Bluetooth Relay Attack
Gallagher is aware of a new Bluetooth relay attack technique. While our Mobile Connect app and SDK have always included mitigations against relay attacks, such mitigations are never perfect. This new technique increases attackers' capabilities, which reduces the effectiveness of our mitigations. Because a relay simply forwards the genuine credential's own responses between the reader and the cardholder's phone, the reader sees a valid transaction, so we are not able to prevent the attack at a technical level.
Gallagher has long recommended requiring a second factor (PIN, fingerprint or Face ID) when opening doors into secure areas, particularly with Bluetooth. Requiring the cardholder to approve the access transaction on their phone prevents a relay attacker from using the credential without the cardholder's knowledge: the relayed challenge reaches the phone, but nobody is there to approve it, so the transaction does not complete. This should effectively stop the attacker.
If you are concerned about this new attack technique, we encourage you to enable second-factor authentication for your secure areas if you have not already done so.
Command Centre provides three ways to achieve this:
1. Schedule the access zones for the areas of concern into PINs mode. Access to those zones will then require second-factor authentication on mobile devices, or a PIN with traditional access cards.
2. Command Centre has a global option, "Second factor authentication always required for Mobile Connect". Enabling it makes mobile devices require second-factor authentication at every reader while leaving traditional access cards unaffected; the access zone schedule need not change.
3. The "Mobile Connect second factor always required" option can also be overridden per reader, so you can require a mobile second factor only at readers into secure areas (or exempt only the readers into non-secure areas). Traditional access cards are again unaffected, and the access zone schedule need not change.
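The following is an added illustration, not Gallagher code and not the Mobile Connect protocol: a toy model of a challenge-response mobile credential with a per-reader second-factor policy, as described above. The shared key, the message layout, the policy byte and all class and function names are hypothetical and constructed here. It shows why the relay cannot be stopped cryptographically (the forwarded response is the genuine phone's own, so a reader without second factor grants access), why cardholder approval stops it (the prompt reaches a phone nobody is looking at, so no response leaves it), and one design choice the page does not state but a practitioner should check in any such protocol: the second-factor requirement must be bound into the authenticated response, otherwise a relay can strip the flag in transit and downgrade the transaction.

```python
"""Toy model of a Bluetooth relay attack against a challenge-response mobile credential.

Everything here is constructed for illustration; the key, message format and policy
flag are hypothetical and are NOT Gallagher's Mobile Connect protocol.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed shared secret between the reader and the legitimate phone (hypothetical).
CREDENTIAL_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def credential_mac(key: bytes, challenge: bytes, second_factor: bool) -> bytes:
    """Response the phone returns for a challenge. The second-factor policy flag is
    bound into the MAC, so a relay that rewrites the flag in transit causes the
    reader's own expectation not to match (design assumption of this model)."""
    msg = b"access:" + challenge + (b"\x01" if second_factor else b"\x00")
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Reader:
    name: str
    second_factor_required: bool  # models the per-reader override (option 3 above)
    key: bytes = CREDENTIAL_KEY

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh per transaction, so replay of an old response fails

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = credential_mac(self.key, challenge, self.second_factor_required)
        return hmac.compare_digest(expected, response)


@dataclass
class Phone:
    """Legitimate cardholder's device. cardholder_approves models whether the person
    is looking at the phone and enters a PIN / biometric when prompted."""
    cardholder_approves: bool
    key: bytes = CREDENTIAL_KEY

    def respond(self, challenge: bytes, second_factor: bool) -> Optional[bytes]:
        if second_factor and not self.cardholder_approves:
            return None  # prompt is shown, nobody approves: no response leaves the phone
        return credential_mac(self.key, challenge, second_factor)


@dataclass
class Relay:
    """Attacker: one device at the reader, one near the victim's phone. It forwards
    the exchange verbatim and never learns the key. With strip_policy set it also
    rewrites the policy flag to 'no second factor' on the way to the phone."""
    victim: Phone
    strip_policy: bool = False

    def respond(self, challenge: bytes, second_factor: bool) -> Optional[bytes]:
        forwarded_flag = False if self.strip_policy else second_factor
        return self.victim.respond(challenge, forwarded_flag)


Responder = Callable[[bytes, bool], Optional[bytes]]


def attempt_access(reader: Reader, responder: Responder) -> str:
    """One access transaction at `reader`; returns the reader's decision."""
    challenge = reader.new_challenge()
    response = responder(challenge, reader.second_factor_required)
    if response is None:
        return "denied: no cardholder approval"
    return "granted" if reader.verify(challenge, response) else "denied: invalid response"


def run_scenarios() -> dict:
    victim = Phone(cardholder_approves=False)   # away from the door, unaware of the relay
    present = Phone(cardholder_approves=True)   # cardholder at the door, approves prompts
    lobby = Reader("lobby", second_factor_required=False)
    vault = Reader("server-room", second_factor_required=True)
    return {
        "legit_lobby": attempt_access(lobby, present.respond),
        "legit_vault": attempt_access(vault, present.respond),
        "relay_lobby": attempt_access(lobby, Relay(victim).respond),
        "relay_vault": attempt_access(vault, Relay(victim).respond),
        "relay_vault_strip": attempt_access(vault, Relay(victim, strip_policy=True).respond),
    }


if __name__ == "__main__":
    for scenario, decision in run_scenarios().items():
        print(f"{scenario:18} {decision}")
```

Running it shows the relay succeeding at the lobby reader (no second factor configured), being denied at the server-room reader because the absent cardholder never approves the prompt, and being denied again when it tries to strip the policy flag, because the flag is part of what the reader verifies. The last case is the check to make when evaluating any mobile credential: if the second-factor requirement travels as an unauthenticated hint, a relay can remove it.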
If you have any additional queries, please contact the Cyber security team.