Watch engineers hack a ‘smart home’ door lock

My name is Atul Prakash. I’m a professor in Electrical Engineering and Computer Science at the University of Michigan. We are going to be showing you how a hacker can open your front door.

The idea is to improve the safety of your home and to allow you to monitor what’s going on inside your house and to remotely, potentially control it. Unfortunately this also opens the door to potential vulnerabilities, and we’re going to be showing you some attacks that are possible, which should give homeowners some pause when considering deploying these kinds of technologies.

Okay, this attack involves a homeowner who has installed a smart lock on their front door and is using a battery monitor app to monitor battery levels. However, I have written this app and I’ve encoded malicious instructions in it to send me an SMS message whenever the user programs a PIN code. This will let me enter the house whenever I want. So I have received an SMS telling me the code the user has just programmed, and I’m just going to walk over to the home and unlock the door. So as you can see the bolt turns and I can unlock the door.

The second attack exploits an app that the user has downloaded from the SmartThings app store that allows homeowners to remotely lock and unlock door locks. I’ll send a message to that app using my browser and it will let me program my PIN code, even multiple PIN codes if I want to. And it will allow me sustained access to the home. As you can see the bolt turns and I can open the door.

We have reached out to Samsung and the SmartThings team on the vulnerabilities that we’ve found in their platform. So if you’re considering using these technologies you should analyze from the perspective of what’s the worst case scenario, which in this case often would be that a hacker has at least as equal access to your smart devices inside your house remotely as you do.

  1. This is just about reality. Safety really is an illusion, all it takes is someone smarter than the lock to break into anything… whether it be online virus protection, server protection, or even a simple door lock that can be opened with a crowbar.

  2. Umm… Wouldn't you need the homeowner's address? And besides what good does it do them when the alarm goes off which isn't connected to the SmartThings device?

  3. …one thing is for sure, George Orwell was on to something… he was shown, he shared it, most don't see it…

  4. Yup, going back to flip phones. Closing up my windows like if there's an apocalypse. Getting a tiger to protect my door. Writing all information in a freaking book then put on the tiger.

  5. The only reason this is possible is because Samsung opens the door to 3rd party apps, there are two ways it can be patched. 1. You make it so only Samsung has the ability to create the smart apps or 2. Samsung rewrites the platform so that 3rd party developers don't have access to personal/private variables such as pin codes and passwords.. etc

  6. As I have always thought, key and lock will always be the easiest and cheapest way to, well, lock your door. If this digital lock is more expensive and yet provides no greater safety, what's the whole point? All the fluff is bullshit anyway, what's the point of opening the door remotely anyway? If you know me personally and need to get into my house for one reason or another, come see me and get the key yourself!

  7. How the fuck is this trending? Why the fuck did I write this comment? I don't know. Is this real? I'm messed up.

  8. As interesting as this is, you used a developer SDK on a test version that was never sent for approval. What would be impressive is if the apps you deployed were on the store and made it past their safety checks. Just because you can make a piece of software work on a bench doesn't mean it will go live. Windows/Android/iOS and other platforms have checks to prevent this type of thing (which I admit are not foolproof).

  9. I recently had a rental house rekeyed and it takes a locksmith maybe 5 minutes to pick the front door. Nothing new here.

  10. Who the hell in their right mind would have anything smart in their home or on their person?
    Just carrying a phone is enough.
    All that smart home stuff is pretty sick if you ask me, I can figure out what is in my fridge myself – I can turn on and off light myself – I can tell myself when I have pissed my pants, don't need a sensor for that, THX – and a lot of other stuff considered smart.

    This isn't smart, it's something people have come up with to sell you more of their shit, and as this proves, pretty unsafe and crappy shit.

    Don't buy smart, be smart and your problems are over.

  11. No lock is foolproof, I'd rather have a huge deadbolt that someone has to pick or break into rather than electronic locks.

