75 Percent of Bluetooth Smart Locks Can Be Hacked

It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom's Guide reports: Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks -- including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. "We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'" The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

Locks are for honest people :)

[wangmaster]

I go by the notion that locks are for honest people and things like smartlocks and connected locks are primarily for the convenience of the owner. Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out. So while I'm disappointed at the overall non-concern for real security by the manufacturers, I'm not incredibly surprised and I'd be really surprised, outside of a handful of specific targetted cases, that any real thief would even bother with hacking a lock.

Re:Locks are for honest people :)

[sexconker]

Such a bullshit cliche. Honest people don't need locks to stop them from opening things they shouldn't be opening.

Re: Locks are for honest people :)

[c-A-d]

According to BosnianBill on YouTube, MasterLock's main weakness is the tumbler. check out his videos. He rakes a MasterLock with a ziptie and opens it.

Re: Locks are for honest people :)

[easyTree]

To keep those on the line between honesty and criminality from straying across without effort - like a fence.

Re:Locks are for honest people :)

[wangmaster]

That's not really an accurate analogy. One wouldn't need to hack the lock of a jeep to get access to the contents of the jeep.

Re: Locks are for honest people :)

[wangmaster]

Exactly. The nihilistic view of honest people is that they are simply an opportunity away from being a dishonest person :).

Re: Locks are for honest people :)

[dpidcoe]

Did you see his video on the bluetooth masterlock though? 3 blows with a standard claw hammer blew it apart.

Re:Locks are for honest people :)

[chiefcrash]

Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

This is very true, but even then the lock accomplishes something else: it creates evidence of a break-in. You show your home insurance adjuster a kicked in door, they cut a check. You swear up and down that you locked the door and someone must have hacked it, have a fun few months/years in court...

Being able to hack the lock from a car parked on the street also has advantages: it cuts down on the amount of time and noise you have to make to break in. After all, there's a reason thieves are getting into electronic gizmos to unlock car doors...

Re: Locks are for honest people :)

[easyTree]

Yep, we need meta insurance. Oh wait.

Re:Locks are for honest people :)

[Ungrounded+Lightning]

As you said these are convenience things, and short of someone looking to specificly target that home these bluetooth locks probably shouldn't be on the front-door in the first place. They should be on the carport door, where you want a quick entry/exit, and still have the garage door as a second barrier.

Crooks LOVE unlocked garages or other crummy garage security. It gives them plenty of time unobserved to deal with the garage/house door.

Re:Locks are for honest people :)

[viperidaenz]

Then they realised the IoT devices were using 900MHz or 433, or 468, or 968... or 5.8GHz.. or cellular.

Their 2.4GHz high-power device is also illegal, so they're breaking and entering and violating FCC rules turning their crime into a federal offence.

Re:Locks are for honest people :)

[sexconker]

Do you even know what "cliche" means? What cliche did I use?

Re:Locks are for honest people :)

[HornWumpus]

Because of all the law enforcement agencies in the USA, uncle charlie is the one to fear most?

Uncle charlie doesn't care what you do as long as you don't interfere with their cash cows. 1000W linear on a crappy CB, no enforcement, had to put a pin through the jackass's coax myself.

Re:Locks are for honest people :)

[swillden]

This is very true, but even then the lock accomplishes something else: it creates evidence of a break-in.

A bump key or a properly-handled tensioner and rake don't leave any evidence.

Re:Locks are for honest people :)

[skids]

Honest people don't need locks to stop them from opening things they shouldn't be opening.

This may be true of your home's exterior door or your car door in modern western society, but it certainly is not in
other settings. People often find themselves in situations where they need to try doorknobs until they find the right
room/closet, and a locked door is a good way to tell them "not the right door." Signs are usually a better way, but
sometimes it is silly to put a sign on everything.

For example, you don't leave the door to your dangerous laboratory unlocked and then send your temp worker
down the hallway to empty all the trash pails.

