Wednesday, August 10, 2016

Bluetooth door locks - insecure and staying that way

Ah, the "Internet Of Things" - ubiquitous insecurity.  Not just coming to your house, but coming to your front door:
Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here. 
Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. 
"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"
None of these will ever come to my front door, and I recommend the same to you.

Security: not an afterthought - it wasn't thought of at all.


lee n. field said...

One of those things where I wonder "who in their right mind would want one?"

Unknown said...

Just in case anyone is interested, the slides and code from the DEFCON presentation are at the link.

"Security: not an afterthought - it wasn't thought of at all."

Preach it, Brother Borepatch. Someone created a security product that is vulnerable to replay attacks? In feakin' 2016?

Unknown said...

If you buy a lock for your front door that has "Okiedokie" any on the packaging, you get what you deserve/

Unknown said...

ANYWHERE on the packaging.

Obviously, I'm an engineer for Okiedokie Lock and Spindle Company.

Borepatch said...

Lee, I sure don't want one.

Unknown, can I get an "Amen"? ;-)

Jason, it's like a "Not Too Bad Lock Company".

Unknown said...


(And all of my locks are products of the Acme Safe and Lock Company. "Acme: Coyote tested, coyote approved.")

Eagle said...

Not just locks - stay as far away from BLE medical devices as you can.

Divemedic said...

Even key locks can be "hacked" by people with lock picks. Instead of trying to figure out IF you can jack a lock, perhaps rating how difficult it is would be more helpful.

I assume that any lock can be defeated, and even if a lock were designed well enough to be foolproof, a burglar can always break a window, or just kick in the door.

As a firefighter for m ore than 22 years, I gained access to literally thousands of houses and businesses. There was not a single one that I failed to gain entry to- nearly all of them in less than a minute.

Sean D Sorrentino said...

I'm with Divemedic, here. Is it easier or harder to hack these Bluetooth locks than just picking it? Is the average crack junkie going to hack my door lock? Or is he just going to kick in the back door?

abnormalist said...

Sean and divemedic have it right.

Know what the most commonly used lock pick is? A pry bar or a rock.

I pick locks for fun, I have a set of picks in my back pocket right now, and bump keys on my keychain for the sc1- and kw1 type locks (Abut 85% of home lock sets)

I've helped friends cleanup and recover from break ins on several occasions. Usually the back door is targeted, and the door jamb is attacked with a pry bar, or a window in the door is smashed with a rock so the perp can reach in and open the door.

Keep your home well lighted, use a vertical (jimmy proof) deadbolt, solid doors without windows, have a dog, preferably don't live in the hood, and you'll be ok.

Reason I say don't live in the hood, is its amazing how many people in suburbia don't lock their doors. Your house doesnt have to be fort knox if the neighbors door isn't locked.