Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked

from the dumb-is-the-new-smart dept

Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of “Internet of Things” evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.

Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion. The latest: researchers have discovered that the majority of Bluetooth-enabled smart locks include broken security, free of charge. Researchers Anthony Rose and Ben Ramsey recently tested 16 Bluetooth smart locks, and found that 12 of them opened when attacked. Like so many IoT products, the companies building these devices failed to take even standard precautions to protect user security:

“The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air. “

And when manufacturers could be bothered to use encryption, they didn’t do a very good job of it:

“Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock ? and the lock would unlock without the password ever being decrypted.”

The hackers, which demonstrated the attacks at Defcon, noted that owners can help protect themselves by turning off Bluetooth on their smartphones when not in use (or revert to higher quality “dumb” locks). But it’s worth noting that forgetting to include basic security on your device is one thing. But time and time again when these companies are informed of the vulnerabilities in their products, they double down on their incompetence and apathy, making it abundantly clear that they don’t actually care if their security products are actually secure:

“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.‘”

It’s worth reading that last bit again, so when Bruce Schneier’s Internet-of-Things-induced cyber apocalypse occurs we can’t pretend we weren’t warned.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked”

Subscribe: RSS Leave a comment
54 Comments
Ninja (profile) says:

Re: Alternate title

Hmmm. Even this bluetooth vector seems to need some physical presence. But still, while I do agree that most locks can be breached I do think there are levels of difficulty. Even if you include explosives there 😉

Some people seem to misunderstand Karl as some Luddite (after all the vulnerabilities shown here require physical presence) but what he is pointing out is that manufacturers are failing hard at even the most basic security practices of things that are smart but not necessarily connected. This is a problem once you move into the connected realm as many stories have demonstrated so far.

I hope people stop dismissing the problems just because they need some degree of expertise or physical access to the devices and start focusing on the fact that security is, at best, an after-thought for most smart devices.

Ven says:

Re: Re: Alternate title

I hope I didn’t in any way imply Karl or anyone else was a Luddite. I don’t see this as a technology issue, but as a “The door lock industry doesn’t really give a flying rats ass about security” issue.

I hope people stop dismissing the problems just because they need some degree of expertise or physical access to the devices and start focusing on the fact that security is, at best, an after-thought for most smart devices.

I’m not at all dismissing the problem, let me be explicit, I intended to point out this is the nexus of bad security.

The smart devices craze has lead to some of the most mind-numbingly bad security decisions in recent memory.

Intersect that with the home locks industry, that has threatened and in some cases sued people that have pointed out how little protection their locks provide. The overwhelming majority American door locks can be unlocked with nearly no skill and a little practice using the physical equivalent of rapidly sending the password ‘000000’ until the lock pops open.

SteveMB (profile) says:

Re: Re: Alternate title

The “physical presence” for a Bluetooth lock can look a lot more like “hanging around in nearby fiddling with your smartphone” than “directly poking and prodding at the door lock”. Given that the main practical deterrent of most door locks is to put burglars at some risk of getting caught at the latter, that’s a significant difference.

Anonymous Coward says:

Re: Re: Alternate title

Especially with no traces. Your house lock gets broken you investigate and be careful. You know someone was in and might still be in. Your lock gets hacked, someone comes in and steals one item, you may even think you misplaced it and never know it was stolen. Or they can be hiding inside your house without your knowledge waiting for an opportune moment to attack. Could be dangerous if a female was home alone.

Michael (profile) says:

Re: Re: Re: Alternate title

Picking the lock on the door of most houses s trivial, takes seconds, and leaves no trace of it having been done.

Consumer locks are security theater.

That being said, not spending the time to do a bit of basic communication security on any device these days is rather pathetic. Saying you are not going to be bothered to fix it? I’d like to know which company that was and never purchase anything from them ever again.

Atkray (profile) says:

Re: Re: Re:2 Alternate title

The additional point often missed in these discussions is that many consumers are buying these precisely because they know that standard “dumb” locks are trivial to pick.

They buy into the marketing that “smart” locks will protect them better.

The orders of magnitude higher price reassures them this must be true.

That is why it is significant how simple they are to bypass.

Anonymous Howard II says:

Re: Alternate title

A point I’d like to add, which is also in reply to Anonymous Coward, Aug 11th, 2016 @ 7:36am, is that if you use (say) a rock to break in to a house or garage, anyone who sees that might get suspicious.

With an insecure bluetooth lock they can just walk up and open it. Unless the passerby knows you, they’ll just assume it’s legit.

Anonymous Coward says:

One flaw with smart locks, at least if you want to be sure that you can open the lock, is that you still need a key to open them in the event of hardware failure. While remote opening gates and garage doors might be nice, it is not so useful for the doors into the house, as the difference between fiddling with a phone or fiddling with a key is fairly minor, (I would hope that just waving the phone at the door does not open it, otherwise whoever steals your phone now pwns your your house).

