Can Smart Locks be Hacked

Smart locks are designed for both convenience and security; however, the possibility of being hacked is still present. We therefore need to set our expectations straight, because keys aren’t the only things advancing into the digital age: burglars are too.

These looters aren’t limited to bursting through your door and accessing your house at night; most would do so in broad daylight.

Can Smart Locks be hacked? Not all smart locks are foolproof, due to poor designs, non-secure communication protocols, and a lack of software updates that presents a supply-chain security risk. Hackers can also evade logging features, activate the debug mode, extract the encryption key, and gain access to your home.

In this article I’ll explain:

  • how smart locks work
  • what makes them vulnerable to hacking
  • how to prevent that from happening
  • and what are the most secure smart locks in the market

How Smart Locks Work

Smart locks use network architectures prevalent in IoT systems. IoT, or the Internet of Things, is a system of internet-connected objects that collect and transfer data over a wireless network. This means that everyday objects such as locks are fitted with IoT-enabled sensors that allow users to access their doors remotely.

These intelligent deadbolts are now capable of locking and unlocking with the devices they’re paired with, such as smartphones.

In other words, smart locks are keyless door locks that open through the use of your smartphone acting as its digital key, allowing you to gain access and monitor the safety of your home regardless of your location.

However, these locks use different protocols, therefore you need to understand the uniqueness and vulnerability of each smart lock. 

What Makes Smart Locks Vulnerable to Hacking

People buy smart locks for added security, so they wouldn’t have to worry about thieves going in and out of their homes while they’re away, but while these smart locks are named as one for obvious reasons, humans, especially bad ones, found ways to outsmart the system.

State Consistency Attack

Bluetooth smart locks work by pairing with a smartphone via BLE (Bluetooth Low Energy) and then using the phone’s network connection to access the cloud server. Locks don’t store information, therefore access lists for the lock are stored on the smartphone.

With bluetooth smart locks, in the event that the person you’ve given access to disables the network connection of his phone at the time you decide to revoke their access, the cloud server will try to contact the phone to revoke it but fails because it is offline.

Unaware of the revocation, the person you’ve given access to can still enter your home via Bluetooth, and this log entry won’t be detected by your application because the phone’s network is offline.
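The revocation gap described above can be modelled in a few lines. This is an added example, not code from any lock vendor: the `Cloud` and `Phone` classes and both lock checks are hypothetical, and the short-lived grant with a lock-side clock is an assumed mitigation that the article itself does not describe.

```python
# Constructed model of the revocation gap; every name here is hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Phone:
    user: str
    online: bool = True
    grant: Optional[dict] = None     # access entry stored on the phone


@dataclass
class Cloud:
    revoked: set = field(default_factory=set)

    def renew(self, phone, now, ttl):
        """Issue a short-lived grant unless the user has been revoked."""
        if phone.online and phone.user not in self.revoked:
            # A real grant would be signed so the phone cannot edit the expiry.
            phone.grant = {"user": phone.user, "expires": now + ttl}

    def revoke(self, user, phones):
        """The cloud can only wipe the grant on phones it can reach."""
        self.revoked.add(user)
        for p in phones:
            if p.user == user and p.online:
                p.grant = None


def lock_accepts_naive(phone):
    """Lock trusts whatever access entry the phone presents over BLE."""
    return phone.grant is not None


def lock_accepts_with_expiry(phone, now):
    """Lock also checks the grant's expiry against its own clock (assumed)."""
    return phone.grant is not None and now < phone.grant["expires"]


def simulate(ttl=3600, entry_at=7200):
    cloud, guest = Cloud(), Phone("guest")
    cloud.renew(guest, now=0, ttl=ttl)   # guest is given access at t=0
    guest.online = False                 # guest takes the phone offline
    cloud.revoke("guest", [guest])       # owner revokes; the push never arrives
    return {
        "naive": lock_accepts_naive(guest),
        "expiry": lock_accepts_with_expiry(guest, now=entry_at),
    }
```

With an expiry the stale grant still works until the time-to-live runs out, so the exposure window is bounded by `ttl` rather than removed.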

Command Fuzzing Attack

Some locks open when they enter an error state, and that state can be triggered through command fuzzing. Sniffer tools monitor traffic and capture transferred data. They are widely available in the market, which makes Bluetooth devices vulnerable to them.

For example, if the hacker purchases a Bluetooth sniffer, the hacker will use the sniffer to collect valid commands. He will then alter one by changing the third byte, making the lock crash so that it enters an error state.

Depending on the feature of the smart lock, it will then unlock and the hacker can now enter into the owner’s home. 
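The difference between a lock that opens on error and one that stays shut comes down to how the firmware handles a command it cannot process. The sketch below is an added example, not any vendor's firmware: the 7-byte frame layout, the opcodes and the key are constructed for illustration, and replay protection is left out.

```python
# Constructed model: frame layout, opcodes and key are hypothetical.
import hashlib
import hmac

KEY = b"constructed-session-key"
LOCKED, UNLOCKED = "locked", "unlocked"
ACTIONS = {0x01: LOCKED, 0x02: UNLOCKED}     # opcode -> resulting bolt state
FRAME_LEN = 7                                # 3-byte body + 4-byte truncated MAC


def make_frame(seq, opcode):
    """Build [0xA5, seq, opcode] + MAC; the third byte carries the opcode."""
    body = bytes([0xA5, seq, opcode])
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:4]


def mac_ok(frame):
    expected = hmac.new(KEY, frame[:3], hashlib.sha256).digest()[:4]
    return hmac.compare_digest(frame[3:], expected)


def handle_fail_open(state, frame):
    """Weak design: dispatch before validating, release the bolt on any error."""
    try:
        action = ACTIONS[frame[2]]           # KeyError on an unknown opcode
        return action if mac_ok(frame) else state
    except (KeyError, IndexError):
        return UNLOCKED                      # the "error state" opens the door


def handle_fail_closed(state, frame):
    """Corrected design: validate first; any failure leaves the state as it was."""
    if len(frame) != FRAME_LEN or frame[0] != 0xA5 or not mac_ok(frame):
        return state
    return ACTIONS.get(frame[2], state)


def mutate_third_byte(frame, value=0x7F):
    """The alteration the article describes: same frame, third byte changed."""
    return frame[:2] + bytes([value]) + frame[3:]
```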

Brute Force Attack

Hackers can try to guess the password, depending on the number of characters and the time allowed. This kind of attack works by force, meaning it involves repeated trial and error until the right combination is guessed. Here are 2 common ways of brute forcing:

Number-Character Encoding

First off, the attacker can make an unknown account and reset the password. A security blogger, Jmaxxz, found on one lock that if a user forgets a password, the lock sends a 6-digit code. The code will be anywhere between 000000 and 999999, for a total of 1 million combinations.

However, since resetting a code isn’t time limited, the attacker can input as many codes as he wants and reset the password while trying every combination. Approximately, with the use of modern technology, brute forcing this password should only take 12 days for the hacker to guess which combination is used. 
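The figures above imply roughly one guess per second, and an attempt cap changes the picture completely. This is an added example, not the lock vendor's code: `ResetCode` is a hypothetical verifier, and the cap of 5 attempts and the 10-minute expiry are assumed values.

```python
# Added illustration; the attempt cap and expiry are assumptions.
import hmac
import secrets

KEYSPACE = 10 ** 6                 # 000000..999999, as stated in the article
SECONDS_PER_DAY = 86_400


def implied_guess_rate(days=12):
    """Guesses per second needed to sweep the whole keyspace in `days`."""
    return KEYSPACE / (days * SECONDS_PER_DAY)


class ResetCode:
    """One issued reset code with an attempt cap and an expiry time."""

    def __init__(self, now, max_attempts=5, ttl=600):
        self.code = f"{secrets.randbelow(KEYSPACE):06d}"
        self.expires = now + ttl
        self.attempts_left = max_attempts

    def verify(self, guess, now):
        if now >= self.expires or self.attempts_left <= 0:
            return False               # code is dead; a new one must be issued
        self.attempts_left -= 1
        ok = hmac.compare_digest(guess.encode(), self.code.encode())
        if ok:
            self.attempts_left = 0     # single use
        return ok


def success_chance_per_code(max_attempts=5):
    """Probability that blind guessing hits one issued code before lockout."""
    return max_attempts / KEYSPACE
```

In practice the service would also limit how often a new code can be requested per account, otherwise the cap only moves the guessing to the issuing step.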

Dictionary Attack

Another way is to list all possible passwords that are commonly used by users. Although the duration for this will depend on the available characters and length used, brute forcing regardless of the attack is still considered to be 100% accurate because every failed combination is a lead to the correct one.

Man-in-the-middle Attack API interception

An API, or Application Programming Interface, is a programming tool that allows two applications to talk. For example, if you go to a restaurant, you need a waiter to deliver your order to the kitchen; that waiter is similar to the API. It aids in the transaction between one application and another.

Some cloud servers have an open API which enables third parties to develop their apps to control the lock. Because third parties have access to this API, various security design flaws and developer bugs can happen. 

By simply understanding and studying its perimeters, hackers can sneak in the Trojan horse and get information, such as by going through code that exposes the client ID and obtaining the OAuth (Open Authorization) token, then injecting a new pin code into the web service that’s controlling the smart lock.

Real-Life Hacking Attacks

Again, thieves are not limited to offline activity. With technological advancement constantly moving forward, they have evolved into skilled hackers who can access your house with just a few clicks.

Cracking the system is no easy feat, but that doesn’t mean it’s impossible, especially in the hands of someone skilled and determined. Here are a few examples of real-life hacking attacks from last year, 2019, to the present:

Network Eavesdrop Attack: Bitdefender on August Smart Lock

Around December last year, Bitdefender cybersecurity began their study on the August Smart Lock and was able to confirm its vulnerability in the same month.

It was found that the device’s communication with the smartphone app is encrypted, that is, concealed through a code, but that code is hardcoded into the application, making it vulnerable to eavesdropping.

Attackers can easily eavesdrop and look for weak connections between clients and servers, then force the device to go offline leaving the owner no choice but to reconfigure to factory settings. Once this is done, hackers will then listen-in and get the Wi-Fi password.

Because August Smart lock relies on the connection to the local Wi-Fi network, hackers can easily use their phones as the access point where they input the Wi-Fi login credentials and gain full access to the lock. 

Hub Attack: Security Flaw on ZipaMicro Z-Wave Smart Hub

Researchers Chase Dardaman and Jason Wheeler found security threats such as the possibility of opening any smart lock connected through Z-Wave Smart hub. They were able to do this by hacking the smart home controller, which is the hub, that controls the smart lock.

This allowed the researchers to access the device’s private Secure Shell (SSH) key, which acts as the highest level of access among all access grants. According to them, every Zipato hub has been hard-coded with the same private key, which is a major security oversight, thus allowing them to crack the code with no difficulty.

With just a few computer commands and some programming code, locking and unlocking was made easy.

No Tampering Attack: NFC Wearable Ring by McLear

Steve Povolny, Head of Advanced Threat Research at McAfee, tried to hack a smart lock by stealing the ring’s UID. The ring is paired to the lock, but without encryption or authentication protecting the information used to open it. He was able to steal the ring’s UID through his Android phone using NFC data and a Proxmark 3, an NFC reader.

However, hacking the lock requires social engineering, and one example was hackers pretending to ask the owner of the ring to take a picture of them while the NFC application is running silently in the background.

The victim then takes the photo, oblivious to the fact that his ring is already being scanned. The UID is now read, and he programmed it onto an NFC card, which was able to unlock the smart lock successfully.

Smart Lock Risk Prevention

Nothing is safe in this world and even smart locks aren’t smart enough for thieves whose determination of hacking your system is stronger. Since we’ve already established that smart locks can be hacked, here are ways to prevent this intrusion from happening:

Check for Updates

Smart locks need updates too. While not all smart lock apps notify you of updates, it would be best to regularly check the settings and updates section of the smart lock application.

Remember, software or firmware updates enable your device to run smoothly, and system updates prevent any malware attacks. Once you’ve updated this, it should reflect on your smart lock. If it didn’t, remove the batteries to reboot the lock and start the update again.

Do not use Public Wi-Fi

Data on Public Wi-Fi is often unsecured and unencrypted and makes you vulnerable to phishing or cybercrime attacks. Remember your phone acts as a digital key to your smart lock, and just like any regular key, it is your responsibility to keep it safe.

In fact, a weakness in wireless security was found by a security expert at a Belgian university with regard to WPA and WPA2, which provide unique encryption keys for wireless clients who gain access.

While you’re connected to this public Wi-Fi and you access your smart lock application, attackers can easily hijack the information through a vulnerability known as Key Reinstallation Attacks or KRACKs where an attacker can set up a fake Wi-Fi access point and interfere with the network, thus stealing sensitive information such as passwords.

Two-Factor Authentication

Not all smart locks offer this kind of added security, so you will have to check in with your provider first. This is important in preventing hacks because it gives another layer of hacking prevention. 

Before gaining complete access to the lock, you, the owner, will receive a text message or call consisting of a pin that you have to enter after encoding the passcode you’ve chosen for your smart lock. 

Check the ANSI Grade

Another way to prevent hacks is to check the lock’s ANSI (American National Standards Institute) grade. A lock receives its grade based on specific tests of security, quality, and durability.

All grades are expected to latch easily when pushed closed, with trim, latches, deadbolts and lock mechanisms that hold up to daily abuse and still operate properly.

ANSI Grade 1: Highest Level of Residential Security

The lockset should run for one million cycles and should also be able to withstand 10 blows if an attacker tries to gain entry. It should also have a heavy-duty trim of 0.075 inches or 1.9 millimeters.

ANSI Grade 2: Intermediate Level of Residential Security

The lockset should run for 800,000 cycles and be able to withstand 5 blows if an attacker does try to enter. It should also have a trim of 0.100 inches or 2.5 millimeters. 

ANSI Grade 3: Basic Residential Security

The lockset should run for 800 cycles and be able to withstand 2 blows if an attacker tries to enter. The smart lock’s trim should also be 0.100 inches or 2.5 millimeters. 

Security Experts on Smart Lock Risks

Stuart Madnick, MIT Sloan Professor of Information Technology

According to Madnick, it is important that you understand that smart locks just like other IoT (Internet of Things) devices are likely hackable, therefore you need to understand the worst case situation and determine which is more important to you.

He also said that risks are always present even on old-fashioned key-and-lock solutions not mainly because of the lock but because of the owner. He also quoted one of his favorite sayings that goes, “You may buy a stronger lock for your door, but if you still leave the key under the mat, are you really any more secure?”

Dr. Eric Cole, Cybersecurity Expert

In his video, Dr. Cole gave an example of being on an airplane and overhearing a conversation about how cool the smart lock app was because the owner gets to see the front yard and what his kids and family are doing.

He then interjected by stating a possibility that a hacker could be accessing it, and is seeing the exact same thing. Now the hacker can observe what the entire family is doing. 

He then pointed out in the video that as long as the risk of an adversary potentially accessing the lock is recognized, and you do something to prevent or minimize it from happening, then using a smart lock is okay.

Maik Morgenstern, Chief Technology Officer, AV-Test

According to Morgenstern, good and certified products are characterised by reasonable patch management. Patch management is defined as keeping the systems up to date to reduce system-related failures.

Their team tests high levels of security when a product is launched such as well-implemented encryption for data transport between the device and the online service, as well as between the online service and the app. 

He said that it is important to choose a security-certified product that is kept up to date by the manufacturer. He also added that he chooses smart locks because of convenience and didn’t want to miss the kind of comfort it gives when it comes to functionality. 

Most Secure Smart Locks in the Market

Security is always in question when purchasing these digital locks, but while not all smart locks are security-smart, there are some that stand out. Here is a list of the most secure smart locks in the market:

Ultraloq U-Bolt Pro $200-$220

Ultraloq U-Bolt Pro is given the Grade 1 residential security rating and can be unlocked in 6 different ways including a numeral code, physical keyway, smartphone app, auto unlock, magic shake and fingerprint. 

You also wouldn’t worry about people sneaking up on you because it adds random digits to protect your passcode. Should you want to use the application, you can easily manage the users by adding and deleting any time you want, along with the log records. 

Installing this is also pretty easy as it requires no wiring and drilling; you only need a screwdriver to attach the lock to the door with 4 screws. 

Schlage Sense Smart Deadbolt $229-$250

Schlage Sense Smart Deadbolt is given the highest residential security rating, Grade AAA/Grade 1, and is ADA-compliant so people with disabilities won’t worry about using it. Installation is also pretty easy because you can do so with just a screwdriver.

The lock comes with a smartphone app that you need to install and gives you access to adding and deleting access codes, monitor usage of the locks and change its built-in alarm settings.

Yes, this lock comes with a built-in siren which makes it a mini security system where if someone tries to bust through the lock, it will emit an ear-splitting shriek. 

Kwikset Halo Smart Lock Deadbolt $240-$250

Kwikset Halo Smart Lock is also given the highest residential security rating Grade AAA/Grade 1 and comes with 250 user codes with 4-8 digits in length allowing you to label each respectively. 

You can also set-up your access codes following a specific date and time. For example, if you want your dog walker to have access to your home between 12nn to 1pm, then you can do that. It also provides a one-time code that expires after your chosen time, let’s say within 24 hours. 

However, what makes this lock stand out is its 20 minute fire range, meaning if your house catches fire, the lock will work for 20 minutes, thus allowing you to unlock the door and do what needs to be done.

It also comes with a secure mode that disables all codes from working, and gives you an audit trail allowing you to see everything that happens with the lock.

Lastly, should you want to skip the automated way of opening the door, Kwikset Halo Smart Lock is designed with a key override allowing you to use your physical key instead.

Yale Assure SL Lock $250-$299

Yale Assure Lock is given the Grade 2 residential security rating, and can be accessed through access codes. It requires you set a 4-8 digit entry code on the keypad and has smart home integrations such as Z-Wave Plus, Zigbee and im1 Homekit.

In the event of low battery, Yale has a back-up battery terminal where you can insert the 9v battery to give you a temporary surge of power.

Conclusion

Smart locks are by nature insecure, and you need to accept the risks that come with them. You need to be prepared and ask yourself if you can live with the pros and cons, the upside and downside of buying one.

What will keep you safe is not just the lock, but how you take care of it. Remember, your smartphone is your digital key and not the smart lock. The smart lock’s role is to secure your home just like any other lock does.

What differentiates it from the traditional key lock is that it can run through a device, does not require manual access and is, well, smarter, in terms of its adaptation to the digital age.

Therefore, it is your responsibility to ensure that no hackers can successfully get that key from you. You can prevent those threats from happening by not losing your phone, constantly checking and updating your lock’s application, knowing who to grant access to, and randomizing your pins and passcodes.


Steve Foster

Suburbanite, tech geek, handy man, automation enthusiast who started blogging about the stuff I do around my home and found he had a knack for it.
