Published on August 16th, 2020
Use A Smart Lock? Get In The Sea, 73% Of Security Professionals Say
I decided to take the question of smart lock security to a cross-section of security professionals, including hackers and lock-pickers. The question I asked was a straightforward one: would you use a smart lock to secure your home, office or anything? Some 73% of the 549 respondents to my polling said: “Get in the sea.”
It’s one thing when your smartphone refuses to install a security update, or a Windows 10 security patch leaves users still exposed to the threat it was meant to fix. It’s quite another if a vulnerability in your smart lock allows a hacker to walk in and steal your stuff. This juxtaposition of cyber and physical risk might put you off investing in smart locks. Understandably so, at first glance, but first looks are often deceptive.
Smart lock cybersecurity issues
There have been myriad reports about smart locks not being so bright when it comes to cybersecurity vulnerabilities, everything from Wi-Fi snooping credential theft through to smart hub weaknesses. Most recently, I was contacted by Craig Young from Tripwire, who found one lock vulnerable to physical bypass by an attacker armed with little more than a media access control (MAC) address and a smartphone app.
That last example was a smart lock from U-Tec, whose spokesperson told me that the issue concerned was fixed as soon as Young disclosed the problem to them.
“User security is our top priority,” the spokesperson said, “that’s why we strive to have the latest technology to maintain our users’ data protection. We appreciate Craig’s comments for letting us know about it and are open to any other suggestions from experts on the subject.”
Meanwhile, Young himself says that he generally doesn’t advise consumers to use internet-connected locks. “If the risk of strangers finding and opening your lock isn’t enough discouragement,” Young says, “just consider what you will do if you’re locked out because the lock maker got hit with ransomware or simply pushed a bad update.”
And, as Comparitech privacy advocate Paul Bischoff said: “Unlike a traditional lock, a vulnerability found in a smart lock usually affects all smart locks of the same model. If that vulnerability reaches zero-day status, suddenly thousands of locks are compromised instead of just one.”
Which you might think is the end of the “would a security professional use a smart lock” debate, but you would be very wrong indeed.
Smart locks? Get in the sea
I decided to gauge the feeling amongst security professionals by setting up a Twitter poll as my following is largely infosecurity-based. Hackers, researchers, CISOs, and lock-pickers were amongst the 549 people who responded.
The question was a relatively simple one aimed directly at infosec Twitter: Would you use a smart lock to secure your home, office or anything, knowing what you do about security?
Of the three options, only 9.8% responded, “Yes, I already do.” The overwhelming majority, 73% in fact, fell into the “No, get in the sea” camp.
But it was the 17.1% who said “it depends” and tweeted their reasoning that informed the debate the most, in my never humble opinion.
While there were plenty of straightforward “no way” comments, others pointed out that many traditional locks are notoriously easy to pick anyway. But it all comes down to both threat modeling and how you define smart. Let’s start with the latter. If by smart you mean a stand-alone electronic lock, say fob or fingerprint operated, then there’s an argument to be made that these are more secure than many “dumb” locks, as they have no keyway to pick or “bump.”
Lock bumping is a method of opening the pin tumbler locks that are commonplace. A special “bump key,” cut to the deepest depth in every position, is inserted and struck sharply; the impact transfers momentum from the key pins to the spring-loaded driver pins (the Newton’s cradle effect), which jump above the shear line for an instant while the key pins stay put, and light turning pressure applied at that moment opens the lock. Indeed, it has been suggested that there are probably far more criminals who have the expertise to pick a lock than there are cybercriminals who can hack a smart lock.
Of course, if the lock has a keypad for entering codes, wear on the most-used keys might give away which digits make up the PIN. The attacker then no longer has to guess among every possible code, only among the orderings of those few digits, which makes guessing a PIN way too easy.
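To put a number on that keypad-wear problem, here is an added example written for this page (it is not code from the article or from any lock vendor). It assumes a 4-digit PIN and an attacker who can tell only which keys show wear, and it enumerates the PINs still consistent with that observation, checking the enumeration against the closed-form count. It goes beyond the single case in the text by also handling PINs with repeated digits, where fewer than four keys are worn.

```python
from itertools import product
from math import comb

# Constructed scenario for this example: a 4-digit keypad PIN, and an
# attacker who observes wear on some keys and nothing else.
PIN_LENGTH = 4


def candidate_pins(worn_digits, length=PIN_LENGTH):
    """Every PIN of `length` digits whose digit set is exactly the worn keys.

    Worn keys reveal which digits occur, not their order or how often each
    repeats, so every arrangement that uses each worn digit at least once
    (and no unworn digit) stays a candidate.
    """
    worn = set(worn_digits)
    return [
        "".join(p)
        for p in product(sorted(worn), repeat=length)
        if set(p) == worn
    ]


def count_candidates(worn_count, length=PIN_LENGTH):
    """Closed form for len(candidate_pins(...)).

    Counts the surjections from `length` PIN positions onto `worn_count`
    distinct digits by inclusion-exclusion; returns 0 when more keys are worn
    than the PIN has positions (an inconsistent observation).
    """
    return sum(
        (-1) ** k * comb(worn_count, k) * (worn_count - k) ** length
        for k in range(worn_count + 1)
    )


def reduction_factor(worn_digits, length=PIN_LENGTH):
    """How many times smaller the guess space is once the worn keys are known."""
    total = 10 ** length
    remaining = count_candidates(len(set(worn_digits)), length)
    if remaining == 0:
        raise ValueError("more worn keys than PIN positions")
    return total / remaining


if __name__ == "__main__":
    for worn in ("1234", "137", "59", "8"):
        pins = candidate_pins(worn)
        assert len(pins) == count_candidates(len(worn))
        print(f"worn keys {worn}: {len(pins):>3} candidate PINs, "
              f"{reduction_factor(worn):.0f}x fewer guesses than 10,000")
```

With all four digits readable from wear, 10,000 possible codes collapse to 24; three worn keys leave 36 candidates (one digit repeats); two leave 14; a single worn key leaves exactly one. The model assumes wear is unambiguous and that the code has not been changed since the wear accumulated, so it is a lower bound on the attacker's work, not a guarantee.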
However, if you define smart as networked, connected to the internet or your smartphone via an app, then many security professionals would consider this quite dumb indeed.
Why so? Because the attack surface then includes the firmware of the lock, which is now just another Internet of Things device, plus your network, your hub, the companion app, and the vendor whose update channel keeps the whole thing working.
Threat modeling is the, erm, key here
Then there are the threat models to consider. Ask yourself what it is you want to protect, who you want to protect it from and what will happen if you fail. The chances are very high that your threat model will not be the same as my threat model.
Indeed, when it comes to locks, there are going to be different threat models within a single home or office. This is where questions like “is the door I’m locking next to a window that could be broken and entry gained that way?” come into play.
In that case, a metal grille over the window would make more sense than worrying too much about the lock itself, as would reinforcing the door by way of deadbolts and another grille. It all depends on what you are protecting, from whom, and how high the risk is of the worst happening. In other words: threat models.
So, while the vast majority of security professionals would not, according to my polling at least, use a smart lock at this point in their development, that doesn’t mean they are a total dead duck.
Would I use one? Sure: a stand-alone smart electronic lock that uses a PIN plus a secondary factor such as a fob, and some locks require both to open.
Would I use an internet-connected, unlock via an app, smart lock? Get in the sea…