wifi door lock hack

Once a year, security enthusiasts gather at the Las Vegas-based hacker convention DEF CON to call out vulnerabilities in the tech industry. At DEF CON 2016 -- the 24th such meeting -- presenters Anthony Rose and Ben Ramsey from Merculite Security focused on smart locks. And the news wasn't good. Specifically, the duo tested 16 different Bluetooth-enabled locks and found that 75 percent had "insufficient BLE security." You can find their 42-page slide presentation here, but the gist is that Rose and Ramsey were able to access multiple BLE locks from manufacturers Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- with roughly 100 bucks worth of hacking tools. As you can see in the screenshot above, the team found four models from Quicklock, iBlulock and Plantraco that use plain text passwords, one of the easiest ways to access a smart lock. The other models were vulnerable to a variety of different hacks, including replay attack, fuzzing, device spoofing and decompiling APKs.
Again, check out their presentation for more details. Bluetooth locks from Noke, Masterlock, August and Kwikset managed to escape uncracked, but Rose and Ramsey did manage to bypass the Kwikset Kevo with a good old fashioned flathead screwdriver -- something we've also tested in our office.

All of this may seem like good news for August customers, but another DEF CON presenter, @Jmaxxz, was able to bypass an August Smart Lock the next day. Here's what an August representative had to say on the subject: "Yes, we have seen @Jmaxxz's presentation from DEF CON, which is impressive. Ultimately, what he showed was that a hacker could hack their own phone to obtain a one-time use key for their own lock. The ability for a user to download and access their own encrypted key has been removed. Our system has never been compromised and none of our users' smart locks have been at risk." As @Jmaxxz noted in his presentation: "Consumers are not able to evaluate security claims made by companies.
We need more researchers investigating security claims made by companies on behalf of consumers." The hacks outlined here all focus on Bluetooth-based smart locks, but other smart locks using both the Zigbee and Z-Wave wireless standards have been hacked before as well. Much like physical locks, no smart lock is perfect. The question you need to ask yourself, then, is how much security you're willing to trade off for the convenience of controlling a lock with your phone.

My favorite part about the annual DEF CON security conference is the part where supposedly secure devices get torn to pieces.
For some pieces of hardware, there’s an excuse, but I think smart door locks fall into the “you only had one job” category. And that job was not to be hacked this hard. Researchers Anthony Rose and Ben Ramsey presented work they’d done highlighting vulnerabilities in Bluetooth locks. Using cheap, easily obtainable equipment, the researchers were able to hack a whole host of Bluetooth-connected locks from manufacturers like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion.

The news should be worrying for anyone who has hooked up a cheap Bluetooth lock for convenience.
Sure, you can pick most any kind of lock, but fiddling with a smartphone is a lot less incriminating than trying to physically pick a lock, so I can imagine this kind of trick catching on for thieves. A few more popular locks from manufacturers like August weren’t hacked, although a separate presentation did find a (much less serious) vulnerability in August’s smart lock.

More than revealing specific vulnerabilities, the research mostly proves how much of a security problem internet-connected home devices are going to be. Building a watertight, non-hackable device is hard enough for Apple with iPhones. For hardware companies with much smaller R&D departments, ensuring security is even harder. Couple that with the seriousness of hacking internet-connected home hardware, and it’s a real problem just waiting to happen.

It’s an open secret that the Internet of Things (if we must call it so) is pretty terrible, whether in standards, interoperability or security.
You don’t really expect good security in a smart light bulb or coffee maker, though. A smart front door lock, however, really shouldn’t be quite this easy to hack. Two different presentations at DEF CON this year made it clear that there’s a long way to go before we should start trusting the average smart lock — or even the nice ones (though if you had to choose, the latter is the better). This may surprise you, or you might have been saying it for years. At all events, these guys proved it with gusto. Anthony Rose and Ben Ramsey, from Merculite Security, showed off a bit of lock hacking done with less than $200 worth of off-the-shelf hardware. Some opened easier than others, but in the end 12 out of 16 yielded. Locks from Quicklock, iBluLock, and Plantraco transmitted their passwords in plaintext, making them vulnerable to anyone with a Bluetooth sniffer. Others were tricked by the attacker simply replaying the same data they snatched out of the air when a legit user unlocked the door.
Another entered a failstate and opened by default when it received an encrypted string that was off by one byte. Worth noting as well: doing a bit of wardriving, the two found plenty of locks identifying themselves as such, making it easy for an attacker to find devices to listen in on. This was a pretty poor showing altogether, although a few resisted Rose and Ramsey’s attempts: the Noke and Masterlock smart padlocks survived, and a Kwikset Kevo did as well — until they opened it with a screwdriver. Okay, that’s cheating, but the point stands. Perhaps of most concern, only one of the 12 vendors the two contacted to inform them of these flaws responded — and even then, there was no plan to fix anything. One that Merculite failed to crack was the August door lock, a rather more well known brand than the others (MasterLock notwithstanding). Fortunately, someone else had already made it their mission to break the thing wide open. Jmaxxz’s entertaining, meme-filled presentation put the lie to several of the claims set forth by August, and although it’s unlikely your average B&E artist is going to bother to circumvent certificate pinning and paw through your logs, the security holes are real.
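
The lock-side failures described above (plaintext passwords, replayed unlock data, and a lock that opened on a corrupted encrypted string) share one standard countermeasure, sketched here as an added example that is not taken from the presentations or from any vendor's firmware. It assumes an HMAC challenge-response design with a key shared at pairing; `LockVerifier`, `phone_response` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size

class LockVerifier:
    """Lock-side unlock check: fresh nonce per attempt, fail closed."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key   # assumed to be provisioned at pairing
        self._pending = None     # nonce awaiting a response, if any

    def new_challenge(self) -> bytes:
        # A new random nonce per attempt makes a sniffed response
        # useless for any later attempt.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify_unlock(self, response) -> bool:
        # The nonce is consumed whether or not the check succeeds.
        nonce, self._pending = self._pending, None
        try:
            if nonce is None or len(response) != TAG_LEN:
                return False
            expected = hmac.new(self._key, nonce + b"unlock",
                                hashlib.sha256).digest()
            return hmac.compare_digest(expected, response)
        except Exception:
            return False         # any parsing error leaves the lock closed

def phone_response(shared_key: bytes, nonce: bytes) -> bytes:
    """Paired phone's reply: a MAC over the nonce; the key never goes on air."""
    return hmac.new(shared_key, nonce + b"unlock", hashlib.sha256).digest()

def demo() -> dict:
    key = secrets.token_bytes(32)            # constructed sample key
    lock = LockVerifier(key)
    captured = phone_response(key, lock.new_challenge())
    results = {"legitimate": lock.verify_unlock(captured)}
    lock.new_challenge()                     # next attempt, new nonce
    results["replayed"] = lock.verify_unlock(captured)
    good = phone_response(key, lock.new_challenge())
    corrupted = good[:-1] + bytes([good[-1] ^ 0x01])
    results["off_by_one_byte"] = lock.verify_unlock(corrupted)
    results["no_challenge"] = lock.verify_unlock(good)
    return results

if __name__ == "__main__":
    print(demo())
```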