Researcher finds huge security flaws in many Bluetooth locks


Locks made by real lock companies were not hackable by these researchers.

The four locks that the team couldn’t hack were the Noke Padlock, Masterlock Padlock, Kwikset Kevo Doorlock and August Doorlock.

The Schlage would not have been hackable in this fashion either, although they didn’t even try that one.

The others are all from gadget companies or one-product startups. It’s also notable that none of the companies that could be hacked behaved in the recommended fashion. They did not respond to the researchers’ inquiries prior to publication or issue a press release. One of them, Okidokeys, appears to have shut down its website prior to DEF CON but made no public response.

The one troubling brand that they found was the Bluetooth Danalock. That one is concerning. @tyler @slagle The Danalock models which are on the official “Works with SmartThings” list would have the same flaw, as they include both Z-Wave and Bluetooth protocols. It appears from this report that a hacker might be able to use the Bluetooth flaw to open the Danalock even though the homeowner was using the Z-Wave protocol with SmartThings. At least that should be looked into.

More on vendor responses:

The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app.

Response from professional lock pickers —

“We have been pwning these things for over a 100 years!”
