Buying a smart lock might be a dumb investment

We’ve known for some time that the Internet of Things (IOT) was basically a connected dumpster fire. Time and time again, these connected devices have proven that, while convenient, they aren’t necessarily safe. In fact, many manufacturers have a rather apathetic view on security, which leads to a lack of trust in connected products.

Smart door locks are no exception.

Two different presentations at hacker conference DEF CON this year make it clear there’s a long way to go before the convenience of a smart lock properly aligns with user safety.

Anthony Rose and Ben Ramsey, from Merculite Security, proved that connected door locks are every bit as vulnerable as their analog counterparts — or even more so — with $200 worth of off-the-shelf hardware. While it’s clear that not all smart locks are created equal, the duo tested 16 locks from top manufacturers like iBluLock, Masterlock, and August — 12 of the 16 failed.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Some, like Quicklock, iBluLock and Plantraco, transmitted passwords in plaintext, making them vulnerable to anyone sniffing Bluetooth traffic.

Others, like Lagute, Vians and Ceomate were vulnerable to a replay attack, which is simply snatching the signal out of the air when a legit user locks/unlocks and then re-using it after they leave. Replay attacks, it should be noted, have been around for decades and were commonly used to open garage doors. The idea that a decades-old vulnerability exists on modern smart locks is nothing short of mind boggling.

That said, some — like the August door lock we reviewed in April — held up admirably and didn’t allow the hackers to gain access. But then again, you can’t argue with results, and 12 of 16 locks having easily-exploitable vulnerabilities certainly doesn’t leave us with a feeling of confidence when buying a smart lock.