Are Smart Locks Secure Or Just Dumb?

Are Smart Locks Secure Or Just Dumb?

Keys have been around for hundreds, if not, thousands of years. We’ve all used them. We generally understand how they work and how vulnerable they can be. Some are better than others. And now that the simplest of devices in the home are connecting to the cloud, it’s time to figure out just how safe or smart these new-fangled smart locks really are.

So far there are four known companies specialising in smart locks. The latest, Goji, launched this week with a neat little feature: a camera. August, co-founded by Yves Behar — the guy who designs wares for Jawbone, Jimmy Jane, and generally anyone that will pay him — launched last week and has already chalked up over 17,500 reservations. Since its debut onShark Tank a year ago, UniKey has struck deals with Kwikset and Weiser for its deadbolt “touch-to-open” replacement. And Valley darling Lockitron is set to begin shipping its latest iteration in a month’s time.

While each company’s traditional lock alternative comes with a set of proprietary security traits, they all still rely on the built-in protective features of Bluetooth SMART (aka 4.0 aka low energy). Which, for some reason, has a lot of folks concerned.

Just How Secure Is Bluetooth SMART (aka low energy)?

Each of the four companies claims to use the same security protocols as those used in online banking. What that essentially means is that anytime your smartphone is “talking” to any one of the four smart locks, that conversation is wrapped in 128-bit AES encryption, the lowest level of encryption used by government agencies in the US, for instance. TOP SECRET information requires 192- or 256-bit AES encryption, but 128 is good enough for SECRET level classified intel.

Is it vulnerable? Yes. Would a skilled hacker who could potentially break into government websites, military servers, or banks be that interested in getting into your smart locked home? Sure, but that individual would be wasting their, ahem, talents on some low hanging fruit. No offence.

Besides, in the case of smart locks, the real issue isn’t how Bluetooth transfers the initial data securely. It’s how each user or digital key is being authenticated. Unlike Bluetooth version 2.1, the latest version doesn’t actually require two devices to initially pair with each other the way you would have to pair your smartphone to a Bluetooth headset, for instance. So more common Bluetooth-based attacks like Bluejacking, Bluesnarfing and Bluebugging are a non-issue. Bluetooth SMART was “built from the ground up with a whole new radio architecture,” says Bluetooth SIG CMO Suke Jawanda. “It’s actually a step up in the security architecture, as well.” Of course, there’s not much doubt that the Special Interest Group was going to tell me that Bluetooth SMART/4.0/le is safe.

It’s not all PR chatter, though. The new spec features adaptive frequency-hopping, too, which basically scatters whatever encrypted data you’re sending across the 2.4GHz spectrum. Jawanda goes on to say that the biggest “challenge” from a security vulnerability standpoint though, is how companies implement the latest version of Bluetooth. If it isn’t done per spec, then that device might not benefit from what security features are baked into Bluetooth. Each company has said that they’ve implemented the latest version per spec, so each should be pretty well secured.

How Do They Do It?

As far as we know, this is how each service essentially works based on multiple interactions with each company. All of this is obviously subject to change, since most of them haven’t yet launched.

UniKey‘s whole lock replacement Kevo system is the less jarring of the four smart lock solutions, as it looks exactly like any deadbolt you’ve ever seen before. UniKey doesn’t actually rely on Bluetooth’s security protocol but instead relies on a public-key infrastructure system to authenticate users. Without getting into the nitty gritty of it, what that means is that every communication between the phone and lock is a unique transaction. So even if someone were able to sniff out a key, they wouldn’t be able to use it again.

As UniKey President Phil Dumas told me, “There are more possible combinations to our lock than there are hydrogen particles in the observable universe.” And because the Kevo system sits on both sides of the door, it knows if you’re on the inside or outside of the door essentially eliminating any false unlocks. But then again, you have to tap the lock itself before it locks or unlocks anyway. Oh, and all updates to the Kevo’s firmware are downloaded and pushed through your smartphone.

Lockitron, which originally launched in early 2011 with a whole lock replacement, has since opted for an add-on solution for your existing lock setup but only on the interior of the door. Compared to Kevo, Lockitron connects to both Wi-Fi and Bluetooth. While each exchange between your smartphone and Lockitron can also be done over just Bluetooth, you can remotely lock or unlock your door over Wi-Fi or send a notification when the knock sensor has been triggered. That extra layer of connectivity also comes with a smidge of added security. And even if you don’t have a Bluetooth SMART-enabled smartphone, (iPhone 4S/5 and some Android devices) admins and those they issue digital keys can still get in and out through the mobile web. Lockitron works with Electric Imp on the Wi-Fi side of things and uses “industry standard TLS to secure device connections,” which is the successor to Secure Sockets Layer (SSL), a cryptographic protocol used on the Internet that provides communication security.

