Slashdot Mirror


75 Percent of Bluetooth Smart Locks Can Be Hacked (tomsguide.com)

It turns out, the majority of Bluetooth smart locks you see on the market can easily be hacked and opened by unauthorized users. The news comes from the DEF CON hacker conference in Las Vegas, where security researchers revealed the vulnerability, adding that concerned OEMs are doing little to nothing to patch the hole. Tom's Guide reports: Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks -- including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. "We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'" The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
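
The plaintext-password flaw described above, next to a design where a recorded frame is useless, as an added example that is not from the article or the researchers. It is an in-memory simulation with no radio code; the class names, the `b"unlock"` label and the key shared at pairing are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def app_response(key: bytes, nonce: bytes) -> bytes:
    """Tag the phone app returns for one challenge; the key itself is never sent."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()


class PlaintextLock:
    """Weak design from the article: the password itself goes over the air."""

    def __init__(self, password: bytes):
        self._password = password

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._password)


class ChallengeResponseLock:
    """Hardened sketch: each unlock answers a fresh, single-use nonce."""

    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None  # outstanding challenge, if any

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consume the challenge
        if nonce is None:
            return False
        return hmac.compare_digest(tag, app_response(self._key, nonce))


def replay_outcomes() -> dict:
    """Do one legitimate unlock per design, then resend the recorded frame."""
    weak = PlaintextLock(b"constructed-password")  # constructed sample value
    recorded_weak = b"constructed-password"        # what a sniffer would record
    key = secrets.token_bytes(32)                  # assumed set up at pairing
    strong = ChallengeResponseLock(key)
    recorded_tag = app_response(key, strong.challenge())
    legit_strong = strong.unlock(recorded_tag)
    strong.challenge()                             # lock issues a new nonce
    return {"legit_weak": weak.unlock(recorded_weak), "replay_weak": weak.unlock(recorded_weak),
            "legit_strong": legit_strong, "replay_strong": strong.unlock(recorded_tag)}
```

The recorded password opens the first lock every time, while the recorded tag fails against the second because it was computed over a nonce the lock has already consumed.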

15 of 87 comments

  1. Locks are for honest people :) by wangmaster · · Score: 2, Interesting

    I go by the notion that locks are for honest people and things like smartlocks and connected locks are primarily for the convenience of the owner. Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out. So while I'm disappointed at the overall non-concern for real security by the manufacturers, I'm not incredibly surprised and I'd be really surprised, outside of a handful of specific targeted cases, that any real thief would even bother with hacking a lock.

    1. Re:Locks are for honest people :) by sexconker · · Score: 4, Insightful

      Such a bullshit cliche. Honest people don't need locks to stop them from opening things they shouldn't be opening.

    2. Re:Locks are for honest people :) by wangmaster · · Score: 2

      That's not really an accurate analogy. One wouldn't need to hack the lock of a jeep to get access to the contents of the jeep.

    3. Re:Locks are for honest people :) by chiefcrash · · Score: 5, Insightful

      Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

      This is very true, but even then the lock accomplishes something else: it creates evidence of a break-in. You show your home insurance adjuster a kicked in door, they cut a check. You swear up and down that you locked the door and someone must have hacked it, have a fun few months/years in court...

      Being able to hack the lock from a car parked on the street also has advantages: it cuts down on the amount of time and noise you have to make to break in. After all, there's a reason thieves are getting into electronic gizmos to unlock car doors...

      --
      Show me on the 1st Amendment bobblehead where the moderator touched you...
  2. Same as regular locks? by phorm · · Score: 2

    "had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit."
    and
    "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

    Soooo... pretty much the same standard as most consumer (non-smart) locks? I agree that it's pretty pathetic, but given that most locks are susceptible to a "bump key" and that even some supposedly secure safes can be easily opened with a magnet, the locks are mostly about keeping honest people honest, and do little to deter thieves.

    For the price of smart locks though, perhaps one should expect a slightly better attitude regarding security. Generally for $100-200 you can get a fairly decent door-lock in the non-smart variety.

    1. Re:Same as regular locks? by phorm · · Score: 2

      Yeah, especially since I actually mentioned them in my post...
      Maybe a video would help illustrate how quickly these things work.

  3. Transmit the password as cleartext? by Snotnose · · Score: 2

    We all know most people only have 2-3 passwords, which get used for the dozens of times a password is needed. If I sniffed a password I wouldn't bother with the lock, I'd start seeing what else used that same password.

  4. Keep honest people honest but make a good product by sjbe · · Score: 2

    I go by the notion that locks are for honest people and things like smartlocks and connected locks are primarily for the convenience of the owner. Realistically, for most consumer applications of locks, if someone wanted to get in, the lock isn't keeping them out.

    That's true but there is no point in making it easier than necessary for a lock to get picked. At least with the deadbolt on my door someone would either have to A) smash the door which tends to leave evidence or B) pick the lock which (should) take non-trivial amounts of time. You are quite correct that locks are generally more for keeping honest people honest than to keep out determined criminals but that doesn't excuse making a shoddy, easily bypassed product.

  5. Breaking news! by otaku244 · · Score: 2
    Obligatory XKCD: https://xkcd.com/538/

    I agree that this is a clear vulnerability... but seriously: if a single lock is the only thing separating an intruder and your valuables, Bluetooth isn't going to save you any more than a standard tumbler lock.

    If anything, the data spillage on the password is the biggest problem (given people's propensity to recycle passwords). NOW the *ahem* "hacker" probably has a good guess on the login to your computer, wifi, bank account, etc. To prevent this human performance error, they should probably ditch the password in preference to some other key salted from a sensor on the device itself. That way, it's set once, provides a key to input to your mobile devices, and then be changed whenever you find out your spouse is cheating on you.

    In deference to the XKCD, though, said spouse would probably kick the door down... so better make sure there's a backup plan!

    --
    Mod me down, I shall become more off-topic than you could possibly imagine.
  6. Re: 100% by Anonymous Coward · · Score: 2, Informative

    The update at the end of the article states the August smartlock, one of the 4 called out as being good, has now been hacked. Up to 81% at least

  7. Re:Keep honest people honest but make a good produ by Anonymous Coward · · Score: 4, Informative

    Most house deadbolts take about 1 second to covertly open:

    https://www.youtube.com/watch?v=iaBIvKzBCxI

    Hopefully you bought a replacement for the junk the builder installed.

  8. Failure on all fronts by ia.echo.hotel · · Score: 2

    Master Lock's Bluetooth padlock has a body that's just straight up pot metal and won't stand up to a decent smack. https://www.youtube.com/watch?...

  9. Same with keys. by gurps_npc · · Score: 4, Insightful

    Most locks can be opened in 5 seconds with a 'bump key'.

    Even the best locks can easily be defeated by a sledge hammer.

    The real advantage of most locks is that it TELLS you when they have been attacked. A good Bluetooth lock should keep an easily accessible record of how many times and when it was opened.

    But yes, this should be fixed. Even simple encryption is better than plain text password transmission.

    --
    excitingthingstodo.blogspot.com
  10. Re:Keep honest people honest but make a good produ by RobertNotBob · · Score: 2

    Sjbe, I was sorely disappointed to discover how NOT NON trivial it is to pick most commercial locks (meaning, of course, that it IS trivial.) - after watching a 25 minute DVD and practicing for less than 15 minutes (meaning my total investment in this skill is less than one hour), I myself am able to do it in less than 20 seconds. I can only imagine that for an actual thief with experience, that the time is less than 5 seconds. -- That seems pretty trivial to me. That's why I have a mechanical, electrical and biological system of overlapping security systems now.

    --
    ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
  11. Locksmith told me Kwikset is unpickable by MillerHighLife21 · · Score: 2

    Not all Kwikset but apparently the new ones that you can re-key yourself. He said the tool that's supposed to let locksmiths pick them won't even work. Locked myself out one day and discovered that my only option was basically going to be to drill through it.

    Made me both happy and sad at the same time....

    --
    "Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson