We Asked Five Security Experts If Smart Locks Are Safe
Earlier this month, an automatic firmware update removed LockState internet-connected smart locks for about 500 customers, including about 200 Airbnb hosts that use locks to remotely control rental access. Customers must replace their locks or send them back for repair. (Locks can still be operated with a physical key.)
Smart locks, like many IoT devices , are vulnerable to a variety of technical issues. Last year, security consultant Anthony Rose identified serious flaws in the security system for Bluetooth-enabled door locks. Of the 16 locks she tested, Rose managed to pick 12.
Smart locks don’t seem more secure than when our sister site Gizmodo researched the security of smart locks four years ago. We asked five security experts if these locks are really insecure.
None of these specialists are ready to completely write off all smart locks. “As with many other technologies, you just have to decide who to trust and how much to trust them,” says Bruce Schneier, security specialist, writer and Harvard professor, who testified before Congress last year about the “catastrophic risks” of an unsafe Internet. -included devices.
“There is always a risk that the network lock will be locked or broken,” says MIT professor Stuart Madnick, “most likely due to the actions (or negligence) of the owner.” But he notes that old-fashioned key-and-lock solutions have their own user-generated risks: “One of my popular sayings is, ‘You can buy a more secure lock for your door, but if you leave the key under the door anyway.’ checkmate, are you really safer? “
Madnick likens the trade-off to an increased risk of driving a car instead of a horse. “Are you ready to trade your car for a horse?”
Jeremiah Grossman, head of security strategy at cybersecurity firm SentinelOne , compares smart locks to older remote systems like prison security doors and administrator-controlled buzzers. He says that sometimes blocking with an internet connection might be a suitable solution:
Could I personally entrust the security of my house with such a device? Not now, but in the future, when devices become better and more secure, I can trust them more. Should others use them? Of course, depending on their life situation. And people might consider using them for doorways where what they protect is not critical to them.
That’s damn dangerous for a $ 469 castle. Grossman recently tweeted about the deeper implications of an insecure smart lock update system:
But Grossman says we shouldn’t ask if smart locks are “fundamentally unsafe” but “safe enough for a given application.”
Alan Grau, co-founder of security software vendor Icon Labs, puts it in much the same way:
There is no doubt that people will use smart locks despite the risks. I think the questions should not be asked about whether these solutions should be used, but rather about what are the risks? How do these risks compare to traditional locks? What can [lock manufacturers] do to provide a reasonable level of security in these devices?
Security reporter Brian Krebs said the harshest words ever, saying that he was worried that so many people were installing smart locks. According to him, in order to pick the lock, an attacker must always be in place. “With internet blocking, you’ve removed this costly (and, from an attacker’s perspective, risky) cost from the equation.” He still won’t write off technology entirely. “I am not saying that there cannot be remote locks that are also safe. But on the whole, I’m willing to bet that most of the ones in use today are probably nowhere near as safe as they should be. “
With all of these caveats, it looks like smart locks are inferior to the more expected security for convenience. Before buying a smart lock, research known security issues and be aware that new ones may arise. But remember that if you use it incorrectly, any blocking will be insecure.