Note that requiring a server account login before the user is allowed to manage a Bluetooth device is an explicit violation of the App Store Review Guidelines, so now that awareness is being drawn to this lock they may find themselves banned on iOS soon unless they fix it.
"Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law."
Losing access to a lock is bad stuff. I went with a smart lock that has a physical key.
The article says don't buy a smart-lock, but the convenience of having one-time access codes, scheduled access, delivery access, and linked to a security camera make the downsides (increased attack vectors) something I'm willing to live with.
And we, on HN, can make an informed decision about that calculated risk. The general public just sees "Encrypted Android App with Smart Unlock" and thinks they are safe.
Is that any different than virtually any other cyber security issue--the general public is not well equipped to do Risk Mitigation compared to more savvy individuals?
Or any other physical security issue? There are massive differences in the security of standard physical locks. How much does the average person know about that? How many people are buying locks based on an informed decision about its pick resistance and physical strength, versus buying whatever looks nice?
It's a problem with the way technology scales. Previously difficult things become cheap to do at massive scales, and companies make tons of money doing it.
But it also make vulnerabilities scale in the same way - exfiltrating 150,000,000 SSNs isn't much harder than 150 - and the penalties for security lapses don't scale anything like the profits that operating at these scales does.
What's the solution to that? Bigger penalties so that companies prioritize security? Require companies handling data and devices to carry insurance against huge hacks? I don't know, but we need to get somewhere better than "Ignore it because consumers generally don't understand the risks and apology letters are cheap."
The one good thing about IoT locks compared to other internet security issues is that you need physical access to do anything with it. The script kiddies spamming SSH authentication attempts at every webserver from somewhere on the other side of an ocean can't break in to your house with this. Other IoT devices like security cameras are still a concern though; a vulnerability in those could scoop up a lot of private videos.
Inside most modern car keyfobs there is an "emergency" physical key...or should be (recently saw one where the space was empty as the dealer had failed to include it) It's not marked or obvious from the outside of most I have seen and some prying in some innocuous looking seam will be needed. One of those things that seems obvious once you know it but may not have run across.
In my experience, there's usually a subtle release mechanism or button that you need to squeeze and the physical key will slide out readily.
On some of mine, the physical key is also the pry-tool used to open the body of the fob for battery changing. :)
On my Toyota, this mechanical key can be used to lock the doors while the engine is running (pitstop mode), which is otherwise not possible. On my friend's Mercedes, it does not respond to the mechanical key (wait, what?) while the engine is running.
Yeah but after that? How often do insurance companies go after the "dumb" lock manufacturer? Could the same be said about "smart" lock manufacturers? I would guess that this idea of a lawsuit against one of these companies is only an issue of "when" not "if".
I’ve been getting into home automation recently and I’ve given myself a rule: nothing cloud connected. If I can’t run it off my local server, I don’t want it. I have much more motivation to secure my home than any company ever will.
I suppose a z-wave lock could pass muster, but that’s one area that I don’t really want to automate anyway. An unconnected electronic lock meets my needs and is no more vulnerable to hacking than a physical lock.
You know, I already have a bunch of Ubiquiti network gear but it hadn't even occurred to me to look at their security cameras. Not in the budget yet but once it is that's probably what I'll go with!
I don't have a lot hooked up yet, mostly just the software infrastructure. I'm building it all around Home Assistant. That integrates nicely with my Unifi network controller, which gives me presence detection (phones connecting / disconnecting). I have one Sonoff wifi switch which I reflashed to work with MQTT, mostly as a proof of concept, but now that I know it works I'll probably get a pile more. And I have a Honeywell T6 Pro thermostat (z-wave) on the way.
I can think of obvious reasons you'd want at least some devices cloud connected - for one, if some sort of disaster (fire, tornado, etc) hits your home, you probably want your surveillance getting off-site in realtime.
Fair point. I suppose I should have said "nothing someone-else's-cloud connected". I'm actually considering setting up remote access on my system, but if I do it will be through a server I control.
Exactly. I have hard time finding automated vacuum cleaner that doesnt connect to cloud, do you have some suggestion for vacuum cleaner that doesnt suffer on features?
Yup, totally agree. One thing I have found is that many of these devices use the venerable and cheap ESP8266 chip which is extraordinarily easy to hack. It can't really be factory flashed so the programming pins are almost always padded out on the PCB. So I get WeMo or cheap knock offs for example, and reflash 'em with my own code so it basically is only on my wifi network.
Yup, that’s what’s in my Sonoff switch. I love the ESP8266, it’s the reason I got a serial programming cable in the first place, long before I was interested in home automation.
