Threat Research
About 4000 years ago, as we began the development of our modern way of life, people started to also want their own privacy and the ability to safeguard their possessions. The lock and key concept was created at that time. The first were made with hardwoods, then metals. Some were amazingly intricate. But eventually, they evolved to become the latest iteration of that ancient concept, something we have seen developing over the last few years: the smart lock. The key has been replaced by your smartphone or smartwatch, but the lock is still there and it is getting smarter.
The smart lock is also a good example of the convergence of the Internet of Things (IoT) with security. Usually, people buy locks for something they want to protect from others. For example, you buy a lock for your bike to prevent it from being stolen, or a lock for your front door to prevent intruders. Today, these locks are available in a variety of configurations, from the traditional key and lock model, to combination locks, to smarter versions with touchpads and alarm systems.
Many newer smart locks and security systems for your home can be accessed, monitored, and managed remotely. In some models, you can be alerted that someone is at your front door while you are away, look at a camera feed on your phone, see that it is a friend who has arrived early for dinner, speak to them through your remote connection telling them you will be home in a few minutes, and even unlock the door for them while you continue to pick up a few last minute things at the store. Likewise, keyless entry systems for cars have become surprisingly sophisticated, and can also be considered to be smart locks.
The market behind these new advanced security solutions is huge. Analysts are forecasting that the global smart lock market will grow at an astonishing rate of 75% during the coming few years, eventually reaching $3.6 billion by 2019.
These devices are quite appealing. Ironically, their hardware is not much more secure than a traditional deadbolt. What has happened is that the traditional lock has been wrapped in a layer of monitoring and communications software, and has been linked to such things as video cameras, lighting systems, and alarms. While you can argue that combining these things can make a homeowner more secure, there is also a downside, as the software being used has also created lead to a larger attack surface for criminals to exploit.
Frankly, the primary goal of many of these smart locks is to be convenient. They also create a sense of increased security, which may not actually be true. But that’s what people are looking for, and they are willing to pay for it. But there are pros and cons to this new technology
On the pro side, this new technology provides real security conveniences for property owners, such as:
Some of the more simplistic concerns about smart lock technology are a bit more technical in nature. A technophobe might ask, what happens if the battery on a fob or in your phone dies, or if access to the Internet is down? First, in the unlikely event that the battery is dying, you will certainly receive a bunch of warnings - not only visual feedbacks and sounds from the lock itself but also messages within the app – that the battery needs to be changed. But ultimately, the answer is simple: in most configurations you can always still use your physical key on the old dumb deadbolt.
But what if you have lost your key or you just left it inside your apartment? There is a solution for that as well. Some locks now come with an external connector to which you can pin an external battery allowing you to jump start the lock and then replace the dead battery.
But these concerns are really just the tip of the iceberg.
Smart locks utilize a variety wireless technologies, such as Bluetooth Smart (aka Bluetooth Low Energy, BLE was release in 2010 as part of version 4), Wi-Fi, Z-Wave, ZigBee, Apple HomeKit, and more. The main difference between these options is that some are intended to be simpler and less expensive than other wireless technologies, especially for small and low-power devices (such as those working on batteries.) Here is a quick overview:
That’s the case for the ZigBee solution, the first version of which was created all the way back in 1998, and was then later standardized as IEEE 802.15.4. It’s a wireless mesh network standard that can be used instead of Bluetooth or Wi-Fi for short-range wireless communication from approximatively 10 to 20 meters.
Figure 1: ZigBee module (ref: Wikipedia)
One challenge is that using many different protocols can sometimes lead to interoperability issues. So it’s good to see that some vendors are willing to open their standards, like Sigma Designs, which just released its new Z-Wave specifications (which is also identified as the G.9959 radio standard). Currently, they claim to have certified their solution on more than 1500 products. Open source projects like OpenZWave can also significantly improve the user experience.
HomeKit, Apple’s own home app guidelines, were released two years ago, but according to the specialists, it will start to really gain momentum in the IOS 10 release coincided to launch with the release of the first Apple’s home app. This year, nearly 100 products have been certified. As anyone who has built apps for Apple devices, Apple’s guidelines are quite strict, and most of the time require IoT vendors to adapt not only their software (a proprietary authentication module is required) but also their hardware to satisfy Apple’s requirement. Note: as of now, Siri is used as the primary interface for controlling your HomeKit accessories.
In the final notice, it’s almost impossible to draw a winner. There are currently multiple different standards competing and as it’s a really competitive market we can forecast that more will arrive in the coming years. One special note for Wi-Fi and BLE, for the latter the interest group behind it was clever enough to have it evolves various times from the first version released by Ericsson in 1994.
Now, it brings key features like mesh network, 6LowPAN support (stands for “IPv6 over Low power Wireless Personal Area Networks”, defined in RFC 4944) and even a lower power consumption than competitor like ZigBee. However, the main key advantage is its wide user base. Nowadays, almost every device supports it, with the race to miniaturization it will mostly be unlikely that smartphone manufacturers will embed redundant chips no matter how small it is.
While these solutions and approaches listed above, along with a number of others, are vying for top positions as market leaders, they are certainly not all as secure as they claim. Smart locks include embedded software because to be smart the lock has to communicate, and to sell it needs all kinds of nifty features, which is where most of the differentiation between solutions exists. While some vendors have actually put a lot of effort into their product security to try and make them unbreakable, if there is anything a cybersecurity professional knows, it’s that software code is a rich attack surface, and that hackers always find a way.
This past August, at the DEFCON 2016 security conference in Las Vegas, for example, the security of smart locks was challenged by two talks that were dedicated to the topic.
Security researchers Rose and Ramsey publicly demonstrated security flaws in 12 (out of 16) popular smart locks. At the end of their presentation, only four locks still stood. But if that wasn’t enough, the very next day a researcher called Jmaxxz presented his findings on how to bypass even more security features.
Below is the list of common software vulnerabilities that were identified in many of today’s smart lock solutions:
Summary
At its core, SmartLock technology is really just a variation on the ancient lock and key concept, but with a lot of software wrapped around it to make it more convenient, and in some cases, easier to monitor. But these new applications and services also add risk because they also provide a growing set of opportunities for criminals to circumvent those locks, and sometimes at a distance. At the moment, the caveat is that most attacks require close proximity to the key. But with the advent of smartphone-enabled applications, this may change.
In part two of this two-part series, we bring a number of SmartLock technologies into our lab for a deeper dive into how they work and an analysis of their strengths and weaknesses.
-= FortiGuard Lion Team =-