My favorite part about the annual DEF CON security conference is the part where supposedly secure devices get torn to pieces. For some pieces of hardware, there’s an excuse, but I think smart door locks fall into the “you only had one job” category. And that job was not to be hacked this hard.
Researchers Anthony Rose and Ben Ramsey presented work they’d done highlighting vulnerabilities in Bluetooth locks. Using cheap, easily obtainable equipment, the researchers were able to hack a whole host of Bluetooth-connected locks from manufacturers like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion.
The news should be worrying for anyone who has hooked up a cheap Bluetooth lock for convenience. Sure, you can pick most any kind of lock, but fiddling with a smartphone is a lot less incriminating than trying to physically pick a lock, so I can imagine this kind of trick catching on for thieves.
A few more popular locks from manufacturers like August weren’t hacked, although a separate presentation did find a (much less serious) vulnerability in August’s smart lock.
More than revealing specific vulnerabilities, the research mostly proves how much of a security problem internet-connected home devices are going to be. Building a watertight, non-hackable device is hard enough for Apple with iPhones. For hardware companies with much smaller R&D departments, ensuring security is even harder. Couple that with the seriousness of hacking internet-connected home hardware, and it’s a real problem just waiting to happen.