We’ve known for some time that the Internet of Things (IOT) was basically a connected dumpster fire. Time and time again, these connected devices have proven that, while convenient, they aren’t necessarily safe. In fact, many manufacturers have a rather apathetic view on security, which leads to a lack of trust in connected products.
Smart door locks are no exception.
Two different presentations at hacker conference DEF CON this year make it clear there’s a long way to go before the convenience of a smart lock properly aligns with user safety.
Anthony Rose and Ben Ramsey, from Merculite Security, proved that connected door locks are every bit as vulnerable as their analog counterparts — or even more so — with $200 worth of off-the-shelf hardware. While it’s clear that not all smart locks are created equal, the duo tested 16 locks from top manufacturers like iBluLock, Masterlock, and August — 12 of the 16 failed.
Some, like Quicklock, iBluLock and Plantraco, transmitted passwords in plaintext, making them vulnerable to anyone sniffing Bluetooth traffic.
Others, like Lagute, Vians and Ceomate were vulnerable to a replay attack, which is simply snatching the signal out of the air when a legit user locks/unlocks and then re-using it after they leave. Replay attacks, it should be noted, have been around for decades and were commonly used to open garage doors. The idea that a decades-old vulnerability exists on modern smart locks is nothing short of mind boggling.
That said, some — like the August door lock we reviewed in April — held up admirably and didn’t allow the hackers to gain access. But then again, you can’t argue with results, and 12 of 16 locks having easily-exploitable vulnerabilities certainly doesn’t leave us with a feeling of confidence when buying a smart lock.