If hacking chinese padlocks and bike sharing systems isn't enough any more, let's go and open some new doors. Like the ones of some 37th floor Hotel Suites...
We're taking Bluetooth LE hacking from toys and padlocks to the real world. Improving the tools and methods we used in previous research to break the AES cryptography of the NOKE Padlock, we went to do the one thing a mobile hotel key is supposed to prevent: wirelessly sniff someone entering his room - or just unlocking the elevator - and then reconstruct the needed data to open the door with any BTLE enabled PC or even a raspberry pi.
In this talk we will show and explain the tools and methods we used and developed to break the BTLE based mobile phone key system of a large hotel chain. And then come from the academic proof of concept to a reliable setup that can be used in real life scenarios to carry out the attack.
Methods shown will cover the reverse engineering of the wireless protocol based on BTLE captures, analyzing phone apps and intercepting the TLS encrypted traffic to the back end API, which in combination led to the compromise of a system used in quite some big and expensive hotels for their "next level" customer experience: mobile room keys.