Researchers Show 75% of Bluetooth Locks Can Be Hacked Wirelessly

Electrical engineer and security researcher Anthony Rose revealed at the DEF CON hacker conference earlier this week that the majority of Bluetooth Low Energy smart locks can be hacked and opened by unauthorised users, and that their manufacturers are doing nothing about it (via Tom’s Guide). He said that he and his fellow researcher Ben Ramsey were able to open 12 out of 16 Bluetooth smart locks they tested, using simple wireless attacks.


Rose shared that Bluetooth locks from manufacturers like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. “We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”

The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air. 

Two of those four models, the Quicklock Doorlock and Quicklock Padlock, sent the password twice, Rose said. He and Ramsey found that they could change the user password by returning the same command with the second iteration of the password changed to something else, freezing out the legitimate user. “The user can’t reset it without removing the battery, and he can’t remove the battery without unlocking the lock,” Rose said.
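To make the plaintext double-password flaw concrete, here is an added toy model (constructed for this article, not any vendor's actual protocol): a weak lock that checks the first copy of the password and stores the second, beside a hardened design that binds each command to a fresh nonce with an HMAC under a key shared at pairing, so a captured frame is useless whether resent as-is or altered.

```python
import hashlib, hmac, secrets

# Constructed toy model of the weak design described above (not any vendor's code):
# the app sends "<password>|<password>" in the clear and the lock stores the second
# field as the new password after checking the first, so a sniffed frame can be resent.
class WeakLock:
    def __init__(self, password):
        self.password = password
    def handle(self, frame):
        auth, second_copy = frame.split("|", 1)
        if not hmac.compare_digest(auth, self.password):
            return False
        self.password = second_copy  # silently accepts a changed second copy
        return True

# Hardened design: the lock issues a fresh nonce per attempt and accepts a command only
# with a valid HMAC over (nonce, command) under a key the app and lock share from pairing.
class HardenedLock:
    def __init__(self, key):
        self.key, self.nonce = key, None
    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce
    def handle(self, command, tag):
        nonce, self.nonce = self.nonce, None  # one-shot nonce: a replayed frame cannot match
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) and command == b"UNLOCK"

def sign(key, nonce, command):
    return hmac.new(key, nonce + command, hashlib.sha256).digest()

def demo_weak():
    lock = WeakLock("hunter2")
    sniffed = "hunter2|hunter2"                      # the owner's legitimate unlock frame
    tampered = lock.handle("hunter2|not-the-owner")  # same frame, second copy altered
    owner_again = lock.handle(sniffed)               # the owner's own frame now fails
    return tampered, owner_again, lock.password      # (True, False, 'not-the-owner')

def demo_hardened():
    key = secrets.token_bytes(32)
    lock = HardenedLock(key)
    legit = lock.handle(b"UNLOCK", sign(key, lock.challenge(), b"UNLOCK"))
    captured_tag = sign(key, lock.challenge(), b"UNLOCK")  # tag valid for one fresh nonce
    tampered = lock.handle(b"SETPW", captured_tag)   # altered command: HMAC mismatch
    lock.challenge()                                  # a later attempt gets a new nonce
    replayed = lock.handle(b"UNLOCK", captured_tag)  # signed under the old nonce: fails
    return legit, tampered, replayed                 # (True, False, False)
```

The weak model reproduces the lock-out the article describes: once the second copy is changed, the owner's own frame no longer authenticates.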

There were four smart locks, including models made by Kwikset and August, that Rose said he and Ramsey were unable to hack into. All four used encryption properly, offered two-factor authentication and contained no hardcoded passwords buried in the software.

“Technology runs through my veins...” | Follow me: @DrUsmanQ usman@iPhoneinCanada.ca

  • Wes

    Update: In an Aug. 7 presentation at DEF CON, another researcher showed how he’d defeated most of the security precautions on the August Smart Lock.

  • johnnygoodface

    “Kwikset and August failed to hack into”… Maybe it has something to do with the fact that they’re using HomeKit? Hmmm? 😉 To make a story short: HomeKit certified hardware includes a dedicated security co-processor paired with 3072-bit keys and the very secure Curve25519 key exchange system (which is an encrypted key exchange system layered over the already strong 3072-bit key itself)… When will we learn that many IoT devices are NOT safe… But HomeKit devices are. 🙂