Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked
from the dumb-is-the-new-smart dept
Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of “Internet of Things” evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.
Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion. The latest: researchers have discovered that the majority of Bluetooth-enabled smart locks include broken security, free of charge. Researchers Anthony Rose and Ben Ramsey recently tested 16 Bluetooth smart locks, and found that 12 of them opened when attacked. Like so many IoT products, the companies building these devices failed to take even standard precautions to protect user security:
“The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air. “
And when manufacturers could be bothered to use encryption, they didn’t do a very good job of it:
“Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock ? and the lock would unlock without the password ever being decrypted.”
The hackers, which demonstrated the attacks at Defcon, noted that owners can help protect themselves by turning off Bluetooth on their smartphones when not in use (or revert to higher quality “dumb” locks). But it’s worth noting that forgetting to include basic security on your device is one thing. But time and time again when these companies are informed of the vulnerabilities in their products, they double down on their incompetence and apathy, making it abundantly clear that they don’t actually care if their security products are actually secure:
“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.‘”
It’s worth reading that last bit again, so when Bruce Schneier’s Internet-of-Things-induced cyber apocalypse occurs we can’t pretend we weren’t warned.
Filed Under: hacking, iot, privacy, security, smart locks
Comments on “Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked”
Alternate title
“Like Most other locks, Most ‘Smart’ Locks Are Easily Hacked”
Honestly most home locks (external door locks) and padlocks are just so bad at real security, but at least they require the attacker to be physically present.
Re: Alternate title
Hmmm. Even this bluetooth vector seems to need some physical presence. But still, while I do agree that most locks can be breached I do think there are levels of difficulty. Even if you include explosives there 😉
Some people seem to misunderstand Karl as some Luddite (after all the vulnerabilities shown here require physical presence) but what he is pointing out is that manufacturers are failing hard at even the most basic security practices of things that are smart but not necessarily connected. This is a problem once you move into the connected realm as many stories have demonstrated so far.
I hope people stop dismissing the problems just because they need some degree of expertise or physical access to the devices and start focusing on the fact that security is, at best, an after-thought for most smart devices.
Re: Re: Alternate title
I hope I didn’t in any way imply Karl or anyone else was a Luddite. I don’t see this as a technology issue, but as a “The door lock industry doesn’t really give a flying rats ass about security” issue.
I’m not at all dismissing the problem, let me be explicit, I intended to point out this is the nexus of bad security.
The smart devices craze has lead to some of the most mind-numbingly bad security decisions in recent memory.
Intersect that with the home locks industry, that has threatened and in some cases sued people that have pointed out how little protection their locks provide. The overwhelming majority American door locks can be unlocked with nearly no skill and a little practice using the physical equivalent of rapidly sending the password ‘000000’ until the lock pops open.
Re: Re: Re: Alternate title
It was actually a general message but I did misunderstand you so my apologies. I think physical locks (dumb ones) have physical limitations to how secure they can get (remember at the very last you can blow up the thing) so it’s kind of different from security in connected stuff.
Re: Re: Alternate title
The “physical presence” for a Bluetooth lock can look a lot more like “hanging around in nearby fiddling with your smartphone” than “directly poking and prodding at the door lock”. Given that the main practical deterrent of most door locks is to put burglars at some risk of getting caught at the latter, that’s a significant difference.
Re: Alternate title
Yeah, but this is more like a dumb lock that spit out a copy of the key if you asked it nicely.
Re: Alternate title
True. While most locks can be circumvented (ie: you can break the door down or cut the lock or metal cable) often times doing so may leave evidence.
But if you get your smart lock hacked you may not even know about it.
Re: Alternate title
Yes, most physical locks (even most very high end ones) are easy to get past. But that doesn’t mean it’s smart of increase the attack surface and make them even easier to get past.
Re: Re: Alternate title
Especially with no traces. Your house lock gets broken you investigate and be careful. You know someone was in and might still be in. Your lock gets hacked, someone comes in and steals one item, you may even think you misplaced it and never know it was stolen. Or they can be hiding inside your house without your knowledge waiting for an opportune moment to attack. Could be dangerous if a female was home alone.
Re: Re: Re: Alternate title
Picking the lock on the door of most houses s trivial, takes seconds, and leaves no trace of it having been done.
Consumer locks are security theater.
That being said, not spending the time to do a bit of basic communication security on any device these days is rather pathetic. Saying you are not going to be bothered to fix it? I’d like to know which company that was and never purchase anything from them ever again.
