Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked

from the dumb-is-the-new-smart dept

Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of "Internet of Things" evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.

Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion. The latest: researchers have discovered that the majority of Bluetooth-enabled smart locks include broken security, free of charge. Researchers Anthony Rose and Ben Ramsey recently tested 16 Bluetooth smart locks, and found that 12 of them opened when attacked. Like so many IoT products, the companies building these devices failed to take even standard precautions to protect user security:
"The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air."
And when manufacturers could be bothered to use encryption, they didn't do a very good job of it:
"Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted."
The hackers, who demonstrated the attacks at Defcon, noted that owners can help protect themselves by turning off Bluetooth on their smartphones when not in use (or by reverting to higher quality "dumb" locks). Forgetting to include basic security on your device is one thing. But time and time again, when these companies are informed of the vulnerabilities in their products, they double down on their incompetence and apathy, making it abundantly clear that they don't care whether their security products are actually secure:
"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"
It's worth reading that last bit again, so when Bruce Schneier's Internet-of-Things-induced cyber apocalypse occurs we can't pretend we weren't warned.
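
The replay weakness in the second quote above, modelled as an added example (not code from the researchers, the article or any lock vendor): a lock that compares a fixed "encrypted password" blob accepts a recorded frame, while a lock that issues a fresh single-use nonce and expects an HMAC over it does not. The key, password, frame layout and all class and function names are assumptions made for the illustration.

```python
"""Recorded unlock frame: static credential vs. challenge-response.

Constructed model, not any vendor's protocol. SHARED_KEY, PASSWORD, the
frame layout and every name below are assumptions for the illustration.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = secrets.token_bytes(32)   # assumed to be provisioned at pairing
PASSWORD = b"1234-front-door"          # constructed sample credential


def static_blob(key: bytes, password: bytes) -> bytes:
    # Stand-in for "the encrypted password". Any deterministic transform
    # produces the same bytes on every unlock, which is the whole flaw.
    return hmac.new(key, b"pw:" + password, hashlib.sha256).digest()


def phone_response(key: bytes, nonce: bytes) -> bytes:
    # Phone side of the hardened exchange: prove knowledge of the key
    # for this one nonce without ever sending the key or a password.
    return hmac.new(key, b"unlock:" + nonce, hashlib.sha256).digest()


class StaticLock:
    """Flawed design: compares the received blob with a stored copy."""

    def __init__(self, key: bytes, password: bytes):
        self._expected = static_blob(key, password)

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._expected)


class ChallengeLock:
    """Hardened design: a fresh nonce per attempt, usable exactly once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, frame: bytes) -> bool:
        # Consume the nonce before checking, so a failed or repeated
        # attempt can never be retried against the same challenge.
        nonce, self._pending = self._pending, None
        if nonce is None:
            return False  # response arrived with no outstanding challenge
        return hmac.compare_digest(frame, phone_response(self._key, nonce))


def run_demo() -> dict:
    results = {}

    # Static design: the frame seen on the air is the credential itself.
    static = StaticLock(SHARED_KEY, PASSWORD)
    recorded = static_blob(SHARED_KEY, PASSWORD)
    results["static_legit"] = static.unlock(recorded)
    results["static_replay"] = static.unlock(recorded)

    # Challenge-response: the recorded frame is bound to a spent nonce.
    lock = ChallengeLock(SHARED_KEY)
    recorded = phone_response(SHARED_KEY, lock.challenge())
    results["cr_legit"] = lock.unlock(recorded)
    results["cr_replay_no_challenge"] = lock.unlock(recorded)
    lock.challenge()  # the lock has moved on to a new nonce
    results["cr_replay_new_challenge"] = lock.unlock(recorded)
    return results


if __name__ == "__main__":
    for name, opened in run_demo().items():
        print(f"{name:26s} -> {'opens' if opened else 'stays locked'}")
```

Encrypting the password changes nothing in the first design because the lock never needs the plaintext; freshness has to come from the lock side.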

Reader Comments



  • Ven, 11 Aug 2016 @ 6:51am

    Alternate title

    "Like Most other locks, Most 'Smart' Locks Are Easily Hacked"

    Honestly most home locks (external door locks) and padlocks are just so bad at real security, but at least they require the attacker to be physically present.

    • Ninja (profile), 11 Aug 2016 @ 7:07am

      Re: Alternate title

      Hmmm. Even this bluetooth vector seems to need some physical presence. But still, while I do agree that most locks can be breached I do think there are levels of difficulty. Even if you include explosives there ;)

      Some people seem to misunderstand Karl as some Luddite (after all the vulnerabilities shown here require physical presence) but what he is pointing out is that manufacturers are failing hard at even the most basic security practices of things that are smart but not necessarily connected. This is a problem once you move into the connected realm as many stories have demonstrated so far.

      I hope people stop dismissing the problems just because they need some degree of expertise or physical access to the devices and start focusing on the fact that security is, at best, an after-thought for most smart devices.

      • Ven, 11 Aug 2016 @ 1:08pm

        Re: Re: Alternate title

        I hope I didn't in any way imply Karl or anyone else was a Luddite. I don't see this as a technology issue, but as a "The door lock industry doesn't really give a flying rat's ass about security" issue.


        I hope people stop dismissing the problems just because they need some degree of expertise or physical access to the devices and start focusing on the fact that security is, at best, an after-thought for most smart devices.


        I'm not at all dismissing the problem, let me be explicit, I intended to point out this is the nexus of bad security.

        The smart devices craze has led to some of the most mind-numbingly bad security decisions in recent memory.

        Intersect that with the home locks industry, that has threatened and in some cases sued people that have pointed out how little protection their locks provide. The overwhelming majority of American door locks can be unlocked with nearly no skill and a little practice using the physical equivalent of rapidly sending the password '000000' until the lock pops open.

        • Ninja (profile), 12 Aug 2016 @ 6:46am

          Re: Re: Re: Alternate title

          It was actually a general message but I did misunderstand you so my apologies. I think physical locks (dumb ones) have physical limitations to how secure they can get (remember at the very last you can blow up the thing) so it's kind of different from security in connected stuff.

    • Synonymous Howard (profile), 11 Aug 2016 @ 7:08am

      Re: Alternate title

      Yeah, but this is more like a dumb lock that spit out a copy of the key if you asked it nicely.

    • Anonymous Coward, 11 Aug 2016 @ 7:52am

      Re: Alternate title

      True. While most locks can be circumvented (ie: you can break the door down or cut the lock or metal cable) often times doing so may leave evidence.

      But if you get your smart lock hacked you may not even know about it.

    • John Fenderson (profile), 11 Aug 2016 @ 8:20am

      Re: Alternate title

      Yes, most physical locks (even most very high end ones) are easy to get past. But that doesn't mean it's smart to increase the attack surface and make them even easier to get past.

      • Anonymous Coward, 11 Aug 2016 @ 8:24am

        Re: Re: Alternate title

        Especially with no traces. Your house lock gets broken you investigate and be careful. You know someone was in and might still be in. Your lock gets hacked, someone comes in and steals one item, you may even think you misplaced it and never know it was stolen. Or they can be hiding inside your house without your knowledge waiting for an opportune moment to attack. Could be dangerous if a female was home alone.

        • Michael, 11 Aug 2016 @ 10:16am

          Re: Re: Re: Alternate title

          Picking the lock on the door of most houses is trivial, takes seconds, and leaves no trace of it having been done.

          Consumer locks are security theater.

          That being said, not spending the time to do a bit of basic communication security on any device these days is rather pathetic. Saying you are not going to be bothered to fix it? I'd like to know which company that was and never purchase anything from them ever again.

          • Atkray (profile), 11 Aug 2016 @ 11:27am

            Re: Re: Re: Re: Alternate title

            The additional point often missed in these discussions is that many consumers are buying these precisely because they know that standard "dumb" locks are trivial to pick.

            They buy into the marketing that "smart" locks will protect them better.

            The orders of magnitude higher price reassures them this must be true.

            That is why it is significant how simple they are to bypass.

    • Anonymous Coward, 11 Aug 2016 @ 8:48am

      Re: Alternate title

      Well, OK, but if the attacker wants to actually exploit the lock, he does have to be physically present at some point. Someone can unlock my car door remotely, but he still has to come to the car if he wants to steal anything in it.

      • afn29129 (profile), 11 Aug 2016 @ 8:59am

        Re: Re: Alternate title

        Alter the notion of stealing something to prankster-ism...

        Hacking a door lock so that homeowner or automobile owner can't get in. Subsequent money for repairs or locksmith.

        Hacking an automobile so that it no longer works, requiring a tow and visit to dealership for repairs. Subsequent money for repairs.

    • Anonymous Howard II, 11 Aug 2016 @ 9:00am

      Re: Alternate title

      A point I'd like to add, which is also in reply to Anonymous Coward, Aug 11th, 2016 @ 7:36am, is that if you use (say) a rock to break in to a house or garage, anyone who sees that might get suspicious.

      With an insecure bluetooth lock they can just walk up and open it. Unless the passerby knows you, they'll just assume it's legit.

      • Anonymous Coward, 11 Aug 2016 @ 11:25am

        Re: Re: Alternate title

        Even if they don't know you, we live in a world where it's plausible to hire people to show up when you are not home to do things for you. Walk the dog, fix my furnace, clean my kitchen, etc.

  • Anonymous Coward, 11 Aug 2016 @ 7:09am

    One flaw with smart locks, at least if you want to be sure that you can open the lock, is that you still need a key to open them in the event of hardware failure. While remote opening gates and garage doors might be nice, it is not so useful for the doors into the house, as the difference between fiddling with a phone or fiddling with a key is fairly minor, (I would hope that just waving the phone at the door does not open it, otherwise whoever steals your phone now pwns your house).

  • DannyB (profile), 11 Aug 2016 @ 7:17am

    Does real security require cryptographic functions?

    Cryptographic functions. Cryptographic strength secure hash functions. Cryptographic strength random number generators. Public / private key encryption. Digital signatures. Certificate chains with lists of CAs and revocation lists. Can any of this be done without encryption?

    Should the government ban encryption, and thus keep everything insecure?

    Should the government allow only weak encryption with, say, 16 bit keys? Nobody could possibly brute force that!

    Should the government mandate crypto keys be kept in escrow with the government -- for your safety! Think of the children!

    Should the government mandate that nerds invent a secure system that can be cracked by the government on demand? (Can they actually say this with a straight face?)

    What about magical golden keys? (But the previous two items cover 'golden keys'.)

    What about RIAA / MPAA style third party liability? If someone breaks into your home, no matter what brand of system you have, it must be the fault of (1) your ISP and (2) Google!

    • JustShutUpAndObey, 11 Aug 2016 @ 7:44am

      Re: Does real security require cryptographic functions?

      The government uses a different definition of security than normal people. You think security means YOU are secure from ALL intrusions. The government thinks it means it has the right to know EVERYTHING about you. For your "security" of course.

      • Uriel-238 (profile), 11 Aug 2016 @ 12:33pm

        The state definition of "security"

        For national security which is to say for the security of government agencies and those who direct their actions.

        We peons are the enemy and don't count.

    • Ninja (profile), 11 Aug 2016 @ 8:24am

      Re: Does real security require cryptographic functions?

      Google. Definitely Google is to blame for people breaking my physical lock. Makes total sense! - MAFIAA Goon

      • DannyB (profile), 11 Aug 2016 @ 10:53am

        Re: Re: Does real security require cryptographic functions?

        I left out an option:

        The government could come up with, what it calls, the most secure encryption key ever. This will keep us all safer. Everyone must start using this new, secure key as their encryption key at once! Anyone not using it is obviously up to no good. They aren't using this 'secure' key, and therefore are trying to weaken all of our security. Including our IoT gadgets.

        (I think I can actually imagine Comey and McCain and others actually saying something like that with a straight face.)

        Similarly, the government has a new physical key that everyone must start using for all of their locks. Homes, automobiles, etc. Copies of this will be mass duplicated and distributed immediately.

  • Anonymous Coward, 11 Aug 2016 @ 7:36am

    This one I consider a non-issue. Why? Rocks are cheaper than Bluetooth sniffers, and some homes even provide them outside their front doors!

  • Anonymous Coward, 11 Aug 2016 @ 7:36am

    smart=complexity
    complexity=more points of failure

  • JBDragon (profile), 11 Aug 2016 @ 7:52am

    IoT was never designed for all the crap it's being used for these days. It's because of the piss poor security that it currently has. From what I hear they're working on an updated version with much better security, but it's not compatible with the current version of IoT. I guess you would have to replace everything.

    I refuse to buy anything that is an IoT device, especially a Door Lock. Something like Lights is one thing, Locks are a different matter.

    • Roman (profile), 11 Aug 2016 @ 8:13am

      Re:

      Strongly disagree.

      IoT is a label for connecting devices - it is not "designed". It does not have "security". It's a concept, implementation is left to the user.

      Unfortunately, security is a major issue in general, most companies can't be bothered to design security into their devices, applications, etc, because it costs money & time for no obvious immediate payback. It's only when the lawsuits start that they even begin starting to think about it.

  • Anonymous Coward, 11 Aug 2016 @ 7:54am

    Selling a false sense of security, in the digital age this is new?

  • Gwiz (profile), 11 Aug 2016 @ 7:59am

    "dysfunction onion"

    Did anyone else hear a Schoolyard Rock start playing in their head when they read the phrase "dysfunction onion"?

    Or am I just weird?

  • Anonymous Coward, 11 Aug 2016 @ 8:14am

    Will this mean that from now on, the "digital" padlocks regularly sold on Techdirt's "dirty deals" will mention this important fact in the sales pitch?

    https://www.techdirt.com/articles/20150723/09513631736/daily-deal-quicklock.shtml

  • Anonymous Coward, 11 Aug 2016 @ 8:24am

    Real Security!

    Security is a problem never fully understood for two reasons.

    1. Governments do not wish for citizens to know the truth about security.

    2. Citizens foolishly think government should oversee their security! A true impossibility!

    A true security lock should have only 2 responsibilities.
    1. Reasonable mechanism for keeping anyone or thing out without a valid key.
    2. A log of ALL access attempts successful or not.

    As long as you have those two features, the physical limits of security of the device itself is not very critical because you can have additional security mechanisms outside of the device handle more complex issues which can be much more difficult to fool.

    The knowledge of breach is far more important than preventing breach. This logic is lost on most people, especially security in the corporate and IT setting, but not the government.

    • Anonymous Coward, 12 Aug 2016 @ 12:09am

      Re: Real Security!

      Unfortunately for your notion, most hackers / admins head straight for the audit trail when they gain illicit access. Records deleted.

      You'll only see protection against this in enterprise class systems where illicit entry immediately raises a remote alarm.

  • Keroberos (profile), 11 Aug 2016 @ 8:25am

    Interesting legal dilemma here. If any other manufacturer had a product that they knew could cause damage or loss, they'd get sued. What about that company that said 'We know it's a problem, but we're not gonna fix it.'?

  • Tony E, 11 Aug 2016 @ 10:29am

    All good points, but...

    Dare I say that these locks create a back door to your front door?

    The rock thing is, I guess, a good point. But a rock is loud and visually obvious to neighbors. This trick would be both silent (or as silent as the lock itself is) and would look normal to a neighbor, possibly.

    On the other hand, if you have to sniff the password, it seems like this would have to be someone with a grudge and not just some random thief. They have to be relatively close while you're unlocking it to get the password in the first place. It seems highly unlikely that anyone would find this to be an issue.

    The point of the article is that the IoT industry is the problem, as someone else said. These companies don't care about building-in proper security, and they don't care about trying to fix broken security. For now, we have hackers to warn us about these issues, but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.

    • Anonymous Coward, 11 Aug 2016 @ 11:38am

      Re: All good points, but...

      but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.

      This is the problem with all humanity. Let's get a fucking law. We cannot be bothered with NOT buying shit we just need to create more corruption by having someone create and then administer the law and regulate it so we can pick and choose winners and losers.

      And when we are done, bitch about the corrupt we just invited in the front fucking door!

  • Derek Kerton (profile), 11 Aug 2016 @ 10:30am

    Still, Why the Rage Pointed Just at IoT?

    "Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion."

    Right.

    And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.

    IoT, like any other connected devices, is attacked, often with success. Like the others, they should be more secure. But I still don't understand why Karl is so singularly pissed off at IoT, out of proportion with all else.

    Here's news today on Volkswagen's keyless system that can be hacked. Is IoT really so specially bad?

    https://www.yahoo.com/news/keyless-systems-older-vw-group-cars-hacked-researchers-140603841--finance.html?ref=gs

    • That One Guy (profile), 11 Aug 2016 @ 12:12pm

      Once again: 'Everyone else is doing it' is not a valid excuse

      I notice you didn't mention starvation, homelessness, wars, grand theft auto and jaywalking. Why all the focus on Karl's stand on IoT? Surely those other things are much more serious, why spend so much time on articles like this?

      And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.

      There's a pretty hefty difference between 'No security is perfect, and as a result system X got hacked' and 'Company X/Y/Z isn't even trying to secure their products, leaving them wide open for attack'.

      Exactly what is your objection to articles like this pointing out lousy security practices that companies should know better by now? 'It should be better but it's not' is a pretty poor argument for why companies shouldn't be called out on their actions, and if anything should be cause for more criticism, not less.

      • Derek Kerton (profile), 16 Aug 2016 @ 4:48pm

        Re: Once again: 'Everyone else is doing it' is not a valid excuse

        There is a big difference between:

        saying "Your articles should cover things I care about: starvation, jaywalking, etc"

        and saying "You are consistently writing about one particular topic in a way that suggests a chip on your shoulder more than a fair evaluation."

        "Exactly what is your objection to articles like this pointing out lousy security practices"
        My objection is not calling out the security. It is the content (article and comments) that are summarized as: "The IoT is dumb because it currently is insecure."

        Read the article. That insinuation is in there. For example, 16 locks were tested. An abysmal 12 were hackable. OK, so was the conclusion that the other 4 are better products, and we should look to them? No, there is no reward for being one of the better-made locks. Instead, the entire sector is painted with one brush: "the dysfunction onion".

        What is the objective? To push for better security, or to kill IoT with FUD? I think it's the former, and I think even Karl might agree -- but the article does the latter.

    • John Fenderson (profile), 11 Aug 2016 @ 12:21pm

      Re: Still, Why the Rage Pointed Just at IoT?

      I have read numerous articles here and elsewhere about the security problems in every one of the other things you have mentioned. I don't see a single-minded focus on IoT issues at all.

      • Derek Kerton (profile), 16 Aug 2016 @ 4:50pm

        Re: Re: Still, Why the Rage Pointed Just at IoT?

        True, Techdirt has called out most dumb security lapses. But I don't think the entire sector was considered stupid because of the lapses.

        Take HTTPS web servers. Mike harped on that for years waiting for websites to figure out they should secure the connection. But at no point did anyone suggest the web was stupid, useless, or silly as a result.

    • Uriel-238 (profile), 11 Aug 2016 @ 12:46pm

      Re: Still, Why the Rage Pointed Just at IoT?

      There are two specific problems (I see) with IoT devices.

      One is that they are often vulnerabilities into the rest of a network, for example, the refrigerator that logs into a local router that will reveal to hackers the password to the router. So the IoT device makes your array less secure just by its presence.

      The other is that IoT devices often are controlled remotely through their IoT-ness, thus a car can be shut down (or forced to accelerate) in the middle of a freeway. A thermostat can be set to the highest setting or shut off. While the incidents with airplanes in which pilot controls are connected to the passenger-access wifi (yes really) pretty much counts as an IoT once a passenger can drop the oxygen tanks or adjust the trim.

      Someone's going to get written into the history books as the first person to be murdered by IoT hack before this gets fixed.

  • That One Guy (profile), 11 Aug 2016 @ 12:00pm

    Time for some motivation

    "We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

    I imagine they might start to care, or at least pretend to, if their crap security and indifference towards it was made public. Don't demonstrate it at a security conference, send the info (anonymously of course, hence why you skip the public demonstration, to make it harder to pin the info to you) to a few news groups and let them run with it.

    A few PR black eyes from articles pointing out how companies selling these types of locks don't actually take even rudimentary steps to make them secure might convince them that investing in some security isn't just a waste of money.

  • Skeeter, 11 Aug 2016 @ 2:34pm

    Keeping Honest

    Seriously, locks are intentionally designed 'to keep honest people honest'. When a 10-year old with a screwdriver and a rubber mallet can open your front door in 20-seconds, what makes you think your electronic devices are secure against those skilled enough to hack them, and corrupt enough to try? As with all locks, just remember, 'locks are designed only to keep honest people honest'.

    That said, only a fool puts his gold on display in his front window, or builds a castle without security. Either stop chasing the 'Jones' (and hi-tech IT) unless you also have the money to add that real layer of 'extra security'. Otherwise, you're just setting yourself up for a major loss.

  • Anonymous Coward, 11 Aug 2016 @ 4:12pm

    Wow. It's one thing when your fridge or thermostat has bad security. But a freaking lock? Companies are literally selling *home security devices* but can't even be bothered to follow the most basic and simple of real security practices? And when informed of these flaws, they simply shrug their shoulders? It boggles my mind.

  • Rekrul, 12 Aug 2016 @ 7:36am

    The rush to connect everything to the net, creating all new security issues in the process is like removing your front door to make it more convenient to enter your home and then wondering what you can do to keep the burglars out.

  • Anonymous Coward, 12 Aug 2016 @ 2:28pm

    Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

    Not only is that extremely problematic but that seems like a lawsuit just waiting to happen and one that should be pretty easy to win and very expensive for that company if they are flat out admitting they know of the problem but refuse to do anything to fix it.

    • Uriel-238 (profile), 12 Aug 2016 @ 2:43pm

      The trouble with honesty.

      Yeah, but that will encourage future responses of we know it's a problem and we have top men on it, when they don't.

      I'm not sure the solution in this clime.

      If these companies can be forced to do a product recall since an easily hackable lock can be reasonably inferred to be a flawed product, that might force them to fix the problem or withdraw the product from market, whether or not they're honest about their intentions.

    • John Fenderson (profile), 12 Aug 2016 @ 3:29pm

      Re:

      What would be the basis of the lawsuit? Factor in that there's almost certainly wording in the license agreement to the effect that there is no promise of fitness for purpose or that bugs will be fixed.
