Nortek Mobile Access Reader BluePass Examined

Published Feb 12, 2019 15:28 PM

Nortek's Linear access control division claims to make mobile credentials "more secure and easier to use than ever before" with their BluePass reader.

However, the company's approach potentially introduces significant security weaknesses. Inside we examine:

  • BluePass Readers & Credentials Key Claims
  • Linear System Pricing
  • Potential Wiegand/125 kHz Weakness
  • Compared to HID Origo Mobile & Openpath Readers
  • Partnership with Unikey

Product ********

******/******'* ******** ****** ******** ***-****** *******, allowing ****** ***** ** ******* ***** or ******* *********** ** ******** *********** via ********* *** ****** (***).

*** ***** ***** ** *** ************'* overview:

*** ********:

  • **** ********** ******: ******** ***** **** ***-***** *** or ******** **-***/**-*** *** *** ***********.
  • ***** *******: **** ***** *** ******* (*.*.: ********), ***** *** **** ** ********* phone ** ***** ****** *** ****** 'touch' *** ****** ** ****** *** door.
  • ***** **** **** ****** *******: *** **** ******** ** * controller *** ******* *** **** ******* data *******, ** ******** *** ** retrofit **** **** ******** ******* ** swapping *** ******.

Key ***** ******* / ************

*** ******** ****** ****** **** **** a ****** ** ******* ******** ** relative ************, *********:

  • ******* ****: * ******* ************* ** ******** credential **** ****** ******* ******** **** not *** ********* ************** **** ****.
  • **-*** ** **-*** ****: ** ******* *** ***** ****** or ***** ********** *******, ******** ****** a ****** ** ******* ****** *** doors ******* ** *** ******.
  • ****** ****** *****: ****** ****** **** *******, **** PIN *** ******** ****** ** ****** range ****-***** ***** *** *** *********.
  • ***-********** ********** ******: *** ************** ********, * *** portal **** ** **** ******** **** the ****** ****** ******, ******* ***** to ****** *** **** **** ******** times.

BluePass ****** *******

****** ****** *** ******** ******* *** ~$250, ********* **** **** ******** *** alarm ************ *** ****** *********.

Credential *******

****** *** ********** ****** ****** ***** between $*.** - $*.** **** ** a ***-**** ********, ********* ** *** volumes *********. ******** **** * - 100 *********** *** *********.

** ********* ****** ** ********** **** is **** **** **** ****** **** have * ******** ********** ******** ** it, ********** ** ** ******* ** be ****** ** *** **** ********** to *** ****** ******.

************, *********** *** *** ************ *** are ****** ** ******** *******. **** cannot ** '******' *** *********** ***** visitors ** ******** **** **** ******* are ******** ** ********, *** *** BluePass *********** **** ** *********.

********** With ******** *** *** ***********

*** ** *** **** *********** ******* is ******** *** ****** **** ***** of ******** ****** *********** ** **** enrollment *** ** **** ******* **-*********** existing ****** *******.

******** ****** ** *** ****** ******** 26 *** ** ** *** *********** and ****** ****** ****** ** ****** that ***** ***** *******. ***** ******** to **** ***** *** ********** *****, they *** *** ** *** **** common *** ******* ****** *********** ** use. ***** **** ****** ********* ** advanced ******* ****** ** ****, **-***/**-*** credentials ****** *******, **** ****** **% ** *********** ***** ******* *** **** '**** *******' and **** ******** ******* ***** ***** them.

****** ****** *** ****** ******* ******** uploading * .*** **** **** ******** card *******, *****, *** ***** ********* to ***** *** ******, *** **** those ******* *** **** ********* **** BluePass ****** **** *** ************ ** users **** ***** ******.

Single ***** ****

*******, ***** ******** *********** *********** ***** be ******, *** ******** ****** **** comes ** * ******, ******* *****, short (******** **********) **** ***** ***** *** may *** ** ******** *** ***** door ** ****** ***********. ******'* **** BLE/125 *** ****** **** **** ******-**** boxes **** ** ******** *******.

*** ****** ****** ** ** **** and **** *-***** ***** @ ***** typical ** **** ***** *** *** be ******* ** ********** ******* **** *********** ******* ******* ********** ***** ******** ** new *******.

*** ***** ******* ***********, *** **** also ***** ******* *** *** ***** or ****.

** ****, *******, *** ******** ****** *** no ****** (** *** *******), *** the **** ***** *** ******** *** kHz ** ****** ******, *** ************ with ******** ***** (*.*.: ******* *******), only *** ******-***** *** *********** *** reach.

*************, ****** ***** *** '*** *** cannot ** ********' ** *** ***, potentially ******* ******* ********** ** ******* detailed ** **** **** ****** ******* **** **** $30 *** ****** **** ******:

BLE *****

*** ******'* *** *********** **** ** manually ******** ***, **** ****** ***** may ************* ****** ******** ** ****** users.

*********** **** *************:

** *** ******’* ********* ********* ******** is *** *** ****,
** *** ************* **** **** ** employee’s ****** ******
*** ***** ************ ***** **** *** building ****** **
******* * **** ****, ** ********, the ******.

** ****** ***** ***-*** *******, ** additional ************* **** ** ****** *** BluePass **** ********* ** ******** **** risk.

Wiegand *****

******* *** **** ** **** **** is *** ********* ** ********, **** Wiegand, *** ************** **** ******* *** unit *** **** *********** *** ** intercepted.

*** **** ** ********** ** '*** in *** ******' ******** ***$** ****** ** ******* ******* **** **** ** ********** ********* and ****** ** *** ***** ** reader *****:

******** ***** *** **** **** ******* by ******** * ****** ****** ** sensor ** *** ******, ** ********** such * ****** ***** *********** ** undetected ** *** ******.
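To make the Wiegand weakness concrete, the following is an added illustration written for this page, not code from IPVM, Nortek/Linear, or any reader or sniffer product. It models what an in-line tap on the D0/D1 pair sees: every card read is a plain 26-bit frame with no encryption, no freshness and only two parity bits, so anything captured can be decoded into facility code and card number and re-emitted verbatim. The pulse capture, facility code and card number below are constructed sample values; the bit layout is the standard 26-bit (H10301) format.

```python
# Added example: decode and re-encode a standard 26-bit Wiegand frame.
# Constructed data; not code from Nortek/Linear, IPVM, or any product.
from typing import List, Tuple


def bits_from_pulses(pulses: List[str]) -> str:
    """Rebuild a bit string from a logged sequence of Wiegand line pulses.

    On the reader-to-controller wiring, a pulse on D0 encodes a 0 and a pulse
    on D1 encodes a 1. An in-line tap only has to record which line pulsed.
    """
    table = {"D0": "0", "D1": "1"}
    try:
        return "".join(table[p] for p in pulses)
    except KeyError as exc:
        raise ValueError(f"unexpected line name in capture: {exc}") from None


def decode_wiegand26(bits: str) -> Tuple[int, int]:
    """Parse a 26-bit frame into (facility_code, card_number).

    Layout of the 26-bit format:
      bit 0      : even parity over bits 1..12
      bits 1..8  : 8-bit facility code
      bits 9..24 : 16-bit card number
      bit 25     : odd parity over bits 13..24
    Parity is the only integrity check the format carries.
    """
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    b = [int(c) for c in bits]
    if sum(b[0:13]) % 2 != 0:
        raise ValueError("even parity check failed")
    if sum(b[13:26]) % 2 != 1:
        raise ValueError("odd parity check failed")
    facility = int(bits[1:9], 2)
    card = int(bits[9:25], 2)
    return facility, card


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame for a facility code and card number.

    Because the frame is fully determined by these two public values, a
    captured read can be regenerated (or any other card number guessed)
    without knowing any secret.
    """
    if not 0 <= facility < 2 ** 8 or not 0 <= card < 2 ** 16:
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    payload = f"{facility:08b}{card:016b}"
    even = str(payload[:12].count("1") % 2)         # makes bits 0..12 even
    odd = str((payload[12:].count("1") + 1) % 2)    # makes bits 13..25 odd
    return even + payload + odd


# Constructed capture of one card read as seen on the D0/D1 lines.
SAMPLE_PULSES = list(
    "D1 D0 D1 D1 D1 D1 D0 D1 D1 D1 D0 D1 D1 D0 D0 D1 "
    "D0 D0 D1 D1 D0 D1 D1 D1 D0 D1".split()
)


def replay_from_capture(pulses: List[str]) -> dict:
    """Decode a captured read and show the frame a replay device would emit."""
    frame = bits_from_pulses(pulses)
    facility, card = decode_wiegand26(frame)
    return {
        "captured_frame": frame,
        "facility_code": facility,
        "card_number": card,
        "replay_frame": encode_wiegand26(facility, card),
    }


if __name__ == "__main__":
    print(replay_from_capture(SAMPLE_PULSES))
```

The only defence the format offers is parity, which a sniffer reproduces trivially; the mitigation discussed in the comments (OSDP with Secure Channel, or a non-Wiegand reader-to-controller link) is a protocol change, not something the controller can detect from the frame.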

Middleware ********** **********

******** ********** ********** ******** *** ********** **** *** ****** management ******** *** **** ****** * separate **** ** ****** *** ***** data *** **** *****.

***** ********* *** ***** *** ********* credentials ** ***-*****, *** ** *** trial ***********, **** ** *** ** does **** ** ***** **** ** required. *** ******* **** ******** ******** creating * ********** ****** ** *** access ****** *** **** ******* ********* record ** ******** ** ******'* ******.

************ **** ****** ** ******* ** their ********* ****** ****** ********** **** done ** *** ****** ******, *** in ***** ** ********** ****** ** turn-off * ****** **********, ** **** be **** ** *** *** ******.

Versus *** *****/****** ***********

*** **** ** ******** ** ****** to ** ****** **** *** ** used ** ***** ******* **** **** users **** ******** ****** ****** ********.

*** ******* ******** **** ****** ** mobile *********** *** ***-************ *** ****** be ******** ** **** **** *** device, ****** *** ********** ******* ** ***** ** '*** ****'. So ****** ********, ******** ******* *** be ****** ***** *** ***** *********** for * ****** ***** ** ***** $7 *** ****.

*******, **** ******, *** ****** ********** ** a ***-**** ******** **** *** ** used *** *** **** ** *** device ** *** ********, ***** *** is ** ****** ****.

Versus ********

**** ** *** **** '**** ******' features ********* ** ******* ********'* ******* are ******* ** ********, ********* *** 'Touch' ** **** ******* *** ************* with **** *** *** ******* *******.

******, ******** ********* **** ** *** 125 *** *** ******* ************ **** BluePass *** ** ********** **** **.** MHz ******* *** ********** **** **** the ****** ** **********.

** ***** ** *** ******** ****, **** ******'* *********** *******, *** ********* ****** ** ~$*** each, *** *** ***** *** *********.

**** ********, ***** ** ** ****** credential ******** ********. *******, ****** ******, Openpath ******* **** **** **** ******** controllers *** *** ****** ****** **** be **** *** * ******* *** purchased ******* *** *********** ** ** valid.

Versus ******** *** *** *******

******** ** *** ***** ** '***-***' 125 *** *******, ******'* **** ** quite ****. **** *** ******* *** HID **** ******** **** **** ******* ~$130 ****** ** ******'* ~$*** *****:

***** **** *******, ********'* *** *** compatibility ***** ***** *** '******' ********* credentials, *** ** ******* *** ********* using ***** ******** *********** ****** **** mobile, **** ****** *** *** ******* are ******** *********.

UniKey *****

**** ********, ****** ** ******* ** significant ******** *********** *** *** ****** platform. *************, **** ******* ** **** of * *********** **** '****** ***********' developer******:

** ***** ** ********* ***********, **** ******* *** ********* *** 'mobile ***********' ***** *** **** ******** from ****** **** ******* (*** *** **** **** ****), ****, ****, *** *********.

Comments (11)
Undisclosed #1
Feb 13, 2019

This looks like the cousin of my Alexa Fire Stick Remote.

Undisclosed Integrator #2
Feb 14, 2019

This could be an interesting product. A few things:

Why don't they use a twist motion of the smartphone to open the door? That issue of people passing by and opening a door is a flaw in the design in my opinion.

The price of the credentials is a strange decision. One gets PROX at approximately the same price ... or much less

What is that issue to use a web something to configure the system. Integration with an existing system becomes quite bothersome with increasing probability of mistakes...

There will be more of those BLE products on the ACS market. This is an early entrance, not polished yet IMO. We'll wait and see.

John Honovich
Feb 14, 2019
IPVM

Why don't they use a twist motion of the smartphone to open the door?

Because HID has a patent on that. HID Global Opens Door to New Era of Security and Convenience with HID Mobile Access:

The solution also makes it possible for users to unlock doors and open gates from a distance using the company’s patented “Twist and Go” gesture technology.  [emphasis added]

That's my guess. I am curious if HID licenses it out? Brian can you check?

Brian Rhodes
Feb 14, 2019
IPVMU Certified

Like John mentions, the 'twist' gesture activation is an HID patent: HID 'Twist and Go' Access Control.

Incidentally, Nortek and non-HID partners in general market the fact no gesture is needed as a feature, not a drawback.  They typically tout opening doors while keeping your phone in your pocket for hands-free access. 

However, your point about accidental unlocks and potential intrusion is a risk that will likely exclude it from high-security deployments.

I'll ask HID for details on licensing the gesture.

Shannon Davis
Feb 18, 2019
IPVMU Certified

What some of the manufacturers are doing is using the technology built into your smartphone. Your phone can learn how you walk, your "Gait", so when you walk up to the door the app knows it is you. Lenel BlueDiamond does this with their latest version and works very well. You can also setup the path you most commonly take when arriving at work everyday so it will only unlock those doors applicable.

Bluetooth readers are still a ways off IMO but are getting better everyday, especially when using built in technology that already exists on the phone instead of reinventing the wheel.

Undisclosed End User #3
Feb 14, 2019

Can IPVM procure RBH Blueline for comparison?:

Blueline - Bluetooth and NFC Readers

http://www.rbh-access.com/products/blueline

Brian Rhodes
Feb 14, 2019
IPVMU Certified

Am I correct that Blueline is proprietary/ only functions with RBH Access?

Cary Menage
Feb 14, 2019
IPVMU Certified

I don't think so, but I am sure RBH would answer that. It was demoed to me and am fairly certain that was one of my main questions to them at the time.

Randy Lines
Feb 14, 2019

Great report :) Nortek lost me at 125kHz and no OSDP. The credential of the future will be a mobile phone but it won't be this Nortek reader for my clients. 

rbl

(2)
Undisclosed Integrator #2
Feb 14, 2019

Hi

ISONAS seems to have that gesture on their RC-01 and RC-1 readers ... Perhaps they use HID sensors ... Haven't tried it yet.

(1)
Brian Rhodes
Mar 17, 2020
IPVMU Certified

Identiv is reselling BluePass as MobilisID: