Smart home: beware unsecured connected locks

Do you know about connected locks?

The smart home has become a topic of interest. It is certainly very convenient to be able to control your house remotely with your smartphone. Unfortunately, connected objects are not always secured. This is even worse when it comes to your front door lock!

A study has shown that most connected locks found on the market can be easily opened by anyone with limited IT skills.

At a conference in Las Vegas last August, cyber security researcher Anthony Rose exposed the fragility of one specific kind of connected object: door locks. Anthony Rose simply wanted to run a test using equipment for detecting Bluetooth connections. Seeing a large number of locks appear in his neighborhood, he decided to intercept the data sent and received by these devices. This is what is called “sniffing”. He was surprised to find that they transmitted all data without any form of encryption.

He then pushed the experiment further and purchased sixteen different connected locks to test each of them individually. The result is frightening: twelve of the sixteen locks are very badly secured or not secured at all. Four of them transmit passwords that are not even encrypted: Quicklock Doorlock, Quicklock Padlock, iBluLock Padlock and Plantraco PhantomLock. Cybercriminals therefore only have to intercept this data to learn the password. The Quicklock brand is poorly secured: it only allows a password length of 6 characters. Someone who knows even a little about technology could easily take control and block the owner's access to the lock. The only way out would be to remove the battery, which, however, is accessible when the door is opened.
For four other lock models, simply by intercepting the exchange, an intruder can copy the data associated with this code and replay it. Once the code is captured, the thief can return as many times as he or she wants and activate or deactivate the lock at will. The products with this vulnerability are: Ceomate Bluetooth Smartlock, Elecycle Smart Padlock, Vians Bluetooth Smart and Lagute Sciener Doorlock Smart.
Finally, other products such as Smart Okidokey Doorlock, Doorlock Danalock or Mesh Motion Bitlock Padlock suffer from various vulnerabilities: a hard-coded password, such as “thisisthesecret”, that is installed by default on all products and is unfortunately impossible to change. There is also a lock with a defect that makes it open when its unique identifier is modified.
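
As an added illustration (not code from the researcher or from any lock vendor), the following Python model shows why a captured unlock frame keeps working against a lock that accepts a fixed code, and how answering a fresh nonce with an HMAC makes the same capture useless. The class names, the key and the 6-character code are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-device key (assumption): provisioned at pairing, never shared.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def mac(key: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the command and the lock's nonce (app and lock both compute it)."""
    return hmac.new(key, b"unlock" + nonce, hashlib.sha256).digest()

class StaticCodeLock:
    """Hypothetical lock that accepts the same bytes on every unlock."""
    def __init__(self, code: bytes):
        self._code = code

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self._code)

class ChallengeResponseLock:
    """Hypothetical lock that requires an answer to a fresh, single-use nonce."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # consumed on every attempt
        if nonce is None:
            return False
        return hmac.compare_digest(response, mac(self._key, nonce))

def replay_outcomes() -> dict:
    """Replay one captured frame against both designs; True means the lock opened."""
    static = StaticCodeLock(b"123456")        # constructed 6-character code
    captured_static = b"123456"               # bytes an eavesdropper would record
    cr = ChallengeResponseLock(DEVICE_KEY)
    captured_cr = mac(DEVICE_KEY, cr.challenge())
    first_use = cr.unlock(captured_cr)        # the owner's legitimate unlock
    cr.challenge()                            # next attempt gets a new nonce
    return {"static_replay": static.unlock(captured_static),
            "cr_first_use": first_use,
            "cr_replay": cr.unlock(captured_cr)}

if __name__ == "__main__":
    print(replay_outcomes())
```

The fixed-code lock opens for the recorded bytes every time, while the challenge-response lock accepts the owner's answer once and rejects the same bytes on any later attempt.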

The researcher also said that the four locks that could not be compromised, namely Noke Padlock, Padlock Masterlock, Kwikset Kevo Doorlock and August, are nevertheless not free of defects. One of them, although it seems very robust, could still be put out of action in seconds simply by pushing a screwdriver into it.
Of the manufacturers of the 12 affected locks contacted by Anthony Rose, 10 did not respond, one closed its website but continues to sell its products on Amazon, and the last replied that it did not plan to take any special measures.

Admittedly, only 16 connected lock models were tested. But in the booming smart home market, this demonstration reminds us once again that the Internet of Things carries significant security risks for personal data. And simple techniques for this type of hacking are accessible on the Internet to anyone, even without in-depth IT knowledge.

For your smart home and all your other connected objects, use a VPN. A VPN encrypts the data sent over your internet connection. Encryption is a standard feature of VPN services that ensures that even if hackers or malware manage to capture your login and/or your data, it will not be decipherable. A VPN masks your IP address and blocks geo-location, keeping them safe from prying eyes. You can make people believe that your IP address is based in another country, even if you are quietly at home. So do not wait to protect your smart home.
