Smart locks flunk the physical security test
Physical padlocks have gone through hundreds of years of evolution to become difficult to break. The tools used to unlock or remove them also improved better and, in some cases, disabling an expensive lock is a task for professionals. This evolution appears to have taken several steps back with the emergence of the smart factor, though.
When choosing a smart padlock, one not only has to pay attention to the software embedded in the device but also to its physical properties. Most of the time, connected locks are less secure than their mechanical counterparts.
Their popularity is increasing due to their convenience: support for multiple access codes, remote locking, unlocking and revoking access codes. All this is possible from a mobile app that can typically provide information about the time and user that entered the protected premises.
However, the security features are less advanced than the technology embedded. Problems range from improper protection of the firmware to poor defenses against wireless attacks (Bluetooth and WiFi).
But even if the software security part is done right, physical vulnerabilities abound. Metal bodies with a low melting point, or shackles that give way to regular bolt-cutters are typical vulnerable parts security researchers have found in smart padlocks.
“My biggest concern at the moment is where they let the conventional physical security down. £200 locks that can be picked in seconds, ripped clean off the door with simple tools etc. or opened with a magnet,” says Andrew Tierney with Pen Test Partners, a company that offers penetration testing services.
On top of this, manufacturers seem to miss protection against robbers armed with tools as simple as a screwdriver. One product that advertises biometric capabilities has screws visible on the body, and the lock falls apart when they’re removed. When asked about the “oversight,” the company replied that “the lock is invincible to the people who do not have a screw driver [sic].”
Security in the realm of electronic padlocks is no better than what is available in the Internet-of-Things segment. Instead of driving innovation from the higher standards available in mechanical locks, many manufacturers riding the “smart” wave prefer to use their own poor designs or promote connected capabilities to divert attention from their failure to build a quality product.
Image credit: JanBabyIoT lock padlock smart lock