Are smart locks secure? AV-TEST has the answer

Smart locks began appearing on doors when building automation and the Internet of Things (IoT) went mainstream. However, the public’s acceptance of smart locks has been less than stellar–initial cost vs. actual benefits are seemingly the primary reason why.

The low adoption of smart locks may soon change if the powers that be at Amazon have their way. The company recently introduced Amazon Key, a remotely-controlled building-access platform–consisting of Amazon’s Cloud Cam, a compatible smart lock, and smartphone app (shown to the right)–that allows Amazon-approved delivery personnel to open locked doors and leave deliveries inside the customer’s home or office. A slew of additional conveniences not related to package delivery may also help the acceptance of smart locks.

That said, the public’s interest in smart locks will only improve if the benefits outweigh the costs, and the technology is proven to be physically safe and electronically secure.

Security issues have already been reported about Amazon Key. Liam Tung in his ZDNet article Amazon: We’re fixing a flaw that leaves Key security camera open to Wi-Fi jamming writes, “A malicious courier could easily freeze the Key’s Cloud Cam and roam a customer’s house unmonitored.”

Concerns about smart locks and security were raised way back in 2013. My TechRepublic article High-tech home security products: Who are they really helping? quotes several experts who question the security of smart locks and the technology supporting them.

SEE: Internet of Things Policy (Tech Pro Research)

AV-TEST put six smart locks’ data security through their paces

Knowing what experts were saying about smart-lock systems four years ago and the likelihood of smart locks becoming popular, the people at AV-TEST, an independent IT-security testing lab, decided to see if things have improved. The lab’s engineers developed a test program and put these six smart locks through their paces:

Are smart locks secure? AV-TEST has the answer

Data security was the first thing considered by the engineers with special emphasis on acquisition, storage, and transmission of data; the following image depicts how they employed Wireshark to capture traffic between the smart lock being tested and the controlling smartphone application. Besides communications, the team examined each system’s hardware and software, tested the software-update process, and determined whether the associated smart-lock application had any security issues.

It seems smart locks have improved considerably in the past four-plus years. From the AV-TEST report: “Convenience does not have to mean less security. This reassuring conclusion can be made following the surprisingly strong results of the smart-lock testing.” Concerning the test results, the test engineers offer the following insights.

Installation: Despite physical differences, all smart locks evaluated by AV-TEST installed easily–systems manufactured by eQ-3 and Nuki being the easiest.

Local communications: All tested smart locks are locally activated via Bluetooth. “As a standard feature, the smart locks use encryption, mostly AES with at least 128 bits,” mentions the report. “Three locks, August, Danalock, and Nuki can encrypt at a higher rate–AES with 256 bits.”

The AV-TEST engineers report that smart locks by August, Danalock, and Nuki can integrate with local Wi-Fi networks; this allows location-independent remote control using the mobile device’s smart-lock app. According to the report, neither Bluetooth nor SSL-encrypted Wi-Fi connections introduce any detectable vulnerabilities.

Data protection: AV-TEST’s engineers measured each smart lock’s privacy policy against European data-protection law. One concern centered on whether systems save more data than what is needed to operate properly. From the report: “For August, Danalock, and Noke, the testers see a need for improvement, e.g., in terms of information on stored data and its use by third parties. An adaptation to European data-protection law would easily remedy these defects.”

SEE: Cybersecurity in an IoT and mobile world (free PDF) (ZDNet/TechRepublic special report)

Smartphone-app security: The report warns that apps are a potential target for attackers, in particular how each app manages access permissions and log files. All smart-lock systems but August and Danalock handled access and log files adequately. The engineers are concerned that August and Danalock generate comprehensive debug logs that provide clues to how the app functions. Additionally, August keeps debug logs in a protected area, whereas Danalock does not, making it possible to read the log files using tools like Android Logcat. The report suggests both August and Danalock need to improve security in this area.

One serious misstep: The AV-TEST paper took issue with the smart lock from Burg-Wachter because the lock system does not require the user to change the default admin password. “A dangerous complacency, as IoT devices with unchanged default login details are easy prey for attackers,” mentions the report.

Overall results

Each smart lock was rated on local communications, external communications, app security, and data protection, with three stars holding top honors. The following graph shows the overall results.

On a positive note, the AT-TEST report notes, “All in all, it appears the manufacturers of smart door locks, unlike many other manufacturers of smart home products, did their homework.”

The report concludes by saying, “The AV-TEST Institute rated five out of six of the locking systems evaluated in the quick test as having solid basic security with theoretical vulnerabilities at the most.”