Smart locks are quite a handy gadget. The market is filled with them, and they come in many forms and varieties. Some can detect owners, tenants or their phones when they are ready to enter and do not require a key. Others are remotely controlled, allowing residents to open the door for friends or relatives whether or not they are at home.
Many also provide video surveillance, which helps residents identify whether the person who rang the bell is a stranger or not.
A note of caution: Smart devices (especially smart locks) carry risks that most users of traditional and offline locks do not need to worry about. A careful study of these risks reveals key reasons why smart locks should not be used. Time to have a good look at them.
1 – Smart locks are more vulnerable than traditional locks in physical terms
The problem is that smart locks combine two different concepts. In theory, these locks should have a smart component that is reliable. At the same time, they must provide strong protection against physical tampering, so that they cannot be forced open with, for example, a crowbar, a penknife, or a screwdriver.
In practice, combining these two concepts does not always work. The outcome? A flimsy smart lock has resulted in numerous break-ins and other issues. Likewise, a heavy-duty iron lock with poor software has resulted in more burglaries.
A lot of technical experts have shared stories of locks that were not capable of doing their jobs. One of them is a good-looking padlock with a fingerprint scanner, under which there was an opening mechanism (a lever) that anyone could access and tamper with. Smart locks for bicycles have been taken apart using screwdrivers.
2 – The smart component has loads of issues and that
Making the smart component as secure as possible is not an easy job either. It is important to remember that the developers of such devices usually prioritize functionality over protection and security.
The Akuvox E11 is a fine example. It is a device designed for offices rather than residential use. It is basically a smart intercom with a terminal for receiving a video stream from the built-in camera, along with a button to open the door. It is a smart device, as it can be controlled through its app for smartphones and tablets.
Its software has been implemented in such a way that anyone can obtain access to both the video and sound from the camera at any time of the day. And where the owner has not thought about isolating the web interface from the internet, anyone can control the lock and open the door.
It is a textbook example of not-so-secure software development, as the following shows:
• Video requests miss authorization checks.
• A part of the web interface is accessible without a password.
• The password is easy to recover because it is encrypted with a fixed key that is the same for all devices.
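The third point above, as an added example (not Akuvox code and not from the original article): reversible encryption under a key shared by every unit, next to salted one-way hashing. The key value, the toy keystream that stands in for a real cipher, the function names and the choice of PBKDF2 are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key baked into every unit's firmware (not a real value).
FIXED_KEY = b"same-key-in-every-firmware-image"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example

def _keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream; stands in for a real cipher so only the stdlib is needed.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def _xor(data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(FIXED_KEY, len(data))))

def weak_store(password: str) -> bytes:
    """Weak pattern: reversible encryption under one key shared by all devices."""
    return _xor(password.encode())

def weak_recover(stored: bytes) -> str:
    """Whoever holds the shared key reverses any device's stored password."""
    return _xor(stored).decode()

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def strong_store(password: str) -> tuple[bytes, bytes]:
    """Hardened pattern: one-way hash with a fresh random salt per record."""
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_kdf(password, salt), digest)

if __name__ == "__main__":
    pw = "Front-Door-2024"  # constructed sample password
    a, b = weak_store(pw), weak_store(pw)
    print("weak: same blob on two devices:", a == b, "| recovered:", weak_recover(a))
    (s1, d1), (s2, d2) = strong_store(pw), strong_store(pw)
    print("strong: same record on two devices:", d1 == d2, "| verifies:", strong_verify(pw, s1, d1))
```

With the shared key, the same password produces the same stored value on every device and is readable by anyone who has the key; with a per-record salt and a one-way function, nothing stored on one device helps against another.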
3 – Software requires frequent updates
A typical smartphone usually receives updates for two to three years after its release. As for affordable IoT devices, support may end after a brief period of time. Updating a smart device through the internet is quite straightforward. Yet maintaining support for devices requires a lot of resources and money on the vendor’s part.
This can be quite a problem. Experts providing the best DDoS protection services in New York City reveal that when vendors disable the cloud and the devices stop working, vulnerabilities pop up. Even if the smart-lock functionality is preserved, vulnerabilities that were unknown to the vendor at the device’s release can appear without notice.
Last year, researchers found a vulnerability in the Bluetooth Low Energy protocol. A lot of companies have adopted this protocol as a standard means of contactless authentication for unlocking devices (smart locks included).
This kind of vulnerability can open the door to relay attacks. These require the attackers to be near the smart lock owner and to use special but affordable equipment. Attackers using this hardware can relay signals between the victim’s phone and the smart lock. The smart lock is tricked into thinking the owner’s phone is nearby when it is actually at a distance, and the door is unlocked.