
DEF CON attendee finds 75 percent of Bluetooth smart locks are open to hacks

At this year’s annual DEF CON hacking conference in Las Vegas, a duo of researchers made the startling discovery that roughly 75 percent of Bluetooth Low Energy smart locks are susceptible to hacks. What’s arguably a touch more unsettling than the researchers’ findings, however, is the fact that the manufacturers of these at-risk locks — companies like Ceomate, Vians, Quicklock, and others — didn’t seem overly concerned that their products contained such holes. Considering a large part of smart home innovation is geared toward making homes safer, these findings certainly won’t be attracting new customers anytime soon.

While attending the DEF CON conference last week, electrical engineer and smart home researcher Anthony Rose took to the task of testing 16 different Bluetooth smart locks. Working with research partner Ben Ramsey, he found that 12 of the reviewed locks allowed at least some amount of wireless access when attacked. Furthermore, Rose and Ramsey say that the difficulty of successfully hacking each product varied, as some proved to be rather easy to access while others boasted a slightly harder barrier for entry.


“We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors,” Rose told Tom’s Guide. “It turned out that the vendors don’t really care. We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’”


Obviously, a statement of that nature is particularly troubling, though it’s the actual vulnerabilities Rose and Ramsey found that are especially damning to the companies involved. Of the 12 locks boasting security holes, four of them willingly sent a user’s password — in plain text — to a smartphone, meaning someone who knows their way around a Bluetooth sniffer wouldn’t have to struggle much to obtain a critical password. Additionally, Rose and Ramsey reported that Quicklock’s Doorlock and Padlock models even offered to send the password multiple times, allowing them to change the password and effectively cut off access to the original owner.

“Vendors prioritize physical robustness over wireless security,” Rose added. “Our recommendation to anyone who owns one of these smart locks is to turn off Bluetooth on the smartphone when it’s not in use.”

Though a few of the manufacturers with hacked locks claim they encrypt a user’s password when it’s transmitted via Bluetooth, Rose and Ramsey still reported having the ability to swipe the encrypted password out of thin air before sending it back to the lock itself. The smart lock would then unlock itself without the original owner knowing or either of the researchers needing to decrypt the encrypted password.
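Why encryption alone does not stop this kind of replay can be shown with a small lock-side model. The following is an added example, not code from the researchers or any vendor: the key, password, class names and the use of an HMAC as a stand-in for the "encrypted password" are all assumptions made for illustration. A lock that accepts the same opaque bytes on every unlock treats a recorded copy as valid, while a lock that issues a fresh challenge for each attempt rejects it.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key"  # constructed sample secret
PASSWORD = b"123456"             # constructed sample password

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class StaticLock:
    """Accepts one fixed opaque blob (stand-in for the 'encrypted password')."""
    def __init__(self, key, password):
        self._expected = mac(key, password)  # identical on every unlock

    def unlock(self, blob):
        return hmac.compare_digest(blob, self._expected)

class ChallengeLock:
    """Issues a fresh nonce per attempt; a response is valid only once."""
    def __init__(self, key):
        self._key = key
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response):
        nonce, self._nonce = self._nonce, None  # consume the nonce
        if nonce is None:
            return False
        return hmac.compare_digest(response, mac(self._key, nonce))

def replay_outcomes():
    """Return (static replay, challenge first use, challenge replay)."""
    static = StaticLock(KEY, PASSWORD)
    recorded = mac(KEY, PASSWORD)          # bytes seen on the air once
    static_replay = static.unlock(recorded)

    lock = ChallengeLock(KEY)
    recorded = mac(KEY, lock.challenge())  # legitimate phone's answer
    first_use = lock.unlock(recorded)
    lock.challenge()                       # new attempt, new nonce
    return static_replay, first_use, lock.unlock(recorded)

if __name__ == "__main__":
    print(replay_outcomes())
```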

So who passed the test? According to the pair of researchers, models released by August and Kwikset boasted enough security — i.e., no hard-coded passwords, proper encryption, and two-factor authentication — to pass as somewhat secure. It is worth noting that a different researcher at DEF CON claims to have hacked the August Smart Lock, so take Rose and Ramsey’s pseudo-seal of approval with a grain of salt.

Rick Stella
Former Digital Trends Contributor