Skip to main content

Surprise: a lot of smart locks have terrible security

Surprise: a lot of smart locks have terrible security

Share this story

Gadget makers love the Internet of Things. Just look at connected refrigerators, connected tampons, and connected pregnancy tests as some examples. As I’ve said before, and I’ll say again, the security of these devices is often inadequate. This week at DEF CON, two researchers, Anthony Rose and Ben Ramsey, emphasized this point by demonstrating how they easily compromised 12 different Bluetooth Low Energy smart locks using cheap hardware that cost around $200 altogether.

Some devices, including the Quicklock Doorlock & Padlock and the iBluLock Padlock, stored passwords in plain text. Anyone with a Bluetooth sniffer could gain access. Other locks, including the Ceomate Bluetooth Smart Doorlock and the Elecycle EL797, were vulnerable to replay attacks, which means the researchers grabbed data over the air when a legitimate user unlocked the lock, and they then just replayed that data to gain access. Some of the other attacks were a bit more intricate, although still fairly basic. Only one of the companies the researchers contacted responded to their vulnerability report, and it didn’t offer a patch. A separate DEF CON presentation showed how to hack the August lock by exfiltrating a one-time key from a paired phone, although that vulnerability has since been patched. Others still exist, however, including one that involves the installation of a backdoor key.

But for many of the other devices, a hacker with the right hardware and tools can open a locked door without any special access to authorized keys. It might be time to ask whether the conveniences of the IoT are worth the potential security risks.

Update 2:53PM ET: Updated to reflect that the August smart lock has been patched.