Slashdot Mirror


75 Percent of Bluetooth Smart Locks Can Be Hacked (tomsguide.com)

It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from the DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom's Guide reports: Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks -- including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. "We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'" The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

87 comments

  1. 100% by Anonymous Coward · · Score: 0

    More like 100%. 75% just had easily exploitable attacks.

    1. Re: 100% by Anonymous Coward · · Score: 2, Informative

      The update at the end of the article states the August smartlock, one of the 4 called out as being good, has now been hacked. Up to 81% at least.

  2. Locks are for honest people :) by wangmaster · · Score: 2, Interesting

    I go by the notion that locks are for honest people and things like smartlocks and connected locks are primarily for the convenience of the owner. Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out. So while I'm disappointed at the overall non-concern for real security by the manufacturers, I'm not incredibly surprised and I'd be really surprised, outside of a handful of specific targeted cases, that any real thief would even bother with hacking a lock.

    1. Re:Locks are for honest people :) by whoever57 · · Score: 0

      outside of a handful of specific targeted cases, that any real thief would even bother with hacking a lock.

      Oh rly?

      What we see here is yet another example of how the manufacturers of IoT devices don't give a shit about security.

      --
      The real "Libtards" are the Libertarians!
    2. Re: Locks are for honest people :) by Anonymous Coward · · Score: 0

      When is the last time you saw an ad for a lock that actually emphasized the difficulty someone would have to defeat it? It probably was when someone shot a hole through a MasterLock padlock, wasn't it?

      Convenience triumphs over security because security isn't convenient. As long as the appearance of security fools most users, they forgive lax security.

    3. Re:Locks are for honest people :) by sexconker · · Score: 4, Insightful

      Such a bullshit cliche. Honest people don't need locks to stop them from opening things they shouldn't be opening.

    4. Re: Locks are for honest people :) by c-A-d · · Score: 1

      According to BosnianBill on YouTube, MasterLock's main weakness is the tumbler. Check out his videos. He rakes a MasterLock with a ziptie and opens it.

      --
      some karma... and kinda lukewarm about it.
    5. Re: Locks are for honest people :) by easyTree · · Score: 1

      To keep those on the line between honesty and criminality from straying across without effort - like a fence.

    6. Re:Locks are for honest people :) by wangmaster · · Score: 2

      That's not really an accurate analogy. One wouldn't need to hack the lock of a jeep to get access to the contents of the jeep.

    7. Re: Locks are for honest people :) by wangmaster · · Score: 1

      Exactly. The nihilistic view of honest people is that they are simply an opportunity away from being a dishonest person :).

    8. Re:Locks are for honest people :) by Anonymous Coward · · Score: 0

      Locks are for honest people

      I really hate that argument. It implies that the quality of the lock does not matter. If you truly believe that, maybe you should put your money where your mouth is, and convert all locks on your exterior doors to bathroom/bedroom door type locks.

    9. Re: Locks are for honest people :) by dpidcoe · · Score: 1

      Did you see his video on the bluetooth masterlock though? 3 blows with a standard claw hammer blew it apart.

    10. Re:Locks are for honest people :) by chiefcrash · · Score: 5, Insightful

      Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

      This is very true, but even then the lock accomplishes something else: it creates evidence of a break-in. You show your home insurance adjuster a kicked in door, they cut a check. You swear up and down that you locked the door and someone must have hacked it, have a fun few months/years in court...

      Being able to hack the lock from a car parked on the street also has advantages: it cuts down on the amount of time and noise you have to make to break in. After all, there's a reason thieves are getting into electronic gizmos to unlock car doors...

      --
      Show me on the 1st Amendment bobblehead where the moderator touched you...
    11. Re:Locks are for honest people :) by Anonymous Coward · · Score: 0

      The big problem is if you don't show signs of a break-in, it's hard to get insurance for it. So it's more serious than physical locks being easy to break into.

    12. Re: Locks are for honest people :) by Anonymous Coward · · Score: 0

      Yup. It just stops the lazy and opportunistic criminals, which there are a lot of so it's still worth using. Nothing will stop a determined criminal, which is what insurance is for. Now the claim that insurance companies are criminal is another story.

