Published in: Internet
  1. 1. Smart Wars: A+acking Smart Locks with a Smart Phone Song Li NewSky Security / 0XiD Labs
  2. 2. Kevo Smart Lock •  Bluetooth Low Energy (BLE) interface. •  When someone touches the deadbolt, Kevo smart lock will try to talk to BLE devices. •  Talks to BLE-enabled smart phones, iPhone 4S and later models, many Android phones with BLE enabled. •  Talks to key fob which is BLE-enabled. •  If device is around, unlock.
  3. 3. DEMO •  A brief demo of how Kevo smart lock works
  4. 4. DOS APack •  BLE protocol has broadcasQng mode and other modes that are point-to-point – The concept of bind – Similar to pair, less authenQcaQon, requires no password to bind •  Unfortunately, Kevo smart lock works on p2p mode •  Use a BLE-enabled smart phone to bind with fob before it talks to the lock
  5. 5. Convincing the Lock to Work for You(1) •  Kevo fob smart features – Its gyro sensor detects if it is being carried around. – If no moQon detected, the fob shuts down radio within a minute – The baPery will last longer – Fob is off when owner is home asleep, aPackers won’t be able to unlock the smart lock
  6. 6. Convincing the Lock to Work for You(2) •  When fob is bound with a device, it will NOT shutdown radio •  Even if the gyro sensor detects no moQon •  When fob is unbound, it takes about one minute before shuts down radio •  During this window, aPacker can touch the deadbolt and unlock, while owner is asleep
  8. 8. Timeline •  Ordered Kevo Smart Lock in Sept. 2015 •  DOS aPack successful 15 minutes a]er first power on •  Keep-awake aPack successful the next day – most of the Qme spent on reading user’s manual •  Contacted Kevo with aPack details •  Kevo responded with details and correcQons, focusing on the requirement of external doors •  Repeated experiment on a door that met Kevo’s requirement
  9. 9. Possible Fixes •  Add a physical buPon to the fob. •  Use broadcasQng mode instead of p2p mode •  Do not use fob, always use phone + app, so as to achieve more sophisQcated communicaQon – August smart lock uses this approach, an aPacking smart phone will be ignored.
  10. 10. Breaking locks, the physical way •  Demo Video