Researchers identify issues in 12/16 smart lock systems

Aug 14, 2016 21:20 GMT  ·  By

Researchers Anthony Rose and Ben Ramsey from Merculite Security revealed at the DEF CON 24 security conference, held in Las Vegas last weekend, that most smart door lock systems using Bluetooth LE are woefully insecure and allow attackers to defeat their protections, some of them with relative ease.

Rose and Ramsey's research consisted of an experiment that revolved around hacking their way through a batch of 16 smart door lock systems. They were successful in doing so in 12 of the tested locks.

In their DEF CON presentation, the researchers highlight several problems with the door locks, which, in their opinion, are trivial to hack, exposing the people who rely on them to theft and possible physical harm.

12 out of 16 locks contained design flaws and vulnerabilities

Rose and Ramsey's hacking techniques ranged from traffic analysis to crafting a sniffing device that would cost crooks around $200 and allow them to catch the door lock authentication password sent via a Bluetooth LE connection in mid-flight or record and then replay the authentication request at a later date.

The researchers discovered vulnerable lock models from vendors such as Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey, and Mesh Motion.

Some of these vendors had hilariously simple security flaws, like sending the lock password in cleartext, with some of them even sending it twice, just to make sure.

Hacks range from trivial to advanced

In cases where the password was masked, the researchers found that they could record the authentication request and replay it later, at a more convenient date, when nobody was home, in what's called a replay attack.
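The two weaknesses described so far, a credential sent in the clear and an authentication exchange that can be recorded and replayed, share one root cause: nothing in the exchange is bound to the current attempt, so whatever the lock accepted once it will accept again. The following Python simulation is an added example written for this article; it is not code from the researchers' talk or from any of the lock vendors, and the credential, frame contents and class names are constructed for illustration. It contrasts a static-token scheme, where the sniffed frame is the key, with a challenge-response scheme in which the lock picks a fresh nonce per attempt and the phone answers with an HMAC over that nonce, so the secret never crosses the air and a captured answer is useless against the next challenge.

```python
import hashlib
import hmac
import os

# --- Scheme A: a static credential (or fixed token) sent on every unlock ------
# Whatever crosses the air is the credential itself, so a frame captured by a
# passive sniffer is as good as the key, and the lock cannot tell a fresh
# request from one it has already accepted.

class StaticTokenLock:
    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self.unlocked = False

    def handle_unlock(self, frame: bytes) -> bool:
        # Constant-time comparison; still replayable because the frame is fixed.
        self.unlocked = hmac.compare_digest(frame, self._secret)
        return self.unlocked


def static_client_frame(shared_secret: bytes) -> bytes:
    return shared_secret  # identical bytes on every attempt


# --- Scheme B: challenge-response with a fresh, lock-chosen nonce -------------
# The lock issues a random nonce per attempt; the phone proves possession of
# the key with HMAC(key, nonce || command).  A response is bound to one nonce,
# so a recording of it fails against any later challenge.

class ChallengeResponseLock:
    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._pending_nonce = None
        self.unlocked = False

    def issue_challenge(self) -> bytes:
        self._pending_nonce = os.urandom(16)
        return self._pending_nonce

    def handle_response(self, command: bytes, tag: bytes) -> bool:
        if self._pending_nonce is None:
            return False  # no outstanding challenge: nothing to verify against
        expected = hmac.new(self._secret, self._pending_nonce + command,
                            hashlib.sha256).digest()
        self._pending_nonce = None  # one challenge, one attempt
        ok = hmac.compare_digest(tag, expected) and command == b"UNLOCK"
        self.unlocked = ok
        return ok


def challenge_client_response(shared_secret: bytes, nonce: bytes,
                              command: bytes = b"UNLOCK") -> bytes:
    return hmac.new(shared_secret, nonce + command, hashlib.sha256).digest()


SECRET = b"constructed-demo-secret"  # constructed value, not a real credential


def demo_static_replay():
    """Returns (first attempt accepted, replayed frame accepted)."""
    lock = StaticTokenLock(SECRET)
    captured = static_client_frame(SECRET)   # what a passive sniffer would see
    first = lock.handle_unlock(captured)
    lock.unlocked = False                    # owner locks the door again
    replayed = lock.handle_unlock(captured)  # same bytes, replayed later
    return first, replayed


def demo_challenge_replay():
    """Returns (first attempt accepted, replayed response accepted)."""
    lock = ChallengeResponseLock(SECRET)
    nonce = lock.issue_challenge()
    tag = challenge_client_response(SECRET, nonce)
    first = lock.handle_response(b"UNLOCK", tag)
    lock.unlocked = False
    lock.issue_challenge()                   # fresh nonce for the new attempt
    replayed = lock.handle_response(b"UNLOCK", tag)  # old answer, new challenge
    return first, replayed


if __name__ == "__main__":
    print("static token: first=%s replayed=%s" % demo_static_replay())
    print("challenge-response: first=%s replayed=%s" % demo_challenge_replay())
```

The nonce must come from the lock, not the phone; if the phone chose it, a recorded nonce-and-answer pair could simply be resent as a unit. Rejecting a response when no challenge is outstanding closes that same gap from the other side.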

Where the locks featured a more secure method of transmitting the data, the researchers said that basic source code fuzzing techniques exposed flaws that crashed the lock software, which also unlocked it.
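A crash that unlocks the door is a fail-open design: the error path, not the authentication path, decides where the bolt ends up. The simulation below is an added example for this article, not any vendor's firmware, and the frame layout, PIN and class names are constructed. It feeds a set of malformed frames (truncated, oversized length field, bad checksum, unknown opcode) to two controllers that share the same strict parser; the only difference is what happens after a parse error, modelled as a crash and reset. One resets to the actuator's released position, the other drives the bolt closed before accepting new input.

```python
import hmac

# Constructed frame layout for the simulation (not any real lock's protocol):
#   1 byte opcode | 1 byte payload length | payload | 1 byte XOR checksum
OP_UNLOCK = 0x01
OP_STATUS = 0x02
MAX_PAYLOAD = 16


class FrameError(ValueError):
    pass


def parse_frame(frame: bytes):
    """Validate every field before anything else touches state."""
    if len(frame) < 3:
        raise FrameError("frame too short")
    opcode, length = frame[0], frame[1]
    if length > MAX_PAYLOAD:
        raise FrameError("declared length exceeds maximum")
    if len(frame) != 2 + length + 1:
        raise FrameError("declared length does not match frame size")
    calc = 0
    for b in frame[:-1]:
        calc ^= b
    if calc != frame[-1]:
        raise FrameError("bad checksum")
    if opcode not in (OP_UNLOCK, OP_STATUS):
        raise FrameError("unknown opcode")
    return opcode, frame[2:2 + length]


def build_frame(opcode: int, payload: bytes) -> bytes:
    body = bytes([opcode, len(payload)]) + payload
    chk = 0
    for b in body:
        chk ^= b
    return body + bytes([chk])


class LockFirmware:
    """Simulated controller: handle_frame() models the BLE write handler.
    A parse error is treated as a crash followed by a reset (on_crash)."""
    PIN = b"1234"  # constructed demo credential

    def __init__(self):
        self.unlocked = False  # boot complete, bolt driven into the frame
        self.faults = 0

    def on_crash(self):
        raise NotImplementedError

    def handle_frame(self, frame: bytes) -> bool:
        try:
            opcode, payload = parse_frame(frame)
        except FrameError:
            self.faults += 1
            self.on_crash()
            return self.unlocked
        if opcode == OP_UNLOCK:
            self.unlocked = hmac.compare_digest(payload, self.PIN)
        return self.unlocked


class FailOpenLock(LockFirmware):
    def on_crash(self):
        # Modelled failure: after reset the motor driver's default (unasserted)
        # output leaves the bolt released, so the crash itself opens the door.
        self.unlocked = True


class FailClosedLock(LockFirmware):
    def on_crash(self):
        # Every error path ends in the locked state before new input is read.
        self.unlocked = False


# Constructed malformed inputs of the kind a fuzzer would generate.
MALFORMED_FRAMES = [
    b"",                                       # empty
    b"\x01",                                   # truncated header
    b"\x01\xff" + b"A" * 16 + b"\x00",         # length field above maximum
    build_frame(OP_UNLOCK, b"1234")[:-1],      # valid frame missing checksum
    bytes([0x09, 0x00, 0x09]),                 # checksum ok, unknown opcode
]


def fuzz_round(lock_cls):
    """Returns (unlocked after all malformed frames, fault count)."""
    lock = lock_cls()
    for frame in MALFORMED_FRAMES:
        lock.handle_frame(frame)
    return lock.unlocked, lock.faults


def valid_unlock(lock_cls, pin: bytes) -> bool:
    return lock_cls().handle_frame(build_frame(OP_UNLOCK, pin))


if __name__ == "__main__":
    print("fail-open:   unlocked=%s faults=%d" % fuzz_round(FailOpenLock))
    print("fail-closed: unlocked=%s faults=%d" % fuzz_round(FailClosedLock))
```

The parser is identical in both cases; what the fuzzing result in the talk points at is the reset behaviour, which is decided by the hardware default of the actuator driver and the order in which firmware re-asserts it after boot.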

For a particular lock, the Mesh Motion bicycle lock, the researchers had to go as far as to stage a MitM attack, but they did eventually manage to crack it.

None of the 12 vendors patched their products

When the time came to inform the vendors about these issues, Rose and Ramsey said that all 12 provided negative responses. Ten companies simply ignored them and never replied, one bluntly told them they wouldn't fix their software, and one Chinese manufacturer, Okidokey, just shut down its websites and continued to sell via its Amazon store.

The four smart locks they tested that couldn't be broken were from August, Noke Locks, Masterlock, and Kwikset Kevo, although another researcher later presented separately how he managed to break August's locking protocol.

Rose and Ramsey pointed out something ironic. The Kwikset Kevo lock, the one product that featured the strongest security measures, was actually easy to unlock using a regular flathead screwdriver.