If you use ‘smart’ Bluetooth locks, you're asking to be burgled

Bluetooth-enabled locks are increasingly popular, but an analysis of 16 such devices shows 12 are easily hackable with inexpensive kit and some can be broken into from 400 metres away. In a presentation to the DEF CON hacking conference in Las Vegas, security researcher Anthony Rose detailed how to hack these supposedly smart …

  1. This post has been deleted by its author

    1. Anonymous Coward
      FAIL

      Ever asked yourself WHY burglars don't just smash the window on a house to gain entry?

      They make a huge noise when doing so, especially double glazed windows which you have to hit in the right place anyway, is bloody obvious to any overlooking neighbors and you're likely to slice yourself to ribbons when climbing through. That's why if they are going to break the glass, it's usually a small pane to get access to a lock.

      1. Charles 9

        Besides, 7 times out of 10 they can just do what the SWAT do when they insist on coming in: use brute force to break the hasp or the frame. Because most door frames are made of wood, they don't take as much force as you think (OTOH, many commercial door frames are made of steel), and there's little you can do to stop them, especially when the house is empty (meaning possible countermeasures like door stops can't be used).

      2. Anonymous Coward

        > Ever asked yourself WHY burglars don't just smash the window on a house to gain entry?

        Don't know where you live, but there is as much science behind burglary as in any other trade, legal or not.

        In a nutshell, locks in general have minimal deterrence value in general, and zero deterrence within the burglar industry.

        You may find that houses with better locks tend to be broken into less often, but that's because they have better overall security.

  2. Richard Jones 1
    Flame

    Well at Least They are Cheap as Chips

    Oh hang on they cost four or more times what a proper locking lock costs, WTF?

  3. AMBxx Silver badge
    Thumb Down

    Insurance?

    My insurance company is pretty clear about the requirements for locks - 5 Lever mortice minimum, plus stuff on patio doors.

    Anyone know of insurance companies that accept bluetooth locks? Sounds unlikely! Might be useful for a shed, but certainly not a house.

    1. Anonymous Coward

      Re: Insurance?

      Make that a 5 Lever with British Standard markings.

    2. Tech Hippy

      Re: Insurance?

      I'd imagine that many people using this stuff haven't considered advising their insurance company - I base this assumption on the surprise my insurance company greeted me with when I rang to advise them that we'd had all our door locks upgraded.

      1. Pascal Monett Silver badge

        Re: the surprise my insurance company greeted me with

        Which will be nothing next to the surprise of those morons buying these doomed-to-fail locks when they report a theft and their insurance says "um, sorry, but those BT locks are not approved and represent a security risk, so we're not going to pay for your stupidity".

        1. Anonymous Coward

          Re: the surprise my insurance company greeted me with

          Following a recent case in the Lords, the insurance companies would have to prove that the deficient locks were directly responsible for the claim. Somehow, I doubt most burglaries will be facilitated by the reprobates capturing and replaying some bluetooth data packets, but by smashing a part of themselves against the door til it opens.

  4. Mike 125

    ha ha

    >>If you use ‘smart’ Bluetooth locks, you're asking to be burgled

    It's funny because it's true.

  5. Filippo Silver badge

    Seriously? These guys make *locks*. Security is literally their core business! What the hell are they thinking?

    1. Anonymous Coward

      No, selling internet enabled tat is their business, security is an optional extra.

    2. Anonymous Coward

      Just because they can make a good mechanical lock doesn't mean they know anything about information security.

      1. BenM 29 Silver badge

        It would appear that most of the tested manufacturers know little to nothing about either information or physical security.... nand rather than xor I guess...

  6. This post has been deleted by its author

    1. Anonymous Coward

      Re: Stethoscopes

      "Try next door, they just have an up and over garage door with one of those locking catches you can rotate off its screws with a Stilson."

      Next door had a racing bicycle stolen from their locked integral garage. The up-and-over door was a common 1970s design.

      The policewoman who came to investigate showed them that a thump with your fist in the right place was "Open Sesame". The single sound could have been attributed to anyone in the row coming home late at night.

      Thieves recently tried to break into another neighbours' garage with a more secure door. The CCTV showed they used a bolt cutter to remove the external side bolts' locks. However they had assumed that external side bolts meant the original door lock's key was lost. They had not come prepared to defeat that.

      That door - and several neighbours' - now have ground obstruction locks as well. It sounds like a Hammer film when they open up their garages.

      1. Anonymous Coward

        Re: Stethoscopes

        > Thieves recently tried to break into another neighbours' garage with a more secure door. The CCTV showed they used a bolt cutter

        The fact that a) they brought incriminating tools with them and b) were caught on candid camera tells me those two were complete amateurs. Which makes them all the more annoying.

