How Ethical Hackers Break Into Smart Locks — Real Techniques Explained (2026)
Mr Elite ··
21 min read
A $300 Bluetooth smart lock. A Flipper Zero. Ninety seconds. That’s the complete attack on a class of smart lock vulnerabilities that multiple manufacturers still haven’t patched, where capturing the BLE unlock signal once is enough to replay it indefinitely — from across the street, through a wall, or 24 hours later when nobody’s watching.
The physical security industry moved from mechanical keys to PIN codes to smartphone-connected locks and called it progress. What it actually did was add a software attack surface to a hardware security problem. Locks that took a skilled locksmith minutes to pick can now be compromised by anyone with a consumer-grade Bluetooth sniffer and 15 minutes of YouTube tutorials.
I want to be clear on scope: everything in “How Hackers Break Smart Locks” is documented security research and published CVEs, approached from an ethical security testing perspective. Understanding how these attacks work is essential for anyone doing physical security assessments, IoT security research, or making informed purchasing decisions for their own property.
🎯 What You’ll Understand After This
How BLE replay attacks work — and why fixed-code smart locks have zero defence against them
What a Flipper Zero actually captures and why researchers use it for smart lock testing
How to extract smart lock firmware via UART and JTAG debug interfaces that ship active
The cloud API vulnerabilities that bypass hardware security entirely
What a genuinely secure smart lock implementation looks like — and which properties matter
⏱️ 20 min read · IoT security research and physical security assessment context
⚠️ Authorised Testing Only: Smart lock security testing is only legal on devices you own in an environment where you cannot interfere with locks protecting others’ property. Professional physical security assessments require explicit written authorisation covering the specific access control systems in scope. Capturing or replaying signals from locks you don’t own is illegal under computer fraud and property access laws in most jurisdictions.
BLE Replay Attacks — The Most Common Smart Lock Vulnerability
Bluetooth Low Energy sends packets. When you unlock your smart lock with your phone, the app sends a specific BLE packet sequence to the lock. If that sequence is the same every time — a fixed code — then capturing it once and replaying it is a complete bypass. The lock has no way to distinguish a replayed valid unlock from a live unlock. It sees the right packet. It opens.
This isn’t a subtle vulnerability. It’s the Bluetooth equivalent of a door that opens to anyone who says the right word, regardless of who’s saying it or how many times they’ve said it before. And it’s present in a significant number of consumer smart locks — devices people install on their front doors and call an upgrade from a physical key.
BLE REPLAY ATTACK — HOW IT WORKS
# Step 1: Passive capture (attacker near the door, no interaction needed)
Attacker has BLE sniffer (Flipper Zero, nRF Sniffer, Ubertooth)
Target uses their phone to unlock their door normally
IDOR on lock_id parameter · Long-lived API tokens · No rate limiting on unlock API · Missing authorisation checks
4. Mobile App Layer
SSL pinning bypass reveals API traffic · Credentials stored in plaintext · API keys hardcoded in app · Exported activities enable intent hijacking
📸 Smart lock attack surface map — four distinct layers, each independently vulnerable. A lock that implements secure BLE rolling codes may still have an exploitable API IDOR. A lock with hardware debug interfaces disabled may still have a mobile app that stores credentials in plaintext. Comprehensive smart lock security testing covers all four layers, because a single-layer bypass is often sufficient for full access without touching the physical hardware at all.
What the Flipper Zero Actually Does to Smart Locks
The Flipper Zero became the consumer face of hardware hacking because it does something that previously required hundreds of dollars of specialist equipment with a $200 device the size of a key fob. For smart lock testing, the relevant capability is BLE sniffing in passive mode — the Flipper listens without transmitting, capturing BLE advertising and connection packets in real time.
The important distinction: the Flipper Zero captures BLE packets. Whether that capture can unlock a lock depends entirely on the lock’s implementation. Against a fixed-code lock, captured packets replay trivially. Against a properly implemented rolling code or challenge-response lock, raw packet replay doesn’t work — you’d need to break the cryptographic scheme, which is a fundamentally different attack.