Lockitron co-founder Cameron Robertson wouldn’t say too much about how his smart lock authenticates and permissions digital keys beyond the aforementioned. Robertson also wouldn’t divulge how his system knows whether or not you’re inside the house or outside but it won’t be too hard to figure that out once the devices start shipping next month.

August, like UniKey’s Kevo, handles communication between the lock and a permissioned smartphone over Bluetooth. The lock itself never talks to August’s server, the cloud or even the Internet. Authentication is handled through the smartphone and the accompanying August app. August owners can also grant permission or deny access through the website. And each lock comes with its own key, so it’s not like issuing access to one lock grants access to all of them.

Jason Johnson, co-founder of August, won’t say how his system, which sits atop the interior of a door’s lock, identifies whether or not a user is on the outside or inside but says they have a bit of secret sauce that helps them figure it out. I imagine we’ll know more once the product is closer to shipping later this year. Also, August won’t allow customers to update the lock’s firmware on their own. It’s something the company is considering pending a security review.

Goji, which launched its Indiegogo campaign yesterday, is a little bit different in that it replaces your entire deadbolt system with a two-part contraption that includes a Wi-Fi-enabled camera and 24/7 customer service. It’s also the only one that’s glaringly obvious to the outside world that you don’t have a traditional system in place.

Two programmable key fobs and four admin accounts initially ship with Goji. Each of those admin accounts can issue digital keys, with the authentication process predominantly taking place via Bluetooth. Owners can also remotely lock or unlock the, uhh, lock since Goji is connected over Wi-Fi. That connectivity also enables the system to snap a photo of anyone entering your home and automatically pushing it to your phone. So long as your network stays up, of course. So how does Goji know if you’re inside or outside? A series of antennas sit on both sides of the door within both modules to magically figure it out.

Thrown for a Loophole

The problem with smart locks, though, is that like any electronic system they’re not foolproof. Take the following scenario, which could happen in some insane bizarro world, that would render each of the four systems somewhat vulnerable. Again, this is a unique situation that probably won’t happen very often, if ever, but it’s a vulnerability nonetheless.

Let’s say that the Wi-Fi network at your home goes down and your Goji or Lockitron are unable to download the latest list of blacklisted keys, an individual with a blacklisted key could still get in. How? If they’re clever enough to somehow take your Wi-Fi network down and have the foresight to only have Bluetooth switched on, their digital key could still work since their particular device never hit Goji or Lockitron’s server to have their permissions revoked. Again, a highly unlikely situation but it could happen.

While August and Kevo’s respective locks never talk to the cloud, it gets a little trickier to gain access to a home with a blacklisted key but it’s not impossible. When you, the owner, decide to blacklist a key via the web or your smartphone, you update the lock’s list of blacklisted keys anytime you interact with said key. At least that’s one way of doing it. The alternative to that is that both systems push updates to any smartphone that hit the server. So if someone, let’s say an ex signif or house cleaner, opens either app while connected, their key is automatically updated and revoked. But in the event that you’re unable to manually update the lock yourself, someone with a blacklisted key could still get in if they put their phone in aeroplane mode with Bluetooth still running.

Again, it’s a super unlikely scenario but stranger things have happened. Technology fails. People are crazy. While each company was able to offer guidance on what to do, the larger question looms as to what other loopholes exist if this one already does.

Smart, Secure or Just Dumb?

It’s easy to dismiss or turn your nose up at smart locks, but not everyone was enthused when the Nest thermostat launched either. Connected locks might not solve any obvious issues at the moment, but neither did the iPod. For urban dwellers like myself who have to pay ridiculous amounts of money for an extra set of keys, it even makes some economic sense. But they’re not perfect by any stretch of the imagination. Nothing ever is. And even if they were, they’re also entirely circumventable.

Any burglar who’s committed enough to get into your house can either a) pop or break your window or b) take a crowbar to your door to get in. Whether or not you have a smart lock is irrelevant to them. Hacking your way through the existing 128-bit AES encryption on top of whatever each company has piled on is probably just a waste of time. You could just buy a Halligan off Amazon for $250, which is what firefighters use to break down doors. And if you have a sliding door, they could just as easily pop that out. Or! Or someone could, you know, just snatch your actual key and get in that way.

In reality smart locks don’t offer any higher or lower level of security than your basic deadbolt. They’re safe for what they are, and probably convenient for some, but right now you shouldn’t think of them as anything more than a security parlor trick.