Researchers Show 75% of Bluetooth Locks Can Be Hacked Wirelessly
Electrical engineer and security researcher Anthony Rose revealed at the DEF CON hacker conference earlier this week that the majority of Bluetooth Low Energy smart locks can be hacked and opened by unauthorised users, and that their manufacturers are doing nothing about it (via Tom’s Guide). He said that he and fellow researcher Ben Ramsey were able to open 12 out of 16 Bluetooth smart locks they tested, using simple wireless attacks.
Rose shared that Bluetooth locks from manufacturers like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. “We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”
The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.
Two of those four models, the Quicklock Doorlock and Quicklock Padlock, sent the password twice, Rose said. He and Ramsey found that they could change the user password by returning the same command with the second iteration of the password changed to something else, freezing out the legitimate user. “The user can’t reset it without removing the battery, and he can’t remove the battery without unlocking the lock,” Rose said.
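An owner or vendor can check their own lock for the cleartext-password problem described above by setting a known test PIN and searching the captured GATT write values for it. The following is an added example, not code from the researchers or the article; the attribute handles, payload layout and PIN are constructed for illustration.

```python
"""Added example: audit captured BLE write payloads for a cleartext test PIN."""

def encodings(pin):
    """Byte forms in which a PIN could appear unencrypted on the air."""
    forms = {"ascii": pin.encode("ascii")}
    if pin.isdigit():
        forms["raw-digits"] = bytes(int(d) for d in pin)   # 0x01 0x02 ...
        if len(pin) % 2 == 0:
            forms["packed-bcd"] = bytes.fromhex(pin)       # 0x12 0x34 ...
    return forms

def find_all(haystack, needle):
    """Return every offset at which needle occurs in haystack."""
    offsets, i = [], haystack.find(needle)
    while i != -1:
        offsets.append(i)
        i = haystack.find(needle, i + 1)
    return offsets

def audit(writes, pin):
    """Flag each write whose value contains the test PIN in any known form.

    'repeated' marks payloads that carry the PIN more than once, the pattern
    the article reports for two of the four plaintext locks.
    """
    findings = []
    for handle, value in writes:
        for name, needle in encodings(pin).items():
            offsets = find_all(value, needle)
            if offsets:
                findings.append({"handle": handle, "encoding": name,
                                 "offsets": offsets,
                                 "repeated": len(offsets) > 1})
    return findings

# Constructed sample data: (attribute handle, write value). Not a vendor format.
TEST_PIN = "12345678"
CONSTRUCTED_WRITES = [
    (0x002D, b"\x01" + b"12345678" + b"12345678"),   # opcode + ASCII PIN twice
    (0x0031, bytes.fromhex("a73c915e08d2446b")),     # opaque, no PIN visible
    (0x002D, bytes.fromhex("0212345678")),           # opcode + packed-BCD PIN
]

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_WRITES, TEST_PIN):
        print("handle 0x%04x: %s PIN at offsets %s%s" % (
            f["handle"], f["encoding"], f["offsets"],
            " (sent more than once)" if f["repeated"] else ""))
```

An empty result only means the PIN was not found in these encodings; it does not show that the lock uses encryption properly.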
There were four smart locks that Rose said the pair failed to hack into, including models made by Kwikset and August. All four used encryption properly, offered two-factor authentication and contained no hardcoded passwords buried in the software.