Home Publications Business 13 steps to improve security and privacy when developing a smart lock

13 steps to improve security and privacy when developing a smart lock

Author: Dennis Vermoen, Sander Degen

In a recent analysis of three popular smart locks, Riscure noticed that two of the locks were vulnerable to a variety of attacks, including physical attacks on the unit to cryptographic attacks on the wireless communication protocol. After reviewing the results, Riscure has developed 13 recommendations for smart lock developers to secure their devices better.

The highlights from this research include:

  1. Proper use of cryptography

While cryptographic algorithms to verify a user are considered secure, the way they are utilized in a system determines their security. Riscure recommends using standard algorithms as they have been tested for security compared to proprietary creations. Similarly, always use proper random number generators, avoid storing the same secret on all devices, don’t use weak key generation, and always store and transport keys securely.

  1. Closing test and debug functionality

Disabling debug interfaces is an invaluable step to securing a device. It helps ensure that all programming backdoors and other developmental tools which put a final product at risk are closed up. Many developers believe simply making the backdoors logically inaccessible is sufficient, and Riscure disagrees.

  1. Secure update mechanisms

When including update mechanisms, it is important to secure them. This whitepaper recommends ensuring update images are properly secured, firmware downgrades are prevented, and preventing any invoking of the update mechanisms externally.

  1. Do not trust the outside world

Since smart locks exist in a hostile environment, they are subject to external attacks such as eavesdropping technology which can hurt the security of the smart lock closure. Counter this by ensuring that all input from the external unit goes solely to the inside unit.

  1. Implement mitigation against relay attacks

Relay attacks work against proximity-based locks. By bridging the distance between a key device and the lock, the attacker can gain access despite the key not being nearby. Requiring an intentional action by the owner or putting in strict timing requirements can help to mitigate.

Discover our recommendations in our publication. Register to download the whitepaper below.

Recent publications

Share This