FLIPPER ZERO BLE CAPABILITIES — WHAT IT CAN AND CAN’T DO
# What Flipper Zero CAN do for smart lock research
✓ Passive BLE packet capture (no transmission)
✓ BLE replay of captured fixed-code unlock sequences
✓ Sub-GHz signal capture for RF-based locks (433/868 MHz)
✓ NFC/RFID read and emulation for access card cloning
✓ Infrared capture and replay for keypad illumination
# What Flipper Zero CANNOT do
✗ Break AES-128 encrypted BLE channels
✗ Bypass properly implemented rolling codes
✗ Crack BLE pairing keys via passive capture only
✗ Access cloud-connected lock APIs
# For deeper BLE research: specialist tools
nRF Sniffer + Nordic USB dongle — full BLE protocol decode
Ubertooth One — BLE 2.4GHz spectrum analysis
GATTacker — BLE MITM proxy for connection-level analysis
🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)
Research Published Smart Lock CVEs and Security Disclosures
⏱️ 15 minutes · Browser only — no hardware required
Before touching hardware, understand the published research. Every attack documented here has published CVEs and security disclosures. Find them and map the attack types to the techniques.
Step 1: Search for published smart lock CVEs
Go to: nvd.nist.gov
Search: “smart lock” in the CVE description field
Note the vulnerability types — what categories appear most?
Step 2: Find the LOCKState and Tapplock research
Search: “Tapplock smart lock vulnerability 2018”
Search: “LOCKState smart lock CVE”
What attack types were used? Could these be prevented today?
Step 3: Find the August Lock research
Search: “August smart lock security research CVE”
What was the specific vulnerability class?
Was it BLE, API, or firmware?
Step 4: Find the Bitdefender IoT smart lock research (2016)
Search: “Bitdefender smart lock Bluetooth replay attack”
How many locks were found vulnerable to replay in that study?
What percentage of the market did that represent?
Step 5: Check the NVD for recent 2024-2025 smart lock CVEs
Search NVD: smart lock 2024
Are the vulnerability types changing or is it the same categories?
✅ The CVE research reveals the same vulnerability categories reappearing year after year across different manufacturers: BLE replay (fixed codes), hardcoded credentials, API authorisation failures, and firmware extraction. These aren’t novel attacks — they’re well-documented failure modes that manufacturers continue to ship. The Bitdefender study found 75% of tested locks vulnerable to BLE replay. That percentage hasn’t improved dramatically in the years since. This is the IoT security problem in miniature: known vulnerabilities, known mitigations, consistent failure to implement them.
📸 Screenshot the NVD search results for smart lock CVEs. Share in #iot-security
Rolling Code Bypass — When the Defence Fails
Rolling codes are the theoretical defence against replay attacks. Each unlock generates a different code — the lock accepts code N, then advances to expect code N+1. Replay of code N fails because the counter has moved. This is solid in principle. The implementations are where it breaks down.
The most common rolling code failure mode is desynchronisation recovery. When a user locks themselves out — maybe they pressed the unlock button 50 times while out of range — the lock needs a way to resync. Many manufacturers implement this by accepting a large window of future codes. If the window is wide enough, capturing a few consecutive codes gives an attacker a valid code from within that window. The resynchronisation feature that makes the product usable also breaks the rolling code protection.
