We all like buying the latest and greatest tech toy. It’s fun to get new and novel features on a product that used to be boring and predictable; a draw of the original BeBox (amongst many) was a layer of “das blinkenlights” across the front. But sometimes, the latest feature is not always the greatest feature. And sometimes, some things should not be on the Internet at all. For readers concerned with privacy, or who simply do not want to introduce additional hassle into their tech maintenance routine, we introduce the first entry in our series called “Please don’t buy this.” Today’s feature: smart locks.
The cool new thing
Recently, Amazon announced a new service combining a selection of smart locks, a web-connected security camera, and a network of home service providers that work in concert to allow remote access to your home. Ignoring the question of giving unsupervised access to third-party contractors vetted by an unpublished standard, let’s take a look at why smart locks might not be the best purchase.
Amazon’s program actually works with three different existing smart lock products, as seen here.
“Smart lock” is a bit of a catchall term covering a wide variety of technologies, so what are the Amazon locks dependent on, and what security vulnerabilities do those technologies include? It’s a bit of a mystery, as the Amazon sales pages don’t include that information, nor does the “technical specification” page of one of the manufacturers.
What we can surmise is that these locks will require replaceable batteries, and that at least one of the locks affords the user Wi-Fi access. While allowing remote unlocks to your home without any in-person authentication is a pretty transparently bad idea, a number of other smart locks have attempted a more secure approach using Bluetooth Low Energy, which affords some additional security features that the original protocol does not.
Unfortunately, while the protocol itself has a generally good security profile, the implementations and companion apps put out by lock manufacturers aren’t quite as good. In tests at last year’s Defcon, 12 out of 16 smart lock models failed under sustained attack. Most of these failures concerned either the encryption implementation or shoddy code in the associated apps.
Why it’s less cool than it appears
Setting aside poor security design and implementation, “smart” devices like these tend to come with fuzzy legal boundaries surrounding ownership and maintenance. Last year, a home automation hub company called Revolv was shut down during acquisition. Rather than simply failing to provide updates, the devices were disabled.
This was an inconvenience for users, but what if it were your front door? Given the current state of mobile OS fragmentation, would it be that much of a surprise if a lock company simply declined to provide security updates? We couldn’t find any information on how the new Amazon-compatible locks are updated, how authorized delivery personnel will interact with the locks, or whether any third party has access to data communicated by the lock and/or accompanying phone apps.
These are questions that would be concerning for any device. But when that device affords access to your home, considerably more transparency about the device’s underlying technology should be mandatory.
Lock it up
A physical deadbolt has security flaws as well. But deadbolts have a standardized design, commonly accepted standards that they are evaluated against, can be repaired or replaced by anybody, and are unequivocally owned by you. Can a smart lock’s EULA claim the same? Smart locks could achieve acceptable purchase status if they met the following criteria:
- independent, industry-wide security standards in design
- independent code auditing
- no Wi-Fi
- conventional implementation of industry-standard encryption
- no third-party data storage
- right to repair
Until smart locks can meet these standards, we respectfully suggest... please don’t buy this.
The DEFCON article you link to is for Bluetooth locks, not WiFi. This puts a serious hole in the article.
Amazon Key will allow government agencies to conduct warrantless searches by using an NSL to Amazon requiring them to open the door, disable the IP camera, and allow agents to black bag the house.
It will also allow anyone who finds vulnerabilities in their (or any) smart lock unfettered access to people’s homes while making forced entry impossible to detect, since you don’t need to physically pick these weak digital locks.
People can barely keep their PCs safe yet they will be stupid enough to allow the control of their door locks to be handled over the internet?
This is a very narrow look at smart locks and lacks any meaningful depth. For instance, there are plenty of Z-Wave-only smart locks that, when paired with a local hub (such as Home Assistant), provide significantly fewer security concerns, as you own the devices and no third party is involved.
Btw the defcon article you linked to is about Bluetooth locks, did you look at even just the headline?
It’s hard to say your fears aren’t unfounded, they’re just a little out there. I mean, why would the government need to search your home anyway? Regarding this, I would like to know Amazon’s policy though.