Hacking the Internet of Things: Locks and Thermostats

At Defcon last weekend, researchers demonstrated hacks against Bluetooth door locks and Internet-enabled thermostats.

Posted on August 10, 2016 at 6:06 AM • 29 Comments


David • August 10, 2016 6:29 AM

This hyped-up IoT thing is nonsense. The last thing I want or need is a crappy "Smart" Thermostat or Door Lock that has even the remotest possibility of spying on me. I do have network connected devices and sensors around me - but I built them, understand them, and keep them safely sequestered and monitored. It's hard enough trying to keep the computer under control these days, and I won't let my SIM card come anywhere near an Android or Apple device.

keiner • August 10, 2016 7:03 AM

@David, same here, but face it: This war is lost. All devices with "smart" in the name are for idiots. And idiots only.

ianf • August 10, 2016 8:38 AM

@ David has network connected devices and sensors around me - but he built them, understands them, and keeps them safely sequestered and monitored.

This is all dandy, but oh-so-elitist and thus otherworldly an approach. Because the IoT creeps upon us… due to manufacturing economies of scale, soon no home electronic devices will come WITHOUT such capability, whether enabled by default or not. And even if the latter proves to be the rule on delivery, there's no certainty that the device will stay that way, won't ever be physically connected (it presumably already is within the WiFi cover, and there might be such a chip there already "for backup purposes") just because the ["RJ45"] socket is there, gaping empty, silently pleading to be "of service."

So while your, and others, current IoTbGone strategy is fine, it is also short-sighted AND self-centered. So much brain power that rests here, yet nobody IN THE KNOW thinks about the needs of soon every Jane, Dick and Joe rhyme intentional.

r • August 10, 2016 9:14 AM

Cody Wilson's micro mill could be used to manufacture your own locks, we're safe on that front.

Might even be a good niche market to get one's feet wet in, all things considered.

David Leppik • August 10, 2016 9:58 AM

@David, @ianf:

I bought the lowest-end model of my car (Nissan Leaf) because it was the only one without a cellular connection. The iPhone app turned out to be a front end for a PHP web service that used the VIN as the only authentication. If they can't get that right, I'm pretty sure the cellular connection is just as unguarded.

The model I got didn't have much difference between trim packages, at least not that I cared about. With the latest models, the low end has a significantly lower driving range than the trim packages with cellular connectivity. The Nissan Leaf is all-electric, so we're talking 84 miles per day [135 km] vs. 107 miles [174 km.]

Even if you choose not to pay for the cellular service, Nissan can still connect to your car. And this is pretty typical for cars these days.

So yeah; you can't just opt out forever.

mark • August 10, 2016 12:15 PM

Just read the other day about a couple of researchers who demonstrated a hacked thermostat... with ransomware.

When the power? gas? company called me last year, to ask if I wanted a WebEnabledThermostat!!! I told them not ever gonna happen....

r • August 10, 2016 12:25 PM

When the power company calls you soliciting sales for 'smart' devices that are dumb enough to get hacked (remotely) please remember: they're called the 'power' company for a reason.

ianf • August 10, 2016 12:36 PM

@ rrrrrrrrrr

I don't know what said “Cody Wilson's micro mill” is or might be capable of, but ABANDON ALL HOPE YE, WHO EXPECT THE MASSES TO MILL THEIR OWN LOCKS. Nor will such be needed, as I'm sure there will be entrepreneurs filling in niche markets for those of us who care about those non-internetty things (and there are enough of us to make such cottage industry globally viable).

The problem is more of e.g. the other IoT locks around becoming intelligent, then vicious BoaFs, then goading up on the one door in their midst—yours—for non conformance to the norm, and locking up access-ways etc. Still, nothing that a generous single nighttime serving of SuperGlue couldn't teach'em.

    Might even be a good niche market to get one's feet wet in, all things considered.

There, you see? Already it's working! Just make sure to also list your nearest pigeon-coop pickup mail address on the website to underline your analog-friendliness.

@ David Leppik, David Notleppik

[…] “So yeah; you can't just opt out forever.”

I do opt out by not having a car, but then I live in a SOCIALIST WESTERN EUROPE, where it still is possible to live a life without relying on one. In fact, often not having a car (to pay for & maintain) is what distinguishes an affluent mellow lifestyle from an oscillating riches rabbit race. But of course, I have that option.

As for future ever-tighter data harvesting society (for whatever reason), you could ride a car with all comms circuits ripped out, and still be noticed by fast-mounted sensor units along the routes as "data paths of self-unidentified points." That in turn could lead to either targeted photographic, or manual investigation, nasty prospect both.

So, perhaps, there will be aftermarket devices to beam out (or respond to) signals that will "mollify" any sensors of the infrastructure. If not ones that consciously add chaos to the harvest, as an expression of backlash (we could call it "digital monkeywrenching" after the analog sabotage that Ted Kaczynski engaged in for years, puncturing tires, pouring sugar into tanks of parked snowmobiles etc. to slow down the advance of modernity in his nick of woods).

@ lion137

Never mind the Internet of compromised things, what Jeff Atwood is talking about here is even scarier:

    How your home router may be compromised from inside the house: a malicious website scripts your own browser to access the web-based admin pages of the router, and reset (or use the default) admin passwords to reconfigure it. GAME OVER.

@ Marcos Malo: illuminate me re: lightbulb attack FX

r • August 10, 2016 1:08 PM

"There, you see? Already it's working! Just make sure to also list your nearest pigeon-coop pickup mail address on the website to underline your analog-friendliness. "

Are you trying to set me up for bird flu or salmonella poisoning?

Maybe west rhine?

Marcos Malo • August 10, 2016 1:12 PM

Hey, I'm the non-techie here. I believe there is info on that link that shows the lightbulb (or possibly the lightbulb's hub) leaking the local wifi password.

