FAQ  •  My feedback  •  Feedback
UKLockpickers.co.uk Lockpicking supplies such as Lockpicks, tools, and more! COMMANDOLOCK.COM Military grade padlock systems lockpickshop.com A source for lockpicking supplies such as lockpicks, locksmith tools, and more!

SCLAK secure access control system. Is it really secure?

<<

femurat

User avatar

Prolific Poster

Posts: 859

Joined: Mon Mar 14, 2011 9:47 pm

Location: Italy

Post Thu Jul 27, 2017 7:10 am

SCLAK secure access control system. Is it really secure?

I've found this new product called SCLAK and I'm wondering if anyone has experience with it.
Is it really secure as they say on the website? I know the bluetooth protocol can be hacked, but they say it's not possible to analyse the messages to extract the secret key, encrypted with SHA-2.
Is the app the weak point? I imagine that there may be attacks against this new technology. I'm not planning to do it myself, just curious.

Thanks

ps: I have no affiliation with the manufacturer.
An old post of mine that you'd like to read is missing pictures? PM me and I'll fix them.
<<

Josephus

Active Member

Posts: 250

Joined: Sun Feb 10, 2013 11:30 pm

Location: Michigan

Post Thu Jul 27, 2017 9:03 am

Re: SCLAK secure access control system. Is it really secure?

Bluetooth can be monitored easily. Crackle can brute force the pairing pin. Most devices are only numeric and limited to 4, 8, or 16, so the process doesn't take long.

Looking at the website...SHA-2 isn't "an encryption communication protocol" it's just a hash algorithm. If it's sending a hash then you don't need to know the password, you just send a copy of the hash.

There could be more to it, but since their material treats SHA-2 as a "state-of-the-art" something it isn't, the odds are pretty good that the developers didn't add anything more, that they are using the cheapest chips they can and so on.

So yeah, that's it. Be near it, brute force pair, wait until someone uses it and record the connection, then reuse hash later.

I should clarify, yes you pretty much wont be able to get the pass in cleartext, that part of their sales pitch is correct, but you don't need to.
<<

femurat

User avatar

Prolific Poster

Posts: 859

Joined: Mon Mar 14, 2011 9:47 pm

Location: Italy

Post Thu Jul 27, 2017 9:17 am

Re: SCLAK secure access control system. Is it really secure?

Yes, I agree with you, but they say "In other words the secret key changes at every new message" so it should not be possible to reuse a already sent one.
An old post of mine that you'd like to read is missing pictures? PM me and I'll fix them.
<<

Jaakko Fagerlund

Active Member

Posts: 298

Joined: Mon Jan 06, 2014 3:55 pm

Location: Finland

Post Thu Jul 27, 2017 5:02 pm

Re: SCLAK secure access control system. Is it really secure?

Changes, but how? PRNG? Timestamp?
<<

MartinHewitt

User avatar

Active Member

Posts: 435

Joined: Sat Nov 26, 2016 6:19 pm

Location: Germany

Post Thu Jul 27, 2017 6:03 pm

Re: SCLAK secure access control system. Is it really secure?

Without having a really close look it is probably not possible to say if it is good.
<<

Josephus

Active Member

Posts: 250

Joined: Sun Feb 10, 2013 11:30 pm

Location: Michigan

Post Thu Jul 27, 2017 10:08 pm

Re: SCLAK secure access control system. Is it really secure?

Hard to say without knowing what they implemented. What is listed isn't accurate. Typically SHA is used to store passwords somewhere or for integrity, not for transport.

Jaakko Fagerlund wrote:Changes, but how? PRNG? Timestamp?

Math, which does include randomness, but there's more to it.

What they might mean by secret key changing is the bluetooth authentication challenge made from the pin, hardware address, and random part generated. So long as the hardware address and the pin doesn't change the result is the same on either side and authentication is made with an everchanging key. It's like other encryption protocols where the randomness is used as a "seed" with other information, like Diffie-Hellman but I think bluetooth is still different in a way that allows the random part to be acquired. There was talk years ago about using DH in mode 3 but I don't have any knowledge of whether or not it has been implemented. Everything I have found with a cursory look indicates no change has happened.

In any case, there's lots of information about how to do this. Just a random paper that does an okay overview on the math and is focused on breaking it: https://www.usenix.org/legacy/event/mob ... shaked.pdf

Without something more, it isn't secure. However worth mentioning, the range is pretty short. You would have to be within tens of feet or use a directional antenna and wait to get the key exchange. It would take someone dedicated and with technical skill to crack just one pairing. Then the admin could revoke those access rights, but then they would have to know the pin was stolen to begin with.

As usual, a brick is better and surreptitious entry takes significant effort, which is all we can really do.

Return to HAL 3000 - Computer Geeks

Who is online

Users browsing this forum: No registered users

Don't forget to visit our sponsors for all of your lockpicking needs!
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Grop
"CA Black" theme designed by stsoftware