Researcher finds huge security flaws in Bluetooth locks

You might want to rethink adding technology to your front door.

Researcher Anthony Rose discloses Bluetooth lock security issues at Def Con.

Security researcher Anthony Rose just wanted to try out his Bluetooth range-finding setup. While wandering in his neighborhood, he noticed a lot of Bluetooth locks popping up and decided to do some sniffing of those "security" gadgets (read: capturing packets being sent between devices). "I discovered plain-text passwords being sent that anybody could read. I couldn't imagine I was the only one that could see this," Rose told Engadget following a presentation at last week's DefCon security conference.

Rose then purchased 16 Bluetooth-enabled door locks. With the help of his partner, Ben Ramsey, he found that across the board, security was either nonexistent or seriously flawed. "I never imagined that I would come across 12 of the 16 locks that I bought having either no security or poorly implemented security," Rose said.

Of those security-impaired locks, four of them sent plain-text-passwords. They were the Quicklock Doorlock, Quicklock Padloock, iBluLock Padlock and Plantraco PhantomLock. The QuickLock brand was especially troubling because Rose could change the admin password and lock out the user. The only way to reset it is to remove the battery, which can only be accessed when the door it's attached to is open.

Four other locks were prone to replay attacks (when validated data is played again or delayed in transmission). Those were the Ceomate Bluetooth Smartlock, Elecycle Smart Padlock, Vians Bluetooth Smart Doorlock and Lagute Sciener Smart Doorlock. Some of these locks even claimed that encryption was being used. Which really doesn't matter if someone can capture, store and later send out passwords.

Rose and Ramsey were also able to hijack the "encrypted" with "patented cryptographic solutions" of the Okidokey Smart Doorlock by changing the third byte in its unique key to 00. The lock gets confused and opens. The researcher contacted Okidokey and instead of replying to his email, the company shut down its site. But the door lock is still available on Amazon.

He also found that the Danalock Doorlock had a hard-coded password and that the Mesh Motion Bitlock Padlock could be impersonated (known as device spoofing) with a Raspberry Pi that would trick the device's cloud server to send out a password.

This is all extremely troubling when you realize that these pieces of technology are all that stand between a burglar and the inside of your house. With a long-range antenna, some of these locks could be opened from half a mile away. Someone trying to jimmy your front door would arouse suspicion. If that same person just walked up and opened the door, there's a good chance neighbors would believe everything was above board.

Rose's team tested only 16 locks. But the Bluetooth-enabled security market continues to grow, which concerns Rose. "In most cases, convenience is their top goal because they're trying to sell a product. Security usually ends up being a second thought in these cases," he told Engadget. It's equally worrisome that only one of the companies he contacted replied to his findings. He had expected at least half to get back to him.

The four locks that the team couldn't hack were the Noke Padlock, Masterlock Padlock, Kwikset Kevo Doorlock and August Doorlock. But he did note that the earlier versions of the Kwikset could be opened by jamming a screwdriver into the keyhole, while another researcher at this year's Def Con was able to crack the August system by upgrading a guest account to an owner account with a custom firmware. The flaw has since been fixed. An August spokesperson told Engadget, "the ability for a user to download and access their own encrypted key has been removed."

Rose says he will continue testing not only Bluetooth door locks, but other connected devices as well. When asked if he'd seen any locks on the market he would add to his front door, Rose replied, "absolutely not."

UPDATE: The article has been updated to clarify the August lock hack from Def Con.