Hacking Smart Locks with Bluetooth / BLE

By Bernhard Mehl

August 13, 2018

Smart Locks Hacked By Bluetooth

At the annual security conference in Las Vegas, Defcon 2016, @jmaxxz, Anthony Rose and Ben Ramsey introduced different ways how bluetooth smart locks can be hacked [we were a little disappointed to not be included as we always like to be challenged on our security].

4 Devices to Get Hacking:

  1. Passwords were transmitted in plain text, making it easy to extract passwords using a bluetooth sniffer like the Ubertooth One or Bleno.
  2. You’d need a Bluetooth Smart USB dongle to broadcast
  3. Raspberry Pi
  4. A high gain directional antenna
Bluetooth hacking

To make it easy for everyone we’ve summarized the main reasons why these locks were compromised:

  • Replay attacks – simply recording and replaying the signal unlocks the lock.
  • Vulnerable to fuzzing – meaning to change bytes of a valid command to get the lock into an error state that gets it to open. (Okidokey)
  • Decompiling the APK used to unlock the smart lock by downloading the APK from the Android device, converting from dex to jar and then decompiling it. (Dana lock)
  • Device spoofing (Bitlock Padlock)
  • Adding a backdoor into the lock by a guest user allows to reset to factory settings and open lock. (August lock)
  • Brute forcing because they only have 8 digit pins.
  • Master API Admin code was hard coded in the hacked August Lock. Here are some of the original images:
bluetooth encryption
Static

Starting a new project?

Learn everything you need in this downloadable guide.

Download Guide
Get A Quote
Starting a new project?

Some features of the “uncrackable” smart locks:

  • Proper AES encryption
  • Truly random nonce (8 – 16 bytes)
  • 2-factor authentication
  • No hard coded passwords
  • Long passwords allowed (16-20 characters)

Reading some of the comments in the Hackaday post suggests it will not take long till we see Bluetooth locks showing up in a CSI TV show. Let’s hope manufacturers will be more transparent with regards to their security standards and also communicate them to end users. In the end the strange thing about this whole discussion is that it’s not the lock that makes things secure, it’s the communication to and from the lock. Mechanics still work the same way they always did.

Bernhard
Bernhard Mehl

Bernhard is the co-founder and CEO of Kisi. His philosophy, "security is awesome," is contagious among tech-enabled companies.

linkedin-icon twitter-icon
Before: Equipment Leasing Models Next: How to Calculate Facility Code Using Card Bit Calculators

Related Articles

Communication Protocols

Communication Protocols Used by IoT

March 08, 2021

Remote IT Management

Remote IT Management

June 29, 2018

Best WiFi Analyzers

WiFi Speed Test Apps

October 29, 2018