Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked

from the dumb-is-the-new-smart dept

Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of "Internet of Things" evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.

Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion. The latest: researchers have discovered that the majority of Bluetooth-enabled smart locks include broken security, free of charge. Researchers Anthony Rose and Ben Ramsey recently tested 16 Bluetooth smart locks, and found that 12 of them opened when attacked. Like so many IoT products, the companies building these devices failed to take even standard precautions to protect user security:
"The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air."
And when manufacturers could be bothered to use encryption, they didn't do a very good job of it:
"Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted."
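The failure described in that quote is a replay problem, not an encryption problem: if the lock accepts the same fixed blob every time, the blob is the password for all practical purposes, and whether it is "encrypted" is irrelevant. The following simulation is an added example, written for this page and not code from the researchers or from any lock vendor. It contrasts a lock that accepts a static token (a SHA-256 of a shared key stands in for whatever fixed transform the real lock used; that choice and the key value are assumptions) with a lock that issues a fresh random nonce per attempt and expects an HMAC over it, so a captured response cannot be reused.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo secret shared by lock and phone app (a real product would
# derive this during pairing; the value here is made up for the example).
SHARED_KEY = b"constructed-demo-key-not-a-real-product-secret"


class StaticTokenLock:
    """Weak design: the lock accepts one fixed 'encrypted password' blob.
    Whoever captures that blob over the air can send it again later."""

    def __init__(self, key: bytes) -> None:
        # The lock stores the single value it will accept, forever.
        self._expected = hashlib.sha256(key).digest()

    def unlock(self, blob: bytes) -> bool:
        return hmac.compare_digest(blob, self._expected)


class ChallengeResponseLock:
    """Hardened design: the lock sends a fresh random nonce and expects
    HMAC(key, nonce). A sniffed response is useless later because that
    nonce is never issued again."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Optional[bytes] = None  # the one outstanding nonce

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no challenge outstanding: nothing to compare against
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # one-shot: consumed whether or not it succeeds
        return hmac.compare_digest(response, expected)


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate companion app computes for a given nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_static_replay() -> Tuple[bool, bool]:
    """Returns (legitimate unlock, replayed unlock) for the static-token lock."""
    lock = StaticTokenLock(SHARED_KEY)
    legit_blob = hashlib.sha256(SHARED_KEY).digest()  # what the app transmits
    first = lock.unlock(legit_blob)
    sniffed = bytes(legit_blob)  # the same bytes, captured by an eavesdropper
    replayed = lock.unlock(sniffed)
    return first, replayed  # (True, True): the replay opens the lock


def demo_challenge_response_replay() -> Tuple[bool, bool]:
    """Returns (legitimate unlock, replayed unlock) for the nonce-based lock."""
    lock = ChallengeResponseLock(SHARED_KEY)
    nonce = lock.challenge()
    resp = phone_response(SHARED_KEY, nonce)
    first = lock.unlock(resp)
    sniffed = bytes(resp)  # captured during the legitimate session
    lock.challenge()  # the lock hands out a different nonce next time
    replayed = lock.unlock(sniffed)
    return first, replayed  # (True, False): the replay is rejected


if __name__ == "__main__":
    print("static token  (legit, replay):", demo_static_replay())
    print("challenge/resp (legit, replay):", demo_challenge_response_replay())
```

The design point is that the lock, not the phone, must contribute the unpredictable value; a nonce chosen by the phone can be chosen again by anyone replaying the phone's traffic. The one-shot consumption of the pending nonce also matters: leaving it valid after a failed attempt would let an attacker keep retrying against a single challenge.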
The hackers, who demonstrated the attacks at Defcon, noted that owners can help protect themselves by turning off Bluetooth on their smartphones when not in use (or by reverting to higher quality "dumb" locks). Forgetting to include basic security on your device is one thing. But time and time again, when these companies are informed of the vulnerabilities in their products, they double down on their incompetence and apathy, making it abundantly clear that they don't actually care whether their security products are actually secure:
"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"
It's worth reading that last bit again, so when Bruce Schneier's Internet-of-Things-induced cyber apocalypse occurs we can't pretend we weren't warned.

Filed Under: hacking, iot, privacy, security, smart locks

Reader Comments

  1. Atkray (profile), 11 Aug 2016 @ 11:27am

    Re: Re: Re: Re: Alternate title

    The additional point often missed in these discussions is that many consumers are buying these precisely because they know that standard "dumb" locks are trivial to pick.

    They buy into the marketing that "smart" locks will protect them better.

    The orders of magnitude higher price reassures them this must be true.

    That is why it is significant how simple they are to bypass.
