1. 41

  2. 9

    Once again the S in IoT stands for security.

    1. 3

      Gah, just realized this is flagged as authored by me.

      This is not my work.

      1. 2

        > Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.

        Wow, that’s awful! I wonder if anyone has some good lock recommendations that have passed testing with good marks?

        1. 4

          You should see the mechanical lock they have that flings extra keys at anyone who rings the doorbell.

          1. 1

            Well, compared to this, you could always buy basically anything else, including the cheapest normal lock they have at the corner drugstore. It might not be too hard to cut, but at least it has an actual key and won’t open right up for any cellphone ever made.

            1. 2

              Also, according to the author the Tapplock was easier to cut than a normal hardware store padlock: https://twitter.com/cybergibbons/status/1007144017149063168

              1. 2

                > the cheapest normal lock they have at the corner drugstore

                …can be opened with a shim fashioned from a soda can.

            2. 1

              There is a YouTube channel called Bosnianbill that is also testing smart locks sometimes. He is not looking at the IoT side of such locks but it’s still interesting to watch him take apart these locks. Master Lock: https://youtu.be/YsKMsvx8vvo Noke: https://youtu.be/PqeWupKN2W0

              1. 1

                Just to make this not all snark at poor security, here’s an idea I came up with in a few minutes for how to make a smart lock that’s actually secure:

                Lock will Bluetooth pair with anything that asks, but requires a long random key to open. The key is in a QR code and printed as a number on a couple of sturdy slips of paper that are in the package the lock comes with. You download the app, scan the QR code, and you can open the lock. Anyone else can get the app and pair with the lock, but can’t open it because they have no way to get the code.

                I’m not a security expert, and I only spent a few minutes on this, so it may have some holes. But it’s definitely better than what this smart lock is actually doing.

                1. 2

                  That sounds good. There are so many other issues that you’d need to address too, like preventing replay attacks, customers who switch phones and have lost the QR code, how would you manage temporary keys, etc.

                  1. 1

                    It requires more work than this, although most consumer hardware manufacturers are so clueless, they’re not aware of the problem at all, much less how difficult it is. I work for a company that sells security solutions for IoT (Afero) and I could tell you stories that would make your toenails fall off.

                    1. 1

                      Replay attacks.

                      Like, what happens if I sniff your traffic and play it back once I pair?

                      A system where both I and the lock talk to another service that generates one-time tokens would probably help.
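
The replay concern raised in this thread, as an added example that is not part of any comment above: a lock that accepts the QR-code secret itself can be opened by replaying one sniffed message, while a lock that issues a fresh nonce and checks an HMAC over it rejects the replay. This swaps the external one-time-token service suggested above for a lock-issued challenge; the `Lock` class, `app_response` and `demo` are hypothetical names, and BLE pairing and transport are not modelled.

```python
import hashlib
import hmac
import secrets


class Lock:
    """Lock side (hypothetical): holds the secret printed in the QR code."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # outstanding challenge, if any

    def unlock_static(self, presented: bytes) -> bool:
        # Naive scheme: the app sends the secret itself, so every
        # unlock message is identical and can be replayed.
        return hmac.compare_digest(presented, self._key)

    def challenge(self) -> bytes:
        # Fresh random nonce for each unlock attempt.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock_response(self, response: bytes) -> bool:
        # Consume the nonce before checking, so it is single-use
        # even when the attempt fails.
        nonce, self._pending = self._pending, None
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def app_response(key: bytes, nonce: bytes) -> bytes:
    """App side: prove knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed stand-in for the QR secret
    lock = Lock(key)
    static_replay = lock.unlock_static(key)  # sniffed message is the key
    sniffed = app_response(key, lock.challenge())  # owner's real unlock
    legit = lock.unlock_response(sniffed)
    lock.challenge()  # a later session gets a different nonce
    replay = lock.unlock_response(sniffed)  # old response no longer matches
    return {"static_replay": static_replay, "legit": legit, "replay": replay}


if __name__ == "__main__":
    print(demo())
```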