Smart Locks Can Be Hacked
Introduction:
What are Smart Locks? Are they really smart enough?
Well, a smart lock is very similar to a normal one; the difference is that it doesn't require a physical key. It's an electromechanical lock designed to lock and unlock a door when it receives instructions from an authorized device over a wireless protocol such as Bluetooth, Zigbee or Z-Wave, using a cryptographic key to carry out the authorization process.
It also tracks access, monitors activity and sends real-time alerts to the corresponding user. It is often deployed as an integral part of smart homes.
Image: Smart Locks
Courtesy: TechHive
Most smart locks are installed together with conventional mechanical locks such as deadbolts, padlocks and knob locks, and they physically upgrade the ordinary lock.
Different variants of smart locks are available nowadays, with fingerprint authentication, authorization from various devices, etc.
The very first concern is: are they safe, and how secure are they compared to conventional ones? Let's see.
At DEF CON 2016, presenters Anthony Rose and Ben Ramsey from Merculite Security focused on smart locks. They tested 16 different Bluetooth-enabled locks and found that 75 percent had "Insufficient BLE security." Well, that's bad news!!
They were able to access multiple BLE locks from manufacturers with roughly 205 bucks' worth of hacking tools!
Image Courtesy: DefCon
Source: https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble
HOW DID THEY DO IT???
Here's the link for the complete presentation of DEFCON.
In one case, the smart lock used proprietary encryption, a choice that is known to make implementations weak. In this specific case, the experts changed a byte to put the smart lock into an error state, which led to the lock opening.
Above: Watch Engineers Hack a Door Lock
So why were these locks compromised? Some major factors are:
- Replay attacks
- Vulnerable to fuzzing
- Decompiling the APK
- Device spoofing
- Adding a backdoor into the lock by a guest user
- Brute forcing
- Master API Admin code was hard coded in the lock
Well, what are some features that make the lock code UNHACKABLE???
- 2-factor authentication
- Proper AES encryption
- No hard coded passwords
- Long passwords allowed (16-20 characters)
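As an added example (not code from the DEF CON presentation or from any lock vendor), here is a Python sketch of a lock-side check that resists two of the weaknesses listed above: replay attacks, and error states triggered by malformed input. The frame layout, class and function names are assumptions made for this illustration, and HMAC-SHA256 from the standard library stands in for the AES-based authentication mentioned in the list.

```python
import hmac, hashlib, secrets

class Lock:
    """Lock-side unlock check for a hypothetical protocol (constructed example)."""
    OP_UNLOCK = 0x01
    FRAME_LEN = 1 + 32              # opcode byte + HMAC-SHA256 tag

    def __init__(self, key: bytes):
        self._key = key             # provisioned per device at pairing, not hard coded
        self._nonce = None          # outstanding challenge, valid for one attempt
        self.locked = True

    def challenge(self) -> bytes:
        # Fresh random nonce per attempt: a recorded response is useless later.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, frame: bytes) -> bool:
        nonce, self._nonce = self._nonce, None   # consume nonce, pass or fail
        try:
            if nonce is None or len(frame) != self.FRAME_LEN:
                raise ValueError("no challenge or bad length")
            if frame[0] != self.OP_UNLOCK:
                raise ValueError("unknown opcode")
            expected = hmac.new(self._key, nonce + frame[:1], hashlib.sha256).digest()
            if not hmac.compare_digest(expected, frame[1:]):
                raise ValueError("bad tag")
        except ValueError:
            self.locked = True      # fail closed: any error leaves the bolt locked
            return False
        self.locked = False
        return True

def phone_response(key: bytes, nonce: bytes) -> bytes:
    """Authorized phone app: MAC the lock's nonce together with the opcode."""
    op = bytes([Lock.OP_UNLOCK])
    return op + hmac.new(key, nonce + op, hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)                # constructed sample key
    lock = Lock(key)
    frame = phone_response(key, lock.challenge())
    first = lock.handle(frame)                   # legitimate unlock
    lock.locked = True                           # door re-locks
    lock.challenge()                             # new attempt, new nonce
    replay = lock.handle(frame)                  # same frame sent again
    lock.challenge()
    garbled = lock.handle(frame + b"\x00")       # malformed (wrong length) frame
    return {"first": first, "replay": replay, "garbled": garbled, "locked": lock.locked}
```

The first response opens the lock, while the identical frame sent again and the malformed frame are both rejected and leave the bolt locked.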
Smart Locks + Smart Home Platforms = Total Security
As with physical locks, no smart lock is perfect in practice! It depends entirely on how much security you're willing to trade off for the convenience of controlling the lock remotely.
In conclusion, a smart lock being compromised is a very rare occurrence, and second- and third-generation Smart Locks have proven the most difficult to compromise. Compare that to traditional, manual locks and windows, which can notoriously be picked or broken with much less expertise or ingenuity.
When you integrate high-end Smart Lock products with reputable automated home security and comfort systems, you'll benefit from a house that is much more secure.
Related Reads:
Choosing best smart locks: https://medium.com/@awsamuel/how-to-choose-a-smart-lock-deab8576756e
https://www.cnet.com/news/smart-lock-buying-guide/
Firmware update bricked smart locks in 2017: https://www.extremetech.com/internet/254177-internet-things-smart-locks-bricked-bad-firmware-update
How a fingerprint-based smart lock was hacked: https://www.theverge.com/circuitbreaker/2018/6/13/17461612/tapplock-smart-lock-hack-bluetooth-low-energy
-----------------------------------------------------------------------------------------------------------------------------------------
Related Links of Sources and Articles Referred:
https://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html
https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble
https://www.extremetech.com/computing/254177-internet-things-smart-locks-bricked-bad-firmware-update
https://www.cnet.com/news/have-a-smart-lock-yeah-it-can-probably-be-hacked/
https://securityaffairs.co/wordpress/50268/breaking-news/hacking-bluetooth-smart-locks.html
https://info.richmondalarm.com/news/can-burglars-hack-my-smart-locks