Bluetooth Home Door Locks Easy Prey for Hackers, N.Y. Says

By Jimmy H. Koo

New York May 22 settled allegations that Bluetooth-enabled door lock manufacturer Safetech Products LLC left locks vulnerable to hacks by failing to secure passwords and other security information.

The settlement with the Lehi, Utah-based company “marks the first time an Attorneys General’s Office has taken legal action against a wireless security company for failing to protect their customer’s personal and private information,” New York Attorney General Eric T. Schneiderman (D) said in a statement.

Peter Tran, general manager and senior director at cybersecurity solutions company RSA Security LLC, told Bloomberg BNA May 22 that “internet of things devices like smart home technology inherently have three attributes that make them vulnerable—they are smart, connected, and unsecure.” Off-the-shelf smart home devices, including locks, cameras, TVs, and appliances “don’t have standardized security bench mark testing and each are driven by different manufacturer’s specified mobile applications,” Tran said.

According to Schneiderman, security researchers in August 2016 discovered that Safetech’s Bluetooth-enabled locks transmitted passwords between the locks and the user’s mobile phone in unencrypted plain text. This lack of protection could allow potential hackers to intercept the passwords and unlock the door, according to the researchers.

“There’s no unified security testing or Good House Keeping seal of approval for smart homes, so it’s a potential hacker’s learning lab to hone their own skills,” Tran said.

The default passwords on the connected locks weren’t secure and could easily be cracked, Schneiderman said.

Settling the allegations, Safetech agreed to implement a comprehensive security program, encrypt all passwords used in its products, and prompt users to change the default password after an initial setup.

Safetech didn’t immediately return Bloomberg BNA’s email request for comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the announcement is available at http://src.bna.com/o6e.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.