September 10, 2016
Is Your Home’s New Smart Deadbolt Secure?
Much has been written in previous months about the explosion in growth of the (IOT) Internet of Things, and the security risks posed by that growth. Where PCs, laptops, and smartphones all have fairly robust security measures in place to prevent hackers from gaining easy access, the same cannot be said of the growing legion of internet-connected objects ranging from smart lightbulbs and thermostats to smart door locks.
The door locks are actually a bit of a surprise, given that the entire reason they exist is for added security, but even here, we find an almost complete lack of digital security. This point was driven home in a painful way at this year’s DEFCON conference, in Las Vegas.
Researchers tested 16 Bluetooth “smart” door locks and found all of them to be vulnerable. In fact, 12 of the sixteen could be hacked by a complete novice.
In some cases, the problems were basic, such as sending passwords across wireless connections in plain text format, opening the door to easy interception and use by anyone with a mind to do so. Others utilized barely tested, proprietary encryption protocols, which were found to be entirely inadequate.
In all cases, the smart door locks were found to be easily hacked, in attacks that could be accomplished in mere minutes.
While such technologies are attractive and convenient, it is clear that they’re not yet ready for prime time and widespread use, which is unfortunate, given the explosion in their popularity. Perhaps you are even using such technologies in your home or to help secure your business. If you are, you should think twice, and start asking hard questions of the vendors who have provided you with the technology.
So far, there has been remarkably little interest on the part of smart lock vendors to do anything to remedy the problems found. That may soon change, because the researchers who demonstrated how easily these devices could be hacked have promised to release their findings into the public domain, in hopes of spurring action on the part of the manufacturers. In the meantime, however, there’s literally nothing you can do to make these devices more secure.