ROLLING CODE WEAKNESSES — WHAT RESEARCHERS LOOK FOR
# Weakness 1: Wide acceptance window
Lock accepts codes N through N+2000 (vs ideal: N through N+3)
Attacker captures codes N+5 and N+6 while legitimate user is present
Uses N+5 to unlock later — still within acceptance window
# Weakness 2: Predictable PRNG seed
Rolling code generated from: seed = device_id XOR timestamp_at_pairing
Device ID visible in BLE advertising packets
Timestamp brute-forceable from pairing date range
Full code sequence computable without physical access
# Weakness 3: Counter not tied to cryptographic state
Counter transmitted in plaintext within BLE packet
Attacker increments counter field in captured packet
Lock accepts because code content (not counter) validated
# What good rolling code looks like
Narrow window (3-5 codes maximum)
CSPRNG seeded from hardware entropy at pairing
Counter embedded in encrypted payload — not plaintext
Firmware Extraction via Debug Interfaces
Open any consumer smart lock and you’ll likely find a PCB with a microcontroller that has UART or JTAG debug pins active. These interfaces exist for manufacturing testing and developer debugging — and manufacturers frequently forget to disable them before shipping. A UART connection gives you a shell. JTAG gives you full flash read/write access.
What you find in extracted firmware: hardcoded API credentials, encryption keys, pairing secrets, plaintext passwords in configuration files, and the complete application logic. I’ve seen smart lock firmware where the “master PIN” that bypasses all access controls was stored in plaintext in a configuration file that was trivially extractable via UART. Every lock using that firmware had the same master PIN.
SMART LOCK FIRMWARE EXTRACTION — METHODOLOGY
# Step 1: Open the lock (your own hardware only)
Remove screws from interior housing
Identify main PCB and microcontroller (IC markings)
Search: “[IC part number] datasheet UART JTAG pins”
# Step 2: Find UART pins with multimeter
Set multimeter to DC voltage, probe test points
TX pin: oscillates near VCC during boot (3.3V or 1.8V)
RX pin: stable at VCC when idle
GND: continuity to ground plane
# Step 3: Connect and capture boot messages
USB-to-UART adapter (CP2102 or FT232) → set voltage match
minicom -D /dev/ttyUSB0 -b 115200
Boot: [INFO] Starting firmware v2.3.1
Boot: [INFO] API endpoint: https://api.lockbrand.com/v2
Boot: [WARN] Debug mode enabled — DO NOT SHIP ← common finding
Premium smart locks often have the most hardened BLE implementation and the weakest API security. The thinking is that the physical layer is what matters — but the cloud API controls everything the BLE layer does. Lock and unlock remotely. Share access. Revoke permissions. If the API has an IDOR on the lock_id parameter, none of the BLE security matters — an attacker unlocks your door from their laptop.
The IDOR pattern I’ve seen most often: the app sends POST /api/v2/lock/unlock with a body containing {"lock_id": "LS-00492"}. Change the lock_id to another user’s lock identifier — found via enumeration or disclosed in a previous API response — and the API unlocks their lock. No BLE proximity required. No hardware at all.
# Setup: proxy smart lock app traffic through Burp
Install Burp CA cert on test mobile device
Set mobile proxy to Burp: 192.168.x.x:8080
Operate lock normally → capture all API traffic in Burp
# Test 1: IDOR on lock identifiers
Find unlock endpoint: POST /api/lock/{id}/unlock
Try sequential or guessable lock IDs
200 OK on different lock_id = IDOR → Critical finding
# Test 2: API token expiry
Capture auth token from normal unlock
Wait 24 hours → replay the same token
If still valid: long-lived tokens without expiry → Medium finding
# Test 3: Horizontal privilege escalation
Create two test accounts → lock owned by Account A
Use Account B’s token with Account A’s lock_id
If unlock succeeds: missing authorisation check → Critical
securityelites.com
UART Debug Interface — Smart Lock Boot Output
[INFO] Bootloader v1.2 starting…
[INFO] Firmware v2.3.1 loaded
[INFO] BLE MAC: AA:BB:CC:DD:EE:FF
[INFO] API endpoint: https://api.lockbrand.com/v2/device
[INFO] Device key: 3f7a2c1d-9b4e-…
[WARN] Debug mode ENABLED — disable before shipping
[INFO] Master PIN loaded: 4829 (factory default)
[INFO] BLE advertising started
[INFO] Ready
CRITICAL: Master PIN and API device key exposed in UART boot log
Debug mode still active in production firmware · Factory default PIN unchanged across all units of this model
📸 Simulated UART boot output from a consumer smart lock — the type of output security researchers routinely find when connecting to active debug interfaces. The highlighted lines show two Critical findings: an exposed factory master PIN and an active device API key, both present in the boot log of a production device. The “DO NOT SHIP” warning in the firmware suggests these interfaces were supposed to be disabled before manufacture. On the actual device, they weren’t.
