
SCLAK secure access control system. Is it really secure?

Posted: Thu Jul 27, 2017 1:10 am
by femurat
I've found this new product called SCLAK and I'm wondering if anyone has experience with it.
Is it really as secure as they say on the website? I know the Bluetooth protocol can be hacked, but they say it's not possible to analyse the messages to extract the secret key, encrypted with SHA-2.
Is the app the weak point? I imagine that there may be attacks against this new technology. I'm not planning to do it myself, just curious.

Thanks

ps: I have no affiliation with the manufacturer.

Re: SCLAK secure access control system. Is it really secure?

Posted: Thu Jul 27, 2017 3:03 am
by Josephus
Bluetooth can be monitored easily. Crackle can brute force the pairing pin. Most devices are only numeric and limited to 4, 8, or 16, so the process doesn't take long.

Looking at the website... SHA-2 isn't "an encryption communication protocol"; it's just a hash algorithm. If it's sending a hash then you don't need to know the password, you just send a copy of the hash.

There could be more to it, but since their material treats SHA-2 as a "state-of-the-art" something it isn't, the odds are pretty good that the developers didn't add anything more, that they are using the cheapest chips they can and so on.

So yeah, that's it. Be near it, brute force pair, wait until someone uses it and record the connection, then reuse hash later.

I should clarify: yes, you pretty much won't be able to get the pass in cleartext, that part of their sales pitch is correct, but you don't need to.

Re: SCLAK secure access control system. Is it really secure?

Posted: Thu Jul 27, 2017 3:17 am
by femurat
Yes, I agree with you, but they say "In other words the secret key changes at every new message" so it should not be possible to reuse an already sent one.

Re: SCLAK secure access control system. Is it really secure?

Posted: Thu Jul 27, 2017 11:02 am
by Jaakko Fagerlund
Changes, but how? PRNG? Timestamp?

Re: SCLAK secure access control system. Is it really secure?

Posted: Thu Jul 27, 2017 12:03 pm
by MartinHewitt
Without having a really close look it is probably not possible to say if it is good.

Re: SCLAK secure access control system. Is it really secure?

Posted: Thu Jul 27, 2017 4:08 pm
by Josephus
Hard to say without knowing what they implemented. What is listed isn't accurate. Typically SHA is used to store passwords somewhere or for integrity, not for transport.

Jaakko Fagerlund wrote: Changes, but how? PRNG? Timestamp?

Math, which does include randomness, but there's more to it.

What they might mean by secret key changing is the Bluetooth authentication challenge made from the pin, hardware address, and random part generated. So long as the hardware address and the pin don't change, the result is the same on either side and authentication is made with an ever-changing key. It's like other encryption protocols where the randomness is used as a "seed" with other information, like Diffie-Hellman, but I think Bluetooth is still different in a way that allows the random part to be acquired. There was talk years ago about using DH in mode 3 but I don't have any knowledge of whether or not it has been implemented. Everything I have found with a cursory look indicates no change has happened.

In any case, there's lots of information about how to do this. Just a random paper that does an okay overview on the math and is focused on breaking it: https://www.usenix.org/legacy/event/mob ... shaked.pdf

Without something more, it isn't secure. However, it's worth mentioning that the range is pretty short. You would have to be within tens of feet or use a directional antenna and wait to get the key exchange. It would take someone dedicated and with technical skill to crack just one pairing. Then the admin could revoke those access rights, but then they would have to know the pin was stolen to begin with.

As usual, a brick is better and surreptitious entry takes significant effort, which is all we can really do.