An automatic firmware update broke LockState’s internet-enabled “smart locks” for around 500 customers earlier this month, including around 200 Airbnb hosts who use the locks to remotely manage rental access. Customers have to replace their locks or ship them back for repairs. (The locks can still be operated with a physical key.)
Smart locks, like so many “Internet of Things” devices, are vulnerable to a host of tech issues. Last year security consultant Anthony Rose revealed huge security flaws in Bluetooth-enabled door locks. Of the 16 locks he tested, Rose managed to break into 12.
Smart locks don’t seem any more foolproof than when our sister site Gizmodo explored smart-lock security four years ago. We asked five security experts whether these locks are fundamentally insecure.
None of these experts is ready to entirely write off all smart locks. “Like so much of technology, you simply have to decide who to trust and how much to trust them,” says security technologist, author, and Harvard lecturer Bruce Schneier, who testified before US Congress last year about the “catastrophic risks” of insecure internet-enabled devices.
“There is always a risk that a net-enabled lock will get bricked or hacked,” says MIT professor Stuart Madnick, “most likely due to the actions (or carelessness) of the owner.” But he points out that old-fashioned key-and-lock solutions have their own user-created risks: “One of my popular sayings is: ‘You may buy a stronger lock for your door, but if you still leave the key under the mat, are you really any more secure?’”
Madnick compares the trade-off to the increased risks of driving a car instead of a horse. “Are you willing to trade your car in for a horse?”
Jeremiah Grossman, Chief of Security Strategy at cybersecurity firm SentinelOne, compares smart locks to older remote systems like prison security doors and receptionist-controlled buzzers. He says internet-connected locks can sometimes be an appropriate solution:
“Would I personally entrust the security of my home to such a device? Not at the moment, but in the future as the devices get better and more secure I might trust them more. Should others use them? Sure, depending on their living situation. And people might consider using them for doorways where what they’re securing isn’t critically important to them.”
That’s one hell of a caveat for a $500 lock. Grossman recently tweeted about deeper implications of an insecure smart lock update system:
“If someone coopted a ‘smart’ locks vendor’s software update system, imagine what could be done, how much potential damage inflicted.”
— Jeremiah Grossman (@jeremiahg) August 15, 2017
But Grossman says we shouldn’t ask whether smart locks are “fundamentally insecure” but whether they are “secure enough for a given application.”
Alan Grau, co-founder of security software provider Icon Labs, puts it similarly:
“There is no question people are going to use smart locks despite the risks. I think the questions to be asked are not if these solutions should be used, but rather what are the risks? How do these risks compare to traditional locks? What can [lock makers] do to ensure that a reasonable layer of security is built into these devices?”
Security reporter Brian Krebs had the harshest words, saying it bothers him that so many people are installing smart locks. To break through a lock, he says, an attacker has always had to be on-site. “With internet-enabled locks, you’ve removed that expensive (and from an attacker’s perspective, risky) cost from the equation.” He still won’t write off the technology entirely. “I am not saying there can’t be remotely-enabled locks that are also secure. But I’d wager on balance that most of those in use today are probably nowhere near as secure as they should be.”
With all these caveats, the consensus seems to be that smart locks trade off a lot of expected security for more convenience. Before you buy a smart lock, research its known security issues, and know that new ones could crop up. But remember that if you use it wrong, any lock is insecure.