Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked

from the dumb-is-the-new-smart dept

Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of "Internet of Things" evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.

Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion. The latest: researchers have discovered that the majority of Bluetooth-enabled smart locks include broken security, free of charge. Researchers Anthony Rose and Ben Ramsey recently tested 16 Bluetooth smart locks, and found that 12 of them opened when attacked. Like so many IoT products, the companies building these devices failed to take even standard precautions to protect user security:
"The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air. "
And when manufacturers could be bothered to use encryption, they didn't do a very good job of it:
"Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted."
The hackers, which demonstrated the attacks at Defcon, noted that owners can help protect themselves by turning off Bluetooth on their smartphones when not in use (or revert to higher quality "dumb" locks). But it's worth noting that forgetting to include basic security on your device is one thing. But time and time again when these companies are informed of the vulnerabilities in their products, they double down on their incompetence and apathy, making it abundantly clear that they don't actually care if their security products are actually secure:
"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"
It's worth reading that last bit again, so when Bruce Schneier's Internet-of-Things-induced cyber apocalypse occurs we can't pretend we weren't warned.

Filed Under: hacking, iot, privacy, security, smart locks

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Ven, 11 Aug 2016 @ 6:51am

    Alternate title

    "Like Most other locks, Most 'Smart' Locks Are Easily Hacked"

    Honestly most home locks (external door locks) and padlocks are just so bad at real security, but at least they require the attacker to be physically present.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.