    13. Re:Locks are for honest people :) by Anonymous Coward · · Score: 0

      I've got 3 person sized sheets of glass that are completely hidden from the street and at ground level. If I welded over the key hole on the deadbolt that door and adjoining windows would not be significantly safer. Your cliche is just as much BS.

    14. Re: Locks are for honest people :) by Anonymous Coward · · Score: 0

      That word, I do not think it means what you think it means.

    15. Re: Locks are for honest people :) by easyTree · · Score: 1

      Yep, we need meta insurance. Oh wait.

    16. Re:Locks are for honest people :) by Anonymous Coward · · Score: 0

      Yeah, they wouldn't bother with hacking the lock, they would just use a pry-bar on the wooden door frame and that takes far less time. Even aluminum frames can just be bent with enough force.

      Someone who is looking for a smash-and-grab will literally smash a window (which many front doors have, stupidly enough).

      Now, on the other hand, if someone is looking specifically to steal an item of value and not set off alarms, the first thing they would do is generate a 2.4GHz high-power signal to drown out all the IoT devices' communication, rip out the fiber/cable/copper phone lines from the building, and then make sure to steal all the computers, IoT devices and whatever else of value while you're in the home to make sure there's no digital tracks.

      As you said these are convenience things, and short of someone looking to specifically target that home these bluetooth locks probably shouldn't be on the front-door in the first place. They should be on the carport door, where you want a quick entry/exit, and still have the garage door as a second barrier. But an IoT garage door opener is likely a thing too, and I wouldn't put it past someone who puts a BT IoT lock on all their doors, to not put one on their garage too.

      In fact, the best application for BT locks is actually AirBnB rentals. Because you want to change the locks between rentals without physically changing the locks.

    17. Re: Locks are for honest people :) by Anonymous Coward · · Score: 0

      Or a wall!

    18. Re:Locks are for honest people :) by Ungrounded+Lightning · · Score: 1

      As you said these are convenience things, and short of someone looking to specifically target that home these bluetooth locks probably shouldn't be on the front-door in the first place. They should be on the carport door, where you want a quick entry/exit, and still have the garage door as a second barrier.

      Crooks LOVE unlocked garages or other crummy garage security. It gives them plenty of time unobserved to deal with the garage/house door.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    19. Re:Locks are for honest people :) by viperidaenz · · Score: 1

      Then they realised the IoT devices were using 900MHz or 433, or 468, or 968... or 5.8GHz.. or cellular.

      Their 2.4GHz high-power device is also illegal, so they're breaking and entering and violating FCC rules turning their crime into a federal offence.

    20. Re:Locks are for honest people :) by sexconker · · Score: 1

      Do you even know what "cliche" means? What cliche did I use?

    21. Re:Locks are for honest people :) by HornWumpus · · Score: 1

      Because of all the law enforcement agencies in the USA, uncle charlie is the one to fear most?

      Uncle charlie doesn't care what you do as long as you don't interfere with their cash cows. 1000W linear on a crappy CB, no enforcement, had to put a pin through the jackass's coax myself.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    22. Re: Locks are for honest people :) by Anonymous Coward · · Score: 0

      I hope you flattened the cable a bit before flush cutting the pin.

    23. Re:Locks are for honest people :) by swillden · · Score: 1

      This is very true, but even then the lock accomplishes something else: it creates evidence of a break-in.

      A bump key or a properly-handled tensioner and rake don't leave any evidence.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    24. Re:Locks are for honest people :) by Anonymous Coward · · Score: 0

      What's the reason you end every single paragraph with an ellipsis? Brain damage?

    25. Re:Locks are for honest people :) by skids · · Score: 1

      Honest people don't need locks to stop them from opening things they shouldn't be opening.

      This may be true of your home's exterior door or your car door in modern western society, but it certainly is not in
      other settings. People often find themselves in situations where they need to try doorknobs until they find the right
      room/closet, and a locked door is a good way to tell them "not the right door." Signs are usually a better way, but
      sometimes it is silly to put a sign on everything.

