Slashdot Mirror


75 Percent of Bluetooth Smart Locks Can Be Hacked (tomsguide.com)

It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from the DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom's Guide reports: Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks -- including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. "We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'" The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

3 of 87 comments

  1. Re:Locks are for honest people :) by sexconker · · Score: 4, Insightful

    Such a bullshit cliche. Honest people don't need locks to stop them from opening things they shouldn't be opening.

  2. Same with keys. by gurps_npc · · Score: 4, Insightful

    Most locks can be opened in 5 seconds with a 'bump key'.

    Even the best locks can easily be defeated by a sledge hammer.

    The real advantage of most locks is that it TELLS you when they have been attacked. A good Bluetooth lock should keep an easily accessible record of how many times and when it was opened.

    But yes, this should be fixed. Even simple encryption is better than plain text password transmission.

    --
    excitingthingstodo.blogspot.com
  3. Re:Locks are for honest people :) by chiefcrash · · Score: 5, Insightful

    Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

    This is very true, but even then the lock accomplishes something else: it creates evidence of a break-in. You show your home insurance adjuster a kicked-in door, they cut a check. You swear up and down that you locked the door and someone must have hacked it, have a fun few months/years in court...

    Being able to hack the lock from a car parked on the street also has advantages: it cuts down on the amount of time and noise you have to make to break in. After all, there's a reason thieves are getting into electronic gizmos to unlock car doors...

    --
    Show me on the 1st Amendment bobblehead where the moderator touched you...