New York Attorney General settles with Bluetooth lock maker over insecurity claims

Computer-controlled locks are some of the more popular Internet of Things devices making it into the home, and in the first settlement of its kind, the New York Attorney General has reached an agreement with a manufacturer to make them more secure against hackers.

At last year's DEF CON hacking conference, two researchers detailed how they tried to defeat 12 Bluetooth-controlled locks and found that for most of them it was easy. Of the dozen locks tried, eight were breakable by sniffing communications between the machinery and the app controlling it, and one of the remaining devices was so poorly made it could be opened with a screwdriver.

Two of the devices mentioned, the QuickLock Padlock and QuickLock Doorlock sold by SafeTech in Utah, were beatable because the signals were sent in plain text rather than being encrypted. Now the AG has announced he has done a deal to harden up the security of the locks.

"Today's settlement with SafeTech marks the first time an Attorneys General's Office has taken legal action against a wireless security company for failing to protect their customers' personal and private information," said Attorney General Eric Schneiderman.

"Companies employing new technologies must implement and promote good security practices and ensure that their products are secure, including through the use of encryption. Together with the help of companies like SafeTech, we can safeguard against breaches and illegal intrusions on our private data."

SafeTech was surprised by the original analysis, since the researchers hadn't tried to contact the firm, and it placed a warning about the unencrypted data on the devices before the AG's office got in contact. It also encrypted communications on the locks intended for consumer sales.

"It is encouraging to see governments, companies, and consumers start to take security seriously in smart devices," Ben Ramsey from Merculite Security, one of the original researchers, told The Reg.

Under today's deal the firm has also undertaken to perform risk assessment on its products, and assign a staff member to oversee security procedures. Staff will undergo additional training in building secure systems.

Communications left open for a reason

"I've got no problem with the Attorney General's office and the settlement," SafeTech's founder Ryan Hyde told The Register. "We only sell a very small number of consumer devices; the bulk of sales are for companies that want to build their own apps, so we leave the communications open for them to develop their own security."

He explained that SafeTech went into business to sell these commercial systems, and companies are looking for other functions built into its locks – notably data tracking and traceability. A significant portion of sales are to companies looking for "lockout-tagout" systems.

When working inside dangerous machinery, it's normal for the staff inside to take the keys to turn the device with them, to avoid it being inadvertently turned on with them inside. The SafeTech keys are built to do this without needing to have multiple locks and keys hanging off a worker's belt.

He also pointed out that the locks tested by the hackers are more resilient than first thought. The device's Bluetooth is range-limited to around 50 feet and only activates when the lock is physically moved – a battery-saving measure. They are also blocked against brute force attack, Hyde said.

No doubt one of the reasons the AG targeted SafeTech is that it's an American firm. The bulk of these Bluetooth locks are built in China by small companies, and as such are out of the AG's reach.

"I'm as frustrated with Chinese knockoffs as anyone," Hyde said. "I believe that other attributes such as memory and data logging for localized security systems in locks is where I see the future." ®