Three reasons not to use smart locks

Better put them on something not very valuable or necessary. Here we explain why.

Risks associated with smart locks

Smart locks can be really handy. There are plenty of them on the market and lots of different types to choose from. Some are able to detect when the owner (or, rather — their smartphone) is approaching, and open without a key. Others are controlled remotely, allowing you to open the door to friends or relatives without being home. Still others also provide video surveillance: someone rings the doorbell, and you immediately see on your smartphone who it is.

However, smart devices carry risks that users of traditional, offline locks never have to worry about. A careful study of these risks reveals a full three reasons to stick to the old way. Let’s take a look at them…

First reason: smart locks are physically more vulnerable than normal locks

The problem here is that smart locks combine two different concepts. In theory, these locks should have a reliable smart component, while at the same time provide robust protection against physical tampering so they can’t be opened with, say, a screwdriver or penknife. Combining these two concepts doesn’t always work: the result is usually either a flimsy smart lock, or a heavy-duty iron lock with vulnerable software.

We’ve already talked about some particularly egregious examples of locks incapable of doing their jobs in another post. They include a cool padlock with a fingerprint scanner — under which there happens to be an opening mechanism potentially accessible to anyone (a lever). Plus a smart lock for bicycles — which can be taken apart with a screwdriver.

Example of a physically vulnerable smart lock

The top panel with the fingerprint scanner is easy to remove with a knife. The opening mechanism is accessible under the panel. Source.

Second reason: issues with the “smart” component

Making the “smart” component secure enough is also not easy. It’s important to remember that developers of such devices often prioritize functionality over protection. The most recent example is the Akuvox E11, a device designed not for the home use, but for offices. The Akuvox E11 is a smart intercom with a terminal for receiving a video stream from the built-in camera, plus a button to open the door. And, as it’s a smart device, you can control it via the smartphone app.

Akuvox E11 smart intercom

The Akuvox E11 lock has multiple vulnerabilities, allowing unauthorized access to the given premises without any problems. Source.

The software has been implemented in such a way that anyone can gain access to both video and sound from the camera at any time. And if you’ve not thought about isolating the web interface from the internet, anyone will be able to control the lock and open the door. This is a textbook example of insecure software development: video requests miss authorization checks; part of the web interface is accessible without a password; and the password itself is easy to crack due to encryption with a fixed key that’s the same for all devices.

Want more examples? Here you go… This article talks about a lock that allows nearby intruders to get your Wi-Fi network password. Here, a smart lock protects data transfer poorly: an attacker can eavesdrop on the radio channel and seize control. And here is another example of a poorly secured web interface.

Third reason: the software needs to be updated regularly

A typical smartphone receives updates for two or three years after its release. As for low-budget IoT devices, support may be withheld even earlier. Updating a smart device via the internet is fairly straightforward. However, maintaining support for devices requires resources and money on the part of the vendor.

This in itself can be a problem, such as when the vendor disables the cloud infrastructure and the device stops working. But even if smart-lock functionality is preserved, vulnerabilities that were unknown to the vendor at the time of release could yet appear.

For example, in 2022, researchers discovered a vulnerability in the Bluetooth Low Energy protocol, which many companies have adopted as the standard for contactless authentication when unlocking various devices (including smart locks). This vulnerability opens the door (so to speak) to so-called relay attacks, which require the attacker to be close to the smart-lock owner and use special (but relatively inexpensive) equipment. Armed with this hardware, the attacker can relay signals between the victim’s smartphone and the smart lock. This tricks the smart lock into thinking that the owner’s smartphone is nearby (and not in a shopping mall three miles away), whereupon it unlocks the door.

Example of a relay attack-vulnerable smart lock

A Kwikset lock vulnerable to a relay attack using a bug in the Bluetooth Low Energy protocol. Source.

Since smart-lock software is highly complex, the probability of its containing serious vulnerabilities is never zero. If one is discovered, the vendor should promptly release an update and send it to all sold devices. But what if the model was discontinued or is no longer supported?

With smartphones, we solve this problem by buying a new device every two to three years. How often do you plan to replace a door lock connected to the internet? We generally expect such devices to last for decades, not a couple of years (until the vendor pulls support or goes bust).

So, what to do?

It should be understood that all locks (not only smart ones) can be cracked. However, when deciding to install a smart device instead of a standard lock, think carefully: do you really need to be able to open the door from your smartphone? If you answer yes to this question, at least consider the following points:

  • Look for information about the particular device before purchasing.
  • Read not only reviews about convenience and features of the smart lock, but also reports of potential problems and risks.
  • Go for a newer device: chances are the vendor will maintain support for it a little longer.
  • Once you’ve bought a device, study its networking features and think carefully about whether you need them; it would make sense to disable any that could be dangerous.
  • Don’t forget to protect your computers, especially if they’re on the same network as the smart lock. It would a double-shame if a malware infection on your computer were to also cause your home’s doors to be flung open.