    2. Tweetiepooh

      Re: Stethoscopes

      Ours is the one with the door wide open that means everyone thinks we are in even when we aren't (OK happened once).

      More seriously our road is the one with "P" living on it since almost when it first opened, who knows everyone and has an interest in what's going on. That means we could leave our door open and any misinformed individual who came around and found the door not shut by "P" or another neighbour would likely find a "taxi" with blue lights waiting to take him to his next appointment on his exit.

  7. Anonymous Coward

    not that i'd ever buy one of these for my front door, but any reason you missed out the biggest manufacturers of these devices?

    Yale make several - some up to £400, i trust old Yale hardware, have they taken the years of experience over to ZWave?

    Thatcham also appear to make them, again reputable brand moving into the new tech did they do it well or just buy a chinese brand ?

    Real world examples please...

    1. Pascal Monett Silver badge

      Honestly, I don't care if a Bluetooth lock is well-made. As far as I'm concerned, putting any sort of wireless connectivity into a lock defeats the purpose entirely.

      I want my locks big, thick, sturdy and totally dumb, thank you very much.

      1. Triggerfish

        @Pascal

        Indeed I agree. In fact I am not really sure apart from a few circumstances, such as the disabled why they are needed.

        Making it electronic you are just adding another vulnerability level surely, and does that not defeat the purpose of securing something?

        Also what happens if there is a power failure? I assume they default to locked? So do you stay out of your house until the power is sorted?

        I'm really struggling to see the point of these things for general use.

      2. phuzz Silver badge

        Given how pretty much every car these days has some kind of wireless unlocking system, I'm going to guess that the general public want to be able to press a button to unlock their doors.

        (I've only started using the one on my car recently, since someone messed up the driver's door lock trying and failing to break in)

      3. Anonymous Coward

        "Yale make several - some up to £400, i trust old Yale hardware"

        Many cheap Yale locks are a waste of time. It's only when you start looking at £25+ do they start to become any good.

        1. NotBob

          One was made by Kwikset, a big brand over here. Sadly, the mechanics were the weak point. That should be their strong suit...

      4. Pliny the Whiner

        "I want my locks big, thick, sturdy and totally dumb, thank you very much."

        This sounds a lot like my ex-wife.

      5. Anonymous Coward

        > I want my locks big, thick, sturdy and totally dumb, thank you very much.

        You wouldn't mind posting a picture of your car? Would love to see the locks!

    2. Velv
      Headmaster

      "Thatcham also appear to make them, again reputable brand moving into the new tech did they do it well or just buy a chinese brand ?"

      I may be wrong, but a quick google appears to confirm Thatcham remains the organisation that tests and certifies security devices and they aren't a "brand" as such.

  8. Nevermind
    Gimp

    What is this device/activity?

    "the good ones can't survive a screwdiver"

    Sounds smutty to me.

  9. Hud Dunlap
    Unhappy

    What about lightning?

    I only ask because I had bought an electronic lock years ago. Everything worked great until a thunderstorm hit and it had to be reprogrammed.

  10. Haku
    Coat

    If you have one of those vulnerable bluetooth locks

    how about an upgrade, available in 5 colours, including blue!

  11. sequester

    Masterlock: https://youtu.be/YsKMsvx8vvo

    Seems to be reasonably weatherproof, but three raps with a pretty normal-sized hammer and it literally comes apart at the seams.

    1. Anonymous Coward

      Masterlock: keeping standards as low as possible

      Masterlock have a very long and unsullied record of making utterly useless locks that pretty much anyone can pick with even rudimentary tools; they rely on the fact that not very many people actually even bother to try to pick their locks, and hence fail to realise how utterly useless they actually are.

      Their Bluetooth lock is simply more of the same. The lock is waterproof and reasonably secure against Bluetooth hacking, but true to form Masterlock have skimped on the physical security. A few good whacks with a hammer (or a brick if you cannot risk getting lifted for going equipped) and the whole thing breaks apart.

      Save your money for an Abloy high security padlock. It isn't Bluetooth, but it isn't going to get bumped, picked or smashed in a hurry.

      1. DavCrav

        Re: Masterlock: keeping standards as low as possible

        "A few good whacks with a hammer (or a brick if you cannot risk getting lifted for going equipped) and the whole thing breaks apart."

        Out of interest, if plod catches you with half a housebrick in your pocket at 1am, do you think the excuse "I'm a builder" is going to work any more than it would if you were caught with a hammer?

