How to Hack Smart Bluetooth Locks and IoT Devices


Bluetooth Low Energy (BLE), marketed as Bluetooth Smart and introduced with the Bluetooth 4.0 specification, is the leading protocol for connecting IoT devices, medical equipment and smart-home gear. Like most emerging technologies, it is often deployed with security as an afterthought.

As these devices become more embedded in our daily lives, their vulnerabilities have real impact on both our digital and our physical security.


Enter the Bluetooth lock, promising the convenience of a digital key with temporary, Internet-shareable access. The problem is that most of these locks have vulnerabilities that are easily exploited over Bluetooth.

DEF CON always has the coolest new hacks and security news, and this year was no exception. Hacking conferences are a great way to get a pulse on the general state of the security world: what people are interested in, worried about, or looking to exploit.

This year clearly had an uptick in Internet of Things (IoT) devices and ways to hack them.

Obviously, we had to go and take a look at the Bluetooth lock hacks, and we were not the only ones.

A number of security and general tech sites wrote about how vulnerable some of these locks are: a shocking 75% of the locks tested could be opened relatively easily, and one that was reported to have good security could be broken into with a screwdriver.


The locks were from companies like BlueLock, Kwikset, Noke, August, BitLock, and QuickLock.

How to Hack a Bluetooth Lock:

A number of researchers have tackled this problem, but Anthony Rose and Ben Ramsey of Merculite Security did a great job of thoroughly going through a significant number of locks, documenting the attacks and contacting the manufacturers. The attacks fall into three classes:
Look for plaintext passwords: Many of the locks had passwords but simply transmitted them in plaintext. Anyone with a decent Bluetooth sniffer such as an Ubertooth One and a little effort has just captured your password.

Replay the signal: Great, you have built in strong encryption and I cannot hope to read or decrypt what you just sent to the lock. But if the unlock message is the same every time, I just capture it and replay it, and the door opens wide. Encryption without freshness (a nonce or counter the lock checks) does nothing against replay.

Man in the Middle: Here I am, using one of the many Man in the Middle tools to sit between your phone and the lock and control everything you transmit to it. Nothing stops me from changing what you send, say, rewriting a "lock" command so the deadbolt never hears it. BLE's default "Just Works" pairing provides no protection against this, so the application protocol has to authenticate each command itself.

The great news is that we found a video of Zero_Chaos and Granolocks of Pwnie Express showing all of this in action, along with tools you can actually use to detect these attacks as they happen.
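The three attacks above, and what a lock that resists them looks like, as an added worked example (constructed for this article; it is not code from Merculite Security, Pwnie Express or any lock vendor). The BLE air interface is simulated by a Python list so the example runs offline; the GATT handles, the `<password><command>` message layout of the weak lock, and the nonce-plus-HMAC layout of the hardened lock are all assumptions of this model, not a real product's protocol. A real attacker would capture the same bytes with an Ubertooth and send them with any BLE stack.

```python
import hashlib
import hmac
import os

# Hypothetical GATT attribute handles for this constructed lock model.
UNLOCK_HANDLE = 0x0011   # weak lock: <password><'U' or 'L'> is written here
NONCE_HANDLE = 0x0021    # hardened lock: the phone reads a fresh nonce here
CMD_HANDLE = 0x0022      # hardened lock: the phone writes <cmd><HMAC> here


class SniffedLink:
    """Stands in for the BLE air interface. Every write passes through it, so a
    passive sniffer records the bytes and an active attacker can rewrite them."""

    def __init__(self, tamper=None):
        self.tamper = tamper      # callable(bytes) -> bytes, or None
        self.captured = []        # (handle, value) pairs a sniffer would log

    def write(self, handle, value):
        if self.tamper is not None:
            value = self.tamper(value)
        self.captured.append((handle, bytes(value)))
        return handle, bytes(value)


class PlaintextLock:
    """Weak design: a single write of <password><'U'|'L'> unlocks or locks."""

    def __init__(self, password):
        self.password = password
        self.is_open = False

    def on_write(self, handle, value):
        """Returns True if the lock accepted the write as a valid command."""
        if handle != UNLOCK_HANDLE or value[:-1] != self.password:
            return False
        self.is_open = value[-1:] == b"U"
        return True


class ChallengeResponseLock:
    """Hardened design: the phone sends <cmd><HMAC-SHA256(key, nonce || cmd)>.
    A one-shot random nonce defeats replay; the MAC over cmd defeats tampering."""

    def __init__(self, key):
        self.key = key
        self.nonce = None
        self.is_open = False

    def read(self, handle):
        if handle != NONCE_HANDLE:
            return b""
        self.nonce = os.urandom(16)
        return self.nonce

    def on_write(self, handle, value):
        """Returns True only if the MAC verifies against the outstanding nonce."""
        if handle != CMD_HANDLE or self.nonce is None or len(value) != 33:
            return False
        cmd, tag = value[:1], value[1:]
        expected = hmac.new(self.key, self.nonce + cmd, hashlib.sha256).digest()
        self.nonce = None            # consumed: a replayed response has no nonce to match
        if not hmac.compare_digest(tag, expected):
            return False
        self.is_open = cmd == b"U"
        return True


def app_sends(lock, link, cmd, secret):
    """The legitimate phone app. `secret` is the password (weak lock) or the
    shared HMAC key (hardened lock)."""
    if isinstance(lock, PlaintextLock):
        return lock.on_write(*link.write(UNLOCK_HANDLE, secret + cmd))
    nonce = lock.read(NONCE_HANDLE)
    tag = hmac.new(secret, nonce + cmd, hashlib.sha256).digest()
    return lock.on_write(*link.write(CMD_HANDLE, cmd + tag))


def make_lock(hardened, secret):
    return ChallengeResponseLock(secret) if hardened else PlaintextLock(secret)


def sniff_password(password=b"123456"):
    """Attack 1, plaintext: the password is readable straight off the captured write."""
    link, lock = SniffedLink(), PlaintextLock(password)
    app_sends(lock, link, b"U", password)
    _handle, value = link.captured[-1]
    return value[:-1]


def replay_attack(hardened, secret=b"sixteen byte key"):
    """Attack 2, replay: the owner unlocks then locks; the attacker resends the
    recorded unlock write. Returns whether the door ends up open."""
    link, lock = SniffedLink(), make_lock(hardened, secret)
    app_sends(lock, link, b"U", secret)
    app_sends(lock, link, b"L", secret)
    recorded_unlock = link.captured[0]
    if hardened:
        lock.read(NONCE_HANDLE)    # the attacker can ask for a nonce, but it is a new one
    lock.on_write(*recorded_unlock)
    return lock.is_open


def mitm_flip(hardened, secret=b"sixteen byte key"):
    """Attack 3, MITM: the owner sends 'L'; the attacker rewrites the command byte
    to 'U'. Returns (lock accepted the forged write, door is open)."""
    flip = (lambda v: b"U" + v[1:]) if hardened else (lambda v: v[:-1] + b"U")
    link, lock = SniffedLink(tamper=flip), make_lock(hardened, secret)
    app_sends(lock, link, b"U", secret)               # owner unlocks; 'U' is unchanged
    accepted = app_sends(lock, link, b"L", secret)    # owner tries to lock
    return accepted, lock.is_open
```

Against the weak lock all three attacks succeed silently: `sniff_password` hands back the password, `replay_attack(False)` leaves the door open, and `mitm_flip(False)` returns `(True, True)` because the lock happily accepted the forged "unlock". Against the hardened lock the replay fails and the tampered write is rejected, but `mitm_flip(True)` still returns `(False, True)`: no amount of cryptography stops an attacker from dropping or corrupting the lock command, so the app must treat a failed write as "door still open" and tell the user, which is exactly the kind of anomaly the Pwnie Express detection tooling is meant to surface.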

Locks are not the only Bluetooth devices shown to be vulnerable. Here is a quick list of just some of the devices that have already been found vulnerable:

Cars
Teakettles and coffee machines
Medical devices (including implanted ones)
Fitness trackers

This news should worry anyone who has invested in a cheap Bluetooth lock for convenience: these attacks are a real problem just waiting to happen.