Regarding how many osrams you can give your sexual partners, I don't think that is the goal of the Internet of Tantra. I don't think there is a goal. A goal might lead to your partner faking his or her osrams.

Anyone remember the Philip K Dick story that starts with the protagonist not being permitted to leave his domicile by the intelligent door that demands payment per use? Iirc, the protagonist needs to leave to get the 5¢ required to exit and is finally able to negotiate credit with the door.

Bespoke mechanical door locks fabricated by your friendly neighborhood locksmith sounds like a great idea if the locksmiths are trustworthy and truly have the skill to give each customer a unique lock. However, the how of fabrication really becomes important. Are they using a CAD program to design it? Is the fabrication being done via a CAM process? Are the computers running the design and fabrication processes secure?

Marcos El Malo • August 10, 2016 1:16 PM

Probably best if you don't allow your SIM card to come into contact with any device whatsoever, to preserve the security of both the SIM and the devices.

r • August 10, 2016 1:17 PM

@ianf, Sancho_Panza

ianf said @ https://www.schneier.com/blog/archives/2016/08/hacking_the_int.html#c6730955

"slow down the advance of modernity in his nick of woods"

Neck or knicking ianf?

r said @ https://www.schneier.com/blog/archives/2016/08/friday_squid_bl_538.html#c6730827

"knicking the heels"


Single mispelling: freudian slip or bitbucket? maybe both?

Windmills are fun, would burners can be.

ACK! connection fused!

Quick, roll back that glorious bean footage.
Let's play it in slow motion next.

Clive Robinson • August 10, 2016 2:27 PM

@ ianf,

What's chafing you today? Or are you trying to prolong the inevitable by following the advice in the BBC link and hoping that by being a Grumpy old git you can live longer (still as a grumpy old git)?

ianf • August 10, 2016 3:58 PM

@ Clive,

other than encoding/repeating this link from lion137's post, I DID NOT SUBMIT other links in this thread/topic. Perhaps you had someone else in mind, OR this was a sneaky trick question from your end whether I'd own up to something I didn't do?

In any event: nothing is chafing me today, and I'm no mo grumpy by design than otherwise. #itsathanklessjobbutsomebodysgottodoit

CallMeLateForSupper • August 10, 2016 4:12 PM

On the bright side, a fart lock owner can take solace, if she locks herself out, from the fact that the cussed thing is fall-over easy to hack, and a fart thermostat owner can relive the good ol' days of Win 3.1 by cycling through gaudy custom wallpapers, until her new eToy gets pwned.

David • August 11, 2016 1:31 AM

@Marcos El Malo, Functioning without a cellphone is not an option for me as long as I want to keep food on the table. But basic voice and SMS is all I require. So I intentionally use the dumbest cell phone I can find that isn't made in China, a surprisingly easy task if you live in a country that has lots of recycled/refurbished devices. I do have a cellular capable Android device or two, but as I said, they never get a SIM card, plus they are sequestered in an untrusted zone.

Anon • August 11, 2016 8:14 AM

What is the problem with simply putting a SIM card into an Apple or Android device? Remote compromise of the device through it simply having cellular access? Ignoring of course the fact it is a mobile smartphone, and all that implies.

The IoT is already out of control. Even if I had such devices (to the best of my knowledge I don't), there is no way I would give them internet access!

In the case of the vibrator that reports on usage, if someone insists on such a device, then just install the app on a device that is isolated? Unless the app logs everything anyway, and waits for an internet connection to send complete usage history?

I definitely think the law should be changed so that any device or app that "phones home" should be highlighted as such, along with a bullet-point list of data collected/sent from the device. It's the only way to get on top of this whole mess.

Anon10 • August 11, 2016 9:34 PM

The lock hacks are interesting, but the Bluetooth is usually not the weakest link for residential buildings. Unless there's a high grade deadbolt and high security strike plate, the door is easy to kick in. The real issue is if you're robbed, how do you file an insurance claim without any sign of forced entry?

This guy you know? • August 16, 2016 2:44 AM

Existential grid threat...

Damaging someone's home gear is costly. Bringing down an entire grid? Priceless.

What is the sound of all the water heaters and furnaces turning on or off at once? Possibly silence.

The people don't have much money, the grid operators have the money.

If someone is willing to shoot up a substation (the Metcalf incident, $15.4 million in damages), they'd be willing to do a lot.

Clive Robinson • August 16, 2016 3:11 AM

@ This guy you know?,

    The people don't have much money, the grid operators have the money.

And the one thing neither of them has is "Time".

It does not matter how much money you have, it won't buy you time when you most need it, only planning ahead will get you out of that fix.

Due to the --supposed-- issues with "fickle shareholders", the power companies have steadily cut back on staff and the preventative maintenance they did, as well as no longer "carrying spares". The big downside of this is that it has caused their suppliers to cut back not just on staff but production capacity as well. Thus the lead time on some infrastructure critical parts has more than tripled, and as there are no spares "on hand" the effect of "time" will be significant.

So if the attackers pick the right time of the year then,

    What is the sound of all the water heaters and furnaces turning on or off at once? Possibly silence.

Might quickly become "The silence of the grave" for many as the time runs out...

Charles Kemp • August 16, 2016 2:19 PM

I didn't know that you could hack Bluetooth door locks. It might be a good idea to have that secured so that people can't get into your home unannounced. I think since the product is relatively new, you should not have to worry as much but know that you should keep the password private.

Kenn • September 1, 2016 2:02 AM

@Charles Kemp, same here, I always have that thinking that Bluetooth door locks can't be hacked at all. I've been to IoT events before discussing security in all devices and it was fruitful but this one wasn't mentioned at the event.
