Nortek Mobile Access Reader BluePass Examined

By Brian Rhodes, Published Feb 12, 2019, 10:28am EST

Nortek's Linear access control division claims to make mobile credentials "more secure and easier to use than ever before" with their BluePass reader.

However, the company's approach potentially opens up significant security vulnerabilities. Inside we examine:

  • BluePass Readers & Credentials Key Claims
  • Linear System Pricing
  • Potential Wiegand/125 kHz Weakness
  • Compared to HID Origo Mobile & Openpath Readers
  • Partnership with Unikey

Product ********

******/******'* ******** ****** ******** non-mobile *******, ******** ****** users ** ******* ***** or ******* *********** ** transmit *********** *** ********* Low ****** (***).

*** ***** ***** ** the ************'* ********:

*** ********:

  • **** ********** ******: ******** ***** **** app-based *** ** ******** 26-bit/37-bit *** *** ***********.
  • ***** *******: **** ***** *** readers (*.*.: ********), ***** *** **** an ********* ***** ** their ****** *** ****** 'touch' *** ****** ** unlock *** ****.
  • ***** **** **** ****** Systems: *** **** ******** to * ********** *** Wiegand *** **** ******* data *******, ** ******** can ** ******** **** most ******** ******* ** swapping *** ******.

Key ***** ******* / ************

*** ******** ****** ****** does **** * ****** of ******* ******** ** relative ************, *********:

  • ******* ****: * ******* ************* in ******** ********** **** exists ******* ******** **** not *** ********* ************** like ****.
  • **-*** ** **-*** ****: ** ******* *** using ****** ** ***** credential *******, ******** ****** a ****** ** ******* format *** ***** ******* by *** ******.
  • ****** ****** *****: ****** ****** **** factors, **** *** *** equipped ****** ** ****** range ****-***** ***** *** not *********.
  • ***-********** ********** ******: *** ************** ********, a *** ****** **** be **** ******** **** the ****** ****** ******, causing ***** ** ****** the **** **** ******** times.

BluePass ****** *******

****** ****** *** ******** readers *** ~$***, ********* from **** ******** *** alarm ************ *** ****** resellers.

Credential *******

****** *** ********** ****** tokens ***** ******* $*.** - $*.** **** ** a ***-**** ********, ********* on *** ******* *********. Packages **** * - 100 *********** *** *********.

** ********* ****** ** credential **** ** **** each **** ****** **** have * ******** ********** assigned ** **, ********** if ** ******* ** be ****** ** *** same ********** ** *** access ******.

************, *********** *** *** transferable *** *** ****** to ******** *******. **** cannot ** '******' *** circulation ***** ******** ** reissued **** **** ******* are ******** ** ********, and *** ******** *********** must ** *********.

********** With ******** *** *** ***********

*** ** *** **** interesting ******* ** ******** can ****** **** ***** of ******** ****** *********** so **** ********** *** be **** ******* **-*********** existing ****** *******.

******** ****** ** *** import ******** ** *** or ** *** *********** and ****** ****** ****** to ****** **** ***** those *******. ***** ******** to **** ***** *** credential *****, **** *** two ** *** **** common *** ******* ****** credentials ** ***. ***** more ****** ********* ** advanced ******* ****** ** used, **-***/**-*** *********** ****** popular, **** ****** **% ** *********** ***** ******* *** **** 'Most *******' *** **** existing ******* ***** ***** them.

****** ****** *** ****** process ******** ********* * .csv **** **** ******** card *******, *****, *** email ********* ** ***** web ******, *** **** those ******* *** **** converted **** ******** ****** that *** ************ ** users **** ***** ******.

Single ***** ****

*******, ***** ******** *********** information ***** ** ******, the ******** ****** **** comes ** * ******, mullion *****, ***** (******** credential) **** ***** ***** *** may *** ** ******** for ***** **** ** reader ***********. ******'* **** BLE/125 *** ****** **** into ******-**** ***** **** an ******** *******.

*** ****** ****** ** be **** *** **** 5-16VDC ***** @ ***** typical ** **** ***** and *** ** ******* by ********** ******* **** *********** ******* ******* ********** ***** supplies ** *** *******.

*** ***** ******* ***********, the **** **** ***** generic *** *** ***** or ****.

** ****, *******, *** ******** reader *** ** ****** (No *** *******), *** the **** ***** *** standard *** *** ** within ******, *** ************ with ******** ***** (*.*.: Parking *******), **** *** mobile-based *** *********** *** reach.

*************, ****** ***** *** '125 *** ****** ** disabled' ** *** ***, potentially ******* ******* ********** to ******* ******** ** **** **** ****** ******* With **** $** *** 125kHz **** ******:

BLE *****

*** ******'* *** *********** must ** ******** ******** too, **** ****** ***** may ************* ****** ******** by ****** *****.

*********** **** *************:

** *** ******’* ********* reception ******** ** *** too ****,
** *** ************* **** with ** ********’* ****** device
*** ***** ************ ***** into *** ******** ****** by
******* * **** ****, or ********, *** ******.

** ****** ***** ***-*** readers, ** ********** ************* step ** ****** *** BluePass **** ********* ** minimize **** ****.

Wiegand *****

******* *** **** ** that **** ** *** supported ** ********, **** Wiegand, *** ************** **** between *** **** *** door *********** *** ** intercepted.

*** **** ** ********** to '*** ** *** middle' ******** ***$** ****** ** ******* ******* **** **** ** physically ********* *** ****** in *** ***** ** reader *****:

******** ***** *** **** even ******* ** ******** a ****** ****** ** sensor ** *** ******, so ********** **** * device ***** *********** ** undetected ** *** ******.

Middleware ********** **********

******** ********** ********** ******** *** ********** **** the ****** ********** ******** and **** ****** * separate **** ** ****** and ***** **** *** most *****.

