The bad ones send passwords in plaintext, the good ones can’t survive a screwdriver
DEF CON Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit and some can be broken into from 400 metres away.
In a presentation to the DEF CON hacking conference in Las Vegas, security researcher Anthony Rose detailed how to hack these supposedly smart locks using the US$100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle.
“Smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren’t bothered about fixing their hardware.”
Some of the locks he tested were ridiculously easy to crack with this kit.
Four of them, the Quicklock doorlock and padlock, the IBluLock padlock, and the Plantrace Phantomlock, transmit their passwords in plaintext – making it trivially easy for a data sniffer to pick up the code once the lock is used.
Five more locks are susceptible to replay attacks whereby a hacker picks up the signal when the lock is used, stores it, then sends it again to unlock the device.
The susceptible systems were the Ceomate Bluetooth Smart Doorlock, the Lagute Sciener Smart Doorlock, the Vians Bluetooth Smart Doorlock, and the Elecycle EL797 and EL797G smart padlocks.
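Why a recorded unlock message works a second time, and how a fresh per-attempt nonce stops it, shown as an added example that is not from Rose's talk or any vendor's firmware. The two lock classes, the key, and the `UNLOCK` message format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key

def tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 over msg; stands in for whatever MAC a lock would use."""
    return hmac.new(key, msg, hashlib.sha256).digest()

class StaticCommandLock:
    """Accepts the same unlock bytes every time, so a recorded frame stays valid."""
    def __init__(self, key: bytes):
        self._expected = tag(key, b"UNLOCK")

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._expected)

class ChallengeResponseLock:
    """Issues a fresh random nonce per attempt and accepts one response to it."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False  # no outstanding challenge
        expected = tag(self._key, b"UNLOCK" + self._nonce)
        self._nonce = None  # single use, even after a failed attempt
        return hmac.compare_digest(response, expected)

def replay_outcomes() -> dict:
    """Record one legitimate unlock per design, then resend the recorded bytes."""
    static = StaticCommandLock(KEY)
    recorded_static = tag(KEY, b"UNLOCK")  # what the app sends every time
    static_first = static.unlock(recorded_static)
    cr = ChallengeResponseLock(KEY)
    recorded_cr = tag(KEY, b"UNLOCK" + cr.challenge())  # app answers this nonce
    cr_first = cr.unlock(recorded_cr)
    cr.challenge()  # the next attempt gets a new nonce
    return {"static_first": static_first,
            "static_replay": static.unlock(recorded_static),
            "cr_first": cr_first,
            "cr_replay": cr.unlock(recorded_cr)}
```

The static design accepts the recorded bytes again even though they are authenticated with a key, because nothing in the message changes between uses; the challenge-response design rejects them because the response is bound to a nonce that is no longer outstanding.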
Rose said his equipment made it easy to crack the locks, but there are other methods that are less conspicuous.
As we saw in February with the SimpliSafe hack, an attacker could simply hide a sniffer behind some bushes and come back for it later.
Some manufacturers are still making basic mistakes that also leave them highly vulnerable. One brand, Quicklock, only allows six-digit passwords, making it trivially easy to brute force, while another manufacturer hardcoded the administrator’s password (ironically the phrase “thisisthesecret”) in the firmware and Rose was able to find it.
Fuzzing also proved very effective at finding flaws in the source code for many locks, as did crashing them.
By sending malformed packets at one lock he managed to crash it, causing the lock to automatically open.
When Rose contacted the 12 manufacturers about these issues the response was almost universally negative. One Chinese manufacturer shut down its website, but still sells on Amazon.
Ten other companies simply ignored his messages. One firm did come back to him, acknowledging the issue, but said it wasn’t going to fix it.
Four locks did hold up, however, so if you’re in the market for such a device then check out the Noke Locks, Masterlock, and the August doorlock.
The Kwikset Kevo lock has a “fantastic” software security system with strong crypto, Rose said, but should be avoided because the lock was so badly made you could open it in seconds with a screwdriver.