It's better to use smart locks only on something that is neither very valuable nor essential. Here's why.
Smart locks are really convenient. The smart-home market offers many of them, and they differ quite a lot. Some detect the owner's approach via their mobile phone and open without a key. Others are controlled remotely: you can open the door for friends or relatives without being at home. Still others also provide video surveillance: someone rings the doorbell and you immediately see on your smartphone who has come to see you.
However, smart devices also carry additional risks that regular "offline" locks simply do not have. If you study these risks carefully, you can find as many as three reasons to prefer the classics. We will discuss them in this post.
Reason one: smart locks are physically more vulnerable than regular ones
There is a common problem: smart locks combine two different concepts. In theory, such a lock should have a reliable "smart" part and also provide serious protection against physical attack, so that it cannot be opened with a simple screwdriver or a penknife. Combining the two does not always work: you get either a flimsy smart lock, or a reliable, heavy iron lock with a vulnerable software part.
We have already described blatant examples of how not to do it in another post. There you can meet a fancy padlock with a fingerprint scanner, under which sits an opening mechanism (lever) accessible to anyone, and a smart bicycle lock that can be disassembled with a screwdriver.

The top panel with the fingerprint sensor can be easily removed with a knife. The insides of the mechanism are immediately accessible under the panel, so the lock can be easily opened.
Reason two: problems on the side of the “smart” component
Making the “smart” component of the lock secure is not easy either. Developers of such devices often prioritize functionality over protection. The most recent example is the Akuvox E11 smart intercom, a device designed not for home use but for installation in offices. It is exactly that, an intercom: it has a terminal that receives a video stream from a built-in camera, and a button to open the door. But since this intercom is “smart”, it can also be controlled from a smartphone app.
The Akuvox E11 lock has a lot of vulnerabilities that make it possible to gain unauthorized access to the premises without any problems.
The software part of the lock is implemented in such a way that anyone can view the video and sound from the built-in camera at any time. And if you make the web interface of the device accessible from the Internet, anyone can also get full access to the lock and, accordingly, open the door “protected” by it. This is a textbook example of insecure development: requests for video transmission are not checked in any way, part of the web interface is available without a password, and the password itself is easy to crack because it is encrypted with a fixed key that is the same for all devices.
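The fixed-key weakness described above, shown next to a hardened alternative. This is an added example, not code from the article or from any vendor; the toy XOR stream cipher, the key value and all function names are assumptions, since the article does not describe the device's actual scheme.

```python
import hashlib
import hmac
import os

FIXED_KEY = b"constructed-key-baked-into-every-unit"  # placeholder, not a real key
ITERATIONS = 600_000                                   # PBKDF2 work factor

def _keystream(key, n):
    # Toy stream cipher standing in for any reversible scheme (assumption).
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def weak_store(password):
    """Reversible encryption under a key that is identical on all devices."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(FIXED_KEY, len(data))))

def weak_recover(blob, key_from_any_unit):
    """The key taken from one unit reads the stored password of every unit."""
    stream = _keystream(key_from_any_unit, len(blob))
    return bytes(a ^ b for a, b in zip(blob, stream)).decode()

def strong_store(password):
    """Salted, slow, one-way hash: nothing on the device decrypts it back."""
    salt = os.urandom(16)  # unique per device and per password change
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def strong_verify(password, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```

With the weak scheme, two devices that share a password store byte-identical blobs; with the salted hash, their records differ and neither can be turned back into the password.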
Want more examples? Here you go. Here is a story about a lock that allows nearby intruders to get the password to your Wi-Fi network. Here, the smart lock poorly protects data exchange: you can eavesdrop on the radio channel and intercept control. And here is another example of a poorly protected web interface.
Reason three: software needs to be updated constantly
A typical smartphone receives updates within two to three years of its release. A cheaper IoT device may lose manufacturer support even sooner. Updating a smart device over the Internet is quite easy. However, supporting existing devices requires money and resources from the manufacturer.
This in itself can be a problem: when, for example, the manufacturer turns off the cloud infrastructure and the device stops working. But even if the functionality of the device is preserved, vulnerabilities may appear that the manufacturer did not know about when the lock was released.
For example, in 2022, researchers discovered a vulnerability in the Bluetooth Low Energy protocol, which has been adopted by many companies as a standard for contactless authentication when unlocking various devices (including smart locks). This vulnerability makes it possible to implement a so-called relay attack, in which an attacker needs to be near the owner of a smart lock with special (relatively inexpensive) equipment. With this equipment, a signal from a smartphone can be “forwarded” to the radio reception area of the smart lock. As a result, the smart lock thinks that the owner's smartphone is nearby (and not in a shopping center three kilometers from the house), and opens the door.

Kwikset lock vulnerable to relay attack using Bluetooth Low Energy protocol bug.
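Why the relay attack described above gets past cryptographic authentication, as an in-process simulation. This is an added example, not code from the article or any lock vendor; the class names, the HMAC challenge-response and the "tap to unlock" gate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

class Phone:
    """Owner's phone holding the key paired with the lock."""
    def __init__(self, key, require_tap=False):
        self.key = key
        self.require_tap = require_tap
        self.user_tapped_unlock = False      # set only by a deliberate user action

    def respond(self, challenge):
        if self.require_tap and not self.user_tapped_unlock:  # passive mode skips this gate
            return None
        self.user_tapped_unlock = False      # one tap authorizes one unlock
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class DirectLink:
    """The phone really is within radio range of the lock."""
    def __init__(self, phone):
        self.phone = phone
    def exchange(self, challenge):
        return self.phone.respond(challenge)

class RelayedLink(DirectLink):
    """Two radios joined by a long-distance link; bytes pass through unchanged."""
    def exchange(self, challenge):
        return self.phone.respond(bytes(challenge))   # the relay never needs the key

class Lock:
    def __init__(self, key):
        self.key = key
    def try_unlock(self, link):
        challenge = os.urandom(16)           # fresh nonce stops replay, not relay
        response = link.exchange(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return response is not None and hmac.compare_digest(response, expected)

def demo():
    key = os.urandom(32)                     # constructed pairing key
    lock, passive, guarded = Lock(key), Phone(key), Phone(key, require_tap=True)
    results = {
        "passive_direct": lock.try_unlock(DirectLink(passive)),
        "passive_relayed": lock.try_unlock(RelayedLink(passive)),
        "guarded_relayed": lock.try_unlock(RelayedLink(guarded)),
    }
    guarded.user_tapped_unlock = True        # owner at the door taps "unlock"
    results["guarded_direct_after_tap"] = lock.try_unlock(DirectLink(guarded))
    return results
```

In passive mode the lock sees an identical, valid response whether or not the phone is nearby. The tap ties each unlock to the owner's intent; it does not measure distance.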
The software required to operate smart locks is very complex, and the probability of finding serious vulnerabilities in it is always non-zero. If this happens, the manufacturer of the problematic lock must release an update and deliver it to devices already sold. But what if the model is no longer produced or no updates are released for it?
With smartphones, we solve this problem by buying a new device every two or three years. But how often do you plan to replace an Internet-connected door lock? We actually expect such devices to work for decades, not a couple of years until the lock manufacturer stops supporting it or goes bankrupt.
What to do?
We understand that absolutely all locks (and not only smart ones) can be hacked. However, when deciding to install a "smart" device instead of a standard lock, think carefully: do you really need the ability to open the door from your smartphone? If your answer is still yes, pay attention to the following points:
- Research specific device information before purchasing.
- Pay attention not only to reviews about the convenience and features of the smart lock, but also to reports of potential problems and threats.
- Opt for newer devices: perhaps the manufacturer will support them a little longer.
- After purchasing a device, carefully study its network functions and think carefully whether you need all of them or whether it makes sense to disable some of the particularly dangerous ones.
- And don't forget to protect your own computers, especially if they are on the same network as smart locks. It would be a shame if a computer infection with malware also leads to the doors to your apartment being left wide open.
Source