        1. Triggerfish

          Re: Masterlock: keeping standards as low as possible

          I would not be surprised if most burglaries happen during the day. Everyone I know who has ever been robbed in their house it's been a daytime job. Figure less chance of people being in than at night.

        2. Thecowking

          Re: Masterlock: keeping standards as low as possible

          Nah, you just say you're saving up for a house.

          Apologies to the late, great Pratchett for stealing that one.

        3. Arachnoid

          Re: Masterlock: keeping standards as low as possible

          Thieves quite openly use angle grinders to saw through chains and steal bikes in busy places so a hammer is not going to draw any more attention.

          1. Charles 9

            Re: Masterlock: keeping standards as low as possible

            And if someone happens to walk up and ask what the **** they're doing?

  12. Pax

    Link to full report on all devices?

  13. Rob Crawford

    <sigh>

    Dunno why they said Masterlock was OK as it only takes 2 hammer blows to open their bluetooth padlock.

    Actually it's fairly easy to break modern double glazing and it's quieter than regular glass, you just have to know how.

    The purpose of any lock is to cause a thief to think it's too much bother, I will rob somebody else instead.

    If the average thief knew how vulnerable many modern locks are then we would be in a considerably worse position.

    Instead I have seen window frames pulled out, holes cut in the side of bungalows and caravans, snapped euro locks, slates lifted (and piled very neatly) from roofs, flat roofs cut through, melted uPVC frames and hundreds of broken windows.

    Main entrance method though is the already open window or unlocked door.

    1. Androgynous Cupboard Silver badge

      Re: <sigh> @Rob Crawford

      I certainly hope you're a policeman. If not, you should move neighbourhoods.

      1. ShadowDragon8685

        Re: <sigh> @Rob Crawford

        Might be a claims adjuster, too.

  14. Yugguy

    Yet another solution

    For which there never was a problem

    1. Chris G

      Re: Yet another solution

      The problem is now, for the most part, makers of Internet of Things things seem to be split into two main groups; the ones that are too dumb to make smart things or the ones that rely on their customers being too dumb to know if a smart thing is really smart.

  15. Flash_Penguin

    Some are tougher than others.

    If you think Bluetooth locks with no external mechanical attack vectors are a bad idea you should check out Bosnian Bill on YouTube.

    He was impressed with a Bluetooth lock when he tried to get in one mechanically.

    Watch his other stuff to see how quickly he gets in to 5 lever locks. And the noke stuff got through defcon? Might have to get one.

    https://m.youtube.com/watch?v=PqeWupKN2W0

  16. Simon Harris
    Pint

    "the good ones can't survive a screwdriver"

    How about a Harvey Wallbanger?

    Well, it's the only alcoholic icon available --------------------------------------------->

  17. allthecoolshortnamesweretaken

    Convenience over security. Every smeggin' time.

    1. Charles 9

      It's what the customers want, so what are you going to do?

  18. John H Woods Silver badge

    I use a whitetooth packet sniffer for security

    He's 40kg, and he will sniff your packet. Chances are he's friendly but do you want to risk it?

    1. ShadowDragon8685
      FAIL

      Re: I use a whitetooth packet sniffer for security

      Go ahead and get cocky. Post a sign at your house that says "We don't lock the doors; beware of dog." See how fast it gets your ass taken to the cleaner's.

      If your dog isn't a TRAINED guard dog, his loyalty and silence can easily be bought for the price of a juicy steak or other shank of meat from the nearest supermarket.

      The average domestic dog is only scary because the lizard brain associates the sounds an angry dog can make with those an angry wolf will make, but Rover, Yeller, Killer, etc, is a domesticated animal who's probably been socialized all his or her life with people, and is used to taking food from them. So if the thieves come prepared with so much as some dog treats your pooch likes, they can easily get the dog to behave while they pillage your home; or just lure him into a room they're okay with not looting and close the door on him.

      1. Charles 9

        Re: I use a whitetooth packet sniffer for security

        "If your dog isn't a TRAINED guard dog, his loyalty and silence can easily be bought for the price of a juicy steak or other shank of meat from the nearest supermarket."

        Trained or simply xenophobic. If your dog's the type that tends to charge and bark at any newcomer to the house, there may not be time for the bribe. Dog socialization can be quite specific to a family since dogs think in terms of packs.

  19. kakamistrz

    SureKey: the smart key cover

    “Did I lock the door?” 30% people wonder after they leave home. This is a known short-term memory problem resulting from the automation of everyday activities. You can go back and check your lock or save your time and increase your confidence with SureKey. Offline and standalone :) SmartLocks will never be fully secure.

    SureKey: the smart key cover that reminds you whether or not your door is locked and helps you track your keys