      For example, you don't leave the door to your dangerous laboratory unlocked and then send your temp worker
      down the hallway to empty all the trash pails.

      It's sort of like saying AAA isn't needed to stop honest people from assuming a website is for public use...
      an honest person will usually eventually figure material should not have been left posted, but they may
      end up seeing or doing something they were not supposed to before then, especially if they come in via
      a link to a subpage... unless you put a header at the top of every page saying "don't read this."

    26. Re:Locks are for honest people :) by chiefcrash · · Score: 1

      Not quite true, though at that point you'd have to pay a forensic locksmith to take apart the lock. The act of key bumping basically slams the key against the bottom pins to allow for kinetic energy to be transferred from the key to the top pins. Because they are immobile and absorb the kinetic energy, this causes considerable damage to the bottom pins in the form of large dents and scratches. Similarly, picking the lock tends to leave distinctive scratches on the interior pins...

      --
      Show me on the 1st Amendment bobblehead where the moderator touched you...
    27. Re:Locks are for honest people :) by swillden · · Score: 1

      That makes sense. However, it doesn't really affect the point. If you have to disassemble the lock to discover that there was a break-in, then you'll never know there was a break-in. I suppose if you have some *other* reason to believe there might have been a break-in the lock could provide evidence, but that seems like a pretty rare situation, one which wouldn't justify putting locks everywhere.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    28. Re:Locks are for honest people :) by peawormsworth · · Score: 1

      Why do they need a lock, if they have nothing to hide?

  3. Same as regular locks? by phorm · · Score: 2

    "had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit."
    and
    "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

    Soooo... pretty much the same standard as most consumer (non-smart) locks? I agree that it's pretty pathetic, but given that most locks are susceptible to a "bump key" and that even some supposedly secure safes can be easily opened with a magnet, the locks are mostly about keeping honest people honest, and do little to deter thieves.

    For the price of smart locks though, perhaps one should expect a slightly better attitude regarding security. Generally for $100-200 you can get a fairly decent door-lock in the non-smart variety.

    1. Re:Same as regular locks? by iMadeGhostzilla · · Score: 1

      The difference is dumb locks you have to access physically to break them open and while doing so you may look suspicious -- there is a time pressure that raises the barrier. With smart locks, you can take your time working the lock at a distance, and once it is unlocked you can casually access the protected item as if it were yours.

    2. Re:Same as regular locks? by Anonymous Coward · · Score: 0

      The difference is dumb locks you have to access physically to break them open and while doing so you may look suspicious -- there is a time pressure that raises the barrier. With smart locks, you can take your time working the lock at a distance, and once it is unlocked you can casually access the protected item as if it were yours.

      Don't suppose you heard of a bump-key? I'm guessing not...

    3. Re:Same as regular locks? by phorm · · Score: 2

      Yeah, especially since I actually mentioned them in my post...
      Maybe a video would help illustrate how quickly these things work.

  4. Transmit the password as cleartext? by Snotnose · · Score: 2

    We all know most people only have 2-3 passwords, which get used for the dozens of times a password is needed. If I sniffed a password I wouldn't bother with the lock, I'd start seeing what else used that same password.

    1. Re:Transmit the password as cleartext? by Anonymous Coward · · Score: 0

      sniff the password on bluetooth, apply it to their wifi, sniff the now decrypted wifi for what bank they use, look at where the direct deposit comes from, log in to their HR system with the same password, redirect 1-2% of their paycheck to an account you control, move on to the next house and repeat.

      find 50-100 locks get an extra paycheck!

    2. Re:Transmit the password as cleartext? by Anonymous Coward · · Score: 0

      My password is "dirtyunderwear". I don't use locks.

      Sniff that.

  5. Keep honest people honest but make a good product by sjbe · · Score: 2

    I go by the notion that locks are for honest people and things like smartlocks and connected locks are primarily for the convenience of the owner. Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

    That's true but there is no point in making it easier than necessary for a lock to get picked. At least with the deadbolt on my door someone would either have to A) smash the door which tends to leave evidence or B) pick the lock which (should) take non-trivial amounts of time. You are quite correct that locks are generally more for keeping honest people honest than to keep out determined criminals but that doesn't excuse making a shoddy, easily bypassed product.

