Lockitron Community

Question about security: BlueBorne attack


Does Lockitron Bolt use a Linux kernel? Does it use BlueZ as its Bluetooth transport?

If so, it’s vulnerable to the new BlueBorne attack which seems very bad. It gives the possibility that someone could open the lock via bluetooth without any credentials.

Here’s information about the attack: https://www.armis.com/blueborne

Can someone at Lockitron comment on whether we are vulnerable to this attack and if so, when there will be an update?



No, Lockitron doesn’t use classic Bluetooth (2.1) or BlueZ (the specific Linux Bluetooth stack vulnerable to BlueBorne).

Both the crowdfunded Lockitron and Lockitron Bolt use Bluetooth Low Energy exclusively, which BlueBorne does not affect.

That said, we are still tracking this issue closely. If anything comes up on the BLE side we will issue firmware updates.


Thank you for your reply. I’m glad you are on top of this.


Of course, there’s still a Lockitron problem related to this attack.

On Android, since only Nexus & Pixel phones are going to be patched to fix this vulnerability quickly, other Android users who care about security should keep Bluetooth turned off to avoid being exploited until they get the Sept 5, 2017 Security Level from their manufacturer/carrier. This means that it will be tedious for those users without Bridge to use their Lockitrons without constantly toggling Bluetooth on and off.

This also applies to iOS users who are using iOS 9.3.5 and earlier.