You are using an older browser version. Please use a supported version for the best MSN experience.

Researcher finds huge security flaws in Bluetooth locks

Engadget Engadget 10/08/2016 Roberto Baldwin
© Provided by Engadget © Provided by Engadget

Security research Anthony Rose just wanted to try out his Bluetooth range-finding setup. While wandering in his neighborhood, he noticed a lot of Bluetooth locks popping up and decided to do some sniffing of those "security" gadgets (read: capturing packets being sent between devices). "I discovered plaintext passwords being sent that anybody could read. I couldn't imagine I was the only one that could see this," Rose told Engadget following a presentation at last week's Def Con security conference.

Rose then purchased 16 Bluetooth-enabled door locks. With the help of his partner Ben Ramsey, he found that across the board, security was either non-existent or seriously flawed. "I never imagined that I would come across 12 of the 16 locks that I bought having either no security or poorly implemented security," Rose said.

Of those security-impaired locks, four of them sent plaintext-passwords. They were the Quicklock Doorlock, Quicklock Padloock, iBluLock Padlock and Plantraco PhantomLock. The QuickLock brand was especially troubling because Rose could change the admin password and lock out the user. The only way to reset it is to remove the battery which can only be accessed when the door it's attached to is open.

Four other locks were prone to replay attacks (when validated data is played again or delayed in transmission). Those were the Ceomate Bluetooth Smartlock, Elecycle Smart Padlock, Vians Bluetooth Smart Doorlock and Lagute Sciener Smart Doorlock. Some of these locks even claimed that encryption was being used. Which really doesn't matter if you can capture, store and later send out passwords.

Rose and Ramsey were also able to hijack the "encrypted" with "patented cryptographic solutions" of the Okidokey Smart Doorlock by changing the third byte in its unique key to 00. The lock gets confused and opens. The researcher contacted Okidokey and instead of replying to his email, the company shut down its site. But the doorlock is still available on Amazon.

He also found that the Danalock Doorlock had a hard-coded password and that the Mesh Motion Bitlock Padlock could be impersonated (known as device spoofing) with a Raspberry Pi that would trick the device's cloud server to send out a password.

This is all extremely troubling when you realize that these pieces of technology are all that stand between a burglar and the inside of your house. With a long range antenna, some of these locks could be open from half a mile away. Someone trying to jimmy your front door would arouse suspicion. If that same person just walked up and opened the door, there's a good chance neighbors would believe everything was above board.

Rose's team only tested 16 locks. But the Bluetooth-enabled security market continues to grow which concerns Rose. "In most cases convenience their top goal because they're trying to sell a product. Security usually ends up being a second thought in these cases," he told Engadget. It's equally worrisome that only one of the companies he contacted replied to his findings. He had expected at half to get back to him.

The four locks that the team couldn't hack were the Noke Padlock, Masterlock Padlock, Kwikset Kevo Doorlock and August Doorlock. But he did note that the earlier versions of the Kwikset could be opened by jamming a screwdriver into the keyhole, while another researcher at this year's Def Con was able to crack the August.

Rose says he will continue testing not only Bluetooth door locks, but other connected devices as well. When asked if he'd seen any locks on the market he would add to his front door, Rose replied, "absolutely not."


More from Engadget

image beaconimage beaconimage beacon