Re: Re: Re:2 Alternate title
The additional point often missed in these discussions is that many consumers are buying these precisely because they know that standard “dumb” locks are trivial to pick.
They buy into the marketing that “smart” locks will protect them better.
The orders of magnitude higher price reassures them this must be true.
That is why it is significant how simple they are to bypass.
Re: Alternate title
Well, OK, but if the attacker wants to actually exploit the lock, he does have to be physically present at some point. Someone can unlock my car door remotely, but he still has to come to the car if he wants to steal anything in it.
Re: Re: Alternate title
Alter the notion of stealing something to prankster-ism…
Hacking a door lock so that homeowner or automobile owner can’t get in. Subsequent money for repairs or locksmith
Hacking an automobile so that it no longer works, requiring a tow and visit to dealership for repairs. Subsequent money for repairs.
Re: Alternate title
A point I’d like to add, which is also in reply to Anonymous Coward, Aug 11th, 2016 @ 7:36am, is that if you use (say) a rock to break in to a house or garage, anyone who sees that might get suspicious.
With an insecure bluetooth lock they can just walk up and open it. Unless the passerby knows you, they’ll just assume it’s legit.
Re: Re: Alternate title
Even if they don’t know you, we live in a world where its plausible to hire people to show up when you are not home to do things for you. Walk the dog, fix my furnace, clean my kitchen, etc.
One flaw with smart locks, at least if you want to be sure that you can open the lock, is that you still need a key to open them in the event of hardware failure. While remote opening gates and garage doors might be nice, it is not so useful for the doors into the house, as the difference between fiddling with a phone or fiddling with a key is fairly minor, (I would hope that just waving the phone at the door does not open it, otherwise whoever steals your phone now pwns your your house).
Does real security require cryptographic functions?
Cryptographic functions. Cryptographic strength secure hash functions. Cryptographic strength random number generators. Public / private key encryption. Digital signatures. Certificate chains with lists of CAs and revocation lists. Can any of this be done without encryption?
Should the government ban encryption, and thus keep everything insecure?
Should the government allow only weak encryption with, say, 16 bit keys? Nobody could possibly brute force that!
Should the government mandate crypto keys be kept in escrow with the government — for your safety! Think of the children!
Should the government mandate that nerds invent a secure system that can be cracked by the government on demand? (Can they actually say this with a straight face?)
What about magical golden keys? (But the previous two items cover ‘golden keys’.)
What about RIAA / MPAA style third party liability? If someone breaks into your home, no matter what brand of system you have, it must be the fault of (1) your ISP and (2) Google!
Re: Does real security require cryptographic functions?
The government uses a different definition of security than normal people. You think security means YOU are secure from ALL intrusions. The government thinks it means it has the right to know EVERYTHING about you. For your “security” of course.
Re: Re: The state definition of "security"
For national security which is to say for the security of government agencies and those who direct their actions.
We peons are the enemy and don’t count.
Re: Does real security require cryptographic functions?
Google. Definitely Google is to blame for people breaking my physical lock. Makes total sense! – MAFIAA Goon
Re: Re: Does real security require cryptographic functions?
I left out an option:
The government could come up with, what it calls, the most secure encryption key ever. This will keep us all safer. Everyone must start using this new, secure key as their encryption key at once! Anyone not using it is obviously up to no good. They aren’t using this ‘secure’ key, and therefore are trying to weaken all of our security. Including our IoT gadgets.
(I think I can actually imagine Comey and McCain and others actually saying something like that with a straight face.)
Similarly, the government has a new physical key that everyone must start using for all of their locks. Homes, automobiles, etc. Copies of this will will be mass duplicated and distributed immediately.
This one I consider a non-issue. Why? Rocks are cheaper than Bluetooth sniffers, and some homes even provide them outside their front doors!
Re: Re:
Yes, Bluetooth sniffers are relatively expensive now. What happens when any yokel can order one off alibaba.com for 5 bucks.
Re: Re: Re:
“What happens when any yokel can order one off alibaba.com for 5 bucks.”
No need to even do that if you have a smartphone. There are plenty of bluetooth sniffer apps that use your phone’s hardware.
Re: Re: Re:
A rock is still cheaper, and doesn’t have shipping fees.
Re: Re: Re: Re:
You’ve obviously never tried to have one shipped. I think you would be surprised how expensive it is to ship a rock.