  6. 100% of pin tumbler locks can be hacked by Anonymous Coward · · Score: 0

    75% sounds more secure than a pin tumbler lock to me.

    If you cannot hack my lock you can always break my window or force a door open.

    I am not willing to pay or put up with the inconvenience of perfect physical security for my home.

  7. Breaking news! by otaku244 · · Score: 2

    Obligatory XKCD: https://xkcd.com/538/

    I agree that this is a clear vulnerability... but seriously: if a single lock is the only thing separating an intruder and your valuables, bluetooth isn't going to save you any more than a standard tumbler lock.

    If anything, the data spillage on the password is the biggest problem (given people's propensity to recycle passwords). NOW the *ahem* "hacker" probably has a good guess on the login to your computer, wifi, bank account, etc. To prevent this human performance error, they should probably ditch the password in preference to some other key salted from a sensor on the device itself. That way, it's set once, provides a key to input to your mobile devices, and then be changed whenever you find out your spouse is cheating on you.

    In deference to the XKCD, though, said spouse would probably kick the door down... so better make sure there's a backup plan!

    --
    Mod me down, I shall become more off-topic than you could possibly imagine.
  8. Hackdot? by Tablizer · · Score: 1

    There's an increasing number of security-related Slashdot stories. While not necessarily a bad thing, perhaps an easier way should be provided to browse non-security-related stories when one wants to. Suggestions welcome.

    Security certainly is a growing problem, I don't dispute that, but reading too many gets depressing.

    A preliminary suggestion is to adjust the top "Categories" to have checkmarks. Your preferred (default) checkmarks would be stored with your user profile, along with a link next to the category menu to change preferences (to avoid hunting around in menu trees).

    Draft categories:

    * Hardware
    * Security
    * Development
    * Open Source
    * Non-IT STEM
    * Politics
    * Social Media / Entertainment
    * Other

    One would uncheck categories they don't want included.

    Many stories will fall into multiple categories, which could make things tricky. There are of course UI's for fancier filtering, but that may be overkill. Maybe color coding of some kind?

  9. Telnet by invictusvoyd · · Score: 1

    Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

    Right

  10. "...we're not gonna fix it" by fustakrakich · · Score: 1

    I wonder, does this attitude have any effect on sales? To explicitly state this publicly must mean they are very confident that it doesn't.

    --
    “He’s not deformed, he’s just drunk!”
  11. Wow by easyTree · · Score: 1

    Only 75%

    It turned out that the vendors actually don't care,

    Omg. It's almost as if their interest ends at getting your money. Who'd have thunk?

    1. Re:Wow by Anonymous Coward · · Score: 0

      That's okay. Some people are interested in getting the vendors' money. -PCP

  12. That's because the default pin by SailorSpork · · Score: 1

    That's because the default pin for 75% of Bluetooth locks is either 0000 or 1234.

  13. Re:Keep honest people honest but make a good produ by Anonymous Coward · · Score: 4, Informative

    Most house deadbolts take about 1 second to covertly open:

    https://www.youtube.com/watch?v=iaBIvKzBCxI

    Hopefully you bought a replacement for the junk the builder installed.

  14. Security. by Anonymous Coward · · Score: 0

    I have purchased a domain from namecheap and also bought hosting from bluehost...My site url is : http://www.myespressoinfo.com.

    Now my question is will my site be hacked by others because I have not bought the domain name from the same hosting company.
    Thank you

  15. Failure on all fronts by ia.echo.hotel · · Score: 2

    Master Lock's Bluetooth padlock has a body that's just straight up pot metal and won't stand up to a decent smack. https://www.youtube.com/watch?...

  16. Same with keys. by gurps_npc · · Score: 4, Insightful

    Most locks can be opened in 5 seconds with a 'bump key'.

    Even the best locks can easily be defeated by a sledge hammer.

