A researcher speaking at DEF CON in Las Vegas said that most of the Bluetooth smart locks currently on the market can be opened easily by unauthorized users, and voiced concern that the vendors show little intent to fix the problem.
Anthony Rose, an electrical engineer, and Ben Ramsey, a security researcher, tested 16 Bluetooth smart locks and found that 12 of them could be opened by a wireless attack. The effort required ranged from trivial to moderate, according to the researchers. The locks tested included products from iBlulock, Ceomate, Vians, Elecycle, Okidokey and Mesh Motion.
Rose said that he and Ramsey had set out to find vulnerabilities in the locks and then report them to the vendors. Of the twelve vendors whose locks failed, only one responded, and that vendor said it was already aware of the issue but would not fix it.
According to Rose, the problem does not lie with the Bluetooth Low Energy protocol itself; it is the way the locks implement their Bluetooth communication that puts users at risk. Four of the locks they tested, for example, exchanged the password in plaintext with the user's smartphone app. Anyone with a Bluetooth sniffer within radio range can capture that message and use the password.
Other vendors do encrypt the password, but not all of them do it well. One lock never decrypted the password at all: it simply compared the incoming encrypted blob with the one it had stored. Capturing the encrypted password over the air and replaying it unchanged is therefore enough for an unauthorized user to open the lock.
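The replay flaw described above, and the challenge-response design that defeats it, as an added example that is not code from the article or from any of the vendors it names. The lock protocol, the shared key and the password are constructed for illustration, and a keyed hash stands in for whatever deterministic "encryption" the real product used; the point is only that the flawed lock compares blobs without ever decrypting, so a sniffed blob replays, whereas a lock that issues a fresh random challenge per session rejects a captured response.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-secret"   # hypothetical key shared by app and lock
PASSWORD = b"1234"                    # hypothetical user password


def encrypt_password(password: bytes) -> bytes:
    """Stand-in for the vendor's deterministic password encryption (constructed,
    not the real cipher): the same password always yields the same blob, which is
    exactly what a replay attack needs."""
    return hashlib.sha256(KEY + password).digest()


class ReplayableLock:
    """Models the flawed design: the lock stores the encrypted blob and compares
    incoming blobs byte for byte; nothing is ever decrypted or bound to a session."""

    def __init__(self, password: bytes):
        self.stored_blob = encrypt_password(password)
        self.unlocked = False

    def receive(self, blob: bytes) -> bool:
        self.unlocked = hmac.compare_digest(blob, self.stored_blob)
        return self.unlocked


class ChallengeResponseLock:
    """Hardened design: each unlock starts with a fresh random challenge and the app
    proves knowledge of the key by MACing it. A sniffed response is useless once the
    challenge changes, and each challenge is consumed after one attempt."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None
        self.unlocked = False

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def receive(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # single use: a second attempt needs a new challenge
        self.unlocked = hmac.compare_digest(response, expected)
        return self.unlocked


def app_respond(key: bytes, challenge: bytes) -> bytes:
    """What the legitimate phone app sends back for a given challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def replay_against_flawed_lock() -> bool:
    lock = ReplayableLock(PASSWORD)
    sniffed = encrypt_password(PASSWORD)  # the blob an attacker captured over the air
    return lock.receive(sniffed)          # True: the replayed blob opens the lock


def replay_against_hardened_lock() -> tuple:
    lock = ChallengeResponseLock(KEY)
    sniffed = app_respond(KEY, lock.challenge())  # owner's session, captured by sniffer
    first = lock.receive(sniffed)                  # owner unlocks normally
    lock.challenge()                               # attacker later starts a session
    second = lock.receive(sniffed)                 # and replays the captured response
    return first, second                           # (True, False)
```

Note that the hardened lock still depends on the key staying secret on both ends; challenge-response only removes the value of a passive capture, it does not protect a key that is extractable from the app or the lock.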
Okidokey said that its lock uses proprietary software. Knowing that home-grown approaches tend to have flaws, the researchers fuzzed the lock by sending it altered messages to see what would happen. Changing a single bit of the encrypted message put the lock into an error state, and in that state it unlocked.
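The bit-flip fuzzing and the fail-open error handling it exposed, as an added example that is not code from the article or from Okidokey; the frame layout, the key and the lock firmware are hypothetical stand-ins. Every bit of a captured, validly authenticated frame is flipped in turn, and the lock is checked after each mutation. The flawed firmware resets the mechanism to its default (open) position whenever parsing or verification fails, so every mutation unlocks it; the fixed firmware treats any error as a reason to stay locked.

```python
import hashlib
import hmac

KEY = b"constructed-lock-key"   # hypothetical; the real key and frame format are unknown


def build_frame(cmd: int, payload: bytes) -> bytes:
    """Hypothetical frame layout: [len][cmd][payload][8-byte truncated HMAC]."""
    body = bytes([len(payload) + 1, cmd]) + payload
    mac = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
    return body + mac


class Lock:
    UNLOCK_CMD = 0x01

    def __init__(self):
        self.unlocked = False

    def _verify(self, frame: bytes) -> int:
        """Parse and authenticate a frame; raise on anything malformed."""
        length, cmd = frame[0], frame[1]
        body, mac = frame[:1 + length], frame[1 + length:]
        if len(body) != 1 + length or len(mac) != 8:
            raise ValueError("malformed frame")
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad MAC")
        return cmd

    def on_error(self) -> None:
        raise NotImplementedError

    def handle(self, frame: bytes) -> str:
        try:
            cmd = self._verify(frame)
        except (ValueError, IndexError):
            self.on_error()
            return "error"
        if cmd == self.UNLOCK_CMD:
            self.unlocked = True
        return "ok"


class FailOpenLock(Lock):
    """The flaw: the generic error handler 'resets' the mechanism, and its
    reset position is open."""

    def on_error(self) -> None:
        self.unlocked = True


class FailClosedLock(Lock):
    """The fix: any error leaves the bolt where it is or drives it closed."""

    def on_error(self) -> None:
        self.unlocked = False


def flip_bit(data: bytes, i: int) -> bytes:
    out = bytearray(data)
    out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def fuzz(lock_cls, frame: bytes) -> list:
    """Flip each bit of a captured frame against a fresh lock instance and return
    the bit positions whose mutation leaves the lock unlocked."""
    hits = []
    for i in range(len(frame) * 8):
        lock = lock_cls()
        lock.handle(flip_bit(frame, i))
        if lock.unlocked:
            hits.append(i)
    return hits


if __name__ == "__main__":
    captured = build_frame(0x02, b"status")   # a harmless, authenticated command
    print("fail-open hits:", len(fuzz(FailOpenLock, captured)), "of", len(captured) * 8)
    print("fail-closed hits:", len(fuzz(FailClosedLock, captured)))
```

The captured frame is a non-unlock command, so the attacker never needs a valid unlock message or the key: on the fail-open firmware any corruption of any byte, including the MAC, is enough.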
Mesh Motion's Bitlock bicycle lock was the toughest target for Rose and Ramsey, but they succeeded eventually. Using free software, they replicated the lock's wireless profile on an Android phone and mounted a man-in-the-middle attack on the traffic between the lock, the app and Mesh Motion's cloud service.
The encryption relied on a nonce, a number that is supposed to be generated fresh for every message so that similar plaintexts never produce similar ciphertexts. On studying the captured traffic, the researchers found two encrypted messages that differed by only one digit, a sign that the nonce was not being varied as it should be, and that pattern gave them what they needed to open the lock.
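Why a reused nonce produces ciphertexts that differ only where the plaintexts differ, as an added example that is not code from the article or from Mesh Motion. The cipher here is a constructed CTR-style keystream built from HMAC-SHA256, the key and the message format are hypothetical, and the example goes one step past the article: it shows that with the nonce reused, one known message lets an attacker recover the other without the key at all, and that fresh nonces remove the pattern.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-lock-key"   # hypothetical symmetric key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = HMAC-SHA256(key, nonce || i). A constructed
    stand-in; the nonce-reuse failure below is identical for AES-CTR or ChaCha20."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream derived from (key, nonce)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def differing_positions(a: bytes, b: bytes) -> list:
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo_nonce_reuse() -> tuple:
    nonce = secrets.token_bytes(12)       # generated once and reused: the flaw
    m1 = b"UNLOCK seq=0041"               # constructed messages differing in one digit
    m2 = b"UNLOCK seq=0042"
    c1 = encrypt(KEY, nonce, m1)
    c2 = encrypt(KEY, nonce, m2)
    # Same key and nonce means the same keystream, so c1 XOR c2 == m1 XOR m2:
    # the ciphertexts differ exactly where the plaintexts do, and an attacker
    # who knows (or guesses) m1 recovers m2 with no knowledge of the key.
    recovered = bytes(x ^ y ^ p for x, y, p in zip(c1, c2, m1))
    return differing_positions(c1, c2), recovered


def demo_fresh_nonce() -> int:
    """With a fresh nonce per message the ciphertexts share no visible structure."""
    m1 = b"UNLOCK seq=0041"
    m2 = b"UNLOCK seq=0042"
    c1 = encrypt(KEY, secrets.token_bytes(12), m1)
    c2 = encrypt(KEY, secrets.token_bytes(12), m2)
    return len(differing_positions(c1, c2))


if __name__ == "__main__":
    positions, recovered = demo_nonce_reuse()
    print("reused nonce, ciphertexts differ at byte(s):", positions, "recovered:", recovered)
    print("fresh nonces, ciphertexts differ at", demo_fresh_nonce(), "of 15 bytes")
```

A lock that accepts the message format above also needs the message authenticated (a MAC over nonce and ciphertext) and the nonce tracked against replay; fixing nonce generation alone closes only the leak shown here.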
More than the ease of breaking into the locks, the researchers were surprised by the vendors' unwillingness to act on the findings. They said that vendors should use proper encryption and multi-factor authentication, as the four locks they could not break into do.