I pretty much based my home automation on Sonoff devices. I use Espurna and it's fantastic, and I wrote a small server for updates. I compile my custom firmware (so I don't have to set up new devices all the time, I just flash and they're ready), drop it on a directory on my NAS and all the devices in the house automatically update themselves.
> DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with keys.
Well, physical locks are not necessary harder to pick lock than electronic locks. Buy your self a pick lock set, practice a bit and be amazed how many locks you can pick.
The same rule applies to smart locks as applies to dumb locks: A lock does no more than keep an honest man, honest.
Any monkey can buy lock picks and pick a door lock. It's not hard. Generally if you buy a decent rake, it'll open most locks quickly. It's arguably much more work to hack the _smart_ side of a lock than it is to just pick the _dumb_ part.
The caveat here is that smart locks are often "picked" en masse - once you break one in a lab, you can immediately and silently do the same to the rest globally. This is similar to software hacking.
The guidance here should be to only purchase smart locks from vendors that you can trust to patch zero-days quickly. How you qualify a vendor as such is a mystery - I don't know that there's been enough zero days on smart locks to verify.
Agreed. I've also learned the hard way that a heavy boot kicks through a door and windows are made of this easy to break material. Given access and time/privacy, there aren't many things that are secure from people that want inside.
LPL is an amazing lock picker, anyone with this level of skill is much better off working as a locksmith or a security consultant.
Most B&E’s aren’t exactly executed by master thieves they aren’t single pin picking your locks.
When selecting a door lock or a pad lock you should care only that it can be raked or bypassed, for bike locks you should also care that it can’t be easily cut.
For the most part your door is likely going to be the weakest link as most people don’t have reinforced doors and door frames.
Lockpickinglawyer is an absolute expert in his field though.
There's a difference between using a lock that requires an expert to pick, vs a smart lock that requires an expert to write an app that anyone can use to hack the lock.
I happen to like a challenge, and I can say through experience that picking any modern reasonably priced lock is not something you learn in a week. Besides, the vast majority of burglars do not pick locks - they pry open doors or windows, and if they cannot they either find a different house or break a window.
LPL is one of the best pickers in the world. He's one of about 10 people I know of who's ever picked a Mul-T-Lock MT5+, for example. His picking attacks are by no means typical. He also practices picking each lock before making the pick on video. That makes for better (faster) video, but is less real-world. Bosnianbill does more real-world style picking (and is only very slightly behind LPL in skill).
LPL's real good videos are his physical attacks. Whether it's twisting, core pulling, or breaking out the Ramset, all are more likely than a criminal trying to SPP a lock.
There are limits to how secure your house can (should) be without violating fire regulations (if applicable) - or safety.
If there's a fire or medical emergency (heart attack, allergic reaction/anaphylactic shock etc) - you generally don't want it to be too hard to break in...
The lock is only as good as the door it's attached to.. and the doors in a lot of new construction (especially in suburban McMansions) is really bad. You could probably kick most of 'em in.
One of the problems with many "smart" locks is that they tend to be made by people that don't have a lot of experience making locks. Many smart locks are vulnerable to many types of physical attack, including very old exploits that most locks (even many cheap locks) defend against.
For example, here[1] is a "keyless bluetooth padlock" that can be opened trivially by rapping the locking pall with any hammar-like tool ("rock"). (it also has far too much around the shackle, so can also be opened with a a simple shim (e.g. a small cutout from a cola can). Another common problem are locks that don't seal their electronics securely, so they can be attacked by simply unscrewing a panel, ripping out the electronics. and touching the battery wires to the locking pal's actuator.
However, that type of problem are simply poor designs. In theory, in the future better designs could be made that include protections against well-known attack methods similar to what is already included in many "regular" locks.
A fundamental concern with locks that depend on radio (or worse, the internet) is what the lock does when when the radio/internet communication fails (for any reason). Does the lock fail-open, or fail-closed[2]? Did the lock even address this important question? Does the lock open if someone unplugs the router? Or does it trap people behind the lock if a fire destroys the cable/DSL modem? Physical locks also have failure-mode concerns, but they tend to be limited to something happening locally, With "smart" devices, you are adding remote resources (like the internet router in another room, or remote servers, etc) as a critical component of the lock's security. That is a terrible idea if you that remote resource is intrinsically outside your control.
I'm a big fan of electronic locks, but I refuse to have a smart lock. I know enough about IOT and security to know that a lock with a wifi chip might as well not be there at all.
I just program a few extra codes into the lock ahead of time, and if I need to let someone in in an emergency, I just give them one of my burner codes and delete it when I get home.
I don't really need a log of every entry because the camera pointed at my door already gives me one of those. :)
Why is a WiFi lock so bad? It opens you up more, but the number of people who can hack even the most insecure example is vastly smaller than the number of people who can kick down a door or break a window. Household locks are almost always just about deterring casual criminals, and internet vulnerabilities don’t move the needle much on that.
