Please don't buy this: smart locks - Malwarebytes Labs

Please don’t buy this: smart locks

Posted: October 26, 2017 by William Tsing
Last updated: October 19, 2018

We all like buying the latest and greatest tech toy. It’s fun to get new and novel features on a product that used to be boring and predictable; a draw of the original BeBox (amongst many) was a layer of “das blinkenlights” across the front. But sometimes, the latest feature is not always the greatest feature. And sometimes, some things should not be on the Internet at all. For readers concerned with privacy, or who simply do not want to introduce additional hassle into their tech maintenance routine, we introduce the first entry in our series called “Please don’t buy this.” Today’s feature: smart locks.

The cool new thing

Recently, Amazon announced a new service combining a selection of smart locks, a web-connected security camera, and a network of home service providers that work in concert to allow remote access to your home. Ignoring the question of allowing third-party contractors vetted by an unpublished standard unsupervised access, lets take a look at why smart locks might not be the best purchase.

Amazon’s program actually works with three different existing smart lock products, as seen here.

“Smart lock” is a bit of a catchall term covering a wide variety of technologies, so what are the Amazon locks dependent on, and what security vulnerabilities do those technologies include? It’s a bit of a mystery, as the Amazon sales pages don’t include that information, nor does the “technical specification” page of one of the manufacturers.

What we can surmise is that these locks will require replaceable batteries, and that at least one of the locks affords the user Wi-Fi access. While allowing remote unlocks to your home without any in-person authentication is a pretty transparently bad idea, a number of other smart locks have attempted a more secure approach using Bluetooth low energy, which affords some additional security features that the original protocol does not.

Unfortunately, while the protocol itself has a generally good security profile, implementation and associated companion apps put out by lock manufacturers aren’t quite as good. In tests at last year’s Defcon, 12 out of 16 smart lock models failed under sustained attack. Most of these failures concerned either encryption implementation, or shoddy code in associated apps.

Why it’s less cool than it appears

Setting aside poor security design and implementation, “smart” devices like these tend to come with fuzzy legal boundaries surrounding ownership and maintenance. Last year, a home automation hub company called Revolv was shut down during acquisition. Rather than simply failing to provide updates, the devices were disabled.

This was an inconvenience for users, but what if it was your front door? Given the current state of mobile OS fragmentation, would it be that much of a surprise if a lock company simply declined to provide security updates? We couldn’t find any information on the means by which the new Amazon compatible locks are updated, how authorized delivery personnel will interact with the locks, and if any third party has access to data communicated by the lock and/or accompanying phone apps.

These are questions that would be concerning for any device. But when that device affords access to your home, considerably more transparency about the device’s underlying technology should be mandatory.

Lock it up

A physical deadbolt has security flaws as well. But deadbolts have a standardized design, commonly accepted standards that they are evaluated against, can be repaired or replaced by anybody, and are unequivocally owned by you. Can a smart lock’s EULA claim the same? Smart locks could achieve acceptable purchase status if they met the following criteria: