{"id":47866,"date":"2023-04-14T07:49:47","date_gmt":"2023-04-14T11:49:47","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=47866"},"modified":"2023-05-12T07:36:46","modified_gmt":"2023-05-12T11:36:46","slug":"3-reasons-not-to-use-smart-locks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/47866\/","title":{"rendered":"Three reasons not to use smart locks"},"content":{"rendered":"<p>Smart locks can be really handy. There are plenty of them on the market and lots of different types to choose from. Some are able to detect when the owner (or, rather \u2014 their smartphone) is approaching, and open without a key. Others are controlled remotely, allowing you to open the door to friends or relatives without being home. Still others also provide video surveillance: someone rings the doorbell, and you immediately see on your smartphone who it is.<\/p>\n<p>However, smart devices carry risks that users of traditional, offline locks never have to worry about. A careful study of these risks reveals a full three reasons to stick to the old way. Let\u2019s take a look at them\u2026<\/p>\n<h2>First reason: smart locks are physically more vulnerable than normal locks<\/h2>\n<p>The problem here is that smart locks combine two different concepts. In theory, these locks should have a reliable smart component, while at the same time provide robust protection against physical tampering so they can\u2019t be opened with, say, a screwdriver or penknife. Combining these two concepts doesn\u2019t always work: the result is usually either a flimsy smart lock, or a heavy-duty iron lock with vulnerable software.<\/p>\n<p>We\u2019ve already talked about some particularly egregious examples of locks incapable of doing their jobs in another <a href=\"https:\/\/www.kaspersky.com\/blog\/why-smart-padlocks-suck\/26880\/\" target=\"_blank\" rel=\"noopener nofollow\">post<\/a>. 
They include a cool padlock with a fingerprint scanner \u2014 under which there happens to be an opening mechanism potentially accessible to anyone (a lever). Plus a smart lock for bicycles \u2014 which can be taken apart with a screwdriver.<\/p>\n<div id=\"attachment_47869\" style=\"width: 1093px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/04\/13101349\/3-reasons-not-to-use-smart-locks-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-47869\" class=\"size-full wp-image-47869\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/04\/13101349\/3-reasons-not-to-use-smart-locks-1.jpg\" alt=\"Example of a physically vulnerable smart lock\" width=\"1083\" height=\"633\"><\/a><p id=\"caption-attachment-47869\" class=\"wp-caption-text\">The top panel with the fingerprint scanner is easy to remove with a knife. The opening mechanism is accessible under the panel. <a href=\"https:\/\/www.youtube.com\/watch?v=uVvEkcN5tW8\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a>.<\/p><\/div>\n<h2>Second reason: issues with the \u201csmart\u201d component<\/h2>\n<p>Making the \u201csmart\u201d component secure enough is also not easy. It\u2019s important to remember that developers of such devices often prioritize functionality over protection. The most recent example is the Akuvox E11, a device designed not for home use, but for offices. The Akuvox E11 is a smart intercom with a terminal for receiving a video stream from the built-in camera, plus a button to open the door. 
And, as it\u2019s a smart device, you can control it via the smartphone app.<\/p>\n<div id=\"attachment_47868\" style=\"width: 1205px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/04\/13101334\/3-reasons-not-to-use-smart-locks-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-47868\" class=\"size-full wp-image-47868\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/04\/13101334\/3-reasons-not-to-use-smart-locks-2.jpg\" alt=\"Akuvox E11 smart intercom\" width=\"1195\" height=\"381\"><\/a><p id=\"caption-attachment-47868\" class=\"wp-caption-text\">The Akuvox E11 lock has multiple vulnerabilities, allowing unauthorized access to the given premises without any problems. <a href=\"https:\/\/claroty.com\/team82\/research\/the-silent-spy-among-us-modern-attacks-against-smart-intercoms\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a>.<\/p><\/div>\n<p>The software has been <a href=\"https:\/\/claroty.com\/team82\/research\/the-silent-spy-among-us-modern-attacks-against-smart-intercoms\" target=\"_blank\" rel=\"nofollow noopener\">implemented<\/a> in such a way that anyone can gain access to both video and sound from the camera at any time. And if you\u2019ve not thought about isolating the web interface from the internet, anyone will be able to control the lock and open the door. This is a textbook example of insecure software development: video requests miss authorization checks; part of the web interface is accessible without a password; and the password itself is easy to crack due to encryption with a fixed key that\u2019s the same for all devices.<\/p>\n<p>Want more examples? Here you go\u2026 <a href=\"https:\/\/cyberriskleaders.com\/security-vulnerability-in-popular-smart-door-lock\/\" target=\"_blank\" rel=\"nofollow noopener\">This article<\/a> talks about a lock that allows nearby intruders to get your Wi-Fi network password. 
<a href=\"https:\/\/www.cnet.com\/home\/security\/smart-lock-has-a-security-vulnerability-that-leaves-homes-open-for-attacks\/\" target=\"_blank\" rel=\"nofollow noopener\">Here<\/a>, a smart lock protects data transfer poorly: an attacker can eavesdrop on the radio channel and seize control. And <a href=\"https:\/\/critical.lt\/blog\/we-lock-unlocking-smart-locks-with-web-vulnerabilities\/\" target=\"_blank\" rel=\"nofollow noopener\">here<\/a> is another example of a poorly secured web interface.<\/p>\n<h2>Third reason: the software needs to be updated regularly<\/h2>\n<p>A typical smartphone receives updates for two or three years after its release. As for low-budget IoT devices, support may be withheld even earlier. Updating a smart device via the internet is fairly straightforward. However, maintaining support for devices requires resources and money on the part of the vendor.<\/p>\n<p>This in itself can be a problem, such as when the vendor <a href=\"https:\/\/smartlockpicking.com\/tutorial\/my-smart-lock-vendor-disappeared\/\" target=\"_blank\" rel=\"nofollow noopener\">disables the cloud infrastructure<\/a> and the device stops working. But even if smart-lock functionality is preserved, vulnerabilities that were unknown to the vendor at the time of release could yet appear.<\/p>\n<p>For example, in 2022, researchers <a href=\"https:\/\/newsroom.nccgroup.com\/news\/ncc-group-uncovers-bluetooth-low-energy-ble-vulnerability-that-puts-millions-of-cars-mobile-devices-and-locking-systems-at-risk-447952\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> a vulnerability in the Bluetooth Low Energy protocol, which many companies have adopted as the standard for contactless authentication when unlocking various devices (including smart locks). This vulnerability opens the door (so to speak) to so-called relay attacks, which require the attacker to be close to the smart-lock owner and use special (but relatively inexpensive) equipment. 
Armed with this hardware, the attacker can relay signals between the victim\u2019s smartphone and the smart lock. This tricks the smart lock into thinking that the owner\u2019s smartphone is nearby (and not in a shopping mall three miles away), whereupon it unlocks the door.<\/p>\n<div id=\"attachment_47870\" style=\"width: 983px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/04\/13101406\/3-reasons-not-to-use-smart-locks-3.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-47870\" class=\"size-full wp-image-47870\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/04\/13101406\/3-reasons-not-to-use-smart-locks-3.jpg\" alt=\"Example of a relay attack-vulnerable smart lock\" width=\"973\" height=\"973\"><\/a><p id=\"caption-attachment-47870\" class=\"wp-caption-text\">A Kwikset lock vulnerable to a relay attack using a bug in the Bluetooth Low Energy protocol. <a href=\"https:\/\/www.kwikset.com\/products\/detail\/kevo-traditional-touch-to-open-smart-lock-2nd-gen\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a>.<\/p><\/div>\n<p>Since smart-lock software is highly complex, the probability of its containing serious vulnerabilities is never zero. If one is discovered, the vendor should promptly release an update and send it to all sold devices. But what if the model was discontinued or is no longer supported?<\/p>\n<p>With smartphones, we solve this problem by buying a new device every two to three years. How often do you plan to replace a door lock connected to the internet? We generally expect such devices to last for decades, not a couple of years (until the vendor pulls support or goes bust).<\/p>\n<h2>So, what to do?<\/h2>\n<p>It should be understood that all locks (not only smart ones) can be cracked. 
However, when deciding to install a smart device instead of a standard lock, think carefully: do you really need to be able to open the door from your smartphone? If you answer yes to this question, at least consider the following points:<\/p>\n<ul>\n<li>Look for information about the particular device before purchasing.<\/li>\n<li>Read not only reviews about convenience and features of the smart lock, but also reports of potential problems and risks.<\/li>\n<li>Go for a newer device: chances are the vendor will maintain support for it a little longer.<\/li>\n<li>Once you\u2019ve bought a device, study its networking features and think carefully about whether you need them; it would make sense to disable any that could be dangerous.<\/li>\n<li>Don\u2019t forget to <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">protect<\/a> your computers, especially if they\u2019re on the same network as the smart lock. It would be a double shame if a malware infection on your computer were to also cause your home\u2019s doors to be flung open.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Better put them on something not very valuable or necessary. 
Here we explain why.<\/p>\n","protected":false},"author":665,"featured_media":47867,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1789],"tags":[658,794,1373,659],"class_list":{"0":"post-47866","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-internet-of-things","9":"tag-iot","10":"tag-locks","11":"tag-smart-devices"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/47866\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/3-reasons-not-to-use-smart-locks\/25504\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/20937\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/10555\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/28120\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/3-reasons-not-to-use-smart-locks\/25811\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/3-reasons-not-to-use-smart-locks\/26227\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/3-reasons-not-to-use-smart-locks\/28716\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/3-reasons-not-to-use-smart-locks\/27713\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/3-reasons-not-to-use-smart-locks\/35048\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/3-reasons-not-to-use-smart-locks\/11431\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/3-reasons-not-to-use-smart-locks\/20473\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/3-reasons-not-to-use-smart-locks\/21143\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/3-reasons-not-to-use-smart-locks\/30046\/"},{"
hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/3-reasons-not-to-use-smart-locks\/33692\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/3-reasons-not-to-use-smart-locks\/26133\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/3-reasons-not-to-use-smart-locks\/31816\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/3-reasons-not-to-use-smart-locks\/31503\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/iot\/","name":"IoT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=47866"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47866\/revisions"}],"predecessor-version":[{"id":47872,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47866\/revisions\/47872"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/47867"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=47866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=47866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=47866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}