Hack a lock and get free rides! (No free beer yet though...). This talk will explore the ever-growing ride-sharing economy and look at how the BLE "Smart" locks on shared bicycles work. The entire solution will be deconstructed and examined, from the mobile application to its supporting web services and finally communications with the lock. We will look at how to go about analysing communications between a mobile device and the lock, what works, what doesn't.
Previous talks on attacking BLE targeted the protocol itself using various hardware and software such as Ubertooth and Wireshark, which could be potentially difficult for someone new wanting to explore BLE and the ever-connected IoT world. I'll simplify and stupidify the entire process such that anyone with a mobile phone and basic experience with Frida can go about breaking locks and hacking BLE the world over.
3. whoami
• From Sunny Singapore
• Senior Security Consultant @ MWR
• Mobile and Wireless geek
  – BlackHat USA 2016 – Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
4. Bike-Sharing Economy and the BLE “Smart” Lock
1 Overview
2 Analyzing Communications
3 Building a Master Key
4 Demo
7. Major Players
Country:    China          | China          | Singapore
Founded:    2014           | 2015           | 2017
Operations: 20 Countries   | 16 Countries   | 22 Countries
Cost:       SGD$0.50/30min
8. Bluetooth Low Energy
Generic Access Profile (GAP)
• Peripheral: small, low-powered device, e.g. a bicycle lock
• Central: high-powered computing device, e.g. a mobile phone
9. Bluetooth Low Energy
Generic Attribute Profile (GATT)
• Services: groups of Characteristics, identified by a 16- or 128-bit UUID
• Characteristics: a single data point, identified by a 16- or 128-bit UUID
21. iOS CoreBluetooth
CBPeripheral
• Remote peripheral devices that the app has discovered advertising or is currently connected to.
• frida-trace patterns for the calls through which the app reads from, writes to, or subscribes to the lock:
  -m "*[CBPeripheral readValue*]"
  -m "*[CBPeripheral writeValue*]"
  -m "*[CBPeripheral setNotifyValue*]"
CBPeripheralDelegate
• Provides methods called on events relating to discovery, exploration, and interaction with a remote peripheral.
• frida-trace patterns for the callbacks that deliver the lock's responses (the class is wildcarded because the delegate class is app-specific):
  -m "*[* *didUpdateNotificationStateForCharacteristic*]"
  -m "*[* *didUpdateValueForCharacteristic*]"
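The two hook points on this slide as a Frida script, an added example that is not from the talk or from any bike-share app: it logs each write the app sends to the lock and each value a delegate callback receives back, as hex, so the lock protocol can be read off the console. It assumes a Frida runtime that exposes the ObjC bridge as the global `ObjC`, and the helper names (`toHex`, `formatEvent`, `nsDataToBytes`) are my own.

```javascript
// Added example (not the talk's code): log GATT traffic between the app and the lock,
// covering the same calls the frida-trace -m patterns above select.
// Run: frida -U -f <app bundle id> -l ble_trace.js   (assumes the global ObjC bridge)
const WRITE_TYPES = { 0: 'withResponse', 1: 'withoutResponse' };
// Pure helper: render payload bytes as spaced hex.
function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join(' ');
}
// Pure helper: one log line per GATT event (direction, characteristic UUID, payload, detail).
function formatEvent(direction, uuid, bytes, extra) {
  const parts = ['[' + direction + ']', uuid, 'len=' + bytes.length];
  if (bytes.length) parts.push(toHex(bytes));
  if (extra) parts.push('(' + extra + ')');
  return parts.join(' ');
}
// Copy an NSData living in the target process into a Uint8Array (empty if nil or zero-length).
function nsDataToBytes(nsData) {
  if (nsData === null || nsData.handle.isNull()) return new Uint8Array(0);
  const len = nsData.length().valueOf();
  return new Uint8Array(len ? nsData.bytes().readByteArray(len) : 0);
}
if (typeof ObjC !== 'undefined' && ObjC.available) {
  // App -> lock: -[CBPeripheral writeValue:forCharacteristic:type:]
  const writeValue = ObjC.classes.CBPeripheral['- writeValue:forCharacteristic:type:'];
  Interceptor.attach(writeValue.implementation, {
    onEnter(args) {                      // args[0]=self, args[1]=_cmd, then the parameters
      const ch = new ObjC.Object(args[3]);
      const kind = WRITE_TYPES[args[4].toInt32()] || 'type=' + args[4].toInt32();
      console.log(formatEvent('WRITE', ch.UUID().UUIDString().toString(),
                              nsDataToBytes(new ObjC.Object(args[2])), kind));
    }
  });
  // Lock -> app: whichever app class implements the delegate callback. Its name is
  // app-specific, so resolve it with a wildcard, like frida-trace -m "*[* *didUpdateValue*]".
  new ApiResolver('objc')
    .enumerateMatches('-[* peripheral:didUpdateValueForCharacteristic:error:]')
    .forEach(match => {
      Interceptor.attach(match.address, {
        onEnter(args) {                  // args[2] is the CBPeripheral, args[3] the characteristic
          const ch = new ObjC.Object(args[3]);
          console.log(formatEvent('NOTIFY/READ', ch.UUID().UUIDString().toString(),
                                  nsDataToBytes(ch.value()), match.name));
        }
      });
    });
}
```

The pure helpers run outside Frida too, so the log format can be unit-tested without a device.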
22. Summary…
01 Scan QR Code
02 Get Lock Key From Server
03 Server Responds with Lock Key
04 Request Encrypted Token
05 Gets Encrypted Token
06 Decrypt Token & Unlock!
41. 01 Unlock Bike Lock (QR code content: http://www.mobike.com/download/app.html?b=AXXXXXXX)
02 App Checks Lock Status. Uploads Coordinates.
03 Server Responds with Lock Status
04 Server Responds with Unlock Key
05