Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Csw2016 song li-smart_wars


Published on


Published in: Internet
  • Be the first to comment

  • Be the first to like this

Csw2016 song li-smart_wars

  1. 1. Smart Wars: A+acking Smart Locks with a Smart Phone Song Li NewSky Security / 0XiD Labs
  2. 2. Kevo Smart Lock •  Bluetooth Low Energy (BLE) interface. •  When someone touches the deadbolt, Kevo smart lock will try to talk to BLE devices. •  Talks to BLE-enabled smart phones, iPhone 4S and later models, many Android phones with BLE enabled. •  Talks to key fob which is BLE-enabled. •  If device is around, unlock.
  3. 3. DEMO •  A brief demo of how Kevo smart lock works
  4. 4. DOS APack •  BLE protocol has broadcasQng mode and other modes that are point-to-point – The concept of bind – Similar to pair, less authenQcaQon, requires no password to bind •  Unfortunately, Kevo smart lock works on p2p mode •  Use a BLE-enabled smart phone to bind with fob before it talks to the lock
  5. 5. Convincing the Lock to Work for You(1) •  Kevo fob smart features – Its gyro sensor detects if it is being carried around. – If no moQon detected, the fob shuts down radio within a minute – The baPery will last longer – Fob is off when owner is home asleep, aPackers won’t be able to unlock the smart lock
  6. 6. Convincing the Lock to Work for You(2) •  When fob is bound with a device, it will NOT shutdown radio •  Even if the gyro sensor detects no moQon •  When fob is unbound, it takes about one minute before shuts down radio •  During this window, aPacker can touch the deadbolt and unlock, while owner is asleep
  7. 7. DEMO •  Youtube video of aPacks •  Find it on our blog:
  8. 8. Timeline •  Ordered Kevo Smart Lock in Sept. 2015 •  DOS aPack successful 15 minutes a]er first power on •  Keep-awake aPack successful the next day – most of the Qme spent on reading user’s manual •  Contacted Kevo with aPack details •  Kevo responded with details and correcQons, focusing on the requirement of external doors •  Repeated experiment on a door that met Kevo’s requirement
  9. 9. Possible Fixes •  Add a physical buPon to the fob. •  Use broadcasQng mode instead of p2p mode •  Do not use fob, always use phone + app, so as to achieve more sophisQcated communicaQon – August smart lock uses this approach, an aPacking smart phone will be ignored.
  10. 10. Breaking locks, the physical way •  Demo Video