Why Are Some Smart Locks So Dumb?

White Paper – Smart Lock Choices in Israel

The first thing I learned as a locksmith is that there isn’t a lock that can’t be opened. We go to great lengths to keep criminals locked out, but in reality, it is just a game of how to slow them down or make the defeating of a lock so hard and arduous that the criminals move on to find easier, lower hanging fruit. That said, I’m not going to leave my door open, nor install a simple lock that can be easily opened. I’m not a sucker and you should not be either.

Today, with the growth of wireless communications, IOT, miniaturized electronics and digital devices, many people are installing smart locks on their doors. After all, we have become used to pushing coded buttons on bank machines and swiping our fingerprints to unlock our phones, so why not enjoy the convenience of a smart lock that can be opened without a key?

On my doors at home, I use traditional mechanical locks and selected a cylinder with an excellent reputation (Mul-T-Lock Interactive+ with side pins). While some of my friends, including locksmiths, have installed smart locks on their doors, I have chosen the more traditional path of “wait and see”. I do not want to be a guinea pig in the race for the latest in lock technology. I believe that my conservative approach and decision to not be the first to try the new technology has proven to be the correct path.

It Finally Hit the Fan

At the 2016 DEF CON hacker conference, Anthony Rose and Ben Ramsey made headlines around the world when they revealed their research on smart locks that use Bluetooth Low Energy (BLE). In their presentation called, Picking Bluetooth Low Energy Locks from a Quarter Mile Away, they explained that 75 percent (12/16) of locks that they tested had insufficient BLE security and that vendors prioritized physical robustness over wireless security.

Rose and Ramsey identified other vulnerabilities in smart locks:

Plain text password
Replay attack
Fuzzing
Decompiling APKs
Device spoofing

You would think that their announcement would have turned the smart lock world upside down, but the response was shocking. Rose explained, “We figured we’d find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don’t care. We contacted 12 vendors. Only one responded, and they said, ‘We know it’s a problem, but we’re not gonna fix it.’ ”

The revelations were shocking and the experience teaches us that we, as consumers, have to follow the proverb, “let the buyer beware” (caveat emptor), because in a world of “information asymmetry”, buyers typically have less technical information than the seller about the good or service that we are purchasing. When it comes to security, we have to be cautious about the relatively new field of smart locks and do our own due diligence to determine if the lock will satisfy our need for security.

Recent Changes to Smart Locks

In recent years awareness of the shortcomings of the technology has grown and some vendors have attempted to improve their products. So, I decided to reexamine the products on the market to see if the locks are any more secure than they were in 2016. While there have been advances, the potential weakness still lies in the communications. A quick search on the internet reveals some locks have been found to have vulnerabilities. There is no getting around it, the issue is still due to the Bluetooth or Wi-Fi. With every feature that makes access easier, the possibility opens of creating another way into your home.

Bluetooth Communications

Search the internet for “how to hack a smart lock” and find thousands of links to articles on issues with smart locks. And the common thread between the vulnerabilities: Bluetooth communications.

If you use an app on your phone to open your door and lose your phone, it can be worse than losing a key, where someone would not necessarily know which door matches the key. With a lost smart phone, anyone can quickly find out where you live based on the information in your phone (each photo you take at home has your GPS coordinates built into the EXIF of the image).

Even if you do not use an app on your phone, some external devices, such as a fingerprint scanner or a code pad can use Bluetooth to communicate with the smart lock.

The biggest threat to security of smart locks is wireless communications that make them so convenient to use, but at the same time are the cause of most of the problems. The Bluetooth and Wi-Fi capabilities can be the Achilles heel of these devices. If you take away their ability to communicate with your phone, a code or fingerprint reader or the internet, chances of higher security rises dramatically.

I do not feel comfortable with locks that use Bluetooth for wireless communications, even if a manufacturer uses advanced encryption standards, it is a way into the lock that might be found to be hackable in the future. I would prefer to forgo the convenience of a smartphone app or remote communication for the increased security and peace of mind.

So how do we choose a lock that offers security and convenience? We looked at the offerings and found a number of good locks — with and without Bluetooth, and we weighed the features and tried to decide what worked best for us. Homeowners may find that they are comfortable with locks that we did not choose. It is really up to the individual to decide what works best for them.

Below are some of the features that we looked at.

Locking — Automatic or Manual?

There are two types of smart locks on the market: those that unlock the door with a motor and those that you unlock by turning a knob (like you do when you unlock a door with a key). While the convenience of an automatic unlock seems alluring, it comes with a price. Some of the high quality locks are automatic, our preference is for manual locks, here’s why:

Motorized mechanisms can wear out and can be expensive to replace.
When a motor locks the door, it extends the two or three side bolts as well as the top bolt into the doorframe. If the door is partially opened, the bolts can hit the doorframe and can damage the lock.
Doors settle and if your door is out of alignment, the lock that you have accustomed to automatically locking behind you may remain unlocked when you think it is locked.

Availability of Keys

Even though you might not be using a key on a regular basis, each of the locks that we looked at has a physical key for backup and Shabbat use. The mechanical system is just as pickable as a regular lock, so this is an important aspect that can’t be ignored. Another consideration is whether a key be copied.

