The DEF CON hacker conference was told that Bluetooth Low Energy smart locks can be hacked and opened by unauthorised users, but their manufacturers seem to want to do nothing about it.
Researcher Anthony Rose said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion locks had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. Which is what you want from a door lock.
Rose said that: “We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care. We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”
The issue is not with the Bluetooth Low Energy protocol but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks send their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
Two of those four models, the Quicklock Doorlock and Quicklock Padlock, sent the password twice, Rose said. He found that they could change the user password by returning the same command with the second iteration of the password changed to something else, freezing out the legitimate user.
“The user can’t reset it without removing the battery, and he can’t remove the battery without unlocking the lock,” Rose said.
Other lock manufacturers said they encrypted the user password for Bluetooth transmissions. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted.
An Okidokeys smart lock claimed it used a proprietary encryption format. Rose tried a “fuzzing” attack, sending random data to the lock to see how the software responded. By changing one byte in the encryption string, Rose said, the Okidokey entered an error state — and the lock opened.
“We contacted Okidokeys, and then they turned off their website. But you can still buy the locks on Amazon.”
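The two failures described above come down to how a lock checks an unlock request: a credential that is accepted again whenever it is resent (the replay case, encrypted or not), and a parser that treats a malformed packet as a reason to open rather than to refuse. The Python below is an added illustration written for this article, not code from the researchers or from any vendor named here; the lock, the phone side, the shared key and the message layout are all assumptions. It places a static-token lock next to a challenge-response lock that binds each attempt to a fresh random nonce with an HMAC and fails closed on anything it cannot parse.

```python
import hashlib
import hmac
import os

# Hypothetical shared secret provisioned at pairing time (constructed for the demo;
# a real product would derive it from a key exchange, never a hardcoded constant).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


class StaticTokenLock:
    """Weak design: the lock accepts any message carrying the expected credential,
    so a message captured once works every time it is resent."""

    def __init__(self, key: bytes):
        # Stands in for the 'encrypted password' the phone sends over the air.
        self._expected = hashlib.sha256(key).digest()

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._expected)


class ChallengeResponseLock:
    """Hardened design: the lock issues a fresh nonce per attempt and only opens
    for a MAC over that nonce computed with the shared key."""

    NONCE_LEN = 16
    TAG_LEN = 32  # SHA-256 output

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(self.NONCE_LEN)
        return self._pending

    def unlock(self, message: bytes) -> bool:
        nonce = self._pending
        self._pending = None  # consumed whether or not the attempt succeeds
        try:
            if nonce is None or len(message) != self.NONCE_LEN + self.TAG_LEN:
                return False
            msg_nonce, tag = message[: self.NONCE_LEN], message[self.NONCE_LEN :]
            if not hmac.compare_digest(msg_nonce, nonce):
                return False  # response is for a different (or stale) challenge
            expected = hmac.new(self._key, b"unlock|" + nonce, hashlib.sha256).digest()
            return hmac.compare_digest(tag, expected)
        except Exception:
            return False  # anything unexpected fails closed, never open


def phone_respond(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate app sends back: the nonce it was given plus its MAC."""
    return nonce + hmac.new(key, b"unlock|" + nonce, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Exercise both locks with a legitimate attempt, a resent copy of that
    attempt, a one-byte-corrupted response and a malformed packet."""
    results = {}

    weak = StaticTokenLock(SHARED_KEY)
    token = hashlib.sha256(SHARED_KEY).digest()
    results["weak_legit"] = weak.unlock(token)
    results["weak_resent"] = weak.unlock(token)  # same bytes again: still opens

    strong = ChallengeResponseLock(SHARED_KEY)
    first = phone_respond(SHARED_KEY, strong.challenge())
    results["strong_legit"] = strong.unlock(first)

    strong.challenge()  # new nonce for the next attempt
    results["strong_resent"] = strong.unlock(first)  # old response is rejected

    good = phone_respond(SHARED_KEY, strong.challenge())
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])
    results["strong_one_byte_changed"] = strong.unlock(corrupted)

    strong.challenge()
    results["strong_malformed"] = strong.unlock(b"\x00" * 5)
    return results


if __name__ == "__main__":
    for name, opened in run_scenarios().items():
        print(f"{name}: {'OPENED' if opened else 'refused'}")
```

The nonce is discarded before the response is checked, so a response can only ever be tried once against the challenge it was issued for, and every error path returns False; those two properties are what the locks in the article lacked.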
The Mesh Motion Bitlock bicycle lock was harder. Using free software, they replicated the lock’s wireless profile on an Android phone, then were able to stage a man-in-the-middle attack on the traffic flowing between the Bitlock, its smartphone app and Mesh Motion’s cloud servers.
“We contacted the Bitlock’s manufacturer and told them about this,” Rose said. “They said they’d fix the problem, but after three months they still haven’t.”
Kwikset and August locks could not be hacked. All four of the locks that resisted attack used encryption properly, offered two-factor authentication and contained no hardcoded passwords buried in the software. However, another presentation at DEF CON showed how to hack an August Smart Lock.
Nevertheless, Rose said, the takeaway was that 12 out of 16 Bluetooth Low Energy smart locks had broken security.