Nortek Mobile Access Reader BluePass Examined

By Brian Rhodes, Published Feb 12, 2019, 10:28am EST

Nortek's Linear access control division claims to make mobile credentials "more secure and easier to use than ever before" with their BluePass reader.

However, the company's approach potentially opens significant security vulnerabilities. Inside we examine:

  • BluePass Readers & Credentials Key Claims
  • Linear System Pricing
  • Potential Wiegand/125 kHz Weakness
  • Compared to HID Origo Mobile & Openpath Readers
  • Partnership with Unikey

Product ********

******/******'* ******** ****** ******** non-mobile *******, ******** ****** users ** ******* ***** or ******* *********** ** transmit *********** *** ********* Low ****** (***).

*** ***** ***** ** the ************'* ********:

*** ********:

  • **** ********** ******: ******** ***** **** app-based *** ** ******** 26-bit/37-bit *** *** ***********.
  • ***** *******: **** ***** *** readers (*.*.: ********), ***** *** **** an ********* ***** ** their ****** *** ****** 'touch' *** ****** ** unlock *** ****.
  • ***** **** **** ****** Systems: *** **** ******** to * ********** *** Wiegand *** **** ******* data *******, ** ******** can ** ******** **** most ******** ******* ** swapping *** ******.

Key ***** ******* / ************

*** ******** ****** ****** does **** * ****** of ******* ******** ** relative ************, *********:

  • ******* ****: * ******* ************* in ******** ********** **** exists ******* ******** **** not *** ********* ************** like ****.
  • **-*** ** **-*** ****: ** ******* *** using ****** ** ***** credential *******, ******** ****** a ****** ** ******* format *** ***** ******* by *** ******.
  • ****** ****** *****: ****** ****** **** factors, **** *** *** equipped ****** ** ****** range ****-***** ***** *** not *********.
  • ***-********** ********** ******: *** ************** ********, a *** ****** **** be **** ******** **** the ****** ****** ******, causing ***** ** ****** the **** **** ******** times.

BluePass ****** *******

****** ****** *** ******** readers *** ~$***, ********* from **** ******** *** alarm ************ *** ****** resellers.

Credential *******

****** *** ********** ****** tokens ***** ******* $*.** - $*.** **** ** a ***-**** ********, ********* on *** ******* *********. Packages **** * - 100 *********** *** *********.

** ********* ****** ** credential **** ** **** each **** ****** **** have * ******** ********** assigned ** **, ********** if ** ******* ** be ****** ** *** same ********** ** *** access ******.

************, *********** *** *** transferable *** *** ****** to ******** *******. **** cannot ** '******' *** circulation ***** ******** ** reissued **** **** ******* are ******** ** ********, and *** ******** *********** must ** *********.

********** With ******** *** *** ***********

*** ** *** **** interesting ******* ** ******** can ****** **** ***** of ******** ****** *********** so **** ********** *** be **** ******* **-*********** existing ****** *******.

******** ****** ** *** import ******** ** *** or ** *** *********** and ****** ****** ****** to ****** **** ***** those *******. ***** ******** to **** ***** *** credential *****, **** *** two ** *** **** common *** ******* ****** credentials ** ***. ***** more ****** ********* ** advanced ******* ****** ** used, **-***/**-*** *********** ****** popular, **** ****** **% ** *********** ***** ******* *** **** 'Most *******' *** **** existing ******* ***** ***** them.

****** ****** *** ****** process ******** ********* * .csv **** **** ******** card *******, *****, *** email ********* ** ***** web ******, *** **** those ******* *** **** converted **** ******** ****** that *** ************ ** users **** ***** ******.

Single ***** ****

*******, ***** ******** *********** information ***** ** ******, the ******** ****** **** comes ** * ******, mullion *****, ***** (******** credential) **** ***** ***** *** may *** ** ******** for ***** **** ** reader ***********. ******'* **** BLE/125 *** ****** **** into ******-**** ***** **** an ******** *******.

*** ****** ****** ** be **** *** **** 5-16VDC ***** @ ***** typical ** **** ***** and *** ** ******* by ********** ******* **** *********** ******* ******* ********** ***** supplies ** *** *******.

*** ***** ******* ***********, the **** **** ***** generic *** *** ***** or ****.

** ****, *******, *** ******** reader *** ** ****** (No *** *******), *** the **** ***** *** standard *** *** ** within ******, *** ************ with ******** ***** (*.*.: Parking *******), **** *** mobile-based *** *********** *** reach.

*************, ****** ***** *** '125 *** ****** ** disabled' ** *** ***, potentially ******* ******* ********** to ******* ******** ** **** **** ****** ******* With **** $** *** 125kHz **** ******:

BLE *****

*** ******'* *** *********** must ** ******** ******** too, **** ****** ***** may ************* ****** ******** by ****** *****.

*********** **** *************:

** *** ******’* ********* reception ******** ** *** too ****,
** *** ************* **** with ** ********’* ****** device
*** ***** ************ ***** into *** ******** ****** by
******* * **** ****, or ********, *** ******.

** ****** ***** ***-*** readers, ** ********** ************* step ** ****** *** BluePass **** ********* ** minimize **** ****.

Wiegand *****

******* *** **** ** that **** ** *** supported ** ********, **** Wiegand, *** ************** **** between *** **** *** door *********** *** ** intercepted.

*** **** ** ********** to '*** ** *** middle' ******** ***$** ****** ** ******* ******* **** **** ** physically ********* *** ****** in *** ***** ** reader *****:

******** ***** *** **** even ******* ** ******** a ****** ****** ** sensor ** *** ******, so ********** **** * device ***** *********** ** undetected ** *** ******.
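An added example, not code from the IPVM report or from Nortek, showing why the Wiegand and 125 kHz points above matter in practice. It assumes the standard 26-bit layout the report names (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) and a reader that signals each bit as a pulse on one of two wires, D0 for a zero and D1 for a one. The credential values are constructed. Because the frame carries no secret and no freshness, a device inserted inline on the reader wires can read it in the clear and replay it later; the same frame also results whether the source was a mobile BLE credential mapped to 26-bit, a genuine prox card, or a cheap clone of that card.

```python
# Added example (not from the IPVM report or Nortek): what an inline tap on a
# Wiegand reader-to-controller run sees, and why it can replay it.
# Assumes the common 26-bit layout: even parity, 8-bit facility, 16-bit card, odd parity.

from typing import Dict, List


def wiegand26_encode(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader sends for a given credential."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility:08b}{card:016b}"        # 24 data bits
    even = payload[:12].count("1") % 2             # leading bit: even parity over the first 13 bits
    odd = 1 - payload[12:].count("1") % 2          # trailing bit: odd parity over the last 13 bits
    return f"{even}{payload}{odd}"


def wiegand26_decode(bits: str) -> Dict[str, object]:
    """Parse a 26-bit frame back into facility/card and check both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    return {
        "facility": int(bits[1:9], 2),
        "card": int(bits[9:25], 2),
        "even_parity_ok": bits[:13].count("1") % 2 == 0,
        "odd_parity_ok": bits[13:].count("1") % 2 == 1,
    }


def bits_to_pulses(bits: str) -> List[str]:
    """Wiegand puts each bit on one of two wires: a pulse on D0 is a 0, on D1 a 1."""
    return ["D1" if b == "1" else "D0" for b in bits]


def pulses_to_bits(pulses: List[str]) -> str:
    """What an inline tap reconstructs from the pulses it observes on D0/D1."""
    mapping = {"D0": "0", "D1": "1"}
    return "".join(mapping[p] for p in pulses)


def intercept_and_replay(captured: List[str]) -> Dict[str, object]:
    """Decode a captured pulse train and produce the pulses needed to replay it.

    The replay is byte-for-byte the capture: there is no key, nonce or counter
    on the wire for the controller to distinguish a replay from the original.
    """
    frame = pulses_to_bits(captured)
    decoded = wiegand26_decode(frame)
    decoded["replay_pulses"] = bits_to_pulses(frame)
    return decoded


if __name__ == "__main__":
    # Constructed credential values; the reader emits this same frame for a mobile
    # credential mapped to 26-bit, a genuine prox card, or a clone of that card.
    wire = bits_to_pulses(wiegand26_encode(facility=123, card=45678))
    print(intercept_and_replay(wire))
```

The parity checks are the only integrity the format has, and they are trivially recomputed by anyone who can read the wire; a controller talking plain Wiegand cannot tell the replayed pulses from the original. That is the gap a reader-to-controller protocol with authentication (the commenters below mention OSDP) is meant to close.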

Middleware ********** **********

******** ********** ********** ******** *** ********** **** the ****** ********** ******** and **** ****** * separate **** ** ****** and ***** **** *** most *****.

***** ********* *** ***** and ********* *********** ** web-based, *** ** *** trial ***********, **** ** use ** **** **** an ***** **** ** required. *** ******* **** BluePass ******** ******** * credential ****** ** *** access ****** *** **** another ********* ****** ** required ** ******'* ******.

************ **** ****** ** changes ** ***** ********* should ****** ********** **** done ** *** ****** system, *** ** ***** to ********** ****** ** turn-off * ****** **********, it **** ** **** in *** *** ******.

Versus *** *****/****** ***********

*** **** ** ******** is ****** ** ** higher **** *** ** used ** ***** ******* with **** ***** **** frequent ****** ****** ********.

*** ******* ******** **** Nortek ** ****** *********** are ***-************ *** ****** be ******** ** **** than *** ******, ****** *** ********** ******* ** ***** ** 'per ****'. ** ****** BluePass, ******** ******* *** be ****** ***** *** Origo *********** *** * single ***** ** ***** $7 *** ****.

*******, **** ******, *** mobile credential ** * ***-**** purchase **** *** ** used *** *** **** of *** ****** ** was ********, ***** *** is ** ****** ****.

Versus ********

**** ** *** **** 'cool ******' ******** ********* in ******* ********'* ******* are ******* ** ********, including *** '*****' ** open ******* *** ************* with **** *** *** Android *******.

******, ******** ********* **** of *** *** *** and ******* ************ **** BluePass *** ** ********** only **.** *** ******* and ********** **** **** the ****** ** **********.

** ***** ** *** ******** ****, **** ******'* *********** *******, *** ********* ****** at ~$*** ****, *** two ***** *** *********.

**** ********, ***** ** no ****** ********** ******** required. *******, ****** ******, Openpath ******* **** **** with ******** *********** *** the ****** ****** **** be **** *** * service *** ********* ******* for *********** ** ** valid.

Versus ******** *** *** *******

******** ** *** ***** of '***-***' *** *** readers, ******'* **** ** quite ****. **** *** example *** *** **** Midrange **** **** ******* ~$130 ****** ** ******'* ~$250 *****:

***** **** *******, ********'* 125 *** ************* ***** sense *** '******' ********* credentials, *** ** ******* are ********* ***** ***** physical *********** ****** **** mobile, **** ****** *** kHz ******* *** ******** available.

UniKey *****

**** ********, ****** ** relying ** *********** ******** development *** *** ****** platform. *************, **** ******* is **** ** * partnership **** '****** ***********' developer******:

** ***** ** ********* ***********, **** ******* *** developed *** '****** ***********' piece *** **** ******** from ****** **** ******* (see *** **** **** ****), ****, ****, *** Honeywell.

Comments (11)

This looks like the cousin of my Alexa Fire Stick Remote.


This could be an interesting product. A few things:

Why don't they use a twist motion of the smartphone to open the door? That issue of people passing by and opening a door is a flaw in the design in my opinion.

The price of the credentials is a strange decision. One gets PROX at approximately the same price ... or much less.

What is that issue with using a web something to configure the system? Integration with an existing system becomes quite bothersome, with increasing probability of mistakes...

There will be more of those BLE products on the ACS market. This is an early entrance, not polished yet IMO. We'll wait and see.


Why don't they use a twist motion of the smartphone to open the door?

Because HID has a patent on that. HID Global Opens Door to New Era of Security and Convenience with HID Mobile Access:

The solution also makes it possible for users to unlock doors and open gates from a distance using the company's patented "Twist and Go" gesture technology. [emphasis added]

That's my guess. I am curious if HID licenses it out? Brian can you check?


Like John mentions, the 'twist' gesture activation is an HID patent: HID 'Twist and Go' Access Control.

Incidentally, Nortek and non-HID partners in general market the fact that no gesture is needed as a feature, not a drawback. They typically tout opening doors while keeping your phone in your pocket for hands-free access.

However, your point about accidental unlocks and potential intrusion is a risk that will likely exclude it from high-security deployments.

I'll ask HID for details on licensing the gesture.


What some of the manufacturers are doing is using the technology built into your smartphone. Your phone can learn how you walk, your "gait", so when you walk up to the door the app knows it is you. Lenel BlueDiamond does this with their latest version and it works very well. You can also set up the path you most commonly take when arriving at work every day so it will only unlock those doors applicable.

Bluetooth readers are still a ways off IMO but are getting better every day, especially when using built-in technology that already exists on the phone instead of reinventing the wheel.


Can IPVM procure RBH Blueline for comparison?

Blueline - Bluetooth and NFC Readers

http://www.rbh-access.com/products/blueline


Am I correct that Blueline is proprietary/ only functions with RBH Access?


I don't think so, but I am sure RBH would answer that. It was demoed to me and I am fairly certain that was one of my main questions to them at the time.


Great report :) Nortek lost me at 125 kHz and no OSDP. The credential of the future will be a mobile phone, but it won't be this Nortek reader for my clients.

rbl


Hi

ISONAS seems to have that gesture on their RC-01 and RC-1 readers ... Perhaps they use HID sensors ... Haven't tried it yet.


Identiv is reselling BluePass as MobilisID.
