research to break the AES cryptography of the NOKE Padlock, we went to do the one thing a mobile hotel key is supposed to prevent: wirelessly sniff someone entering his room - or just unlocking the elevator - and then reconstruct the needed data to open the door with any BTLE enabled PC or even a raspberry pi.

In this talk we will show and explain the tools and methods we used and developed to break the BTLE based mobile phone key system of a large hotel chain. And then come from the academic proof of concept to a reliable setup that can be used in real life scenarios to carry out the attack.

Methods shown will cover the reverse engineering of the wireless protocol based on BTLE captures, analyzing the decompiled mobile phone app and intercepting the TLS encrypted traffic to the back end API, which in combination led to the compromise of the system.

Ray .

Ray is an independent security researcher from Germany. He is active member of the European hacker organization CCC as well as of the world's oldest lock-picking club SSDeV. He created the first 3D printed key in 2009 and replicated high security handcuff keys with a laser cutter. His practical lock picking skills earned him a DEFCON Black Badge before moving to analyzing and breaking electronic locking systems. In 2016 he was the first to break a BTLE lock which actually uses real encryption, showing that "AES128 encrypted" doesn't mean anything without looking at the whole system.

Michael Huebler

Michael Huebler has been analyzing, hacking and improving locks since the 1970's. He is an engineer and works in SW development in other technical fields, but still regularly participates in lock manipulation competitions and helps lock manufacturers to improve their products. His current security research mainly focuses on electromechanical locks and wireless systems like Bluetooth LE.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats