{"id":26880,"date":"2019-05-06T08:44:53","date_gmt":"2019-05-06T12:44:53","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=26880"},"modified":"2019-11-15T06:26:31","modified_gmt":"2019-11-15T11:26:31","slug":"why-smart-padlocks-suck","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/why-smart-padlocks-suck\/26880\/","title":{"rendered":"Why buying a &#8220;smart&#8221; padlock is a bad idea"},"content":{"rendered":"<p>Recently I\u2019ve been binge-watching the <a target=\"_blank\" href=\"https:\/\/www.youtube.com\/channel\/UCm9K6rby98W8JigLoZOh6FQ\/\" rel=\"noopener noreferrer nofollow\">LockPickingLawyer<\/a> channel on YouTube. There\u2019s a whole lot to learn from these videos, especially if you were never into the lock-picking business. But one particular thing made a big impression: how badly \u201csmart\u201d padlocks perform when it comes to physical security.<\/p>\n<p>Disclaimer: I think it would be excessive to use ironic quotation marks throughout this text, so I\u2019m not gonna do it. Just keep in mind that every time I use the word <em>smart<\/em>, I\u2019m using mental air quotes \u2014 \u201csmart.\u201d And for that matter, <em>lock<\/em> might as well be \u201clock.\u201d<\/p>\n<p>Let\u2019s start with the eGeeTouch smart luggage lock, which is supposed to be unlocked with either a smartphone app or an NFC (near-field communication) tag. Never mind that a TSA master key that <a target=\"_blank\" href=\"https:\/\/www.businessinsider.com\/3d-printing-plans-of-tsa-master-keys-released-online-2015-9?r=UK&amp;IR=T\" rel=\"noopener noreferrer nofollow\">anyone can print on a 3D printer<\/a> can open every baggage lock, thus rendering all baggage locks useless. This little padlock makes it even worse. 
It is so badly designed that it can be fully disassembled and easily opened with nothing more than a pocket knife \u2014 even a plastic card might do.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/q5hkOPKd9bw?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>The same goes for this Pavlit fingerprint padlock. Remove the plastic front panel with either a screwdriver or a pocket knife and you will see the switch that unlocks the shackle. By the way, this padlock has one more critical vulnerability \u2014 it is susceptible to shimming.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/uVvEkcN5tW8?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Another example: the TurboLock TL-400KBL bicycle smart lock. This padlock is designed to be opened either by a smartphone app connected by Bluetooth, or by entering a PIN with a keypad. Even if you\u2019re no physical security expert, you can spot this padlock\u2019s weakness: It\u2019s made of plastic and presumably isn\u2019t hard to break or even burn. But such destructive actions won\u2019t be necessary in this case, because the padlock can be conveniently disassembled with a screwdriver. 
It\u2019s as easy as taking apart a plastic toy.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/mGpMaShltbc?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Let\u2019s take a look at the Uervoton fingerprint padlock. It has a metal body that looks pretty solid. No way can it be opened with a pocket knife or a screwdriver, right? Unfortunately, the design is terrible: a bunch of screws on the lock\u2019s surface are easy to unscrew. After that, the lock literally falls apart.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/7Uje4pxfSlI?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Finally, we have the BoxLock, probably the most reasonable example of a smart lock. This padlock works with barcodes. You can program it to be opened with a barcode printed on a delivery package. At first glance, this padlock looks quite beefy, but it\u2019s not nearly as tough as it seems. It can be disassembled with a screwdriver even while locked.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/qTY3ePV4RY4?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>There are many other reviews of smart locks on the LockPickingLawyer channel. 
But almost all of them have the very same issue: they are designed as consumer electronic devices, and that design makes them vulnerable to the easiest of physical attacks.<\/p>\n<p>Conventional locks have a completely different design. First of all, their bodies are always made from one solid piece of metal. Second, the screws are usually hidden and there\u2019s always at least one screw that can be accessed only when the shackle is unlocked. Third, to be resistant to shackle shimming, good padlocks employ ball bearings in the unlocking mechanism. There\u2019s a lot more, of course, but those are the basics, and even inexpensive padlocks follow the rules. This Yale padlock is a good example:<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/vaF4T-1mbgc?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;start=129&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Unfortunately, smart lock manufacturers seem to be unaware of these design features and leave their customers vulnerable to the easiest attacks. So think twice before buying a smart padlock \u2014 it\u2019s very likely you will be paying much more and getting much less security in return. 
And you probably do want your lock to be secure; why else would you be buying one?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It seems the only reason to buy a \u201csmart\u201d padlock is to make lock-pickers happy.<\/p>\n","protected":false},"author":421,"featured_media":26879,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[658,794,1373,659],"class_list":{"0":"post-26880","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-internet-of-things","9":"tag-iot","10":"tag-locks","11":"tag-smart-devices"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/why-smart-padlocks-suck\/26880\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/why-smart-padlocks-suck\/15749\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/why-smart-padlocks-suck\/13278\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/why-smart-padlocks-suck\/17658\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/why-smart-padlocks-suck\/15803\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/why-smart-padlocks-suck\/14468\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/why-smart-padlocks-suck\/18348\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/why-smart-padlocks-suck-2\/17278\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/why-smart-padlocks-suck\/22693\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/why-smart-padlocks-suck\/5937\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/why-smart-padlocks-suck\/11698\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/why-smart-padlocks-suck\/11772\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/why-smart-padlocks-suck\/10710\/"},{"hreflang":"de","u
rl":"https:\/\/www.kaspersky.de\/blog\/why-smart-padlocks-suck\/19127\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/why-smart-padlocks-suck\/23170\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/why-smart-padlocks-suck\/18346\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/why-smart-padlocks-suck\/22586\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/why-smart-padlocks-suck\/22520\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/smart-devices\/","name":"smart devices"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/26880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=26880"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/26880\/revisions"}],"predecessor-version":[{"id":29454,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/26880\/revisions\/29454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/26879"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=26880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=26880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=26880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}