Security researcher Anthony Rose just wanted to try out his Bluetooth range-finding setup. While wandering in his neighborhood, he noticed a lot of Bluetooth locks popping up and decided to do some sniffing of those "security" gadgets (read: capturing packets being sent between devices). "I discovered plain-text passwords being sent that anybody could read. I couldn't imagine I was the only one that could see this," Rose told Engadget following a presentation at last week's DefCon security conference.
Rose then purchased 16 Bluetooth-enabled door locks. With the help of his partner, Ben Ramsey, he found that across the board, security was either nonexistent or seriously flawed. "I never imagined that I would come across 12 of the 16 locks that I bought having either no security or poorly implemented security," Rose said.
Of those security-impaired locks, four sent plain-text passwords. They were the Quicklock Doorlock, Quicklock Padlock, iBluLock Padlock and Plantraco PhantomLock. The Quicklock brand was especially troubling because Rose could change the admin password and lock out the user. The only way to reset it is to remove the battery, which can only be accessed when the door it's attached to is open.