Smart locks seem to be the new trend in home security, but are they any more secure than the traditional locks people have used to protect their homes for decades?
Yes, like most other digital devices, smart locks can be hacked. In fact, most smart locks have more than one vulnerability that puts them at risk for hacking, including plain text passwords, decompiling APK files, device spoofing, and replay attacks.
LockSmart’s 2005 disaster, in which 500 of their customers experienced smart lock failure after an automatic firmware update, is the best example of how things can go wrong with a smart lock.
Of course, some models are more secure than others, and as they evolve, it’s likely that they will become better at their job. However, it seems that for now, these modern devices are more for convenience than security.
If you already own a smart lock or are considering buying one, you should be aware of the ways your device could be compromised:
Plain Text Passwords
When you create a password for a personal account, an app, a website, or any other service, you are the only person who should ever know that password, and that includes the company with whom you are creating a password.
This is why when you forget your password, the company usually can’t just tell you. You have to create a new one because even they don’t know what the password was. All they have is an encrypted representation of what your password was.
The password you enter to get into your account can be compared with the representation to see that it matches, but it doesn’t work backwards.
You cannot reverse engineer an encrypted representation of a password.
Unfortunately, there are some companies who don’t have this important step in their password process, and if the lock you bought has a plain text password with no encryption process, that means you’re vulnerable.
If a hacker were to break into the lock company’s database, all of your passwords would just be there for the taking.
It doesn’t even take a hacker. Anyone with access to the database could share or use a password, which means most of the employees at the company you bought your lock from could use them at any time.
Needless to say, it’s an extremely insecure system.
However, knowledge is power, and now that you know about this issue, you can avoid being taken advantage of by companies who forego the safer encryption process.
You’re most likely to run into this issue with the super cheap smart lock models, so if you’re looking for a bargain, make sure the company you buy from doesn’t have plain text passwords by checking online or asking them directly.
Decompiling APK Files
Android Package Kits (APKs), also known as Android Application Packages, are used by Android to distribute and download apps.
The first batch of digital smart locks mostly only catered to iPhones, but more and more security companies have been clueing into the demand for Android-friendly smart locks.
Nowadays, most popular smart lock models have apps for both iPhone and Android users, but the expansion may have opened a new door to potential home invaders.
It would certainly be difficult, but an experienced hacker with specialized software could plant a virus into the APK file used to download the smart lock’s app onto your phone.
With the virus in place, the hacker could gain access to the app and then use tools to interpret the code in the APK file, gaining access to your lock and, therefore, your home.
This approach is more difficult for smart lock users to combat, but like the plan text password issue, it will be more likely to happen if you purchase a cheap smart lock whose company didn’t have the funding to install software to prevent this.
Device spoofing is basically identity theft for your devices, and it’s no joke.
Once again, this isn’t something that any Joe Schmoe can do, but dedicated hackers have several different ways they can impersonate your device to gain access to your information.
Device spoofing can be done by compromising your IP address, modifying your devices Domain Name System (DNS), or sending spoofed Address Resolution Protocol (ARP) messages.
All methods will result in the exposure and, probably, theft of your information.
Fortunately, if you know about these invasive methods of digital thievery, you can take several courses of action to repel and prevent them.
Those methods include packet filtering, avoiding trust relationships, using spoofing detection software, and using cryptic network protocols.
Packet filtering will help combat attacks on your IP address, as they will catch any falsified IP packets sent from the hacker designed to overload your device.
IP attacks can also be thwarted by avoiding trust relationships with online companies that only use IP addresses to verify identities.
If a hacker can replicate your IP address to those companies, they can easily get in and steal your information without much difficulty.
Using spoofing detection software is a good idea for several reasons, but it will be particularly helpful in working against ARP attacks if you do decide to get a smart lock.
And lastly, there are cryptic network protocols that you can use to decrease the likelihood that your home will be broken into using any of these device spoofing techniques.
A replay attack is like the digital version of eavesdropping.
If the attacker gets access to an encrypted message that the victim sends, the attacker can replicate that encrypted message and send it to the recipient at a different time, pretending to be the victim sending the same message again.
Depending on the recipient of the message, the attacker can get any kind of information they want, including passwords and other signals that activate your door’s smart lock.
Unfortunately, stopping this kind of attack on your smart lock is more difficult than stopping it for other systems because you are not really aware of the message that’s being sent from your phone to your lock when you use a Bluetooth-based smart lock.
If you have a smart lock that allows you to create and use passwords, this kind of attack can be prevented by changing the password often, if not every time you use the device.
Screwdriver attacks are not digital, code-hacking attacks, but they have been proven to be effective.
These kinds of attacks occur when a home invader takes a flathead screwdriver and physically removes the lock from your door.
This can be done by any determined criminal and doesn’t take much know-how.
Screwdriver attacks have been a documented issue with some smart lock models that aren’t securely fastened to the door.
If you have a camera system along with your smart lock, it may dissuade potential invaders because of the risk of being recognized.
Otherwise, there’s nothing smart lock owners can do about this particular threat but wait for smart lock manufacturers to continue developing their products to be immune to these attacks.
Conclusion: Is a smart lock worth it?
Determining whether these potential threats are a true concern will be up to you, the consumer.
Locks have always been pickable, so perhaps the switch from physical picking to digital hacking is not as much of an issue as some people make it out to be.
However, if you do deem the convenience of a smart lock worth the risk, this article listed multiple ways you can protect yourself against attacks from hackers, and they could give you some peace of mind until smart lock producers figure out a way to neutralize these threats.
Are fingerprint door locks safe?
Fingerprint door locks are more difficult to hack than other smart lock models that use Bluetooth. However, they can be dangerous in a power outage, as most of them are not equipped to function properly without a constant flow of power.
Which smart lock is the safest?
How do smart locks work?
Many smart locks use a Bluetooth signal to communicate with your mobile device. When you arrive, the lock will sense the presence of your phone and unlock your front door. When you leave, it will sense the departure of your phone’s Bluetooth signal and lock the front door. Most smart locks also have the option to be connected with your home’s WiFi, in which case you can access the lock through your phone even while you’re away from home.