The Terrible Security Of Bluetooth Locks

Bluetooth devices are everywhere these days, and nothing compromises your opsec more than a bevy of smartphones, smart watches, fitbits, strange electronic conference badges, and other electronic ephemera we adorn ourselves with to make us better people, happier, and more productive members of society.

Bluetooth isn’t limited to wearables, either; deadbolts, garage door openers, and security systems are shipping with Bluetooth modules. Manufacturers of physical security paraphernalia are wont to add the Internet of Things label to their packaging, it seems. Although these devices should be designed with security in mind, most aren’t, making the state of Bluetooth smart locks one of the most inexplicable trends in recent memory.

At this year’s DEF CON, [Anthony Rose] gave a talk on compromising BTLE locks from a quarter-mile away. Actually, that ‘quarter mile’ qualifier undersells the problem: some of these Bluetooth locks are terrible locks, period, radio or no radio. The Kwikset Kevo, a $200 deadbolt, can be opened with a flathead screwdriver. Other Bluetooth ‘smart locks’ are made of plastic.

The tools [Anthony] used for these wireless lockpicking investigations were the Ubertooth One (a receive-only, promiscuous Bluetooth sniffer), a cantenna, a Bluetooth USB dongle, and a Raspberry Pi. The whole rig runs from a single battery, so it can be carried and operated without drawing attention.

The attacks on these Bluetooth locks varied: sniffing a password that the app sends to the lock in plain text (!), replaying captured unlock traffic, and, further up the ladder, decompiling the Android APK to learn how the app talks to the lock. When all else fails, brute forcing works surprisingly well; quite a few models of smart lock use fixed eight-digit PINs. Even locks with ‘patented security’ (read: custom crypto, which is a bad sign) were terrible; that patented security turned out to be an XOR with a hardcoded key.
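To make the two cheapest failures above concrete, here is an added example (not code from the talk or from this article) that simulates a lock using XOR with a hardcoded key and a lock that accepts a plaintext password, then breaks each the way the paragraph describes. The key, the PINs and the `CMD=OPEN;PIN=` message format are constructed for the example; the only assumption about the attacker is that the command layout can be read out of the decompiled app, which is exactly the APK step mentioned above.

```python
"""
Added example (not code from the talk or this article): a simulation of two of
the weak designs described above and why each falls over.

  1. "Patented security" = XOR with a hardcoded key.  One sniffed unlock packet
     plus a known plaintext prefix (the command format is readable in the
     decompiled APK) yields the key, the owner's PIN and, because the key is
     the same in every unit, every other lock of that model.
  2. A password sent as-is over the air: capture once, replay forever.

The key, PINs and message format are constructed for the example.
"""
import itertools

# Hypothetical 8-byte key baked into both firmware and app (constructed value).
HARDCODED_KEY = bytes.fromhex("5ec7e7b3d0a9f112")

# Assumed command format, as an attacker would read it out of the decompiled app.
KNOWN_PREFIX = b"CMD=OPEN;PIN="


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """'Encrypt' or 'decrypt' by XORing with the key, cycled to the data length."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


class XorLock:
    """Lock that opens on xor(key, b'CMD=OPEN;PIN=<pin>')."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._expected = KNOWN_PREFIX + pin.encode()

    def receive(self, packet: bytes) -> bool:
        return xor_with_key(packet, self._key) == self._expected


class PlaintextPasswordLock:
    """Lock whose app simply sends the password; anything equal to it opens."""

    def __init__(self, password: bytes):
        self._password = password

    def receive(self, packet: bytes) -> bool:
        return packet == self._password


def recover_xor_key(sniffed: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: key[i] = ciphertext[i] ^ plaintext[i].

    Because the key is cycled, key_len bytes of known plaintext give the whole
    key; everything after that in the packet can then be decrypted.
    """
    if len(known_plaintext) < key_len or len(sniffed) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(sniffed[:key_len], known_plaintext[:key_len]))


def attack_xor_lock(sniffed: bytes, key_len: int = len(HARDCODED_KEY)) -> tuple[bytes, str]:
    """From one sniffed packet, return (recovered key, owner's PIN)."""
    key = recover_xor_key(sniffed, KNOWN_PREFIX, key_len)
    pin = xor_with_key(sniffed, key)[len(KNOWN_PREFIX):].decode()
    return key, pin


def decrypt_other_unit(sniffed_from_other_lock: bytes, recovered_key: bytes) -> str:
    """A hardcoded key means one recovery breaks the whole product line."""
    return xor_with_key(sniffed_from_other_lock, recovered_key)[len(KNOWN_PREFIX):].decode()


def replay_attack(lock, sniffed: bytes) -> bool:
    """The attacker needs no understanding of the packet: resend it verbatim."""
    return lock.receive(sniffed)


if __name__ == "__main__":
    owner = XorLock(HARDCODED_KEY, "12345678")
    # What the Ubertooth would capture when the owner unlocks (constructed).
    sniffed = xor_with_key(KNOWN_PREFIX + b"12345678", HARDCODED_KEY)
    key, pin = attack_xor_lock(sniffed)
    print(f"recovered key {key.hex()} (matches firmware: {key == HARDCODED_KEY}), PIN {pin}")
    neighbour = xor_with_key(KNOWN_PREFIX + b"87654321", HARDCODED_KEY)
    print("neighbour's PIN:", decrypt_other_unit(neighbour, key))
    print("replay accepted:", replay_attack(PlaintextPasswordLock(b"opensesame"), b"opensesame"))
```

The point of `recover_xor_key` is that a fixed key XORed over a message is a one-time pad used more than once, so a single known plaintext of key length is enough; the point of `decrypt_other_unit` is that "hardcoded" turns one break into a break of every unit shipped.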

What was the takeaway from this talk? Secure Bluetooth locks can be made. The good ones use proper AES encryption with a truly random nonce, two-factor authentication, no hard-coded keys, and long passwords, and they cannot be opened with a screwdriver. Such locks are rare: twelve of the sixteen locks tested were easily broken. The majority of Bluetooth smart locks are not built with security in mind, which, by the way, is the entire point of a lock.

[Anthony]’s work going forward will concentrate on expanding his library of scripts for exploiting these locks, and on evaluating the Bluetooth locks on ATMs. Yes, ATMs also use Bluetooth locks. The mind reels.

53 thoughts on “The Terrible Security Of Bluetooth Locks”

  1. I’ve been an outspoken opponent of these from the start. Most are made by non-security or non-lock companies. Their #1 draw is ease of use. That is not the point of a lock. The ones that brag “simply approach the locked door with your phone in your pocket and it unlocks and lets you in”. Cringeworthy. So mom and dad go out for dinner, it’s 10pm at night, 14-year-old daughter is home, alone, or maybe keeping an eye on a younger sibling. She is actively texting a friend when there is a knock at the door, she wanders to the locked front door with her phone in her hand and…..click whirr buzzz the door unlocks during her approach. Bad guy walks right in…I realize some require you to take an extra step but….

    1. That’s a completely different use case than the types of locks depicted in this article’s header. For a garden shed / garage door / bike lock, the proximity-based opening is a great idea, because it trades a lot of inconvenience for a little less security, in theory (no one’s going to sneak into your garden shed and steal your fertilizer while you’re 5m away).

      For front-door mechanisms, this might be different, indeed.

      Anyway, any lock’s function is *always*, and has always been, a trade-off between security, convenience and cost. You could buy a 10 000€ lock for your front door, but maybe then a burglar would just throw in a window. You could reinforce all windows with steel bars, but that would make your 14yo daughter, rightfully so, feel like she’s in prison.

      I don’t think negativism as in “I’ve always told you this is a bad idea” helps in any way.

      I do agree that locks, to have any justification for being called “locks”, need to provide a certain minimum amount of security, and these locks don’t keep their promise on the convenience/security tradeoff scale.

      But let’s not act like wireless automatic entry systems are a new thing. They’ve been used on commercial grounds for decades now, because you don’t want your truck drivers to get out of the cockpit, insert a key, wait until the gate is open, get back into their driver’s seat, drive through the gate, repeat for closing it behind them…

      Oh, and cheap-as-straw garage door openers. Technology of the 80’s. Deployed in millions. “hacked” thousandfold.

      Differences are that

      a) people didn’t look as closely as they do now, in forums like Hackaday. I assure you, there’s been lively discussion on how to circumvent wireless entry systems in the 90’s. It just didn’t happen on Hackaday, because that didn’t exist back then.

      b) things weren’t so common. Sure, a couple of private home owners had a wireless buzzer for their garden porch, so they didn’t have to run a wire, but if someone took the effort of hacking that: congrats, they just gained entry to something guarded by a 70cm-high door; also, heck, no one saw a need to wirelessly unlock a hang-on lock, because… you’d still need to manipulate it to open whatever was secured with that.

      c) things weren’t connected.

      Personally, I think only c) makes an honest difference. I can’t really see any difference in the dishonesty in marketing and the impact that a) and b) signify.

      1. There used to be a newsgroup and later a website called “Risks Digest” that used to do a great job of exposing electronic / digital / “modern technology” dangers. I used to read it quite avidly.

      2. A little less? Riiight. (Having said this, most padlocks are shimmable…sooo…)

        The mind **DOES** boggle. I was another vocal opponent to this crap (and it IS that).

        Unlocking by “ease” is stupid. Unlocking by remote (and this falls under this…) is even stupider. I used to fucking cringe every time one of my former business venture’s business partners would do their “smart home” demo where they did a remote unlock through their system. Bad idea. VERY bad idea. I got the idiot to quit doing the demo and take it out of the product lineup. Big liability item. The fact that 12 out of 16 didn’t even get basic security thinking right is telling and should tell you it’s NOT a good thing after all.

        This is, quite simply, little better.

    2. Right, even if using some well implemented excessively paranoid encryption, the use case for bluetooth proximity locks is highly limited if they automatically unlock. The bluetooth entertainment system in one of our vehicles for instance… I have a hell of a time “kicking off” my wife’s device as long as she’s home, so basically any locks on the property, car, shed, bike, that were paired to that device would be sitting unlocked most of the time, because its bluetooth transceiver seems to have near 60ft range. Be a bit useless for bike locks outside the house when you might lock a bike alongside a building you’re going to be in. Even if it’s a large building you could be unwarily unlocking the thing as you move in range. You’d wanna stick an antenna on the things with negative gain so you had very restricted proximity zones…. and from messing about with trying to modify USB wifi sticks… even cutting the antenna feed near the output, leaving maybe a millimeter or two of board trace… tends to only halve range over board squiggle antenna. (Pick up 30 or so APs in my neighbourhood off internal antennas, was trying to get a highly directional antenna on it but was still getting the nearest/strongest with the merest solder pad left to tack on coax.)

    3. There are probably a dozen Canadians reading the post and wondering why the heck the door would be locked if your 14 yr old daughter, or indeed if ANYONE is home. Heck some Canadians probably leave their front doors unlocked when they go away on holiday, especially during the winter in cottage country, in case any frostbitten snowmobilers want to come in, warm up, clean your kitchen and chop some wood for you :-D

      1. Talked to the window guy a few months back. “C’mon on in and check the new window we got for you before we install it in your cabin,” he says.

        Arrive before closing. No one there. Called the shop and it went straight to voicemail. Waited a bit then went back home.

        Guy calls me up about 30 minutes later. “Didja see the window?” No… no one was there.

        “Oh, I never lock my door. Just go on in any time. It’s leaning against the wall. Just be sure to turn the lights off when you leave.”

        I just asked him when he would be in next time.

    4. Or a group of Chinese and Russian hackers meet up with Islamic terrorists at your door, your 9yo innocent child walks past the door and boom they are inside and they ALREADY KNOW YOUR IP and COULD START HACKING YOU RIGHT THEN AND THERE. And while they walk in a flock of Zika-infected mosquitoes flies into your house! At that moment a couple of Jehovah’s Witnesses pass by and see an open door…

      1. I like the concept for TV shows and movie plots though, person accidentally unlocks the door, while passing it, killer gets in, what will happen next? Oh how technology betrayed us!
        You’d think that at the very least CSI could go with a plot line like that.

      2. Hm… Does that mean I can lock the sonofabitch in a manner I can’t unlock it? Hey, there’s a DoS attack someone can do. Lock the fucker so that the “directional antenna” won’t see it.

        Seriously? Any clue how 2.4 GHz works? At close proximity, there’s very little way to suppress lobes on the pattern that would keep it from unlocking at normal BT distances, and most of the designs there are largish for a device the size of these locks. Shielding might work some…but then you have an all but permalock if I flip the SOB then.

  2. Hmm, no links to the talk. That’s a little disappointing. I was wondering whether his testing revealed any decent bluetooth locks, not that I’d use one myself. I did look at getting one of those smart locks coming out of the big tech companies, touchscreen displays to enter a PIN, connected to wifi so you can remotely unlock etc. They’re probably equally bad for security but they’re just so cool!

      1. Funny. Was just thinking that last night, drifting off to sleep. “Why don’t we run comprehensive coverage of DEFCON like we do of CCC? Oh yeah, it’s because they charge an arm and a testicle for the videos.”

        If I were giving a blockbuster talk, I’d rather it be widely available. IMO, limiting the dissemination does the speakers (the content providers, the workers, and the innovators) a disservice that’s only _just_ made up for by the incredible size and audience that DEFCON has attained.

        That said, it’s an incredible feat of wizardry that the CCC folks get a) their talks streamed live, b) raw footage online just after they end, and c) finished versions edited, and sometimes subtitled, usually within a day. That’s some amazing technical and organizational skills. Chaos? Bah! More professional than the professionals.

  3. Not much of a surprise here, recalling the old adage of “Locks keep honest people honest.” Basically any lock you buy from a hardware store is vulnerable to $10 worth of lock picks and applied knowledge. Some lock designs in common use were put on the market 100 years ago, proved vulnerable to a simple pick procedure not too many years after, and yet are still sold.

    There’s a spate of bike thefts going on around here lately, are the crims leveraging that “bic pen” attack on bike locks? Nah, they’re cutting them off.

    1. Yeah, it seems to me this concern is a bit overblown. Picking the lock just has to be slower/less convenient/noisier than breaking a window, unless we’re talking about security glass. The security measures should be proportional to the security risk.

      1. @CaptMcAllister
        Agreed. Some people fall down a rabbit hole trying to secure their home against, eg, the CIA. I figure if someone targets me in particular, I’m probably screwed. My goal is to be secure enough not to be appealing as a target.

        And, y’know, live in such shocking filth and squalor no one thinks to rob me.

  4. Problem appears when companies that have no expertise in security decide to make security-related stuff. Security experts are expensive, while average programmers are much cheaper, so they skip security evaluation and release the product. People who buy such products are not security-aware so they don’t care much. Market gets flooded with security-related stuff that is completely insecure.

  5. I attended his talk. He did present a few good hacks, however he did also deviate from the truth a few times, I guess for the sake of the show. For example “thisissecret” had nothing to do with BLE (rather mobile-app storage), and he did not hack Danalock nor Masterlock. You should have seen the angry vendor’s engineer I talked to right after this presentation ;)
    Missing link to slides:
    https://github.com/merculite/BLE-Security/blob/master/DEFCON24.pdf

    There were several other presentations regarding Bluetooth Low Energy security at DefCon. It looks like BLE hacking is on the rise this year, and several tools came out.

    My research regarding BLE security was presented at BlackHat. It summarizes possible attacks and describes several vulnerabilities I have identified in various devices (not only smart locks), but also Point-of-Sale, smart tokens, anti-theft devices etc.
    More info (whitepaper, slides, videos, sources…): http://www.gattack.io

    I have also released a BLE Man-in-the-Middle open-source tool:
    https://github.com/securing/gattacker
    BTW. a very similar tool, btlejuice, was released by Damien Cauquil 2 days later at IoT Village:
    https://github.com/DigitalSecurity/btlejuice

      1. I guess you mean Damien’s talk? I’m sorry you have interpreted my presence as interruption, that was definitely not my intention. Why would I link to him? He was so kind to suggest it would be beneficial for the audience to know that we both did develop independently very similar (although different in details) tools, and compare advantages and disadvantages of both solutions. Unfortunately that last-minute idea was not possible to realize on stage. Yes, I did (probably ungracefully) try to help him by relaxing the live-demo tension (BTW I admire him for that bravery in such BLE-packed premises). Actually I suggested before the talk that in case something goes wrong, I will plead guilty of jamming :)
        And the logo is just for fun man, and as an irony of the current infosec-hype trend (as you can read in the “logo” section on gattack.io).
        I also did not claim my tool is better. Actually btlejuice has advantages – e.g. a web interface mine lacks. GATTacker, on the other hand, has a more complex (not necessarily always better) MITM core. We will probably publish a comparison summary. Peace!

  6. mwoa, aren’t those locks meant as secondary locks, quick and convenient for when you have to leave your whatever momentarily out of sight. That cheap locks are about as secure as wet cardboard for the determined hard-core thug armed with a dedicated piece of hacking firmware (or a flathead screwdriver) seems like a given to me.

  7. It’s really not that hard to do it even *close* to right.

    Even if all they did was put a barcode on the lock that had an HMAC key and didn’t expose that value over the air, that would have been enough to defeat the researcher’s methods here.

    If you’re wondering how that would work, the user during lock setup would communicate that key to the manufacturer’s servers (over SSL). From then on, the server would vend authenticated lock control messages.

    Could it be done better than that? Sure. The lock could get a random HMAC key assigned at manufacture time and the manufacturer could keep a secure database of those keys. Or the whole thing could be done with PKI (but that raises the cost of the lock significantly). But even not bothering to do that and just putting the HMAC key on a barcode on the lock (so long as you can’t see that from the outside) is probably good enough, but even *that* is more than the industry seems to be doing at the moment.

    1. To amplify on this… The commands to the lock don’t even need to be encrypted. They just need to be *authenticated* and some form of anti-replay system needs to be in place.
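The design the article’s takeaway describes (random nonce, no hard-coded keys) and that comment 7 and its reply above propose (authenticated rather than encrypted commands, with anti-replay) is shown below in miniature, as an added example that is not part of the original post, any comment, or any vendor’s firmware. HMAC-SHA256 from the Python standard library stands in for the article’s “proper AES”; the per-lock key is assumed to be provisioned out of band (the comment’s barcode at setup, or assigned at manufacture) and is a constructed value; and the app holds the key itself rather than fetching tags from a vendor server, which is the simpler of the two arrangements the comment describes.

```python
"""
Added example (not code from the talk, this article or any lock vendor): an
authenticated, replay-resistant unlock.  Commands travel in the clear; the lock
is protected because every command is bound to a fresh, lock-chosen nonce by a
MAC under a per-lock key that never crosses the air.

Assumptions: HMAC-SHA256 stands in for the article's "proper AES"; the per-lock
key is provisioned out of band and is a constructed value here; the app holds
the key directly instead of asking a vendor server for tags.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def command_tag(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """HMAC over nonce || len(command) || command.

    The length prefix keeps the boundary between nonce and command
    unambiguous, so no two (nonce, command) pairs share a MAC input.
    """
    msg = nonce + len(command).to_bytes(2, "big") + command
    return hmac.new(key, msg, hashlib.sha256).digest()


class Lock:
    """Lock side: issues single-use challenges and verifies tagged commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # the one nonce currently accepted, if any

    def challenge(self) -> bytes:
        # Unpredictable and fresh per attempt; a new challenge voids the old one.
        self._pending = secrets.token_bytes(NONCE_LEN)
        return self._pending

    def receive(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False  # no outstanding challenge, or a stale/replayed nonce
        self._pending = None  # consume the nonce whether or not the tag is good
        return hmac.compare_digest(tag, command_tag(self._key, nonce, command))


class Phone:
    """App side: answers a challenge by tagging the command it wants run."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, command: bytes) -> tuple[bytes, bytes, bytes]:
        return nonce, command, command_tag(self._key, nonce, command)


def legitimate_unlock(lock: Lock, phone: Phone) -> tuple[bool, tuple]:
    """Normal flow; also returns the packet an eavesdropper would capture."""
    nonce = lock.challenge()
    packet = phone.respond(nonce, b"OPEN")
    return lock.receive(*packet), packet


def replay(lock: Lock, captured: tuple) -> bool:
    """Resend a captured packet, even after provoking a fresh challenge."""
    lock.challenge()
    return lock.receive(*captured)


def forge_without_key(lock: Lock) -> bool:
    """Answer a challenge with a random tag; succeeds with probability 2**-256."""
    nonce = lock.challenge()
    return lock.receive(nonce, b"OPEN", secrets.token_bytes(TAG_LEN))


def tamper(lock: Lock, phone: Phone) -> bool:
    """Keep a genuine tag but change the command it authorises."""
    nonce = lock.challenge()
    _, _, tag = phone.respond(nonce, b"STATUS")
    return lock.receive(nonce, b"OPEN", tag)


if __name__ == "__main__":
    key = bytes.fromhex("00" * 31 + "01")  # constructed per-lock key
    lock, phone = Lock(key), Phone(key)
    ok, captured = legitimate_unlock(lock, phone)
    print("owner unlock:", ok)
    print("replay:", replay(lock, captured))
    print("forge without key:", forge_without_key(lock))
    print("tampered command:", tamper(lock, phone))
```

Two details matter for a real implementation: the nonce must come from a proper random source (not a counter the attacker can predict and pre-compute responses for), and the lock must consume it on the first verification attempt, good or bad, so that a captured response is worthless the moment it has been used.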

  8. As a former HW Engineer for a smart home lock company, I can say we went to great lengths to make our products secure and that this type of attack would not have worked. On a related note, I think Apple should be applauded for making my life hell with their incredibly demanding security requirements for Homekit certification. Though I don’t like Apple very much, in this case they have created a very robust and security-conscious spec that includes scrutiny of not just the hardware but also auditing of the related apps and backend data handling. When someone finds a way to compromise Homekit, I’ll be sure to take note.

    From reading the slide deck, I think this hacker is kind of a hack.

  9. of physical security paraphernalia ALL WANT to add the Internet of
    [Anthony Rose] GAVE a talk on compromising

    Other than that I think everything has already been said.

  10. My original plans for IOT based home control was to extensively use BLE for wireless communications to sensors and actuators (like locks). Then I found out how bad BLE security was, never mind the implementations sitting on top of BLE, and I changed to using WiFi wherever possible. At least WiFi has half decent security with WPA2. Of course, that isn’t everything that is needed as the application itself has to be secure. That is a whole other matter.

    Security is all about effort versus rewards. Picking a lock may be easy but each lock has to be physically picked individually, which is usually time consuming and has to be done at the location. With BLE and poor applications, there can be software based “picking” that makes the effort to pick low and it can be done from a distance, reducing suspicion. Not a good idea.

    At a whole other level are cloud based home control systems. They may be engineered to be quite secure, but if you can break into the cloud service, you could have full control over any connected device. More effort but much more return.

  11. I can understand people building some IoT devices to forget to think about security, but locks? It’s a freaking lock. The point is to provide security. There’s no excuse for it being an afterthought, even if your company’s idea of a “brute force attack” involves a crowbar.

    Although there are plenty of non-IOT locks where this seems to be the case too; if Brinks builds their armored cars out of the same poor quality steel they use for the Brinks branded doorknobs, I’d be tempted to see if I can knock off one of their armored cars with a can opener.

  12. About bluetooth ATM locks, they aren’t really insecure. Even if they don’t use encryption over the bluetooth connection, those locks use challenge/response one-time codes.
    The reason for not using encryption for the BT connection is to make implementation easier for the CIT company or bank.

    Before, it was just a fixed PIN. The problem with those was that those leaked, or an untrustworthy CIT worker stole the money, and nobody was the wiser because the locks didn’t log anything.

    After that, it was time-controlled fixed PINs. Same problem, but now just constrained to the time window where the PINs were valid.

    After a while, the idea came up of having touch “iButtons” that were loaded with the correct encryption key. This touch iButton had to be “reloaded” at regular intervals to not stop working, and at the same time, the log of openings was transferred back.
    But same problem here – an untrustworthy CIT worker could just throw away the iButton and then say they lost it, and then the logs were lost too.

    You can’t just put the lock on the same encrypted internet connection as the ATM – as the safe lock is the only way in if there’s a malfunction of the internet connection.

    The semi-latest generation has a code that is displayed on-screen on the safe. This code must be called in to the surveillance centre, a response code is given, and then the CIT worker enters this. Then the surveillance centre does log the usage of the safe.

    The thing with bluetooth ATM locks is that they just automate this with a single button press. The challenge is sent over bluetooth to the worker’s phone, which will “authenticate” against the surveillance centre over mobile internet and request a response code, and then the response is sent to the safe, and it automatically unlocks.
    The great thing with this, is also that GPS can be used to ensure that access to the safe is only granted at the very same location the safe SHOULD be, and the worker can also in the same way, signal duress by doing something before pressing the unlock button.
