These smartlocks have stirred up much conversation in the security community. While some people are pretty happy with the implementation, others feel that they shouldn’t be depended on.
First Published 22nd June 2018
The key to happiness is not in the lock.
4 min read | Reflare Research Team
The past weeks have seen multiple smartlocks (locks using an electronic locking mechanism that reacts to apps, fingerprints or other forms of identification) either get hacked or broken on a physical level. In this briefing, we will take a look at why it is so difficult for companies to create secure smartlocks and what these challenges mean for security in general.
What happened?
On June 1st 2018, YouTube channel JerryRigEverything published a video showing the disassembly of the popular TappLock One fingerprint lock. The lock was first funded using the crowdfunding platform Indiegogo but has since hit the open market and is available from common retailers. While the producers advertise “Unbreakable durability” on the lock’s website, the teardown revealed that the lock’s backplate could be easily removed using a suction cup. From there, the lock can be fully disassembled and opened in a matter of minutes.
Perhaps inspired by these findings, UK penetration testing firm Pen Test Partners LLP released a video on June 13th 2018 showing that the Tapplock could also be hacked to open within a few seconds as the cryptographic key required to do so was based on the lock’s MAC address - information that the lock actively broadcasts.
On June 15th 2018, a Twitter account dedicated to lockpicking uploaded an exchange with an unnamed lock manufacturer. In the exchange, the critical design flaw of having external screws on the lock (allowing the same sort of attacks that hit the Tapplock) was pointed out, leading the manufacturer to retort that “the lock is invincible to people who do not have a screwdriver”, therefore still a viable product.
Why are smartlocks so insecure?
These recent incidents are by no means unique. From weak encryption to screws to opening smartlocks with magnets, the security record on this class of devices is extremely poor. Why is this?
While many factors play a role, in our opinion the core problem comes down to specialization. The process of building a physical lock and the process of designing a digital authentication mechanism are both highly complex tasks requiring years of experience to do well. Slight mistakes can have fatal consequences and the weakpoints in a given design are often not obvious to those not intimately familiar with the technology.
Unfortunately, the companies that attempt to build smartlocks usually fall into one of three categories:
Lockmakers - who can construct solid locks but lack information security knowledge;
Tech Companies - who have varying degrees of information security knowledge but lack lock-making skills; and
Startups - who often have neither skillset.
Since both fields are highly specialized, those attempting to build smartlocks often lack the basic knowledge on the missing subjects required to understand how much knowledge they lack. Subsequently, overconfident teams build devices that are heavily lacking in physical security, information security, or both.
The broader picture.
The concept of non-overlapping specializations is not unique to locks. It affects the entire security industry. Whether we are dealing with car manufacturers implementing insecure car locks, web developers attempting to create their own cryptographic algorithm or any number of other recent examples, overconfidence in a non-existing capability is at the core of a large chunk of security breaches - be they physical or electronic.
The only way to protect your organization against inadvertently producing an affected product is to upskill staff through training and make sure that admitting to not knowing something is accepted in your organization’s culture.
Training is important as individuals with little knowledge about a given topic tend to greatly underestimate how complex the topic is. An open corporate culture is important as fear of admitting a knowledge gap can ultimately put the organization at risk.