It’s an open secret that the Internet of Things (if we must call it so) is pretty terrible, whether in standards, interoperability or security. You don’t really expect good security in a smart light bulb or coffee maker, though. A smart front door lock, however, really shouldn’t be quite this easy to hack.
Two different presentations at DEF CON this year made it clear that there’s a long way to go before we should start trusting the average smart lock — or even the nice ones (though if you had to choose, the latter are the better bet). This may surprise you, or you might have been saying it for years. At any rate, these guys proved it with gusto.
Anthony Rose and Ben Ramsey, from Merculite Security, showed off a bit of lock hacking done with less than $200 worth of off-the-shelf hardware. Some opened more easily than others, but in the end 12 out of 16 yielded.
Locks from Quicklock, iBluLock, and Plantraco transmitted their passwords in plaintext, making them vulnerable to anyone with a Bluetooth sniffer. Others were tricked by the attacker simply replaying the same data they snatched out of the air when a legit user unlocked the door. Another entered a fail state and opened by default when it received an encrypted string that was off by one byte.
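As an added illustration (not code from the presentation or from any lock vendor), the Python sketch below models the replay and fail-open behaviors described above next to a lock that issues a fresh nonce for every attempt and stays locked on any malformed input. The key, the frame layout and the class names are assumptions made for the example.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # constructed sample secret, not from any real lock

def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class NaiveLock:
    """Flawed model: one static unlock frame, and parse errors open the bolt."""
    def __init__(self, key: bytes):
        self.expected = tag(key, b"UNLOCK")

    def handle(self, frame: bytes) -> bool:
        try:
            if len(frame) != len(self.expected):
                raise ValueError("bad frame length")
            return hmac.compare_digest(frame, self.expected)
        except ValueError:
            return True  # fail-open: the defect being illustrated

class HardenedLock:
    """Per-attempt nonce defeats replay; every error path stays locked."""
    def __init__(self, key: bytes):
        self.key, self.pending = key, None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh, unpredictable nonce
        return self.pending

    def handle(self, frame: bytes) -> bool:
        nonce, self.pending = self.pending, None  # nonce is single-use
        if nonce is None or len(frame) != 32:
            return False  # fail-closed on missing challenge or bad length
        return hmac.compare_digest(frame, tag(self.key, nonce + b"UNLOCK"))

def demo() -> dict:
    naive, hard = NaiveLock(KEY), HardenedLock(KEY)
    sniffed = tag(KEY, b"UNLOCK")            # the frame a legit unlock puts on the air
    resp = tag(KEY, hard.challenge() + b"UNLOCK")  # phone answers the challenge
    return {
        "naive_replay": naive.handle(sniffed),
        "naive_malformed": naive.handle(sniffed[:-1]),
        "hard_legit": hard.handle(resp),
        "hard_replay": hard.handle(resp),
        "hard_replay_new_challenge": (hard.challenge(), hard.handle(resp))[1],
        "hard_malformed": (hard.challenge(), hard.handle(resp[:-1]))[1],
    }
```

Because the response is a keyed MAC over the lock's nonce, the shared secret itself never crosses the air, which also addresses the plaintext-password case.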
Worth noting as well: doing a bit of wardriving, the two found plenty of locks identifying themselves as such, making it easy for an attacker to find devices to listen in on.
For now, it seems, these locks are long on convenience and short on security. If you don’t mind having less-than-stellar security on your pool house or mother-in-law, this could be a nice way to keep your keychain light — but for the front door, you can do better.