It's sort of like saying AAA isn't needed to stop honest people from assuming a website is for public use...
an honest person will usually eventually figure material should not have been left posted, but they may
end up seeing or doing something they were not supposed to before then, especially if they come in via
a link to a subpage... unless you put a header at the top of every page saying "don't read this."

Re:Locks are for honest people :)

[chiefcrash]

Not quite true, though at that point you'd have to pay a forensic locksmith to take apart the lock. The act of key bumping basically slams the key against the bottom pins to allow for kinetic energy to be transferred from the key to the top pins. Because they are immobile and absorb the kinetic energy, this causes considerable damage to the bottom pins in the form of large dents and scratches. Similarly, picking the lock tends to leave distinctive scratches on the interior pins...

Re:Locks are for honest people :)

[swillden]

That makes sense. However, it doesn't really affect the point. If you have to disassemble the lock to discover that there was a break-in, then you'll never know there was a break-in. I suppose if you have some *other* reason to believe there might have been a break-in the lock could provide evidence, but that seems like a pretty rare situation, one which wouldn't justify putting locks everywhere.

Re:Locks are for honest people :)

[peawormsworth]

Why do they need a lock, if they have nothing to hide?

Same as regular locks?

[phorm]

"had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit."
and
"We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

Soooo... pretty much the same standard as most consumer (non-smart) locks? I agree that it's pretty pathetic, but given that most locks are susceptible to a "bump key" and that even some supposedly secure safes can be easily opened with a magnet, the locks are mostly about keeping honest people honest, and do little to deter thieves.

For the price of smart locks though, perhaps one should expect a slightly better attitude regarding security. General for $100-200 you can get a fairly decent door-lock in the non-smart variety.

Re:Same as regular locks?

[iMadeGhostzilla]

The difference is dumb locks you have to access physically to break them open and while doing so you may look suspicious -- there is a time pressure that raises the barrier. With smart locks, you can take your time working the lock at a distance, and once it is unlocked you can casually access the protected item as if it were yours.

Re:Same as regular locks?

[phorm]

Yeah, especially since I actually mentioned them in my post...
Maybe a video would help illustrate how quickly these things work.

Transmit the password as cleartext?

[Snotnose]

We all know most people only have 2-3 passwords, which get used for the dozens of times a password is needed. If I sniffed a password I wouldn't bother with the lock, I'd start seeing what else used that same password.

Keep honest people honest but make a good product

[sjbe]

I go by the notion that locks are for honest people and things like smartlocks and connected locks are primarily for the convenience of the owner. Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

That's true but there is no point in making it easier than necessary for a lock to get picked. At least with the deadbolt on my door someone would either have to A) smash the door which tends to leave evidence or B) pick the lock which (should) take non-trivial amounts of time. You are quite correct that locks are generally more for keeping honest people honest than to keep out determined criminals but that doesn't excuse making a shoddy, easily bypassed product.

Breaking news!

[otaku244]

Obligatory XKCD: https://xkcd.com/538/

I agree that this is a clear vulnerability... but seriously: if a single lock is the only thing separating an intruder and your valuables, bluetooth isn't going to save you anymore than a standard tumbler lock.

If anything, the data spillage on the password is the biggest problem (given people's propensity to recycle passwords). NOW the *ahem* "hacker" probably has a good guess on the login to your computer, wifi, bank account, etc. To prevent this human performance error, they should probably ditch the password in preference to some other key salted from a sensor on the device itself. That way, it's set once, provides a key to input to your mobile devices, and then be changed whenever you find out your spouse is cheating on you.

In deference to the XKCD, though, said spouse would probably kick the door down... so better make sure there's a backup plan!

Hackdot?

[Tablizer]

There's an increasing number of security-related Slashdot stories. While not necessarily a bad thing, perhaps an easier way should be provided to browse non-security-related stories when one wants to. Suggestions welcome.

Security certainly is a growing problem, I don't dispute that, but reading too many gets depressing.

A preliminary suggestion is to adjust the top "Categories" to have checkmarks. Your preferred (default) checkmarks would be stored with your user profile, along with a link next to the category menu to change preferences (to avoid hunting around in menu trees).

