In a presentation at the DEF CON hacking conference in Las Vegas, Nevada, security researcher Anthony Rose detailed how to hack Bluetooth smart locks using the $100 Ubertooth sniffing device, a $40 Raspberry Pi, a $50 high-gain antenna, and a $15 USB Bluetooth dongle.
These “smart locks appear to be made by dumb people,” Rose said. “Lots of manufacturers choose user convenience over security and aren’t bothered about fixing their hardware.”
The highly susceptible
Some of the locks Rose tested were unbelievably easy to crack with this kit. Four of them, the Quicklock doorlock and padlock, the IBluLock padlock, and the Plantrace Phantomlock, transmit their passwords in plaintext, making it trivially easy for anyone sniffing the traffic to pick up the code the next time the lock is used.
Five more locks are susceptible to replay attacks whereby a hacker picks up the signal when the lock is used, stores it, then sends it again to unlock the device. The susceptible systems were the Ceomate Bluetooth Smart Doorlock, the Lagute Sciener Smart Doorlock, the Vians Bluetooth Smart Doorlock, and the Elecycle EL797 and EL797G smart padlocks.
Other basic mistakes leave locks highly vulnerable as well. One brand, Quicklock, only allows six-digit passwords, making them easy to brute force, while another manufacturer hardcoded the administrator’s password (ironically the phrase “thisisthesecret”) in the firmware, where Rose was able to find it.
Fuzzing also proved very effective at finding flaws in the source code for many locks, and so did simply crashing them: by sending malformed packets to one lock he managed to crash it, and the lock automatically opened when it did.
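As an added illustration, not code from Rose’s talk or from any of the products named, the constructed Python model below shows why the replay attack described above works against a lock that accepts a fixed credential over the air, and why a fresh random challenge answered with an HMAC over a shared key stops it. The password, key and class names are made up for the example.

```python
import hashlib
import hmac
import secrets


class StaticTokenLock:
    """Weak design: the phone sends a fixed credential (or a fixed unlock
    frame), so anything captured on the air unlocks the lock again later."""

    def __init__(self, password: bytes):
        self._password = password  # constructed value, e.g. a six-digit PIN

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._password)


class ChallengeResponseLock:
    """Hardened design: the lock issues a random one-time challenge and the
    phone must answer with HMAC(shared_key, challenge). A captured answer is
    only valid for the challenge it was computed over."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # the challenge currently awaiting an answer

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bool) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: nothing to answer
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use, consumed whether or not it matches
        return hmac.compare_digest(response, expected)


def phone_answer(key: bytes, challenge: bytes) -> bytes:
    """What a legitimate phone app would send for a given challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo() -> tuple:
    """Returns (weak first use, weak replay, strong first use, strong replay)."""
    weak = StaticTokenLock(b"123456")
    sniffed = b"123456"  # the frame an eavesdropper would have recorded
    weak_results = (weak.unlock(sniffed), weak.unlock(sniffed))

    key = b"constructed-shared-key"
    strong = ChallengeResponseLock(key)
    first_answer = phone_answer(key, strong.challenge())
    strong_first = strong.unlock(first_answer)
    strong.challenge()  # lock issues a new challenge for the next attempt
    strong_replay = strong.unlock(first_answer)  # old answer replayed: rejected
    return weak_results + (strong_first, strong_replay)
```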
What they had to say for themselves
When Rose contacted the 12 manufacturers about these issues the response was almost universally negative. One Chinese manufacturer shut down its website, but still sells on Amazon. Ten other companies simply ignored his messages. One firm did come back to him, acknowledging the issue, but said it wasn’t going to fix it.
Some locks did hold up, however, so if you’re in the market for such a device then check out Noke locks. The Bluetooth Masterlock and Kwikset Kevo lock also have “fantastic” software security with strong crypto, but should be avoided because the locks’ hardware is so poorly made you could open them in seconds with a hammer or screwdriver.
For more info about the talk and the DEF CON hacker conference, check out:
http://www.theregister.co.uk/2016/08/08/using_a_smart_bluetooth_lock_to_protect_your_valuables_youre_an_idiot/
https://techcrunch.com/2016/08/08/smart-locks-yield-to-simple-hacker-tricks/