A security researcher has found that 75% of Bluetooth door locks on sale today can be easily hacked and unlocked. Anthony Rose, who is also an electrical engineer, was able to open 12 out of 16 locks by hacking into their Bluetooth connection.
Speaking at the Def Con hacker conference in Las Vegas, Rose revealed he could disable the so-called smart locks via their Bluetooth connection, which is normally used to create a secure connection between the lock and the owner's smartphone.
Shockingly, Rose said the manufacturers of these locks "actually don't care...we contacted 12 vendors. Only one responded, and they said: 'We know it's a problem, but we're not going to fix it'."
Rose found four of the locks he tested transmitted their users' passwords in plaintext to the smartphone paired with the lock. Disabling the lock meant purchasing a £75 Bluetooth 'sniffer', which can capture the password and read it as it is being handed from the smartphone to the lock. Someone standing within 10 meters of the door as it is unlocked could capture the password, then come back and unlock the door at a later date.
Other low-tech equipment used by Rose included a £30 Raspberry Pi computer, a £40 antenna and a £10 USB Bluetooth dongle.
Two of the locks sent the password twice, making it even easier for a potential burglar to grab, and also letting them create a new password and send this back to the lock, locking the owner out. "The user can't reset it without removing the battery, and he can't remove the battery without unlocking the lock," Rose said, adding: "Smart locks appear to be made by dumb people."
One lock prevented users from creating a password longer than six digits, leaving it open to a brute force attack, where a computer can be used to systematically guess until the right combination is found. Another hard-coded its administrator password into its software, meaning it cannot be changed. The password was, ironically, 'thisisthesecret'.
Some locks encrypt their passwords, Rose found, with the intention of making it impossible for someone to find out what the password is. But with one lock Rose found he could grab the encrypted password with his Bluetooth sniffer, then fire it back at the lock, which unlocked it. There was no need to decrypt the password. Another lock sprang open when Rose changed just one byte of the encryption string; this forced the lock, made by Okidokey, into a panic mode, causing it to open.
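Why encrypting a fixed password does not stop the replay described above, and what a lock needs instead, shown as an added example that is not from Rose's talk or any vendor's firmware. The class names, the HMAC-SHA256 challenge-response scheme and the sample token are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

class StaticTokenLock:
    """Weak model: the lock accepts the same encrypted blob every time."""
    def __init__(self, token: bytes):
        self._token = token

    def try_unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._token)

class ChallengeResponseLock:
    """Hardened model: each unlock must answer a fresh, single-use nonce."""
    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def try_unlock(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # a nonce is consumed on first use
        if nonce is None:
            return False
        try:
            expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
            return hmac.compare_digest(response, expected)
        except Exception:
            return False  # malformed input fails closed: the lock stays locked

def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the paired phone sends back for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    token = b"constructed-encrypted-password-blob"  # constructed sample value
    recorded = bytes(token)  # identical bytes seen on the air during one unlock
    results = {"static_replay": StaticTokenLock(token).try_unlock(recorded)}

    key = secrets.token_bytes(32)  # shared secret set at pairing (assumption)
    lock = ChallengeResponseLock(key)
    response = phone_response(key, lock.challenge())
    results["legitimate"] = lock.try_unlock(response)
    lock.challenge()  # the lock issues a new nonce for the next attempt
    results["nonce_replay"] = lock.try_unlock(response)
    good = phone_response(key, lock.challenge())
    results["one_byte_changed"] = lock.try_unlock(bytes([good[0] ^ 1]) + good[1:])
    return results
```

The static lock accepts the recorded bytes, while the challenge-response lock rejects both the recorded response and the message with one byte changed.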
The Okidokeys website is no longer available, yet its Bluetooth locks can still be bought on Amazon for over £400. Another lock hacked by Rose is made by Bitlock, who said they would fix the problem. But, the researcher says, "after three months they still haven't."
The good news is that, of all the locks Rose tested, those made by Kwikset, Noke Locks, Masterlock and August could not be unlocked.
Here is a quick list of the locks which failed Rose's test:
- Quicklock doorlock
- Quicklock padlock
- IBluLock padlock
- Plantrace Phantomlock
- Ceomate Bluetooth Smart Doorlock
- Lagute Sciener Smart Doorlock
- Vians Bluetooth Smart Doorlock
- Elecycle EL797
- Elecycle EL797G
- Bluetooth locks produced by Okidokey
- Kwikset Kevo - offered "fantastic" software security, but could be opened easily with a screwdriver