Cyber Security

Creators Of Easily Hackable ‘Smart Locks’ Agree To Improve Security

Maybe don't trust your home's safety to the internet of things

Cyber Security
SAFETECH
May 23, 2017 at 2:32 PM ET

A Utah company that that makes easily hackable bluetooth-enabled “smart locks” for household doors and padlocks has agreed to a settlement with the state of New York. 

In what’s believed to be the first settlement of its kind, Quicklock has agreed to the office of New York Attorney General Eric Schneiderman’s demands, and plans to substantially ramp up the security of its products.

In August 2016, two researchers from Merculite Security presented a paper in which they demonstrated that smart locks that rely on Bluetooth Low Energy was extremely susceptible to hackers. The technology is designed to keep bluetooth devices functional while consuming less power by limiting how much data needed to be exchanged for them to complete a task. A number of smart lock companies, including Quicklock, rely on it. Using a tool they built for about $200 with common parts, the researchers were able to override such locks from a quarter-mile away.

Schneiderman’s office launched an investigation, confirmed those and other vulnerabilities, and found that selling locks that were so susceptible to unwanted entry was a violation of state law.

While Schneiderman’s office told Vocativ that Quicklock won’t have to pay any monetary compensation, it will have to do a better job making sure its locks actually provide decent security. Terms of the settlement include that Quicklock “shall encrypt all passwords” in their devices, that customers will be prompted to change their default password when they set up their devices, and that the company hire staffers dedicated to addressing product cybersecurity.

“I am cautiously optimistic that this settlement could encourage other companies to make security a priority,” Ben Ramsey, one of the Merculite researchers who originally discovered the vulnerability, told Vocativ. “As consumers, we must demand encryption and authentication safeguards in the devices we buy.”

Quicklock didn’t immediately respond to comment. It will, however, have to submit further documentation to Schneiderman’s office upon request.