  12. Two fundamental issues I see with this video. 1) These "hacks" are entirely based on an owner downloading a 3rd party app from an unverified developer. That's like taking your keys to a shady kiosk to have them duplicated, and the kiosk making an extra copy of your key. 2) It's not like our current locks are un-hackable. Burglars have been using lock picks for ages.

  13. I don't trust technology, we all know it can be hacked. f### the bells and whistles, they just break.

  14. All someone needs is a cell phone jammer and you won't be able to control or be notified if something happens.

  15. Every time you call a REST API you need to have an authentication token generated when you initially logged in using your smart phone. But now this "hacker" did not pass an Auth token in JSON which is bullshit and real lock makers don't make such crappy REST API. In short this demo is shit and assumes lock manufacturers are dumb which they are not.

  16. So they didn't really hack a door lock, which is what I came here for, they put some spyware crap on a phone. Yawn.

  17. SmartThings is so expensive and apparently now insecure. Buy something else. $40 for a multipurpose sensor. It should cost under $5. The production cost is well under $1.

  18. Fuck smart locks or smart ANYTHING except TV because that shit is good lol
    … dead phone means you're locked in or out, if you lose your phone you're fucked… fuck smart home anything, people will ALWAYS BE ABLE TO HACK THAT SHIT

  19. Let's see, will I hack their door lock or just break the window right beside it… tough choice for criminals

  20. My door was old and shifting in its frame, so the previous doorknob stuck. I took a few hours and followed the instructions to tighten my hinges and adjust the door frame so the lock closes without friction. I'm really glad I did, I'm not sure this would have worked properly without a careful install. It was definitely worth the trouble. I made some key copies, and I've literally only used a physical key once, and that was to test if the copies worked. I'm always forgetting if I locked the front door, so being able to check in with the SmartThings app has been f'n fantastic. This is a huge convenience that I didn't know I was missing out on until I tried it myself.

  21. I don't like this door hacking method, it reminds me of my great-great uncle who was a Nazi during WW2, he killed tens of thousands of Jews, gay people, mentally ill and deficient. He was a monster and the door lock is just like him.

  22. So both attacks require the "victim" to install malicious software from third parties? Got it… they deserve it then.

  23. Just watching this doesn't look like the initial attack, both require access to the SmartThings IDE so make sure you have 2FA on. The third party app may reveal a passcode change but does not reveal the lock's location. So do not put street address as your hub name. What is really disturbing is that the spokesman says they let Samsung know but doesn't say when or what their response was… Going public like this is just creating FUD and does not add to the security.

  25. It is definitely ill advised to hook up your electronic door lock to your phone or any other gear of any kind, especially IOT devices are a no-no.
    If you're going to use your smart lock with an RFID tag, use a shielded tag, where you have to slide part of the shield away in order to open your door.
    Presumably, no lock will ever be perfect, but you just need to make it difficult enough to not be worth the time/effort for the burglar. For regular people, this should work out ok.

  26. Jesus fucking Christ, I’m being stalked someone comes in and helps themselves to everything and anything, every time I leave my home. I just bought a Yale living lock, and I watch this shit! I might just as well leave the damn door open! I don’t understand why this is even allowed on here to show everyone how to do it? My life sucks!

  27. Seems like the main problem here is new apps are not screened at all. To launch other attacks, you need to break my wifi password… Good luck with that one!

  28. Or you can stick a pin in the hole at the bottom of the keypad… it's the release… but either way if I want to break into a house I don't care what kind of smart crap they got. Or door locks, whatever. The only thing that would deter me is a posted sign and the sight of a CCTV or camera system or if they had bars over all their windows and metal case doors with metal frames… that'd be a house you'd break in and never come back out alive… or in handcuffs… rig up those grates that slam closed over every window and door and a speaker system indoors. Somebody breaks in and all of a sudden shit closes and a voice comes over the intercom, “would you like to play a game?” Lol. Ask 'em where they live and go steal their shit, leave a note “good game” then let 'em go…

