Fraunhofer researchers crack Bluetooth locks from Tapplock. A home-made directional antenna built from potato chip cans and two off-the-shelf mini-computers are enough to crack Bluetooth locks from the US manufacturer Tapplock in seconds.
This was demonstrated by researchers at the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt. The manufacturer was informed of the weaknesses and has since fixed them in one of its models.
Bluetooth locks cracked in seconds
Fumbling for the bike lock or locker key is a thing of the past with a modern Bluetooth lock: you lock and unlock it with your fingerprint or with a smartphone app that talks to the lock over Bluetooth Low Energy (BLE). But such locks can also be cracked, as a group of scientists at Fraunhofer SIT has now shown. They examined two Bluetooth locks from the manufacturer Tapplock, the Tapplock ONE and the Tapplock ONE+, and found two serious vulnerabilities in both models. These allow attacks that completely bypass the locks' security mechanisms without leaving any trace of a break-in. Both attacks can be carried out with limited technical and financial means: the group used an attack tool it had built itself from, among other things, potato chip cans and commercially available mini-computers (Raspberry Pi).
Attack with a directional antenna made from chip cans
The first attack scenario is a man-in-the-middle attack: the attacker inserts himself into the Bluetooth connection that is established between the victim's lock and smartphone while the victim is locking the lock, so that the data normally exchanged directly between lock and smartphone also passes through the attacker. Once the owner has walked away, the attacker keeps the connection to the lock open and simply sends the communication data he has just captured, which is what the lock needs to open and close, to the lock again. The lock opens and the attacker has achieved his goal.
Replay attack cracks the lock in under a minute
The second vulnerability is exploited with a so-called replay attack. For this, the locking process, which uses a challenge-response method, only has to be recorded once, for example with the self-made attack tool. This time the attacker does not need a standing connection to the lock; he simply waits until he has unobserved access to it and then issues any number of challenge requests to the lock. That is possible because the lock enforced no lockout or delay, even after many requests. It takes roughly 30 to 60 seconds until the previously recorded challenge comes around again; the attacker then answers with the recorded response and can open the lock as often as he likes without the rightful owner noticing.
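The two flaws the article describes, a challenge that recurs within a short time and a lock that never throttles requests, are easiest to see in a small model. The following Python is an added example written for this page, not the researchers' attack tool and not Tapplock's protocol: it assumes the response is an HMAC over the challenge, that the weak lock draws its challenge from a pool of 64 values (chosen so that a repeat shows up within about a minute of polling, matching the 30 to 60 seconds in the text), and that nothing here speaks BLE. The attacker loop is the same one that serves the first attack's "capture, then resend" step; the hardened lock shows what a fresh 128-bit challenge plus a lockout after a few unanswered challenges does to it.

```python
"""Model of a BLE lock's unlock handshake: a weak lock whose challenges
repeat and which never throttles, next to a hardened one. Illustration
only; the real Tapplock protocol is not reproduced here."""
import hashlib
import hmac
import random

# Constructed shared secret between lock and paired phone. Assumption: the
# response is an HMAC over the challenge; the article only says
# "a challenge-response method".
SHARED_KEY = b"constructed-demo-key-not-a-real-lock-key"


def app_response(key, challenge):
    """What the paired phone sends back for a given challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class WeakLock:
    """Challenge drawn from a tiny pool (assumed 64 values, so it recurs
    within seconds of polling) and no limit on challenge requests."""

    def __init__(self, key, pool_size=64, seed=1):
        self._key = key
        self._pool_size = pool_size
        self._rng = random.Random(seed)  # seeded only so the demo repeats
        self._current = None
        self.queries = 0
        self.opened = 0

    def challenge(self):
        self.queries += 1
        self._current = self._rng.randrange(self._pool_size).to_bytes(2, "big")
        return self._current

    def unlock(self, response):
        ok = self._current is not None and hmac.compare_digest(
            response, app_response(self._key, self._current))
        self._current = None  # a challenge is single-use
        if ok:
            self.opened += 1
        return ok


class HardenedLock(WeakLock):
    """Fresh 128-bit challenge per attempt plus lockout after a few
    consecutive challenges that do not end in a valid response."""

    def __init__(self, key, max_attempts=5, seed=1):
        super().__init__(key, seed=seed)
        self._max_attempts = max_attempts
        self._strikes = 0

    def challenge(self):
        if self._strikes >= self._max_attempts:
            return None  # locked out: refuse to hand out more challenges
        self._strikes += 1  # cleared only by a valid unlock
        self.queries += 1
        self._current = self._rng.getrandbits(128).to_bytes(16, "big")
        return self._current

    def unlock(self, response):
        ok = super().unlock(response)
        if ok:
            self._strikes = 0
        return ok


def record_legit_unlock(lock, key):
    """Attacker sniffs one genuine unlock and keeps (challenge, response)."""
    ch = lock.challenge()
    resp = app_response(key, ch)
    if not lock.unlock(resp):
        raise RuntimeError("legitimate unlock failed in the model")
    return ch, resp


def replay_attack(lock, recorded, max_queries=100_000):
    """Poll the lock for challenges until the recorded one comes around,
    then answer with the recorded response. Returns the number of
    challenges the lock handed out, or None if the attack failed."""
    ch_seen, resp_seen = recorded
    for _ in range(max_queries):
        ch = lock.challenge()
        if ch is None:  # lockout hit
            return None
        if ch == ch_seen:
            return lock.queries if lock.unlock(resp_seen) else None
    return None


if __name__ == "__main__":
    weak = WeakLock(SHARED_KEY)
    rec = record_legit_unlock(weak, SHARED_KEY)
    print("weak lock: replay succeeded after", replay_attack(weak, rec), "queries")
    hard = HardenedLock(SHARED_KEY)
    rec = record_legit_unlock(hard, SHARED_KEY)
    print("hardened lock: replay result", replay_attack(hard, rec))
```

Against the weak lock the recorded response opens it again after a few dozen challenge requests; against the hardened lock the recorded challenge never recurs and the lock stops answering after five abandoned attempts, so the attacker is cut off before the search can even begin. Both fixes are needed: a large challenge space alone still lets an attacker hammer the lock, and a lockout alone does not help if the challenge repeats within the allowed attempts.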
The Fraunhofer SIT scientists reported these weaknesses to the manufacturer Tapplock as part of a responsible disclosure process. Tapplock has closed the vulnerabilities in the Tapplock ONE+, but the Tapplock ONE has not received an update.
More at Fraunhofer.de