Smart Locks: balancing between convenience and security
Smart Locks are the perfect example of how IoT development transforms the world around us. They take an existing (in this case - a thousand-year-old) technology and make it more convenient with wireless access, dedicated apps, sharing and fingerprint authorization. Working in the security industry we know that convenience often leads to better security: if a protection system is too complicated, users often tend to avoid it. But modern technologies sometimes make locks weaker than they originally were. This is the key takeaway of our most recent research on the security of three different smart locks.
Riscure’s research was preceded by a number of other works. Earlier this year Pent Test Partners released an interesting research on the Tapplock smart lock that showcases weaknesses often found in many other IoT devices: insufficient cryptography, an absence of checks when authorizing a user, hard-coded credentials that allow taking control of any device remotely within two minutes. And it’s not just about securing your school locker, backyard gate or bicycle shed. Amazon offers their customers convenient delivery and the capability of a smart lock in a single package. In this case, researchers discovered the possibility to disable the included video camera or managed to leave the door in the unlocked state after the delivery. These more complicated attacks actually impact the environment in which the lock itself is only part of the security system. But the result is the same: convenience that sometimes comes at the cost of weaker security.
We believe that these are temporary difficulties of a developing industry. Developers of IoT devices including smart locks have a chance to improve the security of their products to the point where they provide sufficient robustness. In order to gather the requirements for a reasonably secure smart lock, we have looked into three different devices from three vendors. We are not releasing detailed vulnerability reports just yet, to provide developers with sufficient time to mitigate discovered issues. In one case we had to deal with a reasonably secure lock: within the (quite limited) evaluation time frame we have only found a way to perform a Denial-of-Service attack, preventing even legitimate users to unlatch the lock.
The same device had a notable privacy issue. Another lock was prone to a physical attack. And the final device under review had a weakness in a cryptographic protocol, allowing unauthorized remote unlock an hour-long attack. Based on these findings and combining them with our overall experience in connected device security, our experts have identified 13 ways to improve the security and privacy of a smart lock. We believe it is the first time the basic ‘rules’ or ‘steps’ that (when properly implemented) enable better security in an IoT device, were summarized and shared with the public.
The full document is available here. It covers the topics of implementing robust cryptography, relay attacks, secure coding practices and even attacks on hardware and privacy issues. We believe that for every device type a comprehensive set of requirements and security checks can be created so that in the end a more robust solution is produced. This is why we are sharing these essential steps to improve the security of a smart lock.
If you are developing a smart lock or a similar IoT device and would like to discuss the findings in deeper detail, don’t hesitate to contact us via firstname.lastname@example.org.