Fortinet, the global leader in high-performance cybersecurity solutions, on October 26, 2016, dispensed advice for users of smart locks, which are finding broader and more numerous applications across Asia Pacific.
The lock and key were created about 4,000 years ago, when human beings reached a point in their evolution that they wanted privacy and the safeguarding of their possessions. The objects were first made of wood but evolved to become metallic. In the last few years, the metallic key has increasingly been replaced by the smartphone or smartwatch, but the lock still exists largely in its original form, although it’s getting smarter too. Electronic locks can be embedded with software and remote sensing technology so that it can be opened from a distance, without physical contact.
The market for smart locks is huge. Analysts have forecast the global smart lock market to grow more than 10 times over five years to reach $3.6 billion by 2019.
“With technology permeating every aspect of our lives, consumers today have gotten used to accomplishing their daily tasks quickly, simply and elegantly. Smart locks, which allow hands-free operation, access management and remote activity monitoring, fits beautifully into this lifestyle,” said David Maciejak, Head of Fortinet’s FortiGuard Lion R&D team in Asia Pacific.
Smart locks can be programmed to open or close based on the key’s distance from the lock, through a feature called geo-fencing. Access management, meanwhile, allows the lock’s owner (such as someone renting out his home through Airbnb) to grant access to specific devices by sending virtual keys to his guests and revoking them later. Remote monitoring comes on top of that, letting the lock owner receive alerts and keep a record of when the lock was opened or closed.
There is, however, one downside to all this cleverness – the software underpinning smart locks today are quite easily hacked. The worse ones transmit their locking/unlocking codes in plain text, allowing hackers to intercept them with network sniffers. Others feature weak usage of cryptographic standards, letting attackers pick up and store the signals when the lock is used, and send the signal again later to unlock the device.
Electronic keys can also be spoofed. Every Bluetooth device has a unique 6-byte device address, most of the time presented as a 12-digit hexadecimal value. This is similar to the hardware MAC address in the Ethernet world. Experienced hackers can quite easily clone a Bluetooth device address, giving them the “key” to open a smart lock.
Like many things, smart locks of better quality (i.e. higher security) come at higher prices. Consumers wanting to use smart locks should be prepared to pay more for increased security. In addition, they should:
- Restrict the use of smart locks to less critical applications – for instance, it’s not wise to lock your home with them, but using them on your suitcase of travelling clothes is probably fine.
- If you are using your smartphone or smartwatch as a key, disable its Bluetooth capability. This will automatically disable geo-fencing.
- Manually update the lock and key’s software regularly if possible, or enable auto updating if this feature is available on the lock/key’s operating system. Such updates allow flaws in the software to be patched by the manufacturer.
“Consumers who want to use smart locks for more critical applications should wait a couple more years for the next generation of smart locks to arrive,” said Maciejak. “These locks will likely allow quick and easy updating of software, use a more secure protocol, and perhaps leverage personal biometric features instead of a physical key. Biometrics can still be hacked, but they are much more difficult to be lost or stolen.”
Maciejak identified electric car maker Tesla Motors as a manufacturer to watch on how security can be improved without impacting user experience. Tesla is already capable of conducting over-the-air software updates from a home Wi-Fi network. This is a big plus for customers because they do not have to drive their vehicles to their dealers.
“When such unobtrusive approaches are adopted more broadly by device manufacturers, smart locks will truly be ready for prime time,” said Maciejak.