Scalability. Once you know how to pick one, you can pick them all quickly and remotely. Kicking down a door or picking a physical lock takes time and effort and exposes you to scrutiny while doing it.
Why? If you want to break into a house, it's a lot easier if you can just walk up to the door and look like you were invited in, then attracting attention picking a lock or kicking down a door.
It also means you can hire someone else to do your dirty work by tricking them into thinking they were invited in and asking them to "grab a few things for you".
Via WIFI? You are not more than a few hundred meters away. Doing that from across the street is much more convenient. Once they are done, they can just walk right in.
Doesn’t seem very scalable. Maybe you can knock over 10x as many houses in a night as a normal criminal. Normal criminals are 1000x (at least) more numerous, so it’s not a big increase in the threat.
I can imagine someone cracking these locks en masse, then setting up a website to sell the fruits of their labour. A local thief could log into a website, provide a street address and pay a fee, and the lock will be remotely unlocked.
Locks are often fairly weak against real attackers.
I enjoyed this youtube video of another smart (fingerprint?) lock being broken due to a digital reset. It has a plastic panel on the front where the fingerprint reader is. If you remove the panel with a razor blade (it's just attached with glue), it even has a reset button exposed which resets the fingerprint. https://www.youtube.com/watch?v=uVvEkcN5tW8
Doesn't this suggest that the unlock code comes from the "cloud" and not your phone/app?
So if you loose internet access you are not able to unlock? Or maybe it locally caches the key?
First, this is obviously hilariously bad from a system perspective (un-authenticated/unauthorized rebind of lock) [1]
OTOH it appears the problem is entirely server side, and could be patched/mitigated by the provider?
It still seems possible that the lock is secure-ish. It might conceivably have some form of anchored trust (pinned cert?) to communicate with the server - and a secure/better rekey flow could maybe be implemented?
Still sounds crazy to delegate authorization entirely to the cloud (I'm guessing you can open the lock wo internet, but not re-key).
I'm not even crazy about "find my phone"-services - and that's considering the vendor typically owns the hw, the kernel and can push updates (ie: all bets are off anyway).
[1] I'm also curious about the "lock code" field in the data - does the service advertise the pin if you give the correct serial/hw ID of the lock? Or something else?
66 comments
[ 0.24 ms ] story [ 114 ms ] thread”(v) Account Sign-In: If your app doesn’t include significant account-based features, let people use it without a log-in.”
The article says don't buy a smart-lock, but the convenience of having one-time access codes, scheduled access, delivery access, and linked to a security camera make the downsides (increased attack vectors) something I'm willing to live with.
But it also make vulnerabilities scale in the same way - exfiltrating 150,000,000 SSNs isn't much harder than 150 - and the penalties for security lapses don't scale anything like the profits that operating at these scales does.
What's the solution to that? Bigger penalties so that companies prioritize security? Require companies handling data and devices to carry insurance against huge hacks? I don't know, but we need to get somewhere better than "Ignore it because consumers generally don't understand the risks and apology letters are cheap."
The one good thing about IoT locks compared to other internet security issues is that you need physical access to do anything with it. The script kiddies spamming SSH authentication attempts at every webserver from somewhere on the other side of an ocean can't break in to your house with this. Other IoT devices like security cameras are still a concern though; a vulnerability in those could scoop up a lot of private videos.
Inside most modern car keyfobs there is an "emergency" physical key...or should be (recently saw one where the space was empty as the dealer had failed to include it) It's not marked or obvious from the outside of most I have seen and some prying in some innocuous looking seam will be needed. One of those things that seems obvious once you know it but may not have run across.
On some of mine, the physical key is also the pry-tool used to open the body of the fob for battery changing. :)
On my Toyota, this mechanical key can be used to lock the doors while the engine is running (pitstop mode), which is otherwise not possible. On my friend's Mercedes, it does not respond to the mechanical key (wait, what?) while the engine is running.
Been looking for that for a while but no way I ever trust a cloud connected one anf everything passable connects to cloud.
https://www.ui.com/unifi-video/unifi-video-camera-g3/
I'd love to know what products you are using.
It runs entirely locally.
Otherwise zigbee and z-wave products mostly work completely offline.
Some Xiaomi products (you need to be careful, as not all work offline) work offline and can be connected to local servers.
For shutters I use products by Rademacher. Its yet another base station (by now I have 4...), but they can be connected over http locally.
Not sure if all versions can be made to do this or just some.
Well, physical locks are not necessary harder to pick lock than electronic locks. Buy your self a pick lock set, practice a bit and be amazed how many locks you can pick.
