Smart Locks Can Be Hacked

https://cdn.chipkin.com/assets/uploads/2018/Jul/Newsletter - Cyber Attack The Looming Automation Crisis_03-14-54-23_24-11-32-37.png


Introduction:

What are Smart Locks? Are they really smart enough?

Well, smart locks is something very similar to normal one, difference is there isn't requirement for a physical key. It's an electromechanical lock which is designed to perform locking and unlocking operations on a door when it receives instructions from an authorized device using a wireless protocol such as Bluetooth, Zigbee, Z-wave etc., and a cryptographic key to execute the authorization process.

It also tracks the access and monitors the activities and send real time alerts to the corresponding user, it is more often deployed as a integral part of smart homes.

https://cdn.chipkin.com/assets/uploads/2018/Jul/gwrgg_24-11-34-54.png

Image: Smart Locks
Courtesy:  TechHive

Most of the smart locks are installed together with conventional mechanical locks like deadbolts, padlocks, knoblocks etc., and they physically upgrade the ordinary lock.

There are different variants of such smart locks available nowadays with finger print authentication, various device authorization etc.,

The very first concern is, are they safe, how secure are they compared to conventional one? Let's see..

https://cdn.chipkin.com/assets/uploads/2018/Jul/gwrgg_24-11-36-37.png

At DEF CON 2016 - Presenters Anthony Rose and Ben Ramsey from Merculite Security focused on smart locks. They tested 16 different Bluetooth-enabled locks and found that 75 percent had "Insufficient BLE security." Well that's a bad news!!

They were able to access multiple BLE locks from manufacturers with roughly 205 bucks worth of hacking tools!

https://cdn.chipkin.com/assets/uploads/2018/Jul/gwrgg_24-11-37-53.png

Image Courtesy: DefCon

Source: https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble

HOW DID THEY DO IT???

Here's the link for the complete presentation of DEFCON.

In one case, the smart lock was using a proprietary encryption, a choice that is known to make implementations weak. In this specific case, the experts exploited the change of a byte in order to put the smart lock in an error state, which led to the lock opening.


   

Above: Watch Engineers Hack a Door Lock

So why were these locks compromised, some major factors are:

- Replay attacks

- Vulnerable to fuzzing

- Decompiling the APK

- Device spoofing

- Adding a backdoor into the lock by a guest user

- Brute forcing

- Master API Admin code was hard coded in the lock

Well, what are some features that makes the lock code UNHACKABLE???      

- 2-factor authentication

- Proper AES encryption

- No hard coded passwords

- Long passwords allowed (16-20 characters)

Smart Locks + Smart Home Platforms = Total Security

Similar to physical locks, no smart lock is perfect in practicality! It absolutely depends on the security you're willing to trade off for the convenience of controlling the lock remotely.

In conclusion, it is a very rare occurrence, and second- and third-generation Smart Locks have proven most difficult to compromise. Compare that to traditional, manual locks and windows, which are notoriously able to be picked or broken with much less expertise or ingenuity required.

When you integrate high-end Smart Lock products with reputable automated home security and comfort systems, you'll benefit from a house that is much more secure.

Related Reads:

Choosing best smart locks: https://medium.com/@awsamuel/how-to-choose-a-smart-lock-deab8576756e

https://www.cnet.com/news/smart-lock-buying-guide/

Firmware update bricked smart locks in 2017: https://www.extremetech.com/internet/254177-internet-things-smart-locks-bricked-bad-firmware-update

Fingerprint based smart lock hacked HOW! : https://www.theverge.com/circuitbreaker/2018/6/13/17461612/tapplock-smart-lock-hack-bluetooth-low-energy

-----------------------------------------------------------------------------------------------------------------------------------------

Related Links of Sources and Articles Referred:

https://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html

https://www.cnet.com/news/amazon-key-took-over-my-door-for-3-months-it-wasnt-as-creepy-as-i-expected/

https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble

https://www.extremetech.com/computing/254177-internet-things-smart-locks-bricked-bad-firmware-update

https://www.cnet.com/news/have-a-smart-lock-yeah-it-can-probably-be-hacked/

https://securityaffairs.co/wordpress/50268/breaking-news/hacking-bluetooth-smart-locks.html

https://info.richmondalarm.com/news/can-burglars-hack-my-smart-locks

Contact Us

Contact us via phone (+1 866-383-1657) or leave a detailed message below for sales, support, or any other needs

*Required Field
*Required Field
I'd like to receive the newsletter. *Check email for confirmation.
*Required Field
8:00am - 12:00pm 12:00pm - 5:00pm
Message Sent Successfully