Draft categories:

* Hardware
* Security
* Development
* Open Source
* Non-IT STEM
* Politics
* Social Media / Entertainment
* Other

One would uncheck categories they don't want included.

Many stories will fall into multiple categories, which could make things tricky. There are of course UI's for fancier filtering, but that may be overkill. Maybe color coding of some kind?

Telnet

[invictusvoyd]

Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

Right

Re: 100%

The update at the end of the article states the August smartlock, one of the 4 called out as being good, has now been hacked. Up to 81% at least

"...we're not gonna fix it"

[fustakrakich]

I wonder, does this attitude have any effect on sales? To explicitly state this publicly must mean they are very confident that it doesn't.

Wow

[easyTree]

Only 75%

It turned out that the vendors actually don't care,

Omg. It's almost as if their interest ends at getting your money. Who'd have thunk?

That's because the default pin

[SailorSpork]

That's because the default pin for 75% of Bluetooth locks is either 0000 or 1234.

Re:Keep honest people honest but make a good produ

Most house deadbolts take about 1 second to covertly open:

https://www.youtube.com/watch?v=iaBIvKzBCxI

Hopefully you bought a replacement for the junk the builder installed.

Failure on all fronts

[ia.echo.hotel]

Master Lock's Bluetooth padlock has a body that's just straight up pot metal and won't stand up to a decent smack. https://www.youtube.com/watch?...

Same with keys.

[gurps_npc]

Most locks can be opened in 5 seconds with a 'bump key'.

Even the best locks can easily be defeated by a sledge hammer.

The real advantage of most locks is that it TELLS you when they have been attacked. A good Bluetooth lock should keep an easily accessible record of how many times and when it was opened.

But yes, this should be fixed. Even simple encryption is better than plain text password transmission.

Re:Same with keys.

[bhetrick]

Actually, I think plain text is better than poor encryption. Poor encryption is worse than none, as it leads you to believe the communication is "secure" (and gives the marketing weasels air cover). At least with plain text, you know it's vulnerable.

Re:Same with keys.

> Even the best locks can easily be defeated by a sledge hammer.

https://www.youtube.com/watch?v=mkP1rA5Jhpw

Re:Keep honest people honest but make a good produ

[RobertNotBob]

Sjbe, I was sorely disappointed to discover how NOT NON trivial it is to pick most commercial locks (meaning, of course, that it IS trivial.) - after watching a 25 minute DVD and practicing for less than 15 minutes (meaning my total investment in this skill is less than one hour), I myself am able to do it in less than 20 seconds. I can only imagine that for an actual thief with experience, that the time is less than 5 seconds. -- That seems pretty trivial to me. That's why I have a mechanical, electrical and biological system of overlapping security systems now.

Cryptography

[DrYak]

I am not willing to pay or put up with the inconvenience of perfect physical security for my home.

The thing is, perfect smart lock (I mean, at least perfect on the software side) are technically possible.
There are modern cryptographic method that could work very well in this situation.

The smartlock makers where simply too lazy to even try it.
And that's sad.

Re:Cryptography

[dgatwood]

They're probably not lazy, but rather they probably all obtained the electronic guts from some Chinese manufacturer that builds lock guts for hundreds of different companies, using basically the same firmware, just changing the VID/PID pairs. The lock manufacturer probably played no part in the development of the electronics or in the firmware that runs on the device, which means that any fix would require them to lean on the actual hardware vendor, who would then do anything and everything to avoid actually fixing the problem—assuming the firmware is even field-upgradable in the first place.

75% today

[JustAnotherOldGuy]

75% today, but it'll be 100% in a few weeks or maybe a few months.

Bolt cutters

[BlytheBowman]

I think you are still more at risk from the low tech methods of getting past locks, but the "fuck you, we don't care" additude these companies are showing is very alarming.

"smart" things

[Gravis+Zero]

does anyone else think all the "smart" devices are really just stupid ways of solving a previously solved problem?