Re: Re: Re:2 Re:
No need to ship a rock when you can source them locally. Many homes even stock them in their landscaping!
smart=complexity
complexity=more points of failure
IoT was never designed for all the crap it’s being used for these days. It’s because of the piss poor security that it currently has. From what I hear they’re working on a updated version with much better security, but it’s not compatible with the current version of IoT. I guess you would have to replace everything.
I refuse to buy anything that is a IoT device, especially a Door Lock. Something like Lights is one thing, Locks are a different matter.
Re: Re:
Strongly disagree.
IoT is label for connecting devices – it is not “designed”. It does not have “security”. Its a concept, implementation is left to the user.
Unfortunately, security is a major issue in general, most companies can’t be bothered to design security into their devices, applications, etc, because it costs money & time for no obvious immediate payback. It’s only when the lawsuits start that they even begin starting to think about it.
Re: Re: Re:
IoT is a marketing term, not a technical term.
Selling a false sense of security, in the digital age this is new?
"dysfunction onion"
Did anyone else hear a Schoolyard Rock start playing in their head when they read the phrase “dysfunction onion”?
Or am I just weird?
Re: "dysfunction onion"
Oops. I meant “Schoolhouse Rock”
Will this mean that from now on, the “digital” padlocks regularly sold on Techdirt’s “dirty deals” will mention this important fact in the sales pitch?
https://www.techdirt.com/articles/20150723/09513631736/daily-deal-quicklock.shtml
Re: Re:
Talk about obsession!
Still, it would be interesting if that brand was labeled insecure.
Real Security!
Security is a problem never fully understood for two reasons.
1. Governments do not wish for citizens to know the truth about security.
2. Citizens foolishly think government should over see their security! A true impossibility!
A true security lock should have only 2 responsibilities.
1. Reasonable mechanism for keeping anyone or thing out without a valid key.
2. A log of ALL access attempts successful or not.
As long as you have those two features, the physical limits of security of the device itself is not very critical because you can have additional security mechanisms outside of the device handle more complex issues which can be much more difficult to fool.
The knowledge of breach is far more important than preventing breach. This logic is lost on most people, especially security in the corporate and IT setting, but not the government.
Re: Real Security!
Unfortunately for your notion, most hackers / admins head straight for the audit trial when they gain illicit access. Records deleted.
You’ll only see protection against this in enterprise class systems where illicit entry immediately raises a remote alarm.
Interesting legal dilemma here. If any other manufacturer had a product that they knowingly could cause damage or loss, they’d get sued. What about that company that said ‘We know it’s a problem, but we’re not gonna fix it.'” ?
All good points, but...
Dare I say that these locks create a back door to your front door?
The rock thing is, I guess, a good point. But a rock is loud and visually obvious to neighbors. This trick would be both silent (or as silent as the lock itself is) and would look normal to a neighbor, possibly.
On the other hand, if you have to sniff the password, it seems like this would have to be someone with a grudge and not just some random thief. They have to be relatively close while you’re unlocking it to get the password in the first place. It seems highly unlikely that anyone would find this to be an issue.
The point of the article is that the IoT industry is the problem, as someone else said. These companies don’t care about building-in proper security, and they don’t care about trying to fix broken security. For now, we have hackers to warn us about these issues, but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.
Re: All good points, but...
but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.
This is the problem with all humanity. Let’s get a fucking law. We cannot be bothered with NOT buying shit we just need to create more corruption by having someone create and then administer the law and regulate it so we can pick and choose winners and losers.
And when we are done, bitch about the corrupt we just invited in the front fucking door!
Still, Why the Rage Pointed Just at IoT?
“Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion.”
Right.
And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.
IoT, like any other connected devices, is attacked, often with success. Like the others, they should be more secure. But I still don’t understand why Karl is so singularly pissed off at IoT, out of proportion with all else.
Here’s news today on Volkswagen’s keyless system that can be hacked. Is IoT really so specially bad?
https://www.yahoo.com/news/keyless-systems-older-vw-group-cars-hacked-researchers-140603841–finance.html?ref=gs
Re: Once again: 'Everyone else is doing it' is not a valid excuse
I notice you didn’t mention starvation, homelessness, wars, grand theft auto and jaywalking. Why all the focus on Karl’s stand on IoT? Surely those other things are much more serious, why spend so much time on articles like this?
And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.
There’s a pretty hefty difference between ‘No security is perfect, and as a result system X got hacked’ and ‘Company X/Y/Z isn’t even trying to secure their products, leaving them wide open for attack’.
Exactly what is your objection to articles like this pointing out lousy security practices that companies should know better by now? ‘It should be better but it’s not’ is a pretty poor argument for why companies shouldn’t be called out on their actions, and if anything should be cause for more criticism, not less.