Any monkey can buy lock picks and pick a door lock. It's not hard. Generally if you buy a decent rake, it'll open most locks quickly. It's arguably much more work to hack the _smart_ side of a lock than it is to just pick the _dumb_ part.
The caveat here is that smart locks are often "picked" en masse - once you break one in a lab, you can immediately and silently do the same to the rest globally. This is similar to software hacking.
The guidance here should be to only purchase smart locks from vendors that you can trust to patch zero-days quickly. How you qualify a vendor as such is a mystery - I don't know that there's been enough zero days on smart locks to verify.
Most B&E’s aren’t exactly executed by master thieves they aren’t single pin picking your locks.
When selecting a door lock or a pad lock you should care only that it can be raked or bypassed, for bike locks you should also care that it can’t be easily cut.
For the most part your door is likely going to be the weakest link as most people don’t have reinforced doors and door frames.
I've been burgled 4 times in my life, all 4 were either jimmied window or jimmied door (usually a screwdriver as a prying tool).
There's a difference between using a lock that requires an expert to pick, vs a smart lock that requires an expert to write an app that anyone can use to hack the lock.
LPL's real good videos are his physical attacks. Whether it's twisting, core pulling, or breaking out the Ramset, all are more likely than a criminal trying to SPP a lock.
I get why people are hard on smart locks, but I really don't see them as any more insecure then regular locks.
If there's a fire or medical emergency (heart attack, allergic reaction/anaphylactic shock etc) - you generally don't want it to be too hard to break in...
For example, here[1] is a "keyless bluetooth padlock" that can be opened trivially by rapping the locking pall with any hammar-like tool ("rock"). (it also has far too much around the shackle, so can also be opened with a a simple shim (e.g. a small cutout from a cola can). Another common problem are locks that don't seal their electronics securely, so they can be attacked by simply unscrewing a panel, ripping out the electronics. and touching the battery wires to the locking pal's actuator.
However, that type of problem are simply poor designs. In theory, in the future better designs could be made that include protections against well-known attack methods similar to what is already included in many "regular" locks.
A fundamental concern with locks that depend on radio (or worse, the internet) is what the lock does when when the radio/internet communication fails (for any reason). Does the lock fail-open, or fail-closed[2]? Did the lock even address this important question? Does the lock open if someone unplugs the router? Or does it trap people behind the lock if a fire destroys the cable/DSL modem? Physical locks also have failure-mode concerns, but they tend to be limited to something happening locally, With "smart" devices, you are adding remote resources (like the internet router in another room, or remote servers, etc) as a critical component of the lock's security. That is a terrible idea if you that remote resource is intrinsically outside your control.
[1] https://www.youtube.com/watch?v=vIbXC5LR8aQ
[2] https://en.wikipedia.org/wiki/Fail-safe#Fail_safe_and_fail_s...
I just program a few extra codes into the lock ahead of time, and if I need to let someone in in an emergency, I just give them one of my burner codes and delete it when I get home.
I don't really need a log of every entry because the camera pointed at my door already gives me one of those. :)
Scalability. Once you know how to pick one, you can pick them all quickly and remotely. Kicking down a door or picking a physical lock takes time and effort and exposes you to scrutiny while doing it.
It also means you can hire someone else to do your dirty work by tricking them into thinking they were invited in and asking them to "grab a few things for you".
From another country, maybe.
Via WIFI? You are not more than a few hundred meters away. Doing that from across the street is much more convenient. Once they are done, they can just walk right in.
I can imagine someone cracking these locks en masse, then setting up a website to sell the fruits of their labour. A local thief could log into a website, provide a street address and pay a fee, and the lock will be remotely unlocked.
I enjoyed this youtube video of another smart (fingerprint?) lock being broken due to a digital reset. It has a plastic panel on the front where the fingerprint reader is. If you remove the panel with a razor blade (it's just attached with glue), it even has a reset button exposed which resets the fingerprint. https://www.youtube.com/watch?v=uVvEkcN5tW8
https://www.youtube.com/watch?v=WeCGTosv-_c
OTOH it appears the problem is entirely server side, and could be patched/mitigated by the provider?
It still seems possible that the lock is secure-ish. It might conceivably have some form of anchored trust (pinned cert?) to communicate with the server - and a secure/better rekey flow could maybe be implemented?
Still sounds crazy to delegate authorization entirely to the cloud (I'm guessing you can open the lock wo internet, but not re-key).
I'm not even crazy about "find my phone"-services - and that's considering the vendor typically owns the hw, the kernel and can push updates (ie: all bets are off anyway).
[1] I'm also curious about the "lock code" field in the data - does the service advertise the pin if you give the correct serial/hw ID of the lock? Or something else?