The Safety.com Guide to Smart Lock Security Vulnerabilities

Home security is a hot issue. In 2018, the global smart home security market was estimated to be about 2.14 billion U.S. dollars. This rise also led to the proliferation of smart locks. By 2022, the market is expected to grow to 4.37 billion, according to Statista. Wholesale sales of smart locks in the U.S. in 2017 amounted to $260 million. Smart locks are convenient – but at what cost to you, the homeowner?

Abdul Rehman, a cybersecurity editor at VPNRanks, says, “It’s really amazing to be able to do all the basic house chores just by tapping on your smartphone. But is it really secure? Be it security cameras, smart locks, or any IoT (Internet of Things) device, everything that is connected to the internet can be hacked. So, as amazing as they are, smart locks can be hacked and controlled to invade your privacy and monitor your entire home.”

What are smart locks?

Like traditional locks, smart locks need two parts to work correctly: the key and the lock, or the hardware and the software. The key is not a traditional physical key. Instead, the lock receives an encrypted signal from a key fob, smart home hub, or smartphone, and locks or unlocks your door once it has received instructions from an authorized device. The lock is exactly that, a lock.

The process is slick and easy, but few models are exempt from flaws. In fact, smart locks came under fire in 2019, when F-Secure, a Finland-based security company, disclosed that the KeyWe Smart Lock was compromised by hackers who intercepted network traffic between the device and the app, allowing doors to be unlocked and leaving homeowners unaware.

“Many network-sniffing devices are helping thieves and hackers get the security key of homes. Besides KeyWe Smart Lock, many other brands are offering promised security for families, but in reality, all of them possess security risks,” says Phil Strazzulla, CEO & Founder, Select Software Reviews. “Some brands don’t allow for updates, and so homeowners are living with the risk of a hacker being able to open their doors until they have updated the software or replaced the unit altogether.”

How smart are smart locks?

There are nearly a dozen smart lock brands currently on the market. Most can be purchased on Amazon or through Best Buy, and cost between $99 and $260. A few of the most popular models do their best to update components and software often, given the spillover of bad press from past vulnerabilities.

In late 2019, a report from cybersecurity firm Bitdefender detailed a vulnerability in the August Smart Lock. It seems that even though the communication between the device and the smartphone app was encrypted, the key was hardcoded in the app. This essentially allowed a hacker to intercept the owner’s Wi-Fi password. Granted, the vulnerability was specific to when the device was being set up. But Bitdefender also identified a way to knock it offline so the user would have to put the device in setup mode again. Unfortunately, according to Casey Crane, a cybersecurity journalist for SectigoStore.com, the flaw with the August Smart Lock is still not fixed.
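To illustrate why encryption protects little when the key is hardcoded in the app, here is an added Python example (not taken from Bitdefender's report or from any vendor's code). The key, the password and the per-lock secret are constructed values, the cipher is a toy stand-in for a real authenticated cipher, and the per-lock secret is an assumed alternative design.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into every copy of a lock's app.
APP_KEY = b"constructed-demo-key-shipped-in-app"


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and for the integrity tag.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stand-in for a real AEAD such as AES-GCM)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


# Weak design: every install uses APP_KEY, so anyone holding the app holds the key.
weak = seal(APP_KEY, b"constructed-wifi-pass")
# Assumed stronger design: a random secret unique to each lock (for example
# printed inside the box) that never ships inside the app.
device_secret = os.urandom(32)
strong = seal(device_secret, b"constructed-wifi-pass")

if __name__ == "__main__":
    print("observer with app key, weak design:  ", unseal(APP_KEY, weak))
    print("observer with app key, strong design:", unseal(APP_KEY, strong))
    print("owner with device secret:            ", unseal(device_secret, strong))
```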

Smart locks are internet-enabled devices, which is their biggest strength, but also their greatest weakness. Crane goes on to say, “A lot of IoT smart lock devices are insecure for two primary reasons. One, they’re connected via routers that still use the factory-set default passwords. And two, the communication channels between the locks and the apps that remotely control them may not be secure. Data such as passwords transmits across the internet in plaintext form, meaning that hackers can read it easily through man-in-the-middle attacks or by using sniffing tools. This is why it’s important to use secure, encrypted communication channels.” 

Not to be outdone, a new report coming out of the National University of Singapore shows how an old-fashioned keyed lock, once only accessible by picking the lock, can be opened with the help of a smartphone. It seems the phone is used to record the sound and capture all the information needed to create a working duplicate of a key.

Smart lock pros and cons

Few people will be surprised when the day comes that you open every door in your home with a virtual key via a smart lock. Until then, there are pros and cons to be considered before you change all the locks in your home.

Pros

  1. Convenience. No more fumbling around with a key to open your doors. No more losing or misplacing your keys or locking them inside the house by mistake.
  2. You’re on top of things. You know when your child gets home, even if you’re not around. You can also see right on your phone whether you locked the door or forgot to lock it.
  3. Save yourself the worry. Traditional lock-picking or lock-bumping is an art. But once someone has mastered it, he or she can pick the lock on your front or back door. Most smart locks have no key slot, which lessens the risk of this kind of break-in. 
  4. Connectivity. Other smart home devices can often be linked to smart locks, so you may be able to turn up the heat or turn on the lights when you open your door. 

Cons

  1. You need a smartphone. Smart locks rely on your phone via Wi-Fi or Bluetooth to open your doors. If you lose your phone, you’re locked out.
  2. Cost. Smart locks cost much more than a standard lock and key. 
  3. You might get hacked. Smart locks are vulnerable to hacking. Crane says that one of the most important ways that manufacturers of smart locks can improve security is, “by patching gaps in their defenses through regular patches and updates. However, when updates or patching fails, it leaves your device vulnerable to attack — which means that the rest of your network (and any other devices connected to it) are also at risk.”
  4. You’ll pay for batteries. The old locks and keys didn’t rely on batteries to open your doors. So, if your batteries die, you’re not getting into your house. 

Too long, didn’t read? 

Smart locks will no doubt replace standard locks and keys. But until manufacturers develop a way to stop hackers from opening the doors of your house, many people will trade convenience for safety. Still, as wholesale sales of smart locks in the U.S. in 2017 amounted to $260 million, it seems the vulnerabilities of smart locks have not impacted people’s love of smart devices in general.


Kathryn Pomroy