You can find their 42-page slide presentation here, but the gist is that Rose and Ramsey were able to access multiple BLE locks from manufacturers Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion -- with roughly 100 bucks worth of hacking tools.
As you can see in the screenshot above, the team found four models from Quicklock, iBlulock and Plantraco that use plain text passwords, one of the easiest ways to access a smart lock. The other models were vulnerable to a variety of different hacks, including replay attack, fuzzing, device spoofing and decompiling APKs. Again, check out their presentation for more details.
Bluetooth locks from Noke, Masterlock, August and Kwikset managed to escape uncracked, but Rose and Ramsey did manage to bypass the Kwikset Kevo with a good old fashioned flathead screwdriver -- something we've also tested in our office.
Here's what an August representative had to say on the subject: "Yes, we have seen @Jmaxxz's presentation from DEF CON, which is impressive. Ultimately, what he showed was that a hacker could hack their own phone to obtain a one-time use key for their own lock. The ability for a user to download and access their own encrypted key has been removed. Our system has never been compromised and none of our users' smart locks have been at risk."
As @Jmaxxz noted in his presentation: "Consumers are not able to evaluate security claims made by companies. We need more researchers investigating security claims made by companies on behalf of consumers."
The hacks outlined here all focus on Bluetooth-based smart locks, but other smart locks using both the Zigbee and Z-Wave wireless standards have been hacked before as well. Much like physical locks, no smart lock is perfect. The question you need to ask yourself, then, is how much security you're willing to trade off for the convenience of controlling a lock with your phone.
The Kwikset/Weiser Kevo line of smart locks supports Bluetooth Low Energy (BLE) passive entry through its Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and then performs a cryptographic handshake over a BLE connection to verify the identity of the device.
Testing of a relay attack against the Kevo smart lock was conducted using an internal NCC Group developed BLE link layer relay tool. This tool conducts a new type of BLE relay attack operating at the link layer, for which added latency is within the range of normal GATT response timing variation, and which is capable of relaying encrypted link layer communications. This approach can circumvent the existing relay attack mitigations of GATT response latency bounding or link layer encryption, and bypass localization defences commonly used against relay attacks that use signal amplification.
While this NCC Group developed tool has not been released to the public, it may also be possible to use existing public GATT-layer BLE relay tools to conduct the attack against Kevo devices if response timing requirements are not strict. GATT-based relay attacks can only be used against unencrypted link layers, but this is not an impediment to attacking the Kevo devices, as they do not use link layer encryption. NCC Group has not attempted to use GATT-layer relay tools against the Kevo products.
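The limit of GATT response latency bounding described above, as an added illustration that is not NCC Group's tool or code from the advisory: a lock-side latency check calibrated on constructed timing samples rejects a relay that adds a large delay but accepts one whose added delay sits inside normal response-time variation. All timing values, the 3-sigma threshold and the function names are assumptions made for this example.

```python
import statistics

# Constructed GATT request->response round-trip times (ms) that a lock might
# record during legitimate, un-relayed handshakes. Assumed values, not measurements.
BASELINE_RTT_MS = [31.2, 44.8, 29.5, 52.1, 37.4, 47.9, 33.0, 58.6, 41.3, 36.7,
                   49.2, 30.8, 55.4, 39.9, 45.1]

# Constructed per-response timings of one legitimate handshake (ms).
DIRECT_HANDSHAKE_MS = [33.1, 40.2, 36.5, 44.0]

# Assumed added delays: a relay that forwards whole GATT operations waits for
# extra connection events; a link layer relay adds only a few milliseconds.
GATT_RELAY_ADDED_MS = 60.0
LINK_RELAY_ADDED_MS = 6.0


def latency_bound(baseline, k=3.0):
    """Upper latency bound: mean + k standard deviations of the calibration set."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def handshake_accepted(rtts_ms, bound_ms):
    """Accept only if every response in the handshake arrived within the bound."""
    return all(rtt <= bound_ms for rtt in rtts_ms)


def relayed(rtts_ms, added_ms):
    """Timings the lock would observe if a relay added a fixed delay per response."""
    return [rtt + added_ms for rtt in rtts_ms]


def false_reject_rate(baseline, bound_ms):
    """Fraction of legitimate calibration samples that exceed a given bound."""
    return sum(rtt > bound_ms for rtt in baseline) / len(baseline)


if __name__ == "__main__":
    bound = latency_bound(BASELINE_RTT_MS)
    print(f"bound: {bound:.1f} ms")
    for name, added in (("direct", 0.0), ("GATT-layer relay", GATT_RELAY_ADDED_MS),
                        ("link layer relay", LINK_RELAY_ADDED_MS)):
        ok = handshake_accepted(relayed(DIRECT_HANDSHAKE_MS, added), bound)
        print(f"{name:18s} accepted={ok}")
    # Tightening the bound until the small added delay is caught starts
    # rejecting legitimate responses as well.
    tight = max(relayed(DIRECT_HANDSHAKE_MS, LINK_RELAY_ADDED_MS)) - 0.1
    print(f"bound {tight:.1f} ms rejects {false_reject_rate(BASELINE_RTT_MS, tight):.0%} of baseline")
```

With these constructed numbers, a bound tight enough to catch the small added delay also rejects a fifth of the legitimate samples, which is why the defences the advisory goes on to discuss rely on user interaction rather than on timing.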
As currently defined, the Bluetooth Low Energy standard lacks a suitable mechanism for secure ranging. Angle of arrival and RSSI measurement do not protect against attacks where a relay transmits from the same location and with the same power as a legitimate device. Secure ranging is normally implemented using technologies that support time-of-flight measurement, such as Ultra-Wide Band (UWB). Nevertheless, there are some approaches that can be used to defend against BLE relay attacks.
Relay attacks are most useful against passive systems that do not require user authorization to perform an action. For a higher level of security, the mobile application could be modified to allow disabling the touch-to-open feature or allow requiring user interaction in the mobile app to authorize unlocking the lock. User interaction is less important for authorizing locking the lock, compared to unlocking. This would give the user a choice between more convenient and more secure modes of operation.
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
How often have you driven out of your neighborhood, only to turn the car around to double check that your door is locked? When was the last time you left a key under the mat so your neighbor could water the plants while you were vacationing?
Now you can control your home security from the palm of your hand with a simple DIY home upgrade to our trusted Bluetooth smart lock, Kevo. Kevo Plus is the latest technology advancement to Kevo, allowing you to check if the door is locked or unlocked from your phone, and then lock or unlock it from anywhere in the world using an Internet-connected device like a smartphone or tablet.
If you already have a Kevo smart lock, visit MyKevo.com to upgrade your account to Kevo Plus for a one-time fee of $99.99. Kwikset will send you a free Bluetooth gateway that will establish online connectivity to your current Kevo lock to allow for remote locking and unlocking.
If you do not already have a Kevo lock, you can purchase one today at a variety of home improvement and consumer technology retailers. Visit Kwikset.com/where to buy for a list of retailers near you. Once you have purchased and installed your lock, follow the instructions above for upgrading to Kevo Plus and check your mail for the Bluetooth gateway!
While you are waiting for your Bluetooth gateway to arrive, upgrade to Kevo app versions 1.4 (iOS) or 1.1 (Android). Beyond establishing Kevo Plus compatibility, the app update includes InHome Locking and Unlocking*, which means you can lock or unlock Kevo from a phone or tablet when you are within Bluetooth range.
Say goodbye to the nights where you drag yourself out of bed to check if you locked the door before retiring for the night. With InHome Locking and Unlocking, you can check from your phone in bed if your door is unlocked and lock it if you forgot.
Your Bluetooth gateway arrived! Plug the Bluetooth gateway into an Internet router with an Ethernet connection to form a secure wireless connection between Kevo and the Bluetooth gateway. Make sure the gateway is within Bluetooth range of the lock to get the best connection. If you have more than one Kevo deadbolt and wish to control all Kevo locks remotely, you are in luck! One Kevo Plus gateway can connect to multiple Kevo locks.
*With InHome Locking and Unlocking, users will be able to lock and unlock Kevo with their smartphones if they are within Bluetooth range, whether or not they have upgraded to Kevo Plus. The Kevo app is available for free download from compatible smartphone app marketplaces, such as the Apple App Store or Google Play Store.
I have reset both lock and gateway multiple times, and all times, although the install process seems successful, I have never been able to successfully unlock via the gateway, and the gateway itself would lose connectivity. Aside from the install process, nothing indicates that the lock is accessible through the gateway.
I had so much success with the Kevo that I ordered another one, and as a show of confidence I ordered 2 PLUS gateways, for each of my locks. The PLUS gateways now sit gathering dust. The fact that I have 2 gateways, both unable to set up properly, indicates there is an external factor preventing successful setup. With shipping into Australia, I forked up about over $250 for the plus modules which are now not providing me any additional functionality.
Also I have tried to order the Kevo Plus (I also live in Australia) and there is no option in your site to order to Australia. When I spoke to your customer support, they simply stated the obvious and said it was not available in Australia.
Hi David,
Kevo Plus is not officially supported in Australia. Please send our team an email,
custom...@kwikset.com, so that we may route you to the proper support staff.
Thank you,
Devon, Kwikset Community Manager
Sure, that makes sense. I have 2 doors though outside range (two outside garages) that I would love Kevo locks on and remotely accessible through the same account. Can you have multiple Kevo Plus units associated on the same account?