It’s an open secret that the Internet of Things (if we must call it so) is pretty terrible, whether in standards, ineroperability, or security. Good security, though, you don’t really expect in a smart light bulb or coffee maker. A smart front door lock, however, really shouldn’t be quite this easy to hack.
Two different presentations at DEF CON this year made it clear that there’s a long way to go before we should start trusting the average smart lock — or even the nice ones. This may surprise you, or you might have been saying it for years. At all events, these guys proved it with gusto.
Anthony Rose and Ben Ramsey, from Merculite Security, showed off a bit of lock hacking done with less than $200 worth of off-the-shelf hardware. Some opened easier than others, but in the end 12 out of 16 yielded.
Locks from Quicklock, iBluLock, and Plantraco transmitted their passwords in plaintext, making them vulnerable to anyone with a Bluetooth sniffer. Others were tricked by the attacker simply replaying the same data they snatched out the air when a legit user unlocked the door. Another entered a failstate and opened by default when it received an encrypted string that was off by one byte.
Worth noting as well: doing a bit of wardriving, the two found plenty of locks identifying themselves as such, making it easy for an attacker to find devices to listen in on.
Pretty poor showing altogether, although a few resisted Rose and Ramsey’s attempts: the Noke and Masterlock smart padlocks survived, and a Kwikset Kevo did as well — until they opened it with a screwdriver. Okay, that’s cheating, but the point stands.
Perhaps most worryingly, only one of the 12 vendors the two contacted to inform them of these flaws responded — and even then, there was no plan to fix anything.
One that Merculite failed to crack was the August door lock, a rather more well known brand than the others (MasterLock notwithstanding). Fortunately, someone else had already made it their mission to break the thing wide open.
Jmaxxz’s entertaining, meme-filled presentation puts the lie to many of the claims set forth by August, and although it’s unlikely your average B&E artist is going to bother to circumvent certificate pinning and pawing through your logs, the security holes are real.
Many items that were too hard to get by ordinary hacking means like sniffers… could be found in plaintext in logs and the like. Jmaxxz is one of those hackers that doesn’t like to work any harder than he has to — and why should he?
Inside the August there were good practices and bad — and to the company’s credit, the hacker noted, they have been responsive and many of these holes are likely fixed. Still, it’s hard to believe that guests could ever award themselves extra lock permissions just by changing a string in the API calls from “user” to “superuser”!
For now, it seems, these locks are long on convenience and short on security. If you don’t mind having less-than-stellar security on your pool house or mother-in-law, this could be a nice way to keep your keychain light — but for the front door, you can do better.
Featured Image: August