The locks we looked at either came with a high quality cylinder or a locksmith can choose the cylinder to use, making them all good choices regarding mechanical security.
While some keys are supposed to require a magnetic card for duplication, we have seen shops that will duplicate keys without the cards. If someone has access to your key, changing a code does not stop an intruder from entering if they have copied your key.
Many key blanks are readily available on the market, enabling key copy shops to quickly duplicate your key. If you are using your apartment as a vacation home or BNB, any guest with access to the key might be able to easily copy the key.
Some locks only come with a single key and making copies can be as high as 100 ₪ per key, making it very expensive for a family.

Batteries

Smart locks are not so smart when they run out of power. Different locks use various batteries, some rechargeable, some disposable.

A smart lock that does not use a motor to lock and unlock does not have the same power requirements of a manual lock.
Some locks need to be recharged and as the internal battery ages, the ability to hold a charge might decrease, which can be inconvenient to recharge or replace.
Locks with low power consumption and that use inexpensive AA batteries are our our favorites, but only if the batteries are easy to replace.

Build Quality

When investing in a secure smart lock, we looked for one that will last. Replacing a broken cylinder (high quality) is about 650 NIS, but replacing a smart lock can be anywhere from 2,000 to 4,000 NIS.

There are reports on the internet about some locks that have been defeated not by hacking, but by prying open the lock and opening the door with a screwdriver.
We looked for locks that were made of metal and looked like they could withstand the test of time.

Memory

We compared the memory of locks to ensure that they could store hundreds of possible codes and fingerprints, enabling you to give DIFFERENT codes to children, cleaners or other service staff. That way, if a cleaner stops working for you, the code can be revoked, without affecting access for other people. You want to ensure that a code is not used by multiple people.

Warranty and Service

Warranty and service are important features to consider for an electronic device. If something goes wrong, who are you going to call? What are they going to do?

All the locks we looked at had at least one year warranty. One brand offered the purchase of an extended warranty.
In buying a smart lock, ask the vendor if they offer round the clock support. We like one lock that offers a 24/7 support center to give you peace of mind knowing that help is a call away.

We have nothing worth stealing

Security is not just about protecting possessions; it is about making sure that you keep out people that you don’t want in your home. What would you do if you or a member of your family returned home to find someone inside your apartment? What would you do if a violent criminal entered your home in the middle of the night while you are sleeping?

Conclusions

After a careful review of the products in the market, we have concluded that one lock fits our requirements and are comfortable using it in our own home and recommending it for the homes of clients. While there are other good smart locks on the market that offer excellent security, we decided to go with a smart lock that is designed in Israel and does not use Bluetooth at all.

The smart lock that we chose offers the following features:

NO BLUETOOTH! — the fingerprint scanner and code pad are hardwired inside a stainless-steel housing. Without Bluetooth, it has less chance of being hacked.

Manual lock closure — the lock does not use a motor, which ensures that you and your family have verified the locking and it does not depend on a motorized mechanism that can fail.

Secure source of key blanks — we selected a smart lock that makes it extremely difficult for someone to copy a key. Once your lock is installed you register with the company/ Key blanks are only available directly from the company and you have to show your proof of purchase. The lock comes with three keys.

Reduced chance of battery failure — our choice uses commonly available AA batteries that only need to be replaced about once every 9 to 12 months. In the event that you come home and discover that the batteries are dead, you can use an ordinary 9-volt battery to give you sufficient power to unlock the door.

Build quality — our choice of smart lock is made of solid metal alloy and has a solid reputation of lasting for years.

Memory — the lock that we selected lets you save up to 250 separate fingerprints.

Security — use either the fingerprint reader or a 6-digit code. With the 6-digit code on the premium model, there are ~ one million possible code combinations. If someone attempts a brute force attack and tries different combinations, the lock shuts down for five minutes after three failed attempts.

Limit access — you can program specific hours and days when a code can be used, ensuring that the access is used only when you want it to be used.

Quality — the lock was designed in Israel, a country known for its high-quality security products.

Warranty — the lock comes with a one-year warranty, which can be extended to add an additional one or two years at any time during the first year.

Support — the lock is designed by an Israeli hi-tech company and offers phone support 24/7.

Why Install a Smart Lock in Israel?

Go to the beach or shopping without carrying a key.
Travelling abroad? Don’t even think about leaving a key hidden under the rug or a plant. Now you can use your fingerprint.
Enables friends and family that are arriving from abroad to enter the apartment when we you are not home or are asleep.
Running a BNB is easy now. Guests can arrive when it is convenient for them, 24/7. You can change the code when they leave.
Kids are forever losing keys. Replacing a good cylinder a few times and buying extra keys is close in price to installing a smart lock.
Dog walkers, delivery or service people (with surveillance cameras) can be given a code so they can enter when you are at work.
Have a neighbor water your plants when you are away.

[vc_btn title=”Call Doctor-Lock 058-453-5593″ color=”warning” size=”lg” align=”center” css_animation=”bounceInDown” link=”url:http%3A%2F%2Fwww.doctor-lock.com%2Fen%2Fcontact-us-2%2F|”]