This article was published on August 9, 2016

    Buying a smart lock might be a dumb investment

    Story by Bryan Clark, Former Managing Editor, TNW

    Bryan is a freelance journalist.

    We’ve known for some time that the Internet of Things (IoT) was basically a connected dumpster fire. Time and time again, these connected devices have proven that, while convenient, they aren’t necessarily safe. In fact, many manufacturers have a rather apathetic view of security, which leads to a lack of trust in connected products.

    Smart door locks are no exception.

    Two different presentations at hacker conference DEF CON this year make it clear there’s a long way to go before the convenience of a smart lock properly aligns with user safety.

    Anthony Rose and Ben Ramsey, from Merculite Security, proved that connected door locks are every bit as vulnerable as their analog counterparts — or even more so — with $200 worth of off-the-shelf hardware. While it’s clear that not all smart locks are created equal, the duo tested 16 locks from top manufacturers like iBluLock, Masterlock, and August — 12 of the 16 failed.

    Some, like Quicklock, iBluLock and Plantraco, transmitted passwords in plaintext, making them vulnerable to anyone sniffing Bluetooth traffic.

    Others, like Lagute, Vians and Ceomate, were vulnerable to a replay attack, which is simply snatching the signal out of the air when a legit user locks/unlocks and then re-using it after they leave. Replay attacks, it should be noted, have been around for decades and were commonly used to open garage doors. The idea that a decades-old vulnerability exists on modern smart locks is nothing short of mind-boggling.

    That said, some — like the August door lock we reviewed in April — held up admirably and didn’t allow the hackers to gain access. But then again, you can’t argue with results, and 12 of 16 locks having easily exploitable vulnerabilities certainly doesn’t leave us with a feeling of confidence when buying a smart lock.
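The replay weakness described above comes down to a lock accepting the same bytes twice. As an added example (not from the article, the researchers, or any vendor's firmware), this Python code contrasts a lock that checks one fixed unlock frame with a lock that requires an HMAC over a fresh, single-use nonce. The class names, the `tag` helper, the key and the `unlock` command are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed; stands in for a key shared at pairing


def tag(key, msg):
    """HMAC-SHA256 over msg; used by both the phone side and the lock side."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class StaticLock:
    """Weak design: one fixed frame always unlocks, so a recorded frame works again."""

    def __init__(self, key):
        self._expected = tag(key, b"unlock")

    def handle(self, frame):
        return hmac.compare_digest(frame, self._expected)


class ChallengeLock:
    """Hardened design: every attempt must answer a fresh, single-use nonce."""

    def __init__(self, key):
        self._key, self._nonce = key, None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, frame):
        nonce, self._nonce = self._nonce, None  # consumed whether or not it matches
        if nonce is None:
            return False
        return hmac.compare_digest(frame, tag(self._key, nonce + b"unlock"))


def demo():
    weak, strong = StaticLock(KEY), ChallengeLock(KEY)
    frame = tag(KEY, b"unlock")
    weak_first, weak_again = weak.handle(frame), weak.handle(frame)
    recorded = tag(KEY, strong.challenge() + b"unlock")  # owner's valid response
    strong_first = strong.handle(recorded)
    strong.challenge()                        # later session: lock issues a new nonce
    strong_again = strong.handle(recorded)    # recorded response no longer matches
    return weak_first, weak_again, strong_first, strong_again
```

Encrypting the fixed frame would not help the weak design, because the ciphertext replays just as well; what stops the replay is that the expected response changes on every attempt.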