DEF CON attendee finds 75 percent of Bluetooth smart locks are open to hacks

At this year’s annual DEF CON hacking conference in Las Vegas, a duo of researchers made the startling discovery that roughly 75 percent of Bluetooth Low Energy smart locks are susceptible to hacks. What’s arguably a touch more unsettling than the researchers’ findings, however, is the fact that the manufacturers of these at-risk locks — companies like Ceomate, Vians, Quicklock, and others — didn’t seem overly concerned that their products contained such holes. Considering a large part of smart home innovation is geared toward making homes safer, these findings certainly won’t be attracting new customers anytime soon.

While attending the DEF CON conference last week, electrical engineer and smart home researcher Anthony Rose took to the task of testing 16 different Bluetooth smart locks. Working with research partner Ben Ramsey, he found that 12 of the reviewed locks allowed at least some amount of wireless access when attacked. Furthermore, Rose and Ramsey say that the difficulty of successfully hacking each product varied, as some proved to be rather easy to access while others boasted a slightly harder barrier for entry.


“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors,” Rose told Tom’s Guide. “It turned out that the vendors don’t really care. We contacted 12 vendors. One responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”

Obviously, a statement of that nature is particularly troubling, though it’s the actual vulnerabilities Rose and Ramsey found that are especially damning to the companies involved. Of the 12 locks boasting security holes, four of them willingly sent a user’s password — in plain text — to a smartphone, meaning someone who knows their way around a Bluetooth sniffer wouldn’t have to struggle much to obtain a critical password. Additionally, Rose and Ramsey reported that Quicklock’s Doorlock and Padlock models even offered to send the password multiple times, allowing them to change the password and effectively cut off access to the original owner.

“Vendors prioritize physical robustness over wireless security,” Rose added. “Our recommendation to anyone who owns one of these smart locks is to turn off Bluetooth on the smartphone when it’s not in use.”

Though a few of the manufacturers with hacked locks claim they encrypt a user’s password when it’s transmitted via Bluetooth, Rose and Ramsey still reported having the ability to swipe the encrypted password out of thin air and then send it back to the lock itself. When they did this, the smart lock would unlock itself without the original owner knowing, and without either of the researchers needing to decrypt the encrypted password.

So who passed the test? According to the pair of researchers, models released by August and Kwikset boasted enough security — i.e., no hard-coded passwords, proper encryption, and two-factor authentication — to pass as somewhat secure. It is worth noting that a different researcher at DEF CON claims to have hacked the August Smart Lock, so take Rose and Ramsey’s pseudo-seal of approval with a grain of salt.