DannyB (profile) says:

Does real security require cryptographic functions?

Cryptographic functions. Cryptographic strength secure hash functions. Cryptographic strength random number generators. Public / private key encryption. Digital signatures. Certificate chains with lists of CAs and revocation lists. Can any of this be done without encryption?

Should the government ban encryption, and thus keep everything insecure?

Should the government allow only weak encryption with, say, 16 bit keys? Nobody could possibly brute force that!

Should the government mandate crypto keys be kept in escrow with the government — for your safety! Think of the children!

Should the government mandate that nerds invent a secure system that can be cracked by the government on demand? (Can they actually say this with a straight face?)

What about magical golden keys? (But the previous two items cover ‘golden keys’.)

What about RIAA / MPAA style third party liability? If someone breaks into your home, no matter what brand of system you have, it must be the fault of (1) your ISP and (2) Google!

JustShutUpAndObey says:

Re: Does real security require cryptographic functions?

The government uses a different definition of security than normal people. You think security means YOU are secure from ALL intrusions. The government thinks it means it has the right to know EVERYTHING about you. For your “security” of course.

DannyB (profile) says:

Re: Re: Does real security require cryptographic functions?

I left out an option:

The government could come up with, what it calls, the most secure encryption key ever. This will keep us all safer. Everyone must start using this new, secure key as their encryption key at once! Anyone not using it is obviously up to no good. They aren’t using this ‘secure’ key, and therefore are trying to weaken all of our security. Including our IoT gadgets.

(I think I can actually imagine Comey and McCain and others actually saying something like that with a straight face.)

Similarly, the government has a new physical key that everyone must start using for all of their locks. Homes, automobiles, etc. Copies of this will will be mass duplicated and distributed immediately.

JBDragon (profile) says:

IoT was never designed for all the crap it’s being used for these days. It’s because of the piss poor security that it currently has. From what I hear they’re working on a updated version with much better security, but it’s not compatible with the current version of IoT. I guess you would have to replace everything.

I refuse to buy anything that is a IoT device, especially a Door Lock. Something like Lights is one thing, Locks are a different matter.

Roman (profile) says:

Re: Re:

Strongly disagree.

IoT is label for connecting devices – it is not “designed”. It does not have “security”. Its a concept, implementation is left to the user.

Unfortunately, security is a major issue in general, most companies can’t be bothered to design security into their devices, applications, etc, because it costs money & time for no obvious immediate payback. It’s only when the lawsuits start that they even begin starting to think about it.

Anonymous Coward says:

Real Security!

Security is a problem never fully understood for two reasons.

1. Governments do not wish for citizens to know the truth about security.

2. Citizens foolishly think government should over see their security! A true impossibility!

A true security lock should have only 2 responsibilities.
1. Reasonable mechanism for keeping anyone or thing out without a valid key.
2. A log of ALL access attempts successful or not.

As long as you have those two features, the physical limits of security of the device itself is not very critical because you can have additional security mechanisms outside of the device handle more complex issues which can be much more difficult to fool.

The knowledge of breach is far more important than preventing breach. This logic is lost on most people, especially security in the corporate and IT setting, but not the government.

Tony E says:

All good points, but...

Dare I say that these locks create a back door to your front door?

The rock thing is, I guess, a good point. But a rock is loud and visually obvious to neighbors. This trick would be both silent (or as silent as the lock itself is) and would look normal to a neighbor, possibly.

On the other hand, if you have to sniff the password, it seems like this would have to be someone with a grudge and not just some random thief. They have to be relatively close while you’re unlocking it to get the password in the first place. It seems highly unlikely that anyone would find this to be an issue.

The point of the article is that the IoT industry is the problem, as someone else said. These companies don’t care about building-in proper security, and they don’t care about trying to fix broken security. For now, we have hackers to warn us about these issues, but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.

Anonymous Coward says:

Re: All good points, but...

but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.

This is the problem with all humanity. Let’s get a fucking law. We cannot be bothered with NOT buying shit we just need to create more corruption by having someone create and then administer the law and regulate it so we can pick and choose winners and losers.

And when we are done, bitch about the corrupt we just invited in the front fucking door!

Derek Kerton (profile) says:

Still, Why the Rage Pointed Just at IoT?

“Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion.”

Right.

And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.

IoT, like any other connected devices, is attacked, often with success. Like the others, they should be more secure. But I still don’t understand why Karl is so singularly pissed off at IoT, out of proportion with all else.

