Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Vendor: Kwikset/Weiser (Spectrum Brands)
Vendor URLs: https://www.kwikset.com/kevo/smart-lock, https://www.weiserlock.com/en/kevo/default
Versions Affected: All versions. Attack tested on Kevo Generation 2 hardware with firmware v1.9.49 and Android application version Kevo 2.9.1.21765p.
Systems Affected: Kevo smart locks, including Kevo Contemporary
Author: Sultan Qasim Khan
Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> - An attacker within BLE signal range of a smartphone or key fob authorized to unlock a Kevo smart lock can conduct a relay attack to unlock the lock over long distances.

Summary

The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake over a BLE connection to verify the identity of the device.

In a BLE relay attack, one relaying devices is placed with signal range of the smart lock, and another within range of the user’s smartphone or key fob. BLE communications between the two relaying devices are forwarded, making the smart lock and smartphone/key fob believe they are adjacent when they may actually be great distances apart, and allowing Touch-to-Open operations on Kevo smart locks to succeed.

Impact

Attackers can unlock or lock affected Kevo smart locks without the owner’s authorization if they can place one attacking device near the smart lock, and another within BLE range of a device authorized to unlock (the user’s smart phone or key fob). While the Kevo mobile application disables touch-to-unlock functionality when the user’s phone has been stationary for over 30 seconds, relay attacks are nevertheless possible when the user is carrying their phone (such as in their hand, pocket, or bag) or when the phone is placed on a non-stationary surface (such as in a moving vehicle).

Details

Testing of a relay attack against the Kevo smart lock was conducted using an internal NCC Group developed BLE link layer relay tool. This tool conducts a new type of BLE relay attack operating at the link layer, for which added latency is within the range of normal GATT response timing variation, and which is capable of relaying encrypted link layer communications. This approach can circumvent the existing relay attack mitigations of GATT response latency bounding or link layer encryption, and bypass localization defences commonly used against relay attacks that use signal amplification.

While this NCC Group developed tool has not been released to the public, it may also be possible to use existing public GATT-layer BLE relay tools to conduct the attack against Kevo devices if response timing requirements are not strict. GATT based relay attacks can only be used for unencrypted link layers, but this is not an impediment to the attack the Kevo devices as they do not use link layer encryption. NCC Group has not attempted to use GATT-layer relay tools against the Kevo products.

Recommendation

As currently defined, the Bluetooth Low Energy standard lacks a suitable mechanism for secure ranging. Angle of arrival and RSSI measurement do not protect against attacks where a relay transmits from the same location and with the same power as a legitimate device. Secure ranging is normally implemented using technologies that support time-of-flight measurement, such as Ultra-Wide Band (UWB). Nevertheless, there are some approaches that can be used to defend against BLE relay attacks.

Disabling proximity unlock functionality when the user’s phone or key fob has been stationary for an extended period, as done by the Kevo application, substantially reduces opportunities for relay attacks when devices are placed on a stationary surface. To further reduce the opportunities to conduct a relay attack, the mobile application could be modified to only allow unlocking when a particular pattern of user movement is observed. Typically, a user would first walk to their door, then slow down and stop walking when they are unlocking their door. By determining user motion state based on accelerometer data, the mobile application could refuse to unlock if the user has not walked in the last minute or is still walking.

Another option may be to employ geofencing wherein the mobile application checks the user’s cellular or GPS location, and only allows unlocking when the phone is near where the lock was installed. However, acquiring location in the mobile app may be too slow, resisted by user privacy concerns, and may be restricted by background location and power saving policies of mobile operating systems.

Relay attacks are most useful against passive systems that do not require user authorization to perform an action. For a higher level of security, the mobile application could be modified to allow disabling the touch-to-open feature or allow requiring user interaction in the mobile app to authorize unlocking the lock. User interaction is less important for authorizing locking the lock, compared to unlocking. This would give the user a choice between more convenient and more secure modes of operation.

Vendor Communication

September 16, 2021: Relay attack concern reported to Kwikset customer service online portal
September 23, 2021: Initial contact with Spectrum Brands HHI engineering lead over email to schedule a voice call
September 30, 2021: Disclosure of draft advisory over email, and voice call discussion of relay attack issue with Spectrum Brands HHI engineering. Spectrum Brands HHI notified of our intent to publish research regarding BLE relay attacks and their applicability to many products including Kevo smart locks. High level discussions on nature of relay attack and mitigation approaches. Spectrum Brands stated that they will investigate and discuss possible mitigation approaches internally.
October 13, 2021: Follow-up discussion with broader Spectrum Brands HHI engineering team regarding attack setup details and mitigation approaches
May 15, 2022: Advisory released to public

Thanks to

Jeremy Boone and Aaron Haymore for assisting with disclosure. We also wish to thank Deviant Ollam for assisting us in making the initial contact with Spectrum Brands.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date: May 15, 2022
Written by: Sultan Qasim Khan