Like The Rest Of The Internet Of Things, Most 'Smart' Locks Are Easily Hacked
from the dumb-is-the-new-smart dept
Smart refrigerators that leak your e-mail credentials. Smart TVs that collect but then fail to secure your living room conversations. Smart thermostats that can be loaded with ransomware. Smart vehicles that can be hacked and potentially kill you. This is the end result of "Internet of Things" evangelists and companies that for the last half-decade put hype and profit (the cart) well ahead of consumer privacy and security (the horse), in the process exposing us all to thousands of new attack vectors in homes and businesses around the world.
Not a week now goes by without the Internet of Things revealing a new layer in the dysfunction onion. The latest: researchers have discovered that the majority of Bluetooth-enabled smart locks include broken security, free of charge. Researchers Anthony Rose and Ben Ramsey recently tested 16 Bluetooth smart locks, and found that 12 of them opened when attacked. Like so many IoT products, the companies building these devices failed to take even standard precautions to protect user security:
"The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air."
And when manufacturers could be bothered to use encryption, they didn't do a very good job of it:
"Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted."
The hackers, who demonstrated the attacks at Defcon, noted that owners can help protect themselves by turning off Bluetooth on their smartphones when not in use (or by reverting to higher quality "dumb" locks). Forgetting to include basic security on your device is one thing. But time and time again, when these companies are informed of the vulnerabilities in their products, they double down on their incompetence and apathy, making it abundantly clear that they don't care whether their security products are actually secure:
"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"
It's worth reading that last bit again, so when Bruce Schneier's Internet-of-Things-induced cyber apocalypse occurs we can't pretend we weren't warned.
Filed Under: hacking, iot, privacy, security, smart locks
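The replay weakness described in the article (a lock that accepts a captured "encrypted password" sent back unchanged) comes down to the lock comparing incoming bytes against one fixed value. The sketch below is an added example, not code from the researchers or any vendor: it models that design beside a challenge-response design in which every unlock must answer a fresh nonce. The key, the HMAC-SHA256 construction and all class and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed sample secret, not from any product


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class StaticTokenLock:
    """Flawed: accepts one fixed blob, so the bytes on air never change."""

    def __init__(self, key: bytes):
        # Stand-in for the "encrypted password" the phone sends every time.
        self.expected = mac(key, b"user-password")

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self.expected)


class ChallengeResponseLock:
    """Hardened: each unlock needs a MAC over a fresh, single-use nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, response: bytes) -> bool:
        if self.pending is None:  # no challenge outstanding: refuse
            return False
        expected = mac(self.key, self.pending)
        self.pending = None  # burn the nonce whether or not it matched
        return hmac.compare_digest(response, expected)


def replay_outcomes(key: bytes = KEY) -> dict:
    """Do one legitimate unlock per design, then present the same bytes again."""
    weak = StaticTokenLock(key)
    recorded = mac(key, b"user-password")  # identical on every unlock
    result = {"static_first": weak.unlock(recorded),
              "static_replay": weak.unlock(recorded)}

    strong = ChallengeResponseLock(key)
    recorded = mac(key, strong.challenge())  # phone answers the lock's nonce
    result["nonce_first"] = strong.unlock(recorded)
    strong.challenge()  # the next attempt gets a different nonce
    result["nonce_replay"] = strong.unlock(recorded)
    return result
```

The static design accepts the recorded bytes a second time, while the nonce-bound design rejects them because the response no longer matches the outstanding challenge.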
Reader Comments
Alternate title
Honestly most home locks (external door locks) and padlocks are just so bad at real security, but at least they require the attacker to be physically present.
[ link to this | view in chronology ]
Re: Alternate title
Some people seem to misunderstand Karl as some Luddite (after all the vulnerabilities shown here require physical presence) but what he is pointing out is that manufacturers are failing hard at even the most basic security practices of things that are smart but not necessarily connected. This is a problem once you move into the connected realm as many stories have demonstrated so far.
I hope people stop dismissing the problems just because they need some degree of expertise or physical access to the devices and start focusing on the fact that security is, at best, an after-thought for most smart devices.
[ link to this | view in chronology ]
Re: Re: Alternate title
I'm not at all dismissing the problem, let me be explicit, I intended to point out this is the nexus of bad security.
The smart devices craze has led to some of the most mind-numbingly bad security decisions in recent memory.
Intersect that with the home locks industry, that has threatened and in some cases sued people that have pointed out how little protection their locks provide. The overwhelming majority of American door locks can be unlocked with nearly no skill and a little practice using the physical equivalent of rapidly sending the password '000000' until the lock pops open.
[ link to this | view in chronology ]
Re: Alternate title
But if you get your smart lock hacked you may not even know about it.
[ link to this | view in chronology ]
Re: Re: Re: Alternate title
Consumer locks are security theater.
That being said, not spending the time to do a bit of basic communication security on any device these days is rather pathetic. Saying you are not going to be bothered to fix it? I'd like to know which company that was and never purchase anything from them ever again.
[ link to this | view in chronology ]
Re: Re: Re: Re: Alternate title
They buy into the marketing that "smart" locks will protect them better.
The orders of magnitude higher price reassures them this must be true.
That is why it is significant how simple they are to bypass.
[ link to this | view in chronology ]
Re: Re: Alternate title
Hacking a door lock so that homeowner or automobile owner can't get in. Subsequent money for repairs or locksmith
Hacking an automobile so that it no longer works, requiring a tow and visit to dealership for repairs. Subsequent money for repairs.
[ link to this | view in chronology ]
Re: Alternate title
With an insecure bluetooth lock they can just walk up and open it. Unless the passerby knows you, they'll just assume it's legit.
[ link to this | view in chronology ]
Does real security require cryptographic functions?
Should the government ban encryption, and thus keep everything insecure?
Should the government allow only weak encryption with, say, 16 bit keys? Nobody could possibly brute force that!
Should the government mandate crypto keys be kept in escrow with the government -- for your safety! Think of the children!
Should the government mandate that nerds invent a secure system that can be cracked by the government on demand? (Can they actually say this with a straight face?)
What about magical golden keys? (But the previous two items cover 'golden keys'.)
What about RIAA / MPAA style third party liability? If someone breaks into your home, no matter what brand of system you have, it must be the fault of (1) your ISP and (2) Google!
[ link to this | view in chronology ]
The state definition of "security"
We peons are the enemy and don't count.
[ link to this | view in chronology ]
Re: Re: Does real security require cryptographic functions?
The government could come up with, what it calls, the most secure encryption key ever. This will keep us all safer. Everyone must start using this new, secure key as their encryption key at once! Anyone not using it is obviously up to no good. They aren't using this 'secure' key, and therefore are trying to weaken all of our security. Including our IoT gadgets.
(I think I can actually imagine Comey and McCain and others actually saying something like that with a straight face.)
Similarly, the government has a new physical key that everyone must start using for all of their locks. Homes, automobiles, etc. Copies of this will be mass duplicated and distributed immediately.
[ link to this | view in chronology ]
Re: Re:
No need to even do that if you have a smartphone. There are plenty of bluetooth sniffer apps that use your phone's hardware.
[ link to this | view in chronology ]
complexity=more points of failure
[ link to this | view in chronology ]
I refuse to buy anything that is an IoT device, especially a Door Lock. Something like Lights is one thing, Locks are a different matter.
[ link to this | view in chronology ]
Re:
IoT is a label for connecting devices - it is not "designed". It does not have "security". It's a concept, implementation is left to the user.
Unfortunately, security is a major issue in general, most companies can't be bothered to design security into their devices, applications, etc, because it costs money & time for no obvious immediate payback. It's only when the lawsuits start that they even begin starting to think about it.
[ link to this | view in chronology ]
"dysfunction onion"
Or am I just weird?
[ link to this | view in chronology ]
https://www.techdirt.com/articles/20150723/09513631736/daily-deal-quicklock.shtml
[ link to this | view in chronology ]
Re:
Still, it would be interesting if that brand was labeled insecure.
[ link to this | view in chronology ]
Real Security!
1. Governments do not wish for citizens to know the truth about security.
2. Citizens foolishly think government should oversee their security! A true impossibility!
A true security lock should have only 2 responsibilities.
1. Reasonable mechanism for keeping anyone or thing out without a valid key.
2. A log of ALL access attempts successful or not.
As long as you have those two features, the physical limits of security of the device itself is not very critical because you can have additional security mechanisms outside of the device handle more complex issues which can be much more difficult to fool.
The knowledge of breach is far more important than preventing breach. This logic is lost on most people, especially security in the corporate and IT setting, but not the government.
[ link to this | view in chronology ]
Re: Real Security!
You'll only see protection against this in enterprise class systems where illicit entry immediately raises a remote alarm.
[ link to this | view in chronology ]
All good points, but...
The rock thing is, I guess, a good point. But a rock is loud and visually obvious to neighbors. This trick would be both silent (or as silent as the lock itself is) and would look normal to a neighbor, possibly.
On the other hand, if you have to sniff the password, it seems like this would have to be someone with a grudge and not just some random thief. They have to be relatively close while you're unlocking it to get the password in the first place. It seems highly unlikely that anyone would find this to be an issue.
The point of the article is that the IoT industry is the problem, as someone else said. These companies don't care about building-in proper security, and they don't care about trying to fix broken security. For now, we have hackers to warn us about these issues, but we will probably need legislation to make sure there is some incentive for manufacturers to do it right.
[ link to this | view in chronology ]
Re: All good points, but...
This is the problem with all humanity. Let's get a fucking law. We cannot be bothered with NOT buying shit we just need to create more corruption by having someone create and then administer the law and regulate it so we can pick and choose winners and losers.
And when we are done, bitch about the corrupt we just invited in the front fucking door!
[ link to this | view in chronology ]
Still, Why the Rage Pointed Just at IoT?
Right.
And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.
IoT, like any other connected devices, is attacked, often with success. Like the others, they should be more secure. But I still don't understand why Karl is so singularly pissed off at IoT, out of proportion with all else.
Here's news today on Volkswagen's keyless system that can be hacked. Is IoT really so specially bad?
https://www.yahoo.com/news/keyless-systems-older-vw-group-cars-hacked-researchers-140603841--finance.html?ref=gs
[ link to this | view in chronology ]
Once again: 'Everyone else is doing it' is not a valid excuse
And not a week goes by without every other thing also being hacked through some security lapse. PCs, Browsers, phones, banks, stores, credit cards, DNC, and on and on. They all get hacked.
There's a pretty hefty difference between 'No security is perfect, and as a result system X got hacked' and 'Company X/Y/Z isn't even trying to secure their products, leaving them wide open for attack'.
Exactly what is your objection to articles like this pointing out lousy security practices that companies should know better by now? 'It should be better but it's not' is a pretty poor argument for why companies shouldn't be called out on their actions, and if anything should be cause for more criticism, not less.
[ link to this | view in chronology ]
Re: Once again: 'Everyone else is doing it' is not a valid excuse
saying "Your articles should cover things I care about: starvation, jaywalking, etc"
and saying "You are consistently writing about one particular topic in a way that suggests a chip on your shoulder more than a fair evaluation."
"Exactly what is your objection to articles like this pointing out lousy security practices"
My objection is not calling out the security. It is the content (article and comments) that are summarized as: "The IoT is dumb because it currently is insecure."
Read the article. That insinuation is in there. For example, 16 locks were tested. An abysmal 12 were hackable. OK, so was the conclusion that the other 4 are better products, and we should look to them? No, there is no reward for being one of the better-made locks. Instead, the entire sector is painted with one brush: "the dysfunction onion".
What is the objective? To push for better security, or to kill IoT with FUD? I think it's the former, and I think even Karl might agree -- but the article does the latter.
[ link to this | view in chronology ]
Re: Re: Still, Why the Rage Pointed Just at IoT?
Take HTTPS web servers. Mike harped on that for years waiting for websites to figure out they should secure the connection. But at no point did anyone suggest the web was stupid, useless, or silly as a result.
[ link to this | view in chronology ]
Re: Still, Why the Rage Pointed Just at IoT?
One is that they are often vulnerabilities into the rest of a network, for example, the refrigerator that logs into a local router that will reveal to hackers the password to the router. So the IoT device makes your array less secure just by its presence.
The other is that IoT devices often are controlled remotely through their IoT-ness, thus a car can be shut down (or forced to accelerate) in the middle of a freeway. A thermostat can be set to the highest setting or shut off. While the incidents with airplanes in which pilot controls are connected to the passenger-access wifi (yes really) pretty much counts as an IoT once a passenger can drop the oxygen tanks or adjust the trim.
Someone's going to get written into the history books as the first person to be murdered by IoT hack before this gets fixed.
[ link to this | view in chronology ]
Time for some motivation
I imagine they might start to care, or at least pretend to, if their crap security and indifference towards it was made public. Don't demonstrate it at a security conference, send the info (anonymously of course, hence why you skip the public demonstration, to make it harder to pin the info to you) to a few news groups and let them run with it.
A few PR black eyes from articles pointing out how companies selling these types of locks don't actually take even rudimentary steps to make them secure might convince them that investing in some security isn't just a waste of money.
[ link to this | view in chronology ]
Keeping Honest
That said, only a fool puts his gold on display in his front window, or builds a castle without security. Either stop chasing the 'Jones' (and hi-tech IT) unless you also have the money to add that real layer of 'extra security'. Otherwise, you're just setting yourself up for a major loss.
[ link to this | view in chronology ]
Not only is that extremely problematic but that seems like a lawsuit just waiting to happen and one that should be pretty easy to win and very expensive for that company if they are flat out admitting they know of the problem but refuse to do anything to fix it.
[ link to this | view in chronology ]
The trouble with honesty.
I'm not sure the solution in this clime.
If these companies can be forced to do a product recall since an easily hackable lock can be reasonably inferred to be a flawed product, that might force them to fix the problem or withdraw the product from market, whether or not they're honest about their intentions.
[ link to this | view in chronology ]