Why smart locks are no safer than traditional key entry systems: Internet Scambusters #888
They’re high-tech gizmos that look like they’re more than up to the job of protecting our homes, but are smart locks, or keyless entry systems, really safe?
Sometimes, they can be hacked, but even without that, crooks have other ways to bypass them, as we report in this week's issue.
We also have an urgent warning about counterfeit fire extinguishers, with details of how to identify them.
Let's get started...
Are Home Smart Locks Safe?
Smart locks are one of the big developments of recent years in consumer technology.
They're "smart" because we can communicate with them and control them wirelessly or, at least, without a key. So, we see them increasingly on outside doors of homes.
They may have a number pad to gain access, they may be controlled by a signal sent from a key fob (known as a proximity lock), or they may use a biometric scanner, such as a fingerprint reader.
But we also see reports of smart locks being hacked, giving rise to concerns that, while they may be more convenient, they're not as safe as a traditional lock and key.
For example, a Houston, Texas, family recently returned home to find their smart-lock-protected house being burglarized.
What puzzled them was how the alleged thief managed to get through the number-protected entry gate into their home complex, then past two keypads to enter the building.
Eventually, they realized the only person who had all three codes was their dog walker, who they hired through a cell phone app. The homeowners concluded the alleged burglar must have gotten the codes through the app or the dog-walking service.
It's not clear from news reports whether the app or the walking service itself was hacked. But the incident underlines something we know to be true -- that whenever information is stored on an electronic device, it's potentially vulnerable to theft.
Going back a number of years, some smart lock makers used to have a "secret" code their engineers could use to gain access. This number was widely available on the Internet but we suspect, for that very reason, this practice has been discontinued.
Can They Be Hacked?
But can home smart locks themselves be hacked? It's certainly a possibility if the device is connected to an insecure home network, accessible via the Internet, or if a locking app doesn't require advanced security to protect data.
Professor Stuart Madnick of the Massachusetts Institute of Technology (MIT), says: "There is always a risk that a net-enabled lock will get bricked (broken) or hacked, most likely due to the actions or carelessness of the owner."
If the door lock is controlled just by a simple number push-pad that is not online, this obviously can't happen, although it may be possible for a would-be burglar to guess the code if it's something as simple as 1234 or 1111, or the same as the street number of the house.
In some cases, locks are directly controlled by a Bluetooth signal built into smart phones. In other words, the phone is not using a home network but sending a signal directly to the lock. In this case, security may depend on how safe the opener app is, especially if a person's phone is stolen or hacked.
A couple of years back, researchers at a hackers convention showed how 12 out of 16 Bluetooth-controlled locks they tested were easy to hack using a variety of techniques including password guessing and spoofing the unlocking device.
As for fingerprint readers, according to the National Association of Realtors, a team of hackers in Britain easily opened a lock by inserting a paperclip into its backup key chamber.
What Can You Do?
Here are some of the things you can do to cut the risk of your home smart lock being criminally misused:
- Use a difficult-to-guess access number, preferably with six digits or more, or a complex password. Memorize it; don't write it down.
- Don't share the code with anyone that you don't know well and trust thoroughly.
- Make sure your home network is properly protected by up-to-date security.
- Consider using a surveillance lock. This won't stop a burglar, but it'll take a photo of whoever is coming into the home.
- Use a keyless lock that has an alert feature when it's used and especially when the wrong code is entered.
- Don't hide your "spare" traditional key near the door. No matter how clever you think you are, thieves know where to look.
Studies and research suggest that smart locks are no better at protecting your home than a traditional lock and key.
Joey Lachausse of Associated Locksmiths of America has been quoted online saying: "Smart locks are more convenient, but not any stronger than regular locks."
In fact, it's worth remembering that most burglars enter homes via windows or already-unlocked doors, or by forcing doors, not by unlocking them. In the end, your home is only as safe as the precautions you take to protect your home by using strong deadbolts and strike plates, keeping windows locked and installing an alarm system.
In coming years, we're likely to see much smarter smart locks, but for now they appear to offer no security advantage over traditional lock systems.
Alert of the Week
Counterfeit fire extinguishers, marked with the names of well-known legitimate brands, like Kidde, are being sold in the US and Canada.
They also carry a fake "UL" mark, falsely implying the devices have been tested by the Underwriters Laboratory, a leading safety testing organization.
For details on how to identify these fakes, see this posting from UL: UL and ULC Warn of Counterfeit UL Marks on Fire Extinguishers (Release 19PN-11).
That's all for today -- we'll see you next week.