    The real advantage of most locks is that it TELLS you when they have been attacked. A good Bluetooth lock should keep an easily accessible record of how many times and when it was opened.

    But yes, this should be fixed. Even simple encryption is better than plain text password transmission.

    --
    excitingthingstodo.blogspot.com
    1. Re:Same with keys. by bhetrick · · Score: 1

      Actually, I think plain text is better than poor encryption. Poor encryption is worse than none, as it leads you to believe the communication is "secure" (and gives the marketing weasels air cover). At least with plain text, you know it's vulnerable.

    2. Re:Same with keys. by Anonymous Coward · · Score: 1

      > Even the best locks can easily be defeated by a sledge hammer.

      https://www.youtube.com/watch?v=mkP1rA5Jhpw

    3. Re:Same with keys. by Anonymous Coward · · Score: 0

      So then you just smash though the wall itself. Wood framed houses and cinder blocks are trivial to destroy. Unless you are literally building a fortress, this door is overkill. (But cool)

    4. Re:Same with keys. by Anonymous Coward · · Score: 0

      Headline levels of knowledge does not make for factual discourse.

      Both of your first two statements are incorrect. The first is like saying 'most computers can be hacked in 5 seconds with a keyboard ' and the second is just asinine. Bank robbers (of this century) never take a couple cracks with a sledgehammer to open vault doors.

    5. Re:Same with keys. by Anonymous Coward · · Score: 0

      I'm not living in a bunker... and the exterior walls of my apartment are made out of concrete.....

  17. Re:Keep honest people honest but make a good produ by RobertNotBob · · Score: 2

    Sjbe, I was sorely disappointed to discover how NOT NON trivial it is to pick most commercial locks (meaning, of course, that it IS trivial.) - after watching a 25 minute DVD and practicing for less than 15 minutes (meaning my total investment in this skill is less than one hour), I myself am able to do it in less than 20 seconds. I can only imagine that for an actual thief with experience, that the time is less than 5 seconds. -- That seems pretty trivial to me. That's why I have a mechanical, electrical and biological system of overlapping security systems now.

    --
    ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
  18. Cryptography by DrYak · · Score: 1

    I am not willing to pay or put up with the inconvenience of perfect physical security for my home.

    The thing is, perfect smart locks (I mean, at least perfect on the software side) are technically possible.
    There are modern cryptographic methods that could work very well in this situation.

    The smartlock makers were simply too lazy to even try it.
    And that's sad.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Cryptography by dgatwood · · Score: 1

      They're probably not lazy, but rather they probably all obtained the electronic guts from some Chinese manufacturer that builds lock guts for hundreds of different companies, using basically the same firmware, just changing the VID/PID pairs. The lock manufacturer probably played no part in the development of the electronics or in the firmware that runs on the device, which means that any fix would require them to lean on the actual hardware vendor, who would then do anything and everything to avoid actually fixing the problem—assuming the firmware is even field-upgradable in the first place.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  19. Masterlock by Anonymous Coward · · Score: 0

    Masterlock Bluetooth lock opens after three to four blows with a hammer

  20. 75% today by JustAnotherOldGuy · · Score: 1

    75% today, but it'll be 100% in a few weeks or maybe a few months.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  21. Bolt cutters by BlytheBowman · · Score: 1

    I think you are still more at risk from the low tech methods of getting past locks, but the "fuck you, we don't care" attitude these companies are showing is very alarming.

  22. Newsflash by Anonymous Coward · · Score: 0

    75% of dumb locks can be hacked too, with a lock pick.

    1. Re:Newsflash by WillAffleckUW · · Score: 1

      Hammers and cold steel pry bars work well.

      We used to open military cases with those. Faster than trying to get the rusted lock open.

      Safety is a myth. Everything can be opened, if you're willing to do it.

      --
      -- Tigger warning: This post may contain tiggers! --
  23. "smart" things by Gravis+Zero · · Score: 1

    does anyone else think all the "smart" devices are really just stupid ways of solving a previously solved problem?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:"smart" things by Vadim+Makarov · · Score: 1

      I agree. In three years half the startups making them will be dead, and so will the app. The only remaining opening method will be keypad code entry, until electronics dies and no service is available. I'd approach these expensive toys with caution. They are probably not worth the price.

      --
      17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
  24. Problem Easily Solved! by Anonymous Coward · · Score: 0

    Rather than some cheap bluetooth lock that someone is just going to pry open with a WIFI-enabled jackhammer eventually, I would propose the use of wild attack dogs to secure the contents of your house. Look for something a bit like the ones they used to take down that JFK double that no one had any further use for...

  25. I am shocked by WillAffleckUW · · Score: 1

    Shocked that the "hackers" can only break 75 percent.

    They must be n00bZ

    --
    -- Tigger warning: This post may contain tiggers! --
  26. Locksmith told me Kwikset is unpickable by MillerHighLife21 · · Score: 2

    Not all Kwikset but apparently the new ones that you can re-key yourself. He said the tool that's supposed to let locksmiths pick them won't even work. Locked myself out one day and discovered that my only option was basically going to be to drill through it.

    Made me both happy and sad at the same time....

    --
    "Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson
    1. Re:Locksmith told me Kwikset is unpickable by Anonymous Coward · · Score: 0

      You could have destroyed the lock easier and cheaper with simple hand tools borrowed from your neighbour:

      https://www.youtube.com/watch?v=P-9YNcnegjY

    2. Re:Locksmith told me Kwikset is unpickable by Anonymous Coward · · Score: 0

      Correction, shitty locksmith told you Kwikset is unpickable.

    3. Re:Locksmith told me Kwikset is unpickable by naughtynaughty · · Score: 1

      Your locksmith was incorrect.

      https://www.youtube.com/watch?...

      But his incorrect information did allow him to charge you for drilling out your old lock and sell you a new one.

  27. August Lock for the win! by Anonymous Coward · · Score: 0

    Whew! August lock wasn't on the list. But I always knew there was probably a way to hack them when I installed it on my front door. The thing is...if someone really wanted to break into my house, they could just break the window and then just reach in and unlock the deadbolt by hand anyway. With all of my large windows on the front of my house, short of barring my windows or replacing them with "unbreakable" glass there isn't a whole lot I could do to stop someone who was really intent on breaking in. So I just take comfort that I live in a nice neighborhood. The biggest security feature of my house is that I live up a steep hill from downtown on a low trafficked, but well lit street.

    1. Re:August Lock for the win! by GunR · · Score: 1

      It didn't last long, I guess (from article): "Update: In an Aug. 7 presentation at DEF CON, another researcher showed how he'd defeated most of the security precautions on the August Smart Lock.".

      Not sure what "most of the security" pertains to, though.

  28. Re:These are actually LUDDITE locks. by viperidaenz · · Score: 1

    If they used LUDDITE locks instead of APPY locks, then those APPY hackers wouldn't have been able to hack the LUDDITE locks

    Luddite!

  29. Re:Keep honest people honest but make a good produ by recjhl · · Score: 1

    It sounds too inconvenient for most people. One more lock, and it will be faster to break in than to use keys.

  30. 95% of regular locks can be hacked by naughtynaughty · · Score: 1

    Not that reporting insecurities in Bluetooth implementations isn't important, but the reality is someone is far more likely to kick your door open or manipulate your mechanical lock than they are to go to the trouble of sniffing your short range BTLE traffic to find a way to electronically open your lock.

  31. most physical locks are also pickable by johnrpenner · · Score: 1

    most physical locks are also pickable — with a pick and a tension bar — at 25% — the electronic locks might be less pickable than their physical counterparts.. :-p

  32. Who cares by ironicsky · · Score: 1

    Honestly... who cares, really. Smart locks aren't about security, they are about convenience. The fact that most residential mechanical locks can be picked in mere seconds by a skilled locksmith with cheap tools should be more concerning. A hacker will need specialized software to hack bluetooth locks, greatly reducing the likelihood of a bad-dooer doing something to your house.

