Tuesday, 20 September 2016

Smart locks - two steps forwards, one step back

In the last month the world of smart locks has seen some major steps forwards (some new smart locks have launched offering new features, reductions in pricing, and easy installations) but at the same time, smart locks have also taken some steps backwards with hacking and vulnerabilities (e.g DEFCON hackers found 12 out of 16 Bluetooth smart locks open to hacks).

Here are some of the highlights/low-lights of August/September 2016;
Amadas (a Korean manufacturer) launched a Kickstarter campaign and within a week hit its goal of $70,000. Two really neat features of the Amadas smart lock included the solar emergency recharge system, and the its simple installation/near comprehensive door installation compatibility. According to Amadas 'while the lock is designed to operate for an entire year with two AA batteries, the Amadas emergency charging solar panel can recharge the lock for one time use within 20 seconds. Consumers can use their smartphone’s flashlight to quickly charge the lock, ensuring they’re never locked out of their home'. Being able to install the lock in under 2 minutes with only a screwdriver is pretty exciting too.

A week after hitting their Kickstarter goal, the Amadas Kickstarter campaign quickly turned from highlight to low-light, cancelling their campaign. According to the Amadas CEO quoted on a Techcrunch interview "the campaign wasn’t as clear as we hoped. The challenge is that the backers and the company had some misunderstandings about the features of the product". The problem, the team points out, is that its solution is Bluetooth only, but a lot of the competitors in the market offer remote unlock solutions over Wi-Fi. The challenge was that many of the backers assumed that Amadas’ solution would also support remote unlocking from anywhere in the world.

The PIN Genie Smart Lock

 Another smart lock off to a good start on Kickstarter in the last week is called PIN Genie. Whilst they have not yet reached their $50,000 goal, their $146 Early Bird Genie Pro has proven popular with the reward sold out(no longer available). This is 30% off their retail price of $209. PIN Genie also have a light version of the lock available as a reward for only $111, but this works with PIN only and not smartphone unlocking. Either way, these prices are very affordable and some of the lowest we've seen on Kickstarter campaigns. On their Kickstarter campaign pages PIN Genie boasts of a feature they call "Peep-Proof" which is a scrambling numberpad (the positions of the numbers on the pad constantly change after a PIN has been entered, so robbers can't watch you enter your PIN nearby and copy it to let themselves in). Although this is a neat feature, its not exactly 'world first' as PIN Genie claim on their Kickstarter campaign pages. Many Chinese lock manufacturers and Samsung with their Ezon Touch, have been offering this scrambling feature for a number of years now.

Moving onto the DEFCON hacking conference and the news of 12 out of 16 Bluetooth Low Energy energy smart locks were vulnerable to hacking, which got some pretty good press coverage, one has to ask the question about the security and the use of BLE in smart locks. Though a few of the manufacturers with hacked locks claim they encrypt a user’s password when it’s transmitted via Bluetooth, two of the hackers still reported having the ability to swipe the password out of thin air before sending it back to the lock itself. By doing this, the smart lock would then unlock itself without the original owner knowing or either of the researchers needing to decrypt and encrypted password.

Although the DEFCON hacks sounded very serious, this next smart lock vulnerability that made news recently reads like a script in a Mel Brooks movie. The article in Forbes on September 17th, titled  "Neighbor unlocks front door without permission with the help of Apple's Siri" is quite hilarious, and so as not to lose any of the comedic value of the story, here it is cut straight from the Forbes article;
According to a Reddit post by user “sportingkcmo,” he had his house equipped with an August Smart Lock, a Bluetooth-enabled door lock that users operate using their phone, as well as Apple's AAPL +0.02% HomeKit, which enables users to interact with smart home gadgets using Siri. According to his post, the user had set up his iPad Pro in the living room to connect to the lock through HomeKit.
Unfortunately, the setup opened up a huge security hole that serves as lesson of how smart home technology can backfire: His neighbor, who was coming by to borrow some flour, was able to let himself in by shouting, “Hey Siri, unlock the front door.”
The iPad was apparently able to hear the neighbor’s command through the front door and then sent the unlock command to the August Smart Lock. (The August Smart Lock also supports Amazon’s voice assistant service, Alexa, but users can’t unlock the door with Alexa. Users can only lock and check the status of the lock with Alexa.)

Adding any commentary on the above story will only distract from its ironic poignancy! So in summary, although its still early days yet with smart locks, start-ups, lock manufacturers, and tech companies are trying to solve shortcomings with other features, which often lead to more shortcomings. For example with a long battery life solution, we wouldn't need Amadas' solar emergency recharge feature. With a more reliable/cheaper/more secure long range technology we wouldn't need BLE and Wi-Fi. With cheaper and smaller hardware/modules, prices will come down, and installations will be easier. As the Internet of Things (IoT) world grows, with new technologies and standards watch out for some new "real" solutions to the smart lock problems within the next year that will solve all the problems once and for all.

A New Year means New Technologies to Unlock Time Access control for Everyone

Welcome to 2017! What a year 2017 is shaping up to be for the security, smartlock and access control industry with the emergence of new low ...