Bluetooth has been around for a while. It’s how you connect to any number of doodads with your smartphone. Whether it’s your wireless headphones, speaker, Alexa, car, smart locks on the doors of your home, or smart toaster, it might use a Bluetooth connection.
The problem is, Bluetooth is one of the most insecure data connections available. Hackers are constantly exploiting Bluetooth connections to find backdoor entry points, which they use to steal your private photos, financial information, phone number, identity, or hack into your physical home by disabling your smart locks. That’s why no PointCentral smart home products rely on Bluetooth to communicate with each other—it’s just too vulnerable.
To help you understand what Bluetooth vulnerabilities could mean for smart home technology, let’s take a look at what’s wrong with Bluetooth when it’s used for smart locks, and why you might want to replace your Bluetooth smart locks with more secure ones.
What’s Wrong With Bluetooth Smart Locks?
One of the first tips from digital security experts is to “turn off the Bluetooth connection on your phone, and never turn it back on again” due to well-known security vulnerabilities related to Bluetooth. At the very least, you should turn it off when you’re not using it. As for your Bluetooth smart locks, you might want to simply toss them in the trash, or risk becoming the victim of a home invasion or robbery.
According to digital security specialist, Anthony Rose, found a lot of Bluetooth locks that belonged to his neighbors by using a range-finding tool while walking through his neighborhood. What he discovered about these locks is terrifying: “I discovered plain-text passwords being sent that anybody could read. I couldn’t imagine I was the only one that could see this,” Rose said at a DefCon security conference.
To investigate the matter further, Rose and his partner bought 16 different Bluetooth-enabled smart locks for doors to test the strength of their security. Most of the locks had seriously-flawed or nonexistent security: “I never imagined that I would come across 12 of the 16 locks that I bought having either no security or poorly implemented security,” he said.
The problematic locks they tested were made by Quicklock, iBluLock, Plantraco, Ceomate, Elecycle, Vians, Lagute Sciener, Danalock, Mesh Motion Bitlock, and Okidokey.
With the brands Quicklock, iBluLock, Plantraco, Rose found it easy to change the administrator passwords and lock the owners out of their homes. With the brands Ceomate, Elecycle, Vians, and Lagute Sciener, Rose was able to break into them with a replay attack (where validated passwords can get intercepted and “replayed” to the locks to break into them) even though the brands claimed that they used advanced encryption technology.
Finally, Rose and his partner were also able to break into an Okidokey Smart Doorlock (which boasted patented cryptographic solutions) by changing one of the bytes in the lock’s unique key to “00.” This confused the lock and caused it to open.
Unfortunately, you simply can’t trust the security on Bluetooth-enabled smart locks, but why?
Bluetooth Is a Tangled Web of Security Vulnerabilities
There will likely be hundreds more Bluetooth vulnerabilities related to smart locks revealed in the future. Even though developers are scrambling to patch up the Bluetooth security dangers we already know about, there’s only so much they can do. The truth is, this technology has more holes in it than a sieve, and new exploits continue to appear.
The reason Bluetooth is so vulnerable relates to the complexity of Bluetooth security protocols and the rising interconnectedness of devices. According to a cryptographer from John Hopkins University Matthew Green:
“I couldn’t possibly give an informed opinion on the true security of Bluetooth, and I strongly suspect that the protocol designers couldn’t either. That’s because all of the details are buried in hundreds of pages of unreadable specifications. Many device manufacturers have engineered around this by designing their own security as a kind of ‘add on’ layer that they use over Bluetooth. This is probably wise, given what a mess the protocol itself has been.”
The Bluetooth Special Interest Group (Bluetooth SIG) doesn’t have a clear answer to the Bluetooth security problem aside from advising you to “lock down” your devices:
“More and more devices are becoming interconnected, and that all of a sudden brings a whole other set of challenges that you need to be aware of when you’re creating a product … We encourage people to use the max level of security your product can support. We encourage you to lock it down.”
Lock It Down? How About Throw It in the Trash?
At PointCentral, we’re acutely aware of the rampant security vulnerabilities associated with some of the most popular wireless communication technologies – especially Bluetooth and Wi-Fi. That’s why PointCentral smart home components don’t rely on Bluetooth connections to communicate with each other. It’s also why we recommend that you don’t install any Bluetooth-enabled smart devices in your home.
Instead of Bluetooth and Wi-Fi, PointCentral smart hubs rely on secure, encrypted cellular connections, along with the newer, Z-Wave network technology, to pair with your smart home devices. Encrypted cellular and Z-Wave offer the highest level of information security in the industry.
To learn more about PointCentral’s advanced information security standards, please contact our team for a thorough review of our smart home technologies.