    Further, locks don't stop dishonest people from doing dishonest things. You could kick down a door faster than you can pick the lock or bluetooth hack it. It's just a hell of a lot noisier. Locks stop honest people from trying to be dishonest people.

    1. Re:Who cares by Anonymous Coward · · Score: 0

      A hacker will need specialized software to hack bluetooth locks, greatly reducing the likelihood of a bad-dooer doing something to your house.

      You know that there are loads of ready-to-go kits being sold for all types of things..... Hardware. hmm.. raspberry pi + battery + bluetooth dongle.. Or maybe just run everything on a smartphone to be even less obvious....

      You should only know what type of things are for sale on some forums...... or maybe it's better that you don't.. you would probably have a hard time sleeping..

      What a burglar wants is to do everything quietly without risking being noticed.. (unless it's a junkie out for some quick money).. So to protect yourself you don't have to have the absolute best locks or bars covering the windows... Try these simple things.
      - Make sure if someone approaches your house lights should turn on...
      - Make sure it will make a lot of noise if they want to enter the house.. Just rigging sensors for windows and doors and ignoring motion-detection indoors is good enough..
      - Make sure your house does not look like you are away by having some type of randomization of lights going on/off and maybe even react on external motion/sound-detectors.
      - Make sure you don't get a bunch of newspapers and letters visible from the outside. (locked mailbox may be good)
      - Ask a neighbour to clear away any branches and things that may appear outside the house.. Sometimes they put those things to see if someone clears it up, and for a normal person it's fairly natural that you might get a small branch torn off a tree if it's been windy..

  33. Secondary Problem by Anonymous Coward · · Score: 0

    Lock picking is actually a bit rare. Most B&E's are smash and grab operations. The lock is forced and the criminal doesn't care about the damage. The whole dynamic of a B&E is to get in, grab some stuff and get out fast. The criminal is exquisitely sensitive to the amount of time they are in the home. Also, lock picking strands you on the wrong side of the door, exposed to the neighborhood doing something suspicious. This is all bad news for the criminal, really bad news.

    So fix the plaintext passwords and all that BS, just understand that you are fixing a secondary problem.

  34. We knew this... by Anonymous Coward · · Score: 0

    Wasn't this understood about Bluetooth from the start? That it was not and never supposed to be secure? It became the de facto short range tool because it was handy, not secure.

  35. Cheap ass by DrYak · · Score: 1

    And it would have nearly cost them as much to only obtain the *electro-mechanical* guts from Chinese (i.e.: physical lock + motors + power stage),
    hire some cryptography master student for an internship to write actually competent security code,
    and flash and solder some ATMega or other pico controller themselves.

    It would be both way much more secure.
    And they could proudly write some "assembled in USA" sticker on the box, knowing that they keep some jobs inland (the master student writing the picocontroller code and the assembly line that assembles the Chinese electromechanical part and the picocontroller).

    It would cost a little bit more, but they have good marketing arguments to make up for it (security and keeping jobs).

    Still, they didn't do it. They went instead for the cheap lazy shitty route.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  36. $100 BLE sniffer? No, $39 by FryingLizard · · Score: 1

    You want the Nordic nRF51-DK, a devboard which, when loaded with some free Nordic-provided firmware, is a most excellent BLE sniffer ("nRF-Sniffer") - plugs into Wireshark. You can probably lash one together for less than $39 (it's just an NRF51822 and a USB-UART) but this board is quite tasty.
    Anyway, $39 online. Highly recommended, I use it all the time.
    https://www.nordicsemi.com/eng/Products/nRF51-DK

    --
    [FrLz]

  37. Time for a wardrive by Anonymous Coward · · Score: 0

    Remember the annual World Wide Wardrives from years back? You know... where 10s of thousands of people would wardrive for wi-fi (and upload aggregate results to a central repository) in the name of bringing awareness to crappy wifi security to the world (and, by default, the router & modem manufacturers)? That's what gave the big push for the (basic) security we now have in our home systems. I suggest something similar for these locks; otherwise, the manufacturers will have no reason (shame) to change.
    ~dos4who