🧠 EXERCISE 2 — THINK LIKE A HACKER (15 MIN · NO TOOLS)
Map the Attack Chain for a Real Smart Lock Compromise
⏱️ 15 minutes · No tools — pure threat modelling
A motivated attacker targeting a specific property doesn’t need all four attack vectors. They need one that works. Map the complete decision tree for each attack path and identify which gives the best ROI for a real-world attacker.
SCENARIO: A threat actor wants to enter a property secured by
a popular Bluetooth smart lock. They have no physical access yet.
They have 72 hours. They have: a Flipper Zero, a laptop, and
a willingness to spend $200 on additional hardware.
ATTACK PATH A — BLE Replay
Requirements: Must be within ~10m of the door while legitimate
user operates the lock. One-time capture needed.
Time: 30 seconds of capture. Unlimited replays.
Counter: Only works on fixed-code locks.
Question: How does the attacker determine if this lock uses
fixed codes before getting near the door?
(Hint: firmware version research, CVE database, YouTube demos)
ATTACK PATH B — Firmware Research
Requirements: Must have the same lock model.
Buy identical hardware for ~$200 → extract firmware → find hardcoded PIN.
Time: 4-8 hours for hardware analysis.
Counter: Works only if manufacturer used same PIN across devices.
Question: What information would confirm this is worth pursuing?
ATTACK PATH C — API IDOR
Requirements: Must create a legitimate account on the platform.
Find another user’s lock_id via enumeration.
Time: 30 minutes with Burp Suite.
Counter: Only works if IDOR vulnerability exists and is unpatched.
Question: How does the attacker confirm the target uses
this specific brand’s cloud platform from outside the property?
ATTACK PATH D — Mobile App Proxy
Requirements: Must intercept app traffic.
Find API endpoint, test for auth bypass.
Time: 1-2 hours.
Counter: SSL pinning may block interception.
Question: What’s the first test to run on the intercepted traffic?
WHICH PATH WOULD YOU CHOOSE FIRST and why?
✅ The attacker’s optimal first step is almost always OSINT — search the lock brand + model + CVE before getting near the property. If a relevant CVE exists for the firmware version, Path B or C may be viable with zero physical proximity. This is why firmware disclosure and prompt patching matter: a published CVE on an unpatched device is a publicly documented attack path that anyone can follow. The practitioner lesson: when assessing IoT security, CVE research before hardware analysis saves hours and often finds the real attack path.
📸 Write out your attack path decision and share in #iot-security. Tag #SmartLockHacking
What a Secure Smart Lock Actually Looks Like
Most smart lock marketing talks about AES-256 encryption and “military-grade security.” What they mean is: the BLE channel uses AES encryption. What they don’t say: whether the encryption keys are stored securely, whether the rolling code implementation is actually sound, whether the API has authorisation checks, and whether the hardware debug interfaces are disabled.
