An automatic firmware update broke LockState’s internet-enabled “smart locks” for around 500 customers earlier this month, including around 200 Airbnb hosts who use the locks to remotely manage rental access. Customers have to replace their locks or ship them back for repairs. (The locks can still be operated with a physical key.)
Smart locks, like so many “Internet of Things” devices, are vulnerable to a host of tech issues. Last year security consultant Anthony Rose revealed huge security flaws in Bluetooth-enabled door locks. Of the 16 locks he tested, Rose managed to break into 12.
Smart locks don’t seem any more foolproof than when our sister site Gizmodo explored smart-lock security four years ago. We asked five security experts whether these locks are fundamentally insecure.
None of these experts is ready to entirely write off all smart locks. “Like so much of technology, you simply have to decide who to trust and how much to trust them,” says security technologist, author, and Harvard lecturer Bruce Schneier, who testified before US Congress last year about the “catastrophic risks” of insecure internet-enabled devices.
“There is always a risk that a net-enabled lock will get bricked or hacked,” says MIT professor Stuart Madnick, “most likely due to the actions (or carelessness) of the owner.” But he points out that old-fashioned key-and-lock solutions have their own user-created risks: “One of my popular sayings is: ‘You may buy a stronger lock for your door, but if you still leave the key under the mat, are you really any more secure?’”
Madnick compares the trade-off to the increased risks of driving a car instead of a horse. “Are you willing to trade your car in for a horse?”
Jeremiah Grossman, Chief of Security Strategy at cybersecurity firm SentinelOne, compares smart locks to older remote systems like prison security doors and receptionist-controlled buzzers. He says internet-connected locks can sometimes be an appropriate solution:
“Would I personally entrust the security of my home to such a device? Not at the moment, but in the future as the devices get better and more secure I might trust them more. Should others use them? Sure, depending on their living situation. And people might consider using them for doorways where what they’re securing isn’t critically important to them.”
That’s one hell of a caveat for a $500 lock. Grossman recently tweeted about deeper implications of an insecure smart lock update system:
“If someone coopted a ‘smart’ locks vendor’s software update system, imagine what could be done, how much potential damage inflicted.”
— Jeremiah Grossman (@jeremiahg) August 15, 2017
But Grossman says we shouldn’t ask whether smart locks are “fundamentally insecure” but whether they are “secure enough for a given application.”
Alan Grau, co-founder of security software provider Icon Labs, puts it similarly:
“There is no question people are going to use smart locks despite the risks. I think the questions to be asked are not if these solutions should be used, but rather what are the risks? How do these risks compare to traditional locks? What can [lock makers] do to ensure that a reasonable layer of security is built into these devices?”
Security reporter Brian Krebs had the harshest words, saying it bothers him that so many people are installing smart locks. To break through a lock, he says, an attacker has always had to be on-site. “With internet-enabled locks, you’ve removed that expensive (and from an attacker’s perspective, risky) cost from the equation.” He still won’t write off the technology entirely. “I am not saying there can’t be remotely-enabled locks that are also secure. But I’d wager on balance that most of those in use today are probably nowhere near as secure as they should be.”
With all these caveats, the consensus seems to be that smart locks trade off a lot of expected security for more convenience. Before you buy a smart lock, research its known security issues, and know that new ones could crop up. But remember that if you use it wrong, any lock is insecure.
Comments
3 responses to “We Asked Five Security Experts If Smart Locks Are Ever Safe”
But if he breaks a smart lock, and is not on site, then what do you lose? He can’t rob your house remotely.
Yes, it’s not the best wording. My take out was you pay a hacker $50 to break a lock at 2am – then you open the door and rob the joint.
I suppose one of the big differences is, with an internet-enabled lock he can toil away until he achieves his goal from the safety of his computer and unless he is very careless, you are none the wiser until he is successful. An old-style burglar, on the other hand, is only interested in a lock that he can pick quickly to minimise his risk of being caught.
If someone wants to break in, they will. So for the regular Joe, it probably makes no difference.
Businesses are a different story, as you’re at a higher risk of being targeted.
We use a PIN-coded lock at home. Two, in fact. Which I think is a really nice middle of the road. Can’t be hacked, doesn’t need a spare key, and just as much effort to ‘pick’ (perhaps more) than a regular lock.
Most burglars don’t walk into the front door because this is in general the hardest thing to open whatever lock you use. Windows and back doors are much easier to cut or kick and get in. So, no worries, smart locks are as secure as any other locks. I was robbed in my life 3 times. Once through a window, they just smashed it. Twice through the back door, they used a big hammer to smash the lock and kick in the door. The door was completely destroyed.