Are All Smart Locks Hackable?
Posted by ZeroDayGear.com on May 20th 2021
Are All Smart Locks Hackable?
When homeowners think of the best available home security technology, many imagine electronic locking systems, also known as smart locks. In addition to being more convenient to use, most smart locks are often described as safer, more reliable, and more advanced than traditional solutions.
However, you may have also heard that no security system offers 100% security against all attacks and that even the latest smart locks are vulnerable to motivated hackers. Find out exactly how secure smart locks are and what vulnerabilities and types of attacks hackers exploit to defeat them.
How Secure Are Smart Locks?
Although we often think of smart locks as the best choice for home security, their primary advantage is convenience rather than increased safety.
The typical smart lock eliminates the user’s need to carry a key, card, or chip or remember a keypad code. Instead, they leverage something that over 85% of Americans already own and use every day: the smartphone.
With a smart lock, you can use your phone as the key, allowing you to lock and unlock the front door with the device you already use. A smart lock typically works alongside a corresponding smartphone application, letting you remotely engage or disengage your front door lock.
Some take advantage of close-range wireless connectivity, such as Bluetooth, to automatically detect how close you are to your home, unlocking it when you’re nearby and locking it again when you’re out of range.
Should I upgrade to a smart lock?
Despite the many conveniences and quality-of-life upgrades they can offer, smart locks aren’t necessarily more secure or robust than traditional mechanical door locks. While they use technology to make using the lock easier and faster, the underlying hardware is comparable in quality.
You shouldn’t view the smart lock itself as a security upgrade but as more of a convenience upgrade. Higher-priced smart lock systems typically improve your home’s level of security by integrating into a complete home security package, such as security cameras, alarms, unauthorized entry notifications to your smartphone, and in some instances, automatically calling local law enforcement.
Types of Hacking Attacks Used on Smart Locks
The typical smart lock doesn’t feature a lock that can be picked with a standard lockpick set, making them effectively immune to such attacks. However, a sufficiently determined and technologically-minded hacker still has several tools and measures to defeat your smart lock. Here are a few examples.
A Bluetooth sniffer is a debugging tool used by cybersecurity experts to intercept and analyze Bluetooth wireless traffic.
Their primary purpose is to help trained individuals detect and fix issues with Bluetooth devices. Malicious people can use these tools to analyze Bluetooth communications between your phone and your lock, intercept data, and look for potential exploits.
For example, a hacker relying on a Bluetooth sniffer may try to look for plain-text passwords (not encrypted), gain access to your smart lock app’s account and potentially change your information to let themselves inside.
Although the hacker must be physically close to your lock to use a Bluetooth sniffer, if successful, even the smart lock company would be unable to help you, as the changes made to your account would appear legitimate on their end.
If the hacker knows which make and model your smart lock uses, they can look for a copy of the application software and use decompiling tools to observe its programming and look for potential exploits.
For example, applications intended for Android devices are typically compiled into the .APK file format (Android Package). In that instance, a hacker can use a freely-available decompiler such as Bytecode Viewer to try and reverse-engineer the application.
Although these tools have legitimate uses, such as debugging, editing, and security testing, hackers with advanced programming knowledge can use them to find vulnerabilities and write malware designed to attack your smart lock application. Hackers can use this hacking method to obtain your passwords and account information.
A fuzzing attack describes a software vulnerability testing method where a hacker sends a large amount of random data to a target system. Fuzzing has valid applications as a low-cost method to detect weaknesses in computer applications; however, it can also be used by malicious actors to damage equipment or break into properties.
Many cheaper smart locks are designed to unlock themselves when they fail and enter an error state. Fuzzing a smart lock typically involves sending large amounts of data over Bluetooth or Wi-Fi until it fails, letting the hacker inside your home.
In the context of information and network security, device spoofing is a specific type of hacking attack where the hacker’s device or communication is disguised to appear legitimate, often intended to impersonate an authorized device and access data.
When a hacker uses a device spoofing attack on a smart lock, they are essentially tricking the lock into thinking the hacker’s device is the owner’s. Although the most common objective is to unlock the door directly, more determined hackers can use device spoofing and other attacks to obtain your account password.
Many smart locks possess voice activation commands, either integrated into the locking device or designed to work with a personal home assistant like Google Home or Amazon Alexa. Although they can be very convenient, they are also vulnerable to a potentially simple hacking trick: voice spoofing.
Voice spoofing is when a hacker uses recordings of your own voice (often illegally acquired) speaking the unlocking commands to let themselves past a voice-activated security system.
How to Prevent Attacks on Your Smart Lock
Although there is no such thing as 100% security, there are still measures you can take to protect yourself from potential hackers.
- Use long, strong passwords with as few dictionary words as possible. Don’t hesitate to use 16 characters or more, with multiple uppercase and lowercase letters, numbers, and symbols. Don’t forget to change your passwords regularly.
- If possible, choose a smart lock app with multi-factor authentication (MFA) and activate it as soon as possible. With MFA enabled, a hacker won’t be able to get into your app’s account even if they have your password unless they also have your phone.
- Ensure that the smart lock itself and the companion application both feature strong encryption, such as AES-256. Quality encryption ensures the lock doesn’t store your passwords in plain text and makes it nearly impossible for a hacker to decrypt.
- Avoid cheaper models from unknown brands and stick to reputable, established manufacturers. Although their products may be more expensive, they typically have better quality control and are less likely to be vulnerable to hacking attacks.
- If your smart lock comes with optional voice-activated features, avoid enabling them as they can be spoofed easily.
- Don’t neglect the smart lock’s build quality and hardware security; choose a robust model that is resistant to wear, tear, and damage. Advanced software security features won’t matter if the hacker can break your smart lock off your door with screwdriver tools and brute force.
Shop High-Quality Locksmithing Equipment at Zero Day Gear
Zero Day Gear is an online retailer of quality locksmithing and lock-picking equipment. Our Michigan location and rapid order processing allow us to offer fast shipping (all orders shipped within one business day) to our customers in the United States and internationally.
For questions or inquiries regarding locks or home security, call us at (855) 937-6329 or contact us via our online form.