A genuinely secure smart lock implementation needs all five properties to resist every attack covered above. Missing one is enough for a determined attacker to find a path. Here’s what each property actually means in practice:
SMART LOCK SECURITY — FIVE PROPERTIES THAT MATTER
# 1. Cryptographic BLE authentication
Challenge-response or narrow-window rolling code
Nonce-based — each unlock session generates fresh challenge
Defeats: replay attacks, static packet capture
# 2. Hardware security
Debug interfaces disabled in production firmware
Flash encryption enabled (e.g. ESP32 Secure Boot)
Firmware signed — only manufacturer-signed updates accepted
Defeats: UART/JTAG extraction, firmware tampering
# 3. Short-lived API tokens
Tokens expire in minutes for unlock operations
Server-side revocation — token invalidated immediately on logout
Defeats: API token replay from captured traffic
# 4. Object-level authorisation in API
Every API call validates: requesting user owns/has access to lock_id
Lock IDs non-sequential and non-guessable (UUID v4)
Defeats: IDOR attacks across user accounts
# 5. SSL pinning in mobile app
App validates server certificate against pinned hash
Burp CA cert interception blocked
Defeats: MitM API traffic interception
securityelites.com
Smart Lock Security Assessment — Checklist
✓
BLE Layer: Capture unlock sequence → test replay → verify rolling code or challenge-response
✓
Hardware: Identify UART/JTAG pins → test for active debug interface → attempt firmware extraction
✓
Firmware: Binwalk extraction → strings for credentials → analyse BLE auth implementation
✓
API: Burp proxy → test IDOR on lock_id → check token expiry → test horizontal privilege escalation
✓
Mobile App: SSL pinning bypass → intercept app traffic → test all API endpoints for auth issues
📸 Smart lock security assessment checklist covering all four attack surface layers. A professional IoT security assessment runs through all five checks. Many consumer security tools (including Flipper Zero) only address Layer 1 (BLE). The most impactful findings — IDOR, hardcoded credentials, missing API authorisation — come from Layers 3 and 4, which require no specialist hardware at all, just a Burp Suite proxy and a test account on the lock’s cloud platform.
🛠️ EXERCISE 3 — BROWSER ADVANCED (15 MIN · NO INSTALL)
Find Smart Lock Security Research and Responsible Disclosure Programmes
⏱️ 15 minutes · Browser only
Security research is only valuable if it reaches the manufacturers and ultimately gets fixed. Before you test anything, know where findings go.
Step 1: Find three smart lock brand security disclosure programmes
Search: “[Brand] smart lock security disclosure programme”
Try: August, Yale, Schlage, Kwikset, Nuki
Which brands have a formal disclosure programme?
Which have a HackerOne or Bugcrowd programme?
Step 2: Find the NVD entries for smart lock CVEs
Go to: nvd.nist.gov
Search: smart lock bluetooth
Find the 3 most recent CVEs
What was the CVSS score and attack vector for each?
Step 3: Find the ICS-CERT smart lock advisories
Go to: cisa.gov/uscert/ics/advisories
Search for smart lock or Bluetooth lock advisories
What vulnerability categories appear in ICS-CERT advisories for IoT locks?
Step 4: Research responsible disclosure timelines
Search: “smart lock CVE responsible disclosure timeline”
How long did manufacturers take to patch?
What happened when patches weren’t issued?
Step 5: Find an academic paper on smart lock security
Search: “smart lock security bluetooth vulnerabilities site:usenix.org OR site:ieee.org”
What methodology did researchers use?
How many locks were tested in the study?
✅ The research landscape for smart lock security has been active for a decade — and the same vulnerability categories keep appearing in new products. The responsible disclosure process matters because manufacturers with active security programmes patch faster and communicate timeline expectations. If a brand doesn’t have a disclosure programme, CERT/CC provides coordinated disclosure support. The academic research is worth reading: large-scale studies of consumer smart locks consistently find majority-vulnerable rates, which drives the industry-wide standards work that eventually produces more secure defaults.
📸 Screenshot the NVD search results for smart lock CVEs and share in #iot-security
✅ Smart Lock Security — Full Picture
BLE replay, rolling code bypass, firmware extraction via UART, API IDOR, mobile app interception — five attack surfaces, each independently exploitable on consumer smart locks. The five security properties that close each one. And the responsible disclosure process that connects research to fixes. For anyone doing physical security assessments or IoT research, this is the complete framework.
