In today’s rapidly changing technological world it’s becoming significantly more difficult to determine which new developments are improvements and which technologies are still too infantile to be considered trustworthy. This is especially true when it comes to personal safety, technology such as alarm systems and locks. In the field of the latter there has been a recent development that is getting a lot of traction: the smart lock. But just how feasible is this new technology?
I don’t think anyone could argue the fact that smart locks certainly bring a new level of convenience with them. The fact that you can use a smartphone and give out “temporary keys” (new codes for specific people that expire or work on a schedule) are appealing features. For example, Airbnb advocates using them to make it easier for guests to get in and out of their rented home without having the hassle of the key exchange. Or in a more personal setting, the fact that your cleaning lady can only enter your home in a specific time frame that you control with the touch of a button is certainly convenient. It’s also beneficial that when you’re dealing with kids and groceries (to name but two) or when you’ve locked yourself out, you can unlock your home from a distance with your smartphone. You can also see when your door is locked or unlocked and by whom (assuming you give people different codes). It also offers automatic locking based on geolocation or with a timer, so you don’t have to remember to lock the door every time you leave, it does it automatically. And lastly, it comes with a privacy setting (either on the lock itself by pressing a physical button for two seconds, or on your phone) so even people with access codes cannot enter when you don’t want them to.
The other side of the coin is that with the added level of convenience comes an added level of pricing. They are more expensive than a traditional lock would be, ranging between €150 and €250. There is also a school of thought stating that any lock that can be opened remotely is considered a failure at the specific purpose of a lock. Which also entails that the smart lock is susceptible to malicious parties such as hackers. It is battery controlled and generally takes four normal AA batteries – which is a good thing because other locks with just two batteries are running out too soon and frustrating people – but it comes at a cost in size. There have also been reports of the locks being disabled by the company itself, depending on the software involved. For example the Lockstate issue where Airbnb users were locked out of their rented homes due to a faulty software update: https://gizmodo.com/smart-locks-used-by-airbnb-get-bricked-by-software-upda-1797839523 (Gizmodo.com, 2018)
So how safe is it really?
This is likely the determining factor on the potential feasibility of the smart lock. While conducting research for this blog post I have found out that there are two main data transfer options available: Bluetooth or Thread.
Bluetooth transfers the initial data using the same security protocols as those used in online banking. What that essentially means is that anytime your smartphone is "talking" to the smart locks, the conversation is wrapped in 128-bit AES encryption. (For instance, the US government’s TOP SECRET information requires 192- or 256-bit AES encryption, but 128 is good enough for SECRET level classified intel.)
Multiple sources confirm that although there are always some loopholes (however unlikely), the new technology: Bluetooth SMART/4.0/le and/or WiFi “industry standard TLS to secure device connections" (which is the successor to Secure Sockets Layer “SSL”) is safe enough but it is advised to go with established brands rather than new startups.
For example, the Nest+Yale lock uses Google's Thread IoT protocol to communicate, putting a buffer between the lock and the internet and therefore adding to the security level. So, with this smart lock, it’s not your phone directly opening the lock – like a lot of other smart locks do by using Bluetooth. Instead you are sending a command through to a different system which then talks to the lock. If, for whatever reason, this system breaks down then you still have the codes that you punch into the lock itself to open it up. (Lifehacker.com, 2018)
Traditional locks work and you can buy these locks for €15 - €100. However, during the research required to write this blog I have found multiple sites advertising how to pick all sizes and types of traditional locks on all sorts of inventive ways. Therefore, it has led me to believe that no matter which type of mechanical lock you use, unless it entails a fortified box strike plate on a laser-key lock with multiple deadbolts, breaking these locks is quite easily done. On top of this, any burglar who's committed enough to get into your house can pop or break your window, pop out your sliding door or take a crowbar to your door to get in. Or someone could snatch your actual key and get in that way. Whether or not you have a smart lock is irrelevant in these cases. Hacking your way through the 128-bit AES encryption on top of whatever each company has piled on is just a waste of time.
Smart locks don't offer any higher or lower level of security than your basic deadbolt. They're not perfect by any stretch of the imagination. Nothing ever is. And even if they were, they're also entirely circumventable. But they’re safe for what they are, and they offer a higher level of convenience.
In my opinion, this should warrant these smart locks enough credibility to earn their place amongst potential choices. I would advise however, to go with established brands rather than new startups since the protocols used are generally more advanced.
By Anneleen Vandevyver
Legrand Integrated Solutions