Here’s news today on Volkswagen’s keyless system that can be hacked. Is IoT really so specially bad?

https://www.yahoo.com/news/keyless-systems-older-vw-group-cars-hacked-researchers-140603841–finance.html?ref=gs

That One Guy (profile) says:

Re: Once again: 'Everyone else is doing it' is not a valid excuse

I notice you didn’t mention starvation, homelessness, wars, grand theft auto and jaywalking. Why all the focus on Karl’s stand on IoT? Surely those other things are much more serious, why spend so much time on articles like this?

And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.

There’s a pretty hefty difference between ‘No security is perfect, and as a result system X got hacked’ and ‘Company X/Y/Z isn’t even trying to secure their products, leaving them wide open for attack’.

Exactly what is your objection to articles like this pointing out lousy security practices that companies should know better by now? ‘It should be better but it’s not’ is a pretty poor argument for why companies shouldn’t be called out on their actions, and if anything should be cause for more criticism, not less.

Derek Kerton (profile) says:

Re: Re: Once again: 'Everyone else is doing it' is not a valid excuse

There is a big difference between:

saying “Your article’s should cover things I care about: starvation, jaywalking, etc”

and saying “You are consistently writing about one particular topic in a way that suggests a chip on your shoulder more than a fair evaluation.”

“Exactly what is your objection to articles like this pointing out lousy security practices”
My objection is not calling out the security. It is the content (article and comments) that are summarized as: “The IoT is dumb because it currently is insecure.”

Read the article. That insinuation is in there. For example, 16 locks were tested. An abysmal 12 were hackable. OK, so was the conclusion that the other 4 are better products, and we should look to them? No, there is no reward for being one of the better-made locks. Instead, the entire sector is painted with one brush: “the dysfunction onion”.

What is the objective? To push for better security, or to kill IoT with FUD? I think it’s the former, and I think even Karl might agree — but the article does the latter.

Derek Kerton (profile) says:

Re: Re: Still, Why the Rage Pointed Just at IoT?

True, Techdirt has called out most dumb security lapses. But I don’t think the entire sector was considered stupid because of the lapses.

Take HTTPS web servers. Mike harped on that for years waiting for websites to figure out they should secure the connection. But at no point did anyone suggest the web was stupid, useless, or silly as a result.

Uriel-238 (profile) says:

Re: Still, Why the Rage Pointed Just at IoT?

There are two specific problems (I see) with IoT devices.

One is that they are often vunerabilities into the rest of a network, for example, the refrigerator that logs into a local router that will reveal to hackers the password to the router. So the IoT device makes your array less secure just by its presence.

The other is that IoT devices often are controlled remotely though their IoT-ness, thus a car can be shut down (or forced to accellerate) in the middle of a freeway. A thermostat can be set to the highest setting or shut off. While the incidents with airplanes in which pilot controls are connected to the passenger-access wifi (yes really) pretty much counts as an IoT once a passenger can drop the oxygen tanks or adjust the trim.

Someone’s going get written into the history books as the first person to be murdered by IoT hack before this gets fixed.

That One Guy (profile) says:

Time for some motivation

“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.'”

I imagine they might start to care, or at least pretend to, if their crap security and indifference towards it was made public. Don’t demonstrate it at a security conference, send the info(anonymously of course, hence why you skip the public demonstration, to make it harder to pin the info to you) to a few news groups and let them run with it.

A few PR black eyes from articles pointing out how companies selling these types of locks don’t actually take even rudimentary steps to make them secure might convince them that investing in some security isn’t just a waste of money.

Skeeter says:

Keeping Honest

Seriously, locks are intentionally designed ‘to keep honest people honest’. When a 10-year old with a screwdriver and a rubber mallet can open your front door in 20-seconds, what makes you think your electronic devices are secure against those skilled enough to hack them, and corrupt enough to try? As with all locks, just remember, ‘locks are designed only to keep honest people honest’.

That said, only a fool puts his gold on display in his front window, or builds a castle without security. Either stop chasing the ‘Jones’ (and hi-tech IT) unless you also have the money to add that real layer of ‘extra security’. Otherwise, you’re just setting yourself up for a major loss.

Anonymous Coward says:

Wow. It’s one thing when your fridge or thermostat has bad security. But a freaking lock? Companies are literally selling *home security devices* but can’t even be bothered to follow the most basic and simple of real security practices? And when informed of these flaws, they simply shrug their shoulders? It boggles my mind.

Anonymous Coward says:

Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.'”

Not only is that extremely problematic but that seems like a lawsuit just waiting to happen and one that should be pretty easy to win and very expensive for that company if they are flat out admitting they know of the problem but refuse to do anything to fix it.

Uriel-238 (profile) says:

Re: The trouble with honesty.

Yeah, but that will encourage future responses of we know it’s a problem and we have top men on it, when they don’t.

I’m not sure the solution in this clime.

If these companies can be forced to do a product recall since an easily hackable lock can be reasonably inferred to be a flawed product, that might force them to fix the problem or withdrawal the product from market, whether or not they’re honest about their intentions.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...