12 of the 16 Bluetooth-enabled locks that were tested have absolutely rubbish security. If you are using or planning to use Bluetooth-enabled locks, this is a must read.
When security researcher Anthony Rose set out to test the range of his Bluetooth range-finding setup, he did not expect that breaking into "security" gadgets would be this easy.
Sniffing around his neighbourhood, he picked up loads of Bluetooth locks.
“I discovered plaintext passwords being sent that anybody could read. I couldn’t imagine I was the only one that could see this,” said Rose after he presented a paper on this during last week’s Def Con security conference.
To get to the bottom of this massive security hole, Rose then purchased 16 Bluetooth-enabled door locks. To his sheer amazement, and possibly delight, he discovered that almost every one of these locks, all designed to secure homes, had poorly implemented or non-existent security.
“I never imagined that I would come across 12 of the 16 locks that I bought having either no security or poorly implemented security,” said Rose.
The Quicklock Padlock, Quicklock Doorlock, iBluLock Padlock and the Plantraco PhantomLock, all Bluetooth-enabled locks, transmitted their passwords in plain text. To make matters worse, he was even able to change the admin password on the QuickLock brand's products. For the end user, the only way to reset the password is to remove the battery. But if the owner is locked out of his own house, how can he get to the battery?
The Ceomate Bluetooth Smartlock, Lagute Sciener Smart Doorlock and the Elecycle Smart Padlock were vulnerable to replay attacks (in which captured traffic is re-sent to the lock later, or delayed in transmission). What is even more shocking is that some of these locks claim to use some form of encryption. The question is: what good is that encryption when the unlock messages can be captured, stored and sent again?
Rose and his partner Ben Ramsey were even able to open locks that claimed to be "encrypted" with "patented cryptographic solutions" (the Okidokey Smart Doorlock) simply by changing the third byte of the lock's unique key to 00. This confused the lock, and it responded by opening the door.
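The replay and corrupted-key failures described above come down to two design choices: whether an unlock message is valid more than once, and whether the lock fails closed on input it does not understand. The following added example (constructed for this article; it is not the firmware or protocol of any lock named here, and the key and password values are made up) contrasts a static-password lock, where a sniffed message can be sent again, with a nonce-based challenge-response lock, where the same sniffed response is rejected and a key with one altered byte is refused rather than treated as an open command.

```python
"""Constructed illustration of replay resistance for a Bluetooth-style lock.
Not the protocol of any real product; the key and password are made up."""
import hashlib
import hmac
import os


class StaticPasswordLock:
    """Weak design: the lock accepts a fixed password sent over the air."""

    def __init__(self, password: bytes):
        self._password = password
        self.opened = 0

    def receive(self, message: bytes) -> bool:
        # The same bytes work every time, so anything sniffed is a key.
        if hmac.compare_digest(message, self._password):
            self.opened += 1
            return True
        return False


class ChallengeResponseLock:
    """Lock that issues a fresh random nonce per attempt and expects
    HMAC-SHA256(key, nonce) back; each nonce is single-use."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None
        self.opened = 0

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def receive(self, response: bytes) -> bool:
        # Fail closed: no outstanding challenge or wrong length is a reject,
        # never a "confused" state that opens the door.
        if self._pending is None or len(response) != 32:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # nonce consumed whether or not the MAC matches
        if hmac.compare_digest(response, expected):
            self.opened += 1
            return True
        return False


def phone_respond(key: bytes, nonce: bytes) -> bytes:
    """What a legitimate phone app sends back for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_against_static(password: bytes = b"letmein") -> tuple:
    """Legitimate unlock, then the sniffed message sent a second time."""
    lock = StaticPasswordLock(password)
    sniffed = password  # an eavesdropper sees exactly these bytes on the air
    legit = lock.receive(password)
    replayed = lock.receive(sniffed)
    return legit, replayed, lock.opened  # (True, True, 2): replay succeeds


def replay_against_challenge(key: bytes = b"\x01" * 32) -> tuple:
    """Same scenario against the nonce-based lock."""
    lock = ChallengeResponseLock(key)
    nonce = lock.challenge()
    sniffed = phone_respond(key, nonce)
    legit = lock.receive(sniffed)
    lock.challenge()  # the next attempt gets a different nonce
    replayed = lock.receive(sniffed)
    return legit, replayed, lock.opened  # (True, False, 1): replay rejected


def corrupted_key_against_challenge(key: bytes = b"\x01" * 32) -> bool:
    """A key with its third byte set to 0x00 must be refused, not let in."""
    bad_key = bytearray(key)
    bad_key[2] = 0x00
    lock = ChallengeResponseLock(key)
    nonce = lock.challenge()
    return lock.receive(phone_respond(bytes(bad_key), nonce))  # False


if __name__ == "__main__":
    print("static password, replay:", replay_against_static())
    print("challenge-response, replay:", replay_against_challenge())
    print("challenge-response, altered key:", corrupted_key_against_challenge())
```

The two properties worth checking in any lock's protocol are visible in the second class: the nonce is generated by the lock, not the phone, so the phone cannot choose a value it has seen before, and every validation failure (missing challenge, wrong length, bad MAC) takes the same reject path. A lock that trusts a client-supplied counter, or that has any code path where malformed input ends in the open state, has neither property.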
When he contacted Okidokey, the company shut down its website instead of replying to his e-mail. Its doorlock can, however, still be bought from Amazon.com.
The Danalock Doorlock uses a hard-coded password, while Mesh Motion's Bitlock Padlock can be opened with a Raspberry Pi through device spoofing.
The gravity of the situation increases when you realise that a burglar armed with a long-range antenna can open these supposedly "secure" Bluetooth-enabled locks from almost half a mile away.
Rose and his partner have tested only 16 Bluetooth-enabled locks; what about the rest? The Bluetooth-enabled security market is growing at a rapid pace.
“In most cases convenience [is] their top goal because they’re trying to sell a product. Security usually ends up being a second thought in these cases,” said Rose.
Only four of the Bluetooth-enabled locks could not be breached by Rose and his partner: the Noke Padlock, Kwikset Kevo Doorlock, Masterlock Padlock and August Doorlock.