***** ********* *** ***** and ********* *********** ** web-based, *** ** *** trial ***********, **** ** use ** **** **** an ***** **** ** required. *** ******* **** BluePass ******** ******** * credential ****** ** *** access ****** *** **** another ********* ****** ** required ** ******'* ******.

************ **** ****** ** changes ** ***** ********* should ****** ********** **** done ** *** ****** system, *** ** ***** to ********** ****** ** turn-off * ****** **********, it **** ** **** in *** *** ******.

Versus *** *****/****** ***********

*** **** ** ******** is ****** ** ** higher **** *** ** used ** ***** ******* with **** ***** **** frequent ****** ****** ********.

*** ******* ******** **** Nortek ** ****** *********** are ***-************ *** ****** be ******** ** **** than *** ******, ****** *** ********** ******* ** ***** ** 'per ****'. ** ****** BluePass, ******** ******* *** be ****** ***** *** Origo *********** *** * single ***** ** ***** $7 *** ****.

*******, **** ******, *** mobile credential ** * ***-**** purchase **** *** ** used *** *** **** of *** ****** ** was ********, ***** *** is ** ****** ****.

Versus ********

**** ** *** **** 'cool ******' ******** ********* in ******* ********'* ******* are ******* ** ********, including *** '*****' ** open ******* *** ************* with **** *** *** Android *******.

******, ******** ********* **** of *** *** *** and ******* ************ **** BluePass *** ** ********** only **.** *** ******* and ********** **** **** the ****** ** **********.

** ***** ** *** ******** ****, **** ******'* *********** *******, *** ********* ****** at ~$*** ****, *** two ***** *** *********.

**** ********, ***** ** no ****** ********** ******** required. *******, ****** ******, Openpath ******* **** **** with ******** *********** *** the ****** ****** **** be **** *** * service *** ********* ******* for *********** ** ** valid.

Versus ******** *** *** *******

******** ** *** ***** of '***-***' *** *** readers, ******'* **** ** quite ****. **** *** example *** *** **** Midrange **** **** ******* ~$130 ****** ** ******'* ~$250 *****:

***** **** *******, ********'* 125 *** ************* ***** sense *** '******' ********* credentials, *** ** ******* are ********* ***** ***** physical *********** ****** **** mobile, **** ****** *** kHz ******* *** ******** available.

UniKey *****

**** ********, ****** ** relying ** *********** ******** development *** *** ****** platform. *************, **** ******* is **** ** * partnership **** '****** ***********' developer******:

** ***** ** ********* ***********, **** ******* *** developed *** '****** ***********' piece *** **** ******** from ****** **** ******* (see *** **** **** ****), ****, ****, *** Honeywell.

Comments (11)

**** ***** **** *** cousin ** ** ***** Fire ***** ******.

**** ***** ** ** interesting *******. * *** things:

*** ***'* **** *** a ***** ****** ** the ********** ** **** the ****? **** ***** of ****** ******* ** and ******* * **** is * **** ** the ****** ** ** opinion.

*** ***** ** *** credentials ** * ******* decision. *** **** **** at ************* *** **** price ... ** **** lesss

**** ** **** ***** to *** * *** something ** ********* *** system. *********** **** ** existing ****** ******* ***** bothersome **** ********** *********** of ********...

***** **** ** **** of ***** *** ******** on *** *** ******. This ** ** ***** entrance , *** ******** yet ***. **'** **** and ***.

*** ***'* **** *** a ***** ****** ** the ********** ** **** the ****?

******* *** *** * patent ** ****.*** ****** ***** **** to *** *** ** Security *** *********** **** HID ****** ******:

*** ******** **** ***** it ******** *** ***** to ****** ***** *** open ***** **** * distance ***** ***company’s ******** “***** *** **” ******* technology.  [emphasis added]

****'* ** *****. * am ******* ** *** licenses ** ***? ***** can *** *****?

**** **** ********, *** 'twist' ******* ********** ** an *** ******: *** '***** *** **' Access *******.

************, ****** *** ***-*** partners ** ******* ****** the **** ** ******* is ****** ** * feature, *** * ********.  They ********* **** ******* doors ***** ******* **** phone ** **** ****** for *****-**** ******. 

*******, **** ***** ** accidental ******* *** ********* intrusion ** * **** will ****** ******* ** from ****-******** ***********. 

*'** *** *** *** details ** ********* *** gesture.

**** **** ** *** manufacturers *** ***** ** using *** ********** ***** into **** **********. **** phone *** ***** *** you ****, **** "****", so **** *** **** up ** *** **** the *** ***** ** is ***. ***** *********** does **** **** ***** latest ******* *** ***** very ****. *** *** also ***** *** **** you **** ******** **** when ******** ** **** everyday ** ** **** only ****** ***** ***** applicable.

********* ******* *** ***** a **** *** *** but *** ******* ****** everyday, ********** **** ***** built ** ********** **** already ****** ** *** phone ******* ** *********** the *****.

*** **** ******* *** Blueline *** **********?:

******** - ********* *** NFC *******

****://***.***-******.***/********/********

** * ******* **** Blueline ** ***********/ **** functions **** *** ******?

* ***'* ***** **, but * ** **** RBH ***** ****** ****. It *** ****** ** me *** ** ****** certain **** *** *** of ** **** ********* to **** ** *** time.

***** ****** :) ****** lost ** ** ****** and ** ****. *** credential ** *** ****** will ** * ****** phone *** ** ***'* be **** ****** ****** for ** *******. 

***

**

****** ***** ** **** that ******* ** ***** RC-01 *** **-* ******* ... ******* **** *** HID ******* ... *****'* tried ** ***.

******* ** ********* ******** as*********:
