75 Percent of Bluetooth Smart Locks Can Be Hacked

UPDATED Aug. 10 to include names of two more uncracked locks.

LAS VEGAS — Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here.

Credit: Alexander Kirch

(Image credit: Alexander Kirch)

Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit.

"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors.  It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air. 

Two of those four models, the Quicklock Doorlock and Quicklock Padlock, sent the password twice, Rose said. He and Ramsey found that they could change the user password by returning the same command with the second iteration of the password changed to something else, freezing out the legitimate user.

"The user can't reset it without removing the battery, and he can't remove the battery without unlocking the lock," Rose said.

Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted.

An Okidokeys smart lock claimed to use a proprietary encryption format. Rose and Ramsey knew that roll-your-own encryption often has flaws, so they tried a "fuzzing" attack, sending random data to the lock to see how the software responded. By changing one byte in the encryption string, Rose said, the Okidokey entered an error state — and the lock opened.

"We contacted Okidokeys, and then they turned off their website," Rose said. "But you can still buy the locks on Amazon."

It was harder, but not impossible, for Rose and Ramsey to crack the Mesh Motion Bitlock bicycle lock. Using free software, they replicated the lock's wireless profile on an Android phone, then were able to stage a man-in-the-middle attack on the traffic flowing between the Bitlock, its smartphone app and Mesh Motion's cloud servers.

The pair found that the Bitlock's encryption depended on a predictable "nonce" numerical value to generate encrypted strings. Nonces are supposed to be random, but Rose and Ramsey found that the Bitlock's nonce function simply added one to the nonce used the previous time. Because of that, they were able to impersonate the legitimate user and open the lock.

"We contacted the Bitlock's manufacturer and told them about this," Rose said. "They said they'd fix the problem, but after three months they still haven't."

There were four smart locks that Rose said he and Ramsey failed to hack into, including models made by Kwikset and August. All four used encryption properly, offered two-factor authentication and contained no hardcoded passwords buried in the software. However, Rose said there was a YouTube videos that showed one secure model, the Kwikset Kevo, being opened with a flathead screwdriver.

(UPDATE: In an Aug. 7 presentation at DEF CON, another researcher showed how he'd defeated most of the security precautions on the August Smart Lock. UPDATE UPDATE: August contacted Tom's Guide about the previous sentence, and issued a statement, in part: "The ability for a user to download and access their own encrypted key has been removed. Our system has never been compromised and none of our users' smart locks have been at risk." UPDATE UPDATE UPDATE: The researcher who looked into the August Smart Lock, Jmaxxz, contacted Tom's Guide to say that "the August is still vulnerable. The information they have been feeding you is nearly completely wrong.")

Nevertheless, Rose said, the takeaway was that 12 out of 16 Bluetooth Low Energy smartlocks had broken security.

"Vendors prioritize physical robustness over wireless security," Rose said. "Our recommendation to anyone who owns one of these smartlocks is to turn off Bluetooth on the smartphone when it's not in use."

UPDATE: The two other uncrackable locks were the Noke Padlock and the Masterlock Padlock, per presentation slides posted on Github.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.