It’s a well-known fact that consumers tend to lack confidence in using IoT devices to keep their homes safe; one study suggests that more than half believe that IoT products do not have the necessary security in place.
With the many horror stories of the last few years – one white hat hacker after another exposing critical security flaws in some of the most high-profile smart locks on the market – it should hardly come as a surprise that consumers tend to take a particularly dim view of smart locks and other so-called intelligent entry systems.
Woeful password protection and poor security protocols have left a number of smart lock manufacturers red-faced after their products were left open to digital exploitation by malicious parties. This kind of weakness is undesirable in any internet-connected device but, when you consider that the smart lock’s primary purpose is to be secure, it becomes an inexcusable failure.
Despite this, smart locks are growing significantly in popularity – a Next Market Insights report predicts the market for smart locks will become a $3.6 billion sector by 2019, while Grand View Research has claimed that this could rise as high as $24.2bn by 2024. These bullish claims suggest that the smart lock will become a major force in the smart home scene over the next few years, but will customers be able to buy such items confidently, knowing that their homes will actually be secure?
The good: reasons why you might consider a smart lock
The central idea behind the smart lock is that it’s an evolution of the traditional door lock, one that connects your door to the rest of the home’s technology eco-system and makes it easier for homeowners to secure their properties and grant access to themselves and others, while still restricting access for those who are unwelcome in the home.
At its heart, choosing a smart lock is a matter of convenience. Keyless access – whether via geofencing, Bluetooth, NFC, Wi-Fi or a protocol such as ZigBee or Z-Wave – is as easy as holding a fob or phone close enough to the door for it to unlock. This can be particularly useful for residences that frequently see a high turnover in visitors – for example, a second home shared among various family members or a temporary rental property.
In this instance, a homeowner might grant temporary access to someone via an app, which will let them access the property using their phone’s in-built Bluetooth or NFC for the duration of their stay, thereby eliminating the rigmarole of handing out keys and keeping track of who has which set in their possession. One option along these lines is a smart keybox such as igloohome, which is Airbnb’s preferred keys and access vendor. This device holds multiple keys or key cards in a locked box that can only be accessed using a temporary unique PIN that expires once the guest’s stay has ended.
Another, more common use for a smart lock might be to grant access to cleaners or professional dog walkers that need access to a property when the owner is out. As smart lock systems will usually record all uses for the owner to see, it ensures that they can check these access permissions are only being used when they should – granting significant peace of mind as to who is entering the house and when.
Being able to monitor the property has the additional advantage of keeping homeowners abreast of attempts at forced entry. By having notification alerts when an incorrect passcode is entered, users can know if someone is trying to access their home without permission and – if needed – change the PIN code. If the smart lock is paired with a video entry system, then the homeowner will be able to see who is waiting outside and let them in.
The bad: where the problems lie with smart locks
It’s not just that some smart locks have been proven to be insecure; it’s the multitude of ways in which hackers have managed to expose so many devices that is truly worrying. Defcon 2016 was particularly notable for a talk given by Anthony Rose and Ben Ramsey from Merculite Security, who revealed that a test of several commonly available smart locks had shown 75 percent of them had ‘insufficient’ BLE security protocols.
While some of the identified flaws were laughable in their simplicity – particularly the use of plain-text passwords – the highlighted exploits included a whole range of weaknesses, from replay attacks (where a third party is able to ‘eavesdrop’ on a password exchange and repeat or delay it), to fuzzing (where massive amounts of random data force a system to crash), and the ability to decompile APKs (Android application packages), which allows a third party to view the code inside an Android app. Even where digital attacks didn’t yield results, some could be broken by physical means (as was proven to be the case with the first generation Kwikset Kevo door lock).
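To show why a plain-text password can be replayed and what a lock has to do to stop it, here is an added example that is not from the Defcon talk or from any lock vendor’s code: a toy lock that accepts a fixed password beside one that only accepts a keyed response to a fresh, single-use nonce. The class names, the shared key and the 16-byte nonce size are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key-not-from-any-real-lock"  # constructed sample value


class StaticPasswordLock:
    """Weak design: the phone sends the same secret bytes on every unlock."""

    def __init__(self, password: bytes):
        self._password = password

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._password)


class ChallengeResponseLock:
    """Hardened design: every unlock must answer a fresh, single-use nonce."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # a nonce is consumed once
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def phone_response(key: bytes, nonce: bytes) -> bytes:
    """What the owner's phone sends back: a MAC over the lock's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_outcomes() -> dict:
    """Replay one recorded message against each design; True means it opened."""
    weak = StaticPasswordLock(KEY)
    recorded_weak = KEY  # the plain-text password as seen on the air
    strong = ChallengeResponseLock(KEY)
    recorded_strong = phone_response(KEY, strong.challenge())
    owner_ok = strong.unlock(recorded_strong)  # legitimate first use
    strong.challenge()  # lock issues a new nonce for the next attempt
    return {"owner": owner_ok, "weak_replay": weak.unlock(recorded_weak),
            "strong_replay": strong.unlock(recorded_strong)}
```

The recorded message still opens the fixed-password lock, while the second lock rejects it because the response was computed over a nonce that has already been used.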
A further problem for smart locks is the often patchy integration between smart locks and the rest of the smart home. While Z-Wave locks (such as the Schlage Connect) will normally be able to integrate with other elements in a smart home built on this protocol and other smart locks connect directly to the home’s Wi-Fi network (the August Smart Lock being one of those), each smart lock comes with its own unique list of compatible protocols and devices. This makes it important to do your homework before you specify, or ask your smart home installer for advice as to which locks will work best with the home technology being proposed for your property.
One important aspect to consider is that your ability to insure your home could be compromised by installing smart locks on your external-facing doors. In the UK, many insurance policies dictate that your lock must comply with BS3621, so it is imperative that any smart lock you choose at least matches this level of security.
The ugly: when is it safe to use a smart lock?
“Consumers who want to use smart locks for more critical applications should wait a couple more years for the next generation of smart locks to arrive. These locks will likely allow quick and easy updating of software, use a more secure protocol, and perhaps leverage personal biometric features instead of a physical key. Biometrics can still be hacked, but they are much more difficult to be lost or stolen.”
– David Maciejak, Head of FortiGuard Lion Asia-Pacific Research and Development, Fortinet
While the smart lock market as a collective is improving its security chops all of the time (Kwikset’s recently released 2nd gen Kevo, for example, is physically more robust and performed well in independent security tests), many smart lock devices might be less secure than a video entry system. Some of these, such as the Mobotix T25 door station, can in turn be integrated with smart home platforms such as Crestron, Savant and Control4 for a seamless link between access control and the rest of the property.
A video entry system doesn’t completely resolve the demand for keyless access; for homeowners for whom this is a priority, the Yale Keyfree Connected Smart Lock is an option. As well as being BS3621-approved, this Z-Wave-based system is endorsed by the UK national police service’s Secured by Design scheme, supports SmartThings and also works with Yale’s own smartphone alarm and CCTV systems. It features a numbered keypad with support for 4- to 10-digit PIN codes, remote fob access and a conventional lock so it can always be accessed, even in the unlikely event that the batteries have run down without being replaced.
Another possibility is the Gate smart lock (see header image), which by November 2016 had raised more than $250,000 of pre-orders on IndieGoGo for its all-in-one lock. This device incorporates a key cylinder, keypad entry and a motion-activated camera so that homeowners can see who is at the door. Gate offers remote locking and unlocking via Wi-Fi cloud-based communication, and uses 256-bit AES encryption with TLS/SSL cryptographic protocols to protect the unit against malicious attacks.
“For some properties, particularly where caregivers or other third parties might need frequent access, a smart lock system can make it much easier to control who is entering and leaving the home. However, making sure there is some sort of fail-safe (such as an override mechanical lock cylinder) ensures that – even if the device stops receiving or runs out of power – it remains secure and grants access to those who need it, no matter the scenario.”
– Krystian Zajac, Managing Director, Andrew Lucas London
For internal use, having a smart lock system to restrict access to certain areas (such as a home office or storage rooms that you don’t want the kids to roam around in, or securing bedrooms and other private areas when hosting parties) makes a lot of sense. However, for keeping the property’s exterior secured, you should definitely opt for a safety-first approach. No matter how convenient it might be, if a smart lock doesn’t improve on – or, at the very least, match – the security of the traditional lock you’re already using, it’s simply not worth the effort.