Re: Re: Once again: 'Everyone else is doing it' is not a valid excuse
There is a big difference between:
saying “Your article’s should cover things I care about: starvation, jaywalking, etc”
and saying “You are consistently writing about one particular topic in a way that suggests a chip on your shoulder more than a fair evaluation.”
“Exactly what is your objection to articles like this pointing out lousy security practices”
My objection is not calling out the security. It is the content (article and comments) that are summarized as: “The IoT is dumb because it currently is insecure.”
Read the article. That insinuation is in there. For example, 16 locks were tested. An abysmal 12 were hackable. OK, so was the conclusion that the other 4 are better products, and we should look to them? No, there is no reward for being one of the better-made locks. Instead, the entire sector is painted with one brush: “the dysfunction onion”.
What is the objective? To push for better security, or to kill IoT with FUD? I think it’s the former, and I think even Karl might agree — but the article does the latter.
Re: Still, Why the Rage Pointed Just at IoT?
I have read numerous articles here and elsewhere about the security problems in every one of the other things you have mentioned. I don’t see a single-minded focus on IoT issues at all.
Re: Re: Still, Why the Rage Pointed Just at IoT?
True, Techdirt has called out most dumb security lapses. But I don’t think the entire sector was considered stupid because of the lapses.
Take HTTPS web servers. Mike harped on that for years waiting for websites to figure out they should secure the connection. But at no point did anyone suggest the web was stupid, useless, or silly as a result.
Re: Still, Why the Rage Pointed Just at IoT?
There are two specific problems (I see) with IoT devices.
One is that they are often vunerabilities into the rest of a network, for example, the refrigerator that logs into a local router that will reveal to hackers the password to the router. So the IoT device makes your array less secure just by its presence.
The other is that IoT devices often are controlled remotely though their IoT-ness, thus a car can be shut down (or forced to accellerate) in the middle of a freeway. A thermostat can be set to the highest setting or shut off. While the incidents with airplanes in which pilot controls are connected to the passenger-access wifi (yes really) pretty much counts as an IoT once a passenger can drop the oxygen tanks or adjust the trim.
Someone’s going get written into the history books as the first person to be murdered by IoT hack before this gets fixed.
Time for some motivation
“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care,” Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.'”
I imagine they might start to care, or at least pretend to, if their crap security and indifference towards it was made public. Don’t demonstrate it at a security conference, send the info(anonymously of course, hence why you skip the public demonstration, to make it harder to pin the info to you) to a few news groups and let them run with it.
A few PR black eyes from articles pointing out how companies selling these types of locks don’t actually take even rudimentary steps to make them secure might convince them that investing in some security isn’t just a waste of money.
Keeping Honest
Seriously, locks are intentionally designed ‘to keep honest people honest’. When a 10-year old with a screwdriver and a rubber mallet can open your front door in 20-seconds, what makes you think your electronic devices are secure against those skilled enough to hack them, and corrupt enough to try? As with all locks, just remember, ‘locks are designed only to keep honest people honest’.
That said, only a fool puts his gold on display in his front window, or builds a castle without security. Either stop chasing the ‘Jones’ (and hi-tech IT) unless you also have the money to add that real layer of ‘extra security’. Otherwise, you’re just setting yourself up for a major loss.
Wow. It’s one thing when your fridge or thermostat has bad security. But a freaking lock? Companies are literally selling *home security devices* but can’t even be bothered to follow the most basic and simple of real security practices? And when informed of these flaws, they simply shrug their shoulders? It boggles my mind.
The rush to connect everything to the net, creating all new security issues in the process is like removing your front door to make it more convenient to enter your home and then wondering what you can do to keep the burglars out.
Rose said. “We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.'”
Not only is that extremely problematic but that seems like a lawsuit just waiting to happen and one that should be pretty easy to win and very expensive for that company if they are flat out admitting they know of the problem but refuse to do anything to fix it.
Re: The trouble with honesty.
Yeah, but that will encourage future responses of we know it’s a problem and we have top men on it, when they don’t.
I’m not sure the solution in this clime.
If these companies can be forced to do a product recall since an easily hackable lock can be reasonably inferred to be a flawed product, that might force them to fix the problem or withdrawal the product from market, whether or not they’re honest about their intentions.
Re: Re:
What would be the basis of the lawsuit? Factor in that there’s almost certainly wording in the license agreement that to the effect that there is no promise of fitness for purpose or that bugs will be fixed.