75 Percent of Bluetooth Smart Locks Can Be Hacked

UPDATED Aug. 10 to include names of two more uncracked locks.

LAS VEGAS — Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here.

Credit: Alexander Kirch


Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokeys and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit.

"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"

The problems didn't lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock's companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air. 

Two of those four models, the Quicklock Doorlock and Quicklock Padlock, sent the password twice, Rose said. He and Ramsey found that they could change the user password by returning the same command with the second iteration of the password changed to something else, freezing out the legitimate user.

"The user can't reset it without removing the battery, and he can't remove the battery without unlocking the lock," Rose said.

Other lock manufacturers said they encrypted the user password for Bluetooth transmissions, Rose said. Technically, they did. But with at least one, Rose discovered that he could simply grab the encrypted password out of the air, then send it back to the lock — and the lock would unlock without the password ever being decrypted.

An Okidokeys smart lock claimed to use a proprietary encryption format. Rose and Ramsey knew that roll-your-own encryption often has flaws, so they tried a "fuzzing" attack, sending random data to the lock to see how the software responded. By changing one byte in the encryption string, Rose said, the Okidokeys lock entered an error state — and the lock opened.

"We contacted Okidokeys, and then they turned off their website," Rose said. "But you can still buy the locks on Amazon."

It was harder, but not impossible, for Rose and Ramsey to crack the Mesh Motion Bitlock bicycle lock. Using free software, they replicated the lock's wireless profile on an Android phone, then were able to stage a man-in-the-middle attack on the traffic flowing between the Bitlock, its smartphone app and Mesh Motion's cloud servers.

The pair found that the Bitlock's encryption depended on a predictable "nonce" numerical value to generate encrypted strings. Nonces are supposed to be random, but Rose and Ramsey found that the Bitlock's nonce function simply added one to the nonce used the previous time. Because of that, they were able to impersonate the legitimate user and open the lock.
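The replayed-password and predictable-nonce weaknesses described above can be modeled from the lock's side in a short Python sketch. This is an added example, not code from the researchers or any lock vendor; the `Lock` class, its `nonce_mode` values and the HMAC-based response are assumptions chosen to contrast a fixed, an incrementing and a random challenge.

```python
import hashlib
import hmac
import secrets

class Lock:
    """Toy lock-side verifier; a hypothetical model, not any vendor's protocol."""
    def __init__(self, key: bytes, nonce_mode: str):
        self.key = key
        self.nonce_mode = nonce_mode      # "fixed", "counter" or "random"
        self.counter = 0
        self.pending = None               # challenge awaiting a response

    def challenge(self) -> bytes:
        if self.nonce_mode == "random":
            self.pending = secrets.token_bytes(16)          # unpredictable
        elif self.nonce_mode == "counter":
            self.counter += 1                               # previous value + 1
            self.pending = self.counter.to_bytes(16, "big")
        else:
            self.pending = bytes(16)                        # same value every time
        return self.pending

    def unlock(self, response: bytes) -> bool:
        if self.pending is None:
            return False                                    # no open challenge
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None                                 # single use
        return hmac.compare_digest(expected, response)


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """Response the legitimate app computes for a challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_accepted(lock: Lock, key: bytes) -> bool:
    """Record one valid exchange, then resend those bytes for a later challenge."""
    recorded = phone_response(key, lock.challenge())
    if not lock.unlock(recorded):         # legitimate unlock must succeed
        raise RuntimeError("model error: valid response rejected")
    lock.challenge()                      # lock opens a new session
    return lock.unlock(recorded)          # stale bytes presented again


def next_nonce_predictable(lock: Lock) -> bool:
    """Audit check: does 'previous nonce + 1' predict the next challenge?"""
    prev = int.from_bytes(lock.challenge(), "big")
    guess = ((prev + 1) % (1 << 128)).to_bytes(16, "big")
    return lock.challenge() == guess
```

In this model a fixed challenge accepts recorded bytes, an incrementing one rejects a plain replay but lets anyone compute the next challenge in advance, and only the random challenge passes both checks.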

"We contacted the Bitlock's manufacturer and told them about this," Rose said. "They said they'd fix the problem, but after three months they still haven't."

There were four smart locks that Rose said he and Ramsey failed to hack into, including models made by Kwikset and August. All four used encryption properly, offered two-factor authentication and contained no hardcoded passwords buried in the software. However, Rose said there was a YouTube video that showed one secure model, the Kwikset Kevo, being opened with a flathead screwdriver.

(UPDATE: In an Aug. 7 presentation at DEF CON, another researcher showed how he'd defeated most of the security precautions on the August Smart Lock. UPDATE UPDATE: August contacted Tom's Guide about the previous sentence, and issued a statement, in part: "The ability for a user to download and access their own encrypted key has been removed. Our system has never been compromised and none of our users' smart locks have been at risk." UPDATE UPDATE UPDATE: The researcher who looked into the August Smart Lock, Jmaxxz, contacted Tom's Guide to say that "the August is still vulnerable. The information they have been feeding you is nearly completely wrong.")

Nevertheless, Rose said, the takeaway was that 12 out of 16 Bluetooth Low Energy smart locks had broken security.

"Vendors prioritize physical robustness over wireless security," Rose said. "Our recommendation to anyone who owns one of these smartlocks is to turn off Bluetooth on the smartphone when it's not in use."

UPDATE: The two other uncrackable locks were the Noke Padlock and the Masterlock Padlock, per presentation slides posted on GitHub.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • carlhancock
    This isn't an issue unique to smart locks. The vast majority of traditional key based house locks installed in homes and sold in stores are insecure also. They are extremely easy to defeat using lock picks, etc. Without much skill at all. Most locks are a form of security theater or a deterrence. Unless you purchase high end or commercial grade locks, they aren't actually secure.
  • Dancsa
    @CARLHANCOCK
    Technically you are right. Even I could open a regular lock after half an hour of trying with a 5USD pick set. The difference is: these smartlocks are expensive. The traditional 20USD lock can be picked trivially. Then a several hundred dollar lock should not be opened by an unauthorized person with a cheap smartphone, by pressing a big red "HACK" button.