Hotel security RFID vs bluetooth

Ok just curious if anyone can answer this, I’m traveling and the hotels I have been at are switching from physical RFID cards to digital cards that communicate through bluetooth. Is that really that much more secure, I can tell you its not anymore convenient, makes me wish I had gotten a mifare implant.

hard to say without analyzing the entire application and radio packets… but… potentially?

I was just curious cause if I look at my phones list of available bluetooth connections all of the digital key connections come up. I don’t know enough about bluetooth but my gut says someone that knew more than me could figure out a way to take advantage of the fact that all of those connections are discoverable.

While I’m on the topic is it possible for my phone to emulate a mifare 1k classic using nfctools pro or another app? I keep leaving my stupid card in the room cause if I take it out of the switch on the wall the sockets don’t work and my wifes phone stops charging lol.

like RFID / NFC, bluetooth is simply a communication channel… the security of which depends entirely on the applications that use that channel to perform their function. In reality, thinking that “bluetooth” is or is not secure is like asking if a copper wire is or is not secure when it really has nothing to do with security.

android has “HCE” or host card emulation but the problem is that most phones cannot set a UID, the UID is randomized each time… and because most access applications are total shit and rely on the UID, this is not practical. however, that said, if the door lock application did not rely on the UID in any way, but instead used common access keys across all cards which were not based on a derivation algorithm that used the UID as part of a value seed, then sure it could be possible if you had those keys and your phone had an NXP reader chip with the proper license to work with Mifare classic and crypto1.

1 Like

to expand a little bit on this, bluetooth protocols do attempt to leverage pairing security and encryption within the stack, but relying on this is foolish… but absolutely standard for basically everyone making bluetooth enabled products… so yeah in reference to your OP, it’s probably not secured properly.

image

Thanks for your replies and the extra info about bluetooth. Its nice to know my IT degree is helping me I felt pretty good when I recognized to osi model.

1 Like

I’ll tell you what happens with those BT locks: leave your phone on the charger in your room and voila: you’ve just locked yourself out.

They are a pain you have to pull out your phone open the app choose if you are unlocking the elevator the stairs or your door and wait for it to work.

I’m learning so much I love when I have a question and it opens up a whole new world of tech for me. Never heard of HCE, I can’t find any apps or any way to access the info. I think I may have seen that when I was exploring my phone when I had it unlocked, only one more day in my hotel so its probably not worth flashing my phone lol.

it was created so android phones could do contactless payment without a secure element chip inside on the PCB… and in theory you can make apps that use it… however because of the way it works (issued outlined above) it’s kinda useless and basically engineers working on product development just go for a bluetooth or something much easier to deal with… so yeah android is capable, but like, nothing even bothers with it.

1 Like