At Black Hat 2019, the Chaos Computer Club shared details of their successful hack of new high-end Bluetooth hotel room locks.
The locks, from manufacturer Messerschmitt, used a security protocol developed in-house which relied on a challenge-response system but did not use a cryptographic key to protect the communications. Although the system was not vulnerable to a simple replay attack of the Bluetooth radio communications, the researchers were able to extract the necessary data from the captured communications in order to create their own valid responses and so open any door in the hotel with any Bluetooth-enabled PC or even a Raspberry Pi. The vulnerability has been disclosed to the lock manufacturer, which is rolling out patches before the end of August 2019.
Security through obscurity is no security at all – as the lock designers have discovered to their cost. A secure system should obey Kerckhoffs’s principle, which states that a cryptosystem should be secure even if everything is known about it – except for the key.
For almost every practical situation, good security systems already exist and there is no reason to re-invent the wheel. Well-known and well-tested crypto-libraries such as Sodium or the Windows Cryptography services are always a better choice than inventing an in-house system from scratch. Software Development Managers are well advised to check that their programmers are using proven off-the-shelf crypto-libraries in their software rather than trying to invent something new and untested.
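To make the difference concrete, here is an added example (not code from the researchers or the lock manufacturer) comparing an unkeyed challenge-response with a keyed one built on HMAC-SHA256. The unkeyed function is a constructed stand-in, not the real lock protocol, and the example uses Python's standard `hmac` module rather than Sodium so it runs without extra packages; `DOOR_ID`, `Lock` and `demo` are names invented for illustration.

```python
import hashlib
import hmac
import secrets

DOOR_ID = b"room-101"  # constructed sample value, assumed visible on the air


def unkeyed_response(challenge):
    # Obscurity-only stand-in: every input is public, the algorithm is the "secret".
    return hashlib.sha256(DOOR_ID + challenge).digest()


def keyed_response(key, challenge):
    # Kerckhoffs-style: the algorithm is public, only the 32-byte key is secret.
    return hmac.new(key, DOOR_ID + challenge, hashlib.sha256).digest()


class Lock:
    def __init__(self, key=None):
        self.key = key        # None models the unkeyed design
        self.pending = None   # outstanding challenge, valid once

    def challenge(self):
        self.pending = secrets.token_bytes(16)  # fresh nonce per attempt
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        c, self.pending = self.pending, None    # consume the challenge
        if self.key is None:
            expected = unkeyed_response(c)
        else:
            expected = keyed_response(self.key, c)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    key = secrets.token_bytes(32)
    weak, strong = Lock(), Lock(key)
    out = {}
    out["keyholder_opens_keyed"] = strong.verify(keyed_response(key, strong.challenge()))
    captured = unkeyed_response(weak.challenge())   # response seen on an earlier attempt
    weak.challenge()                                # lock issues a new nonce
    out["replay_opens_unkeyed"] = weak.verify(captured)
    out["no_key_opens_unkeyed"] = weak.verify(unkeyed_response(weak.challenge()))
    wrong = secrets.token_bytes(32)                 # party without the real key
    out["no_key_opens_keyed"] = strong.verify(keyed_response(wrong, strong.challenge()))
    return out
```

Calling `demo()` shows that both designs reject a replayed response, but only the keyed one rejects a party who knows the algorithm and lacks the key.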