Moving from Hacking IoT Gadgets to Breaking into One of Europe's Highest Hotel Suites

Conference: Black Hat USA 2019



The presentation discusses weaknesses in the Bluetooth LE mobile key system used for the electronic room locks of a large hotel chain, and the responsible disclosure process that followed.
  • Electronic hotel room locks driven by a Bluetooth LE mobile key can be attacked by sniffing the wireless exchange and reconstructing the data needed to open the door
  • Application-layer cryptography should be used instead of relying on the Bluetooth link layer for protection
  • Secrets should not be hidden in the app: anything the app contains can be recovered by decompiling it
  • The same weaknesses found in consumer gadgets such as padlocks show up in real-world deployments such as hotel locks
  • Responsible disclosure is crucial so that vulnerabilities are fixed before they can be abused
The presenters found a vulnerability in a hotel room lock that could be exploited through Bluetooth advertising. They contacted the vendor and went through a responsible disclosure process so that the vulnerability was fixed before it could harm anyone.


We're taking Bluetooth LE hacking from toys and padlocks to the real world. Improving the tools and methods we used in previous research to break the AES cryptography of the NOKE Padlock, we set out to do the one thing a mobile hotel key is supposed to prevent: wirelessly sniff someone entering his room, or just unlocking the elevator, and then reconstruct the data needed to open the door with any BTLE-enabled PC or even a Raspberry Pi. In this talk we will show and explain the tools and methods we used and developed to break the BTLE-based mobile phone key system of a large hotel chain. We then move from the academic proof of concept to a reliable setup that can be used in real-life scenarios to carry out the attack. Methods shown will cover the reverse engineering of the wireless protocol based on BTLE captures, analyzing the decompiled mobile phone app, and intercepting the TLS-encrypted traffic to the back-end API, which in combination led to the compromise of the system.
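To make the design points behind the summary concrete (sniffing the BTLE exchange and replaying it; application-layer crypto instead of link-layer reliance; secrets that must not live in the app), here is an added, self-contained illustration written for this page. It is not code from the talk and does not model the hotel chain's actual protocol; the lock identifier, the key sizes and the HMAC-based challenge-response are assumptions chosen to show the principle. Three scenarios are simulated: a static credential that an eavesdropper can replay, a per-guest challenge-response that defeats replay, and the same challenge-response undermined because its key is a constant compiled into the app.

```python
import hashlib
import hmac
import os

LOCK_ID = b"suite-4711"  # constructed lock identifier for the example


# --------------------------------------------------------------------------
# Weak design: a static unlock credential protected only by the link layer.
# Whatever the lock receives is exactly what a BLE sniffer in the corridor
# records, so one captured unlock is a reusable key.
# --------------------------------------------------------------------------
class StaticTokenLock:
    def __init__(self, guest_token: bytes) -> None:
        self._guest_token = guest_token

    def unlock(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self._guest_token)


def weak_scenario():
    guest_token = os.urandom(16)            # issued by the backend at check-in
    lock = StaticTokenLock(guest_token)
    sniffed = []                            # bytes an eavesdropper captures

    sent = guest_token                      # guest's phone sends the token
    sniffed.append(sent)
    guest_ok = lock.unlock(sent)

    # Later: attacker replays the captured bytes from any BLE-capable device.
    attacker_ok = lock.unlock(sniffed[0])
    return guest_ok, attacker_ok            # (True, True): replay succeeds


# --------------------------------------------------------------------------
# Hardened design: application-layer challenge-response with a per-guest key
# that the backend issues for the booking over TLS. The lock sends a fresh
# random nonce; the phone answers with an HMAC over lock id and nonce. The
# sniffer sees nonce and response, but neither is valid a second time.
# --------------------------------------------------------------------------
def unlock_response(guest_key: bytes, nonce: bytes) -> bytes:
    """Phone side: MAC binds the key to this lock, this nonce, this purpose."""
    return hmac.new(guest_key, LOCK_ID + nonce + b"unlock", hashlib.sha256).digest()


class ChallengeResponseLock:
    def __init__(self, guest_key: bytes) -> None:
        self._guest_key = guest_key
        self._pending = None                # nonce issued, awaiting an answer
        self._used = set()                  # nonces that may never be reused

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._pending = nonce
        return nonce

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        # Only the currently outstanding nonce is acceptable, and only once.
        if self._pending is None or nonce != self._pending or nonce in self._used:
            return False
        self._used.add(nonce)
        self._pending = None
        expected = unlock_response(self._guest_key, nonce)
        return hmac.compare_digest(response, expected)


def hardened_scenario():
    guest_key = os.urandom(32)              # per-guest key, never a constant in the app
    lock = ChallengeResponseLock(guest_key)
    sniffed = []                            # (nonce, response) pairs an eavesdropper captures

    nonce = lock.challenge()
    response = unlock_response(guest_key, nonce)
    sniffed.append((nonce, response))
    guest_ok = lock.unlock(nonce, response)

    # Attack 1: replay the whole captured exchange. The nonce is already consumed.
    replay_ok = lock.unlock(*sniffed[0])

    # Attack 2: answer a fresh challenge with the captured response. Wrong MAC.
    fresh = lock.challenge()
    fresh_ok = lock.unlock(fresh, sniffed[0][1])
    return guest_ok, replay_ok, fresh_ok    # (True, False, False)


# --------------------------------------------------------------------------
# Same challenge-response, but with the secret "hidden" in the app: an
# app-wide constant is the same for every installation, so decompiling the
# app once yields a key that answers any lock's challenge.
# --------------------------------------------------------------------------
def embedded_secret_scenario():
    app_wide_key = b"K" * 32                # constructed stand-in for a compiled-in constant
    lock = ChallengeResponseLock(app_wide_key)
    extracted_key = app_wide_key            # what the attacker reads out of the decompiled app
    nonce = lock.challenge()
    return lock.unlock(nonce, unlock_response(extracted_key, nonce))  # True: attacker wins


if __name__ == "__main__":
    print("static token, guest/attacker:", weak_scenario())
    print("challenge-response, guest/replay/fresh:", hardened_scenario())
    print("embedded app secret, attacker:", embedded_secret_scenario())
```

The two attacks in `hardened_scenario` are what a passive BTLE sniffer can attempt: replay the captured exchange verbatim, or reuse a captured response against a new challenge. Both fail because the response is bound to a nonce the lock chose and consumes once. `embedded_secret_scenario` shows that this gains nothing if the key is a constant recoverable from the decompiled app; the key must be issued per guest and per booking by the backend, which is also why the talk's interception of the TLS traffic to the back-end API mattered for the overall compromise.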