Re:"smart" things

[Vadim+Makarov]

I agree. In three years half the startups making them will be dead, and so will the app. The only remaining opening method will be keypad code entry, until electronics dies and no service is available. I'd approach these expensive toys with caution. They are probably not worth the price.

I am shocked

[WillAffleckUW]

Shocked that the "hackers" can only break 75 percent.

They must be n00bZ

Re:Newsflash

[WillAffleckUW]

Hammers and cold steel pry bars work well.

We used to open military cases with those. Faster than trying to get the rusted lock open.

Safety is a myth. Everything can be opened, if you're willing to do it.

Locksmith told me Kwikset is unpickable

[MillerHighLife21]

Not all Kwikset but apparently the new ones that you can re-key yourself. He said the tool that's supposed to let locksmiths pick them won't even work. Locked myself out one day and discovered that my only option was basically going to be to drill through it.

Made me both happy and sad at the same time....

Re:Locksmith told me Kwikset is unpickable

[naughtynaughty]

Your locksmith was incorrect.

https://www.youtube.com/watch?...

But his incorrect information did allow him to charge you for drilling out your old lock and sell you a new one.

Re:These are actually LUDDITE locks.

[viperidaenz]

If they used LUDDITE locks instead of APPY locks, then those APPY hackers wouldn't have been able to hack the LUDDITE locks

Luddite!

Re:Keep honest people honest but make a good produ

[recjhl]

It sounds too inconvenient for most people. One more lock, and it will be faster to break in than use to keys.

95% of regular locks can be hacked

[naughtynaughty]

Not that reporting insecurities in Bluetooth implementations isn't important, but the reality is someone is far more likely to kick your door open or manipulate your mechanical lock than they are to go to the trouble of sniffing your short range BTLE traffic to find a way to electronically open your lock.

most physical locks are also pickable

[johnrpenner]

mosty physical locks are also pickable — with a pick and a tension bar — at 25% — the electronic locks might be less pickable than their physical counterparts.. :-p

Who cares

[ironicsky]

Honestly... who cares, really. Smart locks aren't about security, they are about convenience. The fact that most residential mechanical locks can be picked in mere seconds by a skilled lock smith with cheap tools should be more concerning. A hacker will need specialized software to hack bluetooth locks, greatly reducing the likelihood of a bad-dooer doing something to your house.

Further, locks don't stop dishonest people from doing dishonest things. You could kick down a door faster than you can pick the lock or bluetooth hack it. Its just a hell of a lot noisier. Locks stop honest people from trying to be dishonest people.

Re:August Lock for the win!

[GunR]

It didn't last long, I guess (from article): "Update: In an Aug. 7 presentation at DEF CON, another researcher showed how he'd defeated most of the security precautions on the August Smart Lock.".

Not sure what "most of the security" pertains to, though.

Cheap ass

[DrYak]

And it would have nearly cost them as much to only obtain the *electro-mecanical* guts from Chinese (i.e.: physical lock + motors + power stage),
hire some cryptography master student for an internship to write actually competent security code,
and flash and solder some ATMega or other pico controller themselves.

It would be both way much more secure.
And they could proudly write some "assembled in USA" sticker on the box, knowing that they keep some jobs inland (the master student writing the picocontroller code and the assembly line that assembles the chinese electromecanical part and the picocontroller).

It would cost a little bit more, but they have good marketing arguments to make up for it (security and keeping jobs).

Still, they didn't do it. They went instead for the cheap lazy shitty route.

$100 BLE sniffer? No, $39

[FryingLizard]

You want the Nordic nRF51-DK, a devboard which, when loaded with some free Nordic-provided firmware, is a most excellent BLE sniffer ("nRF-Sniffer") - plugs into Wireshark. You can probably lash one together for less than $39 (it's just an NRF51822 and a USB-UART) but this board is quite tasty.
Anyway, $39 online. Highly recommended, I use it all the time.
https://www.nordicsemi.com/eng/Products/nRF51-DK