Have a smart lock? Yeah, it can probably be hacked

Two security experts show just how easy it is to hack certain smart locks.

Megan Wollerton Former Senior Writer/Editor
2 min read
Chris Monroe/CNET

Once a year, security enthusiasts gather at the Las Vegas-based hacker convention DEF CON to call out vulnerabilities in the tech industry.

At DEF CON 2016 -- the 24th such meeting -- presenters Anthony Rose and Ben Ramsey from Merculite Security focused on smart locks. And the news wasn't good. Specifically, the duo tested 16 different Bluetooth-enabled locks and found that 75 percent had "insufficient BLE security."

You can find their 42-page slide presentation here, but the gist is that Rose and Ramsey were able to access multiple BLE locks from manufacturers Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- with roughly 100 bucks worth of hacking tools.

Enlarge Image

As you can see in the screenshot above, the team found four models from Quicklock, iBlulock and Plantraco that use plain text passwords, one of the easiest ways to access a smart lock. The other models were vulnerable to a variety of different hacks, including replay attack, fuzzing, device spoofing and decompiling APKs. Again, check out their presentation for more details.

Bluetooth locks from Noke, Masterlock, August and Kwikset managed to escape uncracked, but Rose and Ramsey did manage to bypass the Kwikset Kevo with a good old fashioned flathead screwdriver -- something we've also tested in our office.

Testing the security of the Kwikset Kevo Bluetooth Door Lock
Watch this: Testing the security of the Kwikset Kevo Bluetooth Door Lock

All of this may seem like good news for August customers, but another DEF CON presenter, @Jmaxxz, was able to bypass an August Smart Lock the next day.

Here's what an August representative had to say on the subject: "Yes, we have seen @Jmaxxz's presentation from DEF CON, which is impressive. Ultimately, what he showed was that a hacker could hack their own phone to obtain a one-time use key for their own lock. The ability for a user to download and access their own encrypted key has been removed. Our system has never been compromised and none of our users smart locks have been at risk."

As @Jmaxxz noted in his presentation: "Consumers are not able to evaluate security claims made by companies. We need more researchers investigating security claims made by companies on behalf of consumers."

The hacks outlined here all focus on Bluetooth-based smart locks, but other smart locks using both the Zigbee and Z-Wave wireless standards have been hacked before as well. Much like physical locks, no smart lock is perfect. The question you need to ask yourself then, is how much security you're willing to trade off for the convenience of controlling a lock with your phone.