🧠 Quick Check
A smart lock manufacturer claims their product is “AES-256 encrypted.” A security researcher demonstrates a BLE replay attack that unlocks the device. How is this possible if AES-256 is in use?
❓ Frequently Asked Questions
Can smart locks be hacked with a Flipper Zero?
Many consumer smart locks using fixed BLE unlock codes are vulnerable to replay attacks with a Flipper Zero. The device captures the unlock packet sequence and retransmits it. Smart locks with rolling codes or challenge-response authentication resist this specific attack, though they may have other vulnerabilities. Multiple researcher demonstrations exist on YouTube showing Flipper Zero attacks against named consumer products.
What is a BLE replay attack on smart locks?
A BLE replay attack captures the Bluetooth signal sequence that unlocks a smart lock and retransmits it later. Locks with fixed unlock codes — the same signal every time — are completely vulnerable. Properly implemented rolling codes generate a different signal per unlock; poorly implemented rolling codes have wide acceptance windows that allow captured future codes to be replayed within the window.
Which smart locks have known security vulnerabilities?
Multiple popular brands have published CVEs covering fixed BLE codes vulnerable to replay, hardcoded credentials in firmware, IDOR in companion app APIs, and active debug interfaces. Specific CVEs are on the NVD — search by brand name. Vulnerability status changes with firmware updates; always check the current version against published advisories before drawing conclusions.
How do ethical hackers extract smart lock firmware?
Via hardware debug interfaces — UART for interactive shell access, JTAG/SWD for full flash dumps. The process requires opening the housing, identifying the processor via IC markings and datasheets, locating debug pins with a multimeter, and connecting with a USB-to-UART adapter or JTAG debugger. Many consumer smart locks ship with debug interfaces active and unlocked in production hardware.
Is testing smart lock security legal?
Only on hardware you own in a controlled environment where you cannot interfere with others’ property. Professional physical security assessments require explicit written scope of work from the property owner. Capturing signals from or interfering with locks you don’t own is illegal under computer fraud and property access laws in most jurisdictions. Own the hardware before testing it.
What makes a smart lock secure against these attacks?
Five properties: (1) challenge-response or narrow-window rolling code BLE authentication (defeats replay), (2) disabled debug interfaces and encrypted flash in production hardware (defeats firmware extraction), (3) short-lived API tokens with server-side revocation (defeats API replay), (4) object-level authorisation in the cloud API (defeats IDOR), (5) SSL pinning in the mobile app (defeats traffic interception). No single consumer lock currently implements all five.
How Hackers Exploit Bluetooth Devices 2026— The broader Bluetooth attack surface beyond smart locks — BLESA, BIAS, Bluetooth impersonation, and the attacks that affect every Bluetooth device you own.
How Hackers Bypass 2FA in 2026— Smart lock companion apps increasingly use 2FA for account access — understanding bypass techniques is essential for the full API security assessment.
Kali Linux Day 11 — Aircrack-ng Tutorial— Wireless protocol analysis skills that transfer directly to BLE traffic capture and 2.4GHz spectrum analysis for smart lock research.
NVD — Smart Lock CVE Database— The authoritative source for published smart lock vulnerabilities — check before any smart lock security assessment to understand the known attack surface for specific firmware versions.
CISA ICS-CERT Advisories— Government-coordinated IoT security advisories including smart lock and access control system vulnerabilities with manufacturer response timelines and mitigation guidance.
ME
Mr Elite
Owner, SecurityElites.com
The smart lock firmware finding that stayed with me was a major brand where the “master PIN” — the one that bypasses the app, bypasses the BLE, just opens the lock — was in plaintext in a configuration file. Same master PIN across every device in that product line. The manufacturer’s response when I reported it was to ask me not to publish until they could issue a firmware update. They issued the update six months later. That’s the responsible disclosure process working as designed — slowly, with pressure, but working. Every researcher who finds one of these and goes straight to Twitter instead of the manufacturer’s disclosure programme adds to the timeline problem. Report first. The disclosure period is the price of fixing it.
