Lady bird

Smart Lock Security

Technology has transformed the traditional lock into the smart lock. The days of mechanical locks and keys are nearly over, and these new locks can be operated over anything from a Bluetooth link to the Internet. As interesting as that sounds, it has become a nightmare: the very devices meant to secure your home are often not very secure after all.

Andrew Tierney, Security Consultant at Pen Test Partners, spoke to about the security of smart locks. His talk, "Z-Shave. Exploiting Z-Wave downgrade attacks", at 2018 is on 14th September.

(1) According to you, how secure is a smart lock today? How easy is it to hack Smart Lock?

Andrew: In general, most smart locks are less secure than their mechanical counterparts, and certainly more expensive! Many of the locks we have looked at have had very poor security, but it's hard to tell from the outside.

(2) What is the attack surface for smart locks?

Andrew: Everything! BLE, Zigbee, Z-Wave, WiFi, RFID, electronics, the hardware itself, glitching, high power RF, conventional picking, bypasses and brute force!

(3) We have seen many attacks like device spoofing, replay attacks and fuzzing at the application and software level, which can be fixed through firmware updates. What can be attacked at the hardware level of smart locks?

Andrew: At the hardware level, we find that many locks still allow the firmware to be read out easily. This makes reverse engineering much easier. But more importantly than that, many of them still allow firmware to be written to them without any checks beyond a CRC, allowing malicious firmware to be loaded. We have seen a lot of problems with the sensing technologies used in locks - things like hall effect sensors being triggered by magnets outside the lock. And there is still the elephant in the room - de-auth attacks against WiFi. Why is no one talking about this? You can DoS most wireless cameras and locks trivially!

(4) In most cases of smart lock hacks, we have seen that basic replay attacks are common. Why is that? How can OEMs stop those attacks?

Andrew: Why? Hard to say. One-way RF systems - like older car remote keyless entry - often suffer from replay because things like challenge/response and synchronization aren't possible. I think many of those designs have fed through to later systems, despite them using two-way RF systems like BLE and WiFi. The best solution is challenge response with nonces, by far. Still lots of gotchas.

(5) Can vulnerabilities in these smart devices be used by criminals to break into houses? How cheap can it be for criminals to hack? Is there any reporting of (smart) crimes?

Andrew: We've yet to hear of any electronic attacks being carried out in-the-wild against padlocks or door locks. Look towards cars though, and we are seeing advanced electronic attacks against them - relay attacks and hacks against various cars are common in the UK. I think it is only a matter of time before electronic attacks start getting used, but the technology needs to be more widespread before it becomes worthwhile. I think we will see jammers for common alarms and locks first.

(6) Where are the OEMs lagging when it comes to the security of smart lock devices?

Andrew: My biggest concern at the moment is where they let the conventional physical security down. £200 locks that can be picked in seconds, ripped clean off the door with simple tools, etc., or opened with a magnet.

(7) How can Smart Lock OEMs work with security researchers to make more secure locks?

Andrew: Come to us whilst you are designing the lock, not after you have made it. A day or two of consulting at this stage is worth 10-20 of pen testing!
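The replay problem from question 4, as an added example that is not part of the interview and not code from Pen Test Partners or any lock vendor. It models a one-way "static unlock frame" lock beside a two-way challenge/response lock using HMAC-SHA256 over a lock-issued nonce; the key, the frame layout, the class and function names and the 16-byte nonce size are all constructed for illustration. It also goes one step beyond the text to show one of the "gotchas" Andrew mentions: the nonce source is injectable, and a lock whose nonces repeat is replayable again.

```python
"""Replay against a static-frame lock vs. a nonce-based challenge/response lock.
Keys, frame layouts and names are constructed for this example; they do not
describe any real product or RF protocol."""
import hashlib
import hmac
import secrets

TAG_LEN = 32                  # HMAC-SHA256 tag length in bytes
NONCE_LEN = 16                # constructed challenge length in bytes
CMD = b"UNLOCK"               # constructed command carried in every frame
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class StaticFrameLock:
    """One-way RF style: any correctly tagged UNLOCK frame opens the lock.
    The tag proves the sender once had the key, not that the frame is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocked = False

    def receive(self, frame: bytes) -> bool:
        cmd, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if cmd == CMD and hmac.compare_digest(_tag(self.key, cmd), tag):
            self.unlocked = True
            return True
        return False


def static_fob_frame(key: bytes) -> bytes:
    """The fob emits the identical frame every time, so one capture is enough."""
    return CMD + _tag(key, CMD)


class ChallengeResponseLock:
    """Two-way: the lock issues a fresh nonce and the fob must tag CMD || nonce.
    `nonce_source` is injectable so a weak nonce generator can be demonstrated."""

    def __init__(self, key: bytes, nonce_source=lambda: secrets.token_bytes(NONCE_LEN)):
        self.key = key
        self.nonce_source = nonce_source
        self.pending = None           # outstanding challenge, if any
        self.unlocked = False

    def challenge(self) -> bytes:
        self.pending = self.nonce_source()
        return self.pending

    def receive(self, frame: bytes) -> bool:
        if self.pending is None:
            return False              # response with no outstanding challenge
        nonce, self.pending = self.pending, None   # every challenge is single-use
        cmd, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if cmd == CMD and hmac.compare_digest(_tag(self.key, cmd + nonce), tag):
            self.unlocked = True
            return True
        return False


def cr_fob_frame(key: bytes, nonce: bytes) -> bytes:
    """Fob answers the challenge by binding the command to the lock's nonce."""
    return CMD + _tag(key, CMD + nonce)


def replay_static(key: bytes) -> bool:
    """Attacker records one legitimate unlock, replays it later. Returns True if replay worked."""
    lock = StaticFrameLock(key)
    captured = static_fob_frame(key)      # owner's frame, sniffed over the air
    assert lock.receive(captured)         # owner opens the door
    lock.unlocked = False                 # door is locked again; attacker replays the capture
    return lock.receive(captured)


def replay_challenge_response(key: bytes, nonce_source=None) -> bool:
    """Same sniff-and-replay against the challenge/response lock."""
    lock = ChallengeResponseLock(key) if nonce_source is None else ChallengeResponseLock(key, nonce_source)
    captured = cr_fob_frame(key, lock.challenge())   # owner's response to challenge #1
    assert lock.receive(captured)
    lock.unlocked = False
    lock.challenge()                      # attacker triggers challenge #2, replays the old response
    return lock.receive(captured)


if __name__ == "__main__":
    print("static frame replay opens lock:", replay_static(DEMO_KEY))
    print("challenge/response replay opens lock:", replay_challenge_response(DEMO_KEY))
    print("challenge/response with a constant nonce, replay opens lock:",
          replay_challenge_response(DEMO_KEY, nonce_source=lambda: bytes(NONCE_LEN)))
```

The third case is the gotcha: a challenge/response design is only as good as its nonce source, and a lock that reboots into the same RNG state, or uses a short counter that wraps, hands the attacker a replayable response again. The capture also cannot be forged for a fresh nonce without the key, which is what the tag over CMD || nonce buys.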
