Skip navigation

Open sesame! Smart Locks Undergo Security Check

Doors open by app as if by magic, even from across the globe. Smart Locks are affordable, can be installed without any technical skills and are child’s play to operate. But are they secure as well, or do they leave the gates wide open to uninvited guests? After all, the door to one's home represents the last bastion against unwanted visitors. This test resolves the question as to whether you are forced to fear digital intrusion or can enjoy the convenience of smart locks.

Six smart locks and an app-controlled bicycle lock in the test of the AV-TEST Institute.

The locks are required to undergo comprehensive tests for basic security. According to the test configuration, there was an evaluation of data traffic security, protection from manipulation as well as handling of user data.

Test: Smart Locks

AV-TEST evaluates IoT devices in comprehensive security tests. You can find the latest tests in our blog (www.iot-tests.org).

The giant wants inside the house

Amazon has not only the world's largest online shop but with Alexa, etc. it also offers a wide array of its own smart home products, which are being skillfully deployed by the electronic commerce company to boost revenues of the sales platform. The latest show-stopper is "Amazon Key". The objective: Suppliers open the door of Amazon customers per smartphone and can deliver orders even if the customer is not at home. The test phase for the smart home door system is currently being launched for Amazon Prime customers in the United States. Yet smart locks have already been available for some time from other manufacturers. And they can make life easier not only for suppliers.

Smart doormen with various functions

Let’s say your children are coming home from school, workmen require entrance, but you are stuck in traffic on the way home or waiting at a train station for a delayed train. Scenario to save the day up to now: One phone call to neighbors you trust, who have an emergency key, and the door is opened. At least if anyone is available.

A smart lock opens up an additional option: One click in the smartphone app suffices, and the door opens automatically. Per Bluetooth, Wi-Fi or cloud connection, entry doors can also be opened without a key and even from remote places. Some of the motor-controlled lock cylinders enable the setup of pre-programmed locking and opening times, as well as the assignment of access permissions for other users, to the extent that the corresponding app is installed on the mobile device and a relevant permission has been sent by the main user. Some smart locks additionally offer so-called geofencing functions: If a user authorized per app comes within wireless range, some smart locks automatically unlock. When a registered mobile device leaves the wireless range, the cylinder automatically locks.

Six smart locks put to the test

The IoT testers in the AV-TEST labs took a close look at six current smart locks from various suppliers:

• August, Smart Lock, USA
• Burg-Wächter, secuENTRY easy 5601, Germany
• Danalock, V3, Denmark
• eQ-3, Eqiva Bluetooth Smart Lock, Germany
• Noke, Padlock, USA
• Nuki, Combo, Austria
• Semptec, Urban Survival Technology NX-1448-919 Bluetooth cable lock, Germany

Simple systems, easy installation

Despite different locking systems, all smart locks evaluated by AV-TEST can be easily installed without technical skills or even by novices. The systems from the manufacturers eQ-3 and Nuki offer particularly easy installation. In this case, a mounting plate is simply fastened from the inside above the traditional European profile cylinder, the key is inserted, and the remote-control motor unit is mounted on top. The mechanism holds the key and moves it according to the commands transmitted per app. By contrast, the evaluated smart locks for profile cylinders from Burg-Wächter, Danalock and Noke require replacing the lock cylinder. But this is also usually accomplished with two screws. Also in the test line-up: A smart lock from the US manufacturer August for the one-cylinder deadbolt locks typical in North America, as well as a bicycle cable lock from the manufacturer Semptec, which was also tested for comparison due to its similar mode of operation (see box).

Test environment and evaluation of basic security

Within the scope of the test, the engineers at the IoT lab from AV-TEST evaluate the secure acquisition, storage, transmission and processing of the data generated when using the smart locks. As part of this, the products are subjected to a security evaluation under actual conditions. In the case of smart locks, this means that all products were tested reproducibly in an identical test environment. Depending upon the function scope, the testers analyzed the security of the devices themselves, e.g. the update functionality, and the Internet services connected when using data links such as Bluetooth, Wi-Fi, as well as the apps of the smart home products. Another integral element of the test involves taking data protection aspects into consideration. Here, the testers also check the privacy policy. What's more, in testing the devices, they investigate the question whether the data collected by the manufacturer is even necessary for operation and which rights the manufacturer has asserted for additional use of data.

Smart locks offer an overall solid level of protection

In the test, three stars could be earned – thus certifying a good level of protection – in the test categories of "local communication", "external communication", "app security" and "data protection". This was achieved by half the smart locks evaluated. Two additional test candidates did manage to earn two out of three possible stars, which still corresponds to proper basic security. Only one lock failed to convince the test laboratory, yet the defects discovered in the quick test can be easily remedied. All in all, it appears as if the manufacturers of smart door locks, unlike many other manufacturers of smart home products, did their homework. An important finding, after all, poorly-secured smart locks could open up a field day for burglars.

The AV-TEST experts only issued a warning concerning the bicycle lock also tested, which failed the security test, earning zero out of three stars.

Local communication: secure Bluetooth!

All the smart locks tested can be locally activated via wireless Bluetooth. And on all the units, the communication between the lock and the mobile device proved to be secure. For Bluetooth communication, the locks mostly send and receive in the 4.0 standard (1 milliwatt, low energy), which allows a maximum wireless radius of ten meters. Attacks on Bluetooth communication thus already presuppose very close proximity to the lock. As a standard feature, the smart locks use encryption, mostly AES with at least 128 bits. Three locks, August, Danalock and Nuki, even encrypt at a higher rate, relying on AES with 256 bits.

Local communication: solid Wi-Fi

During the test period, only the Nuki lock could be integrated into home Wi-Fi. This is enabled by means of a Wi-Fi bridge, which is available for purchase as an accessory. Via this bridge, the smart lock from the Austrian manufacturer allows location-independent remote control of the lock through the app of the mobile device, as well as integration into other smart home systems, including control by means of voice commands through Amazon Echo. During the evaluation in the AV-TEST laboratory, neither the Bluetooth connection between the Nuki lock and bridge, nor the SSL-encrypted Wi-Fi between the bridge and the router revealed any apparent vulnerabilities.

Upon completion of the test, other manufacturers such as August and Danalock followed suit and are now also offering a bridge for communication per Wi-Fi.

External communication: unencrypted update

The smart locks receive important updates in a Bluetooth connection with their apps, which deploy a secure SSL-encrypted online connection per smartphone or tablet to the corporate servers on nearly all products. Only on the lock from Burg-Wächter did the testers discover unencrypted data transfer and were therefore also able to intercept and read the transferred firmware updates. As a result, attackers are afforded the theoretical opportunity to push corrupted updates to the lock and thus to manipulate the functions of the smart lock.

Moreover, the testers took issue with the fact that the Burg-Wächter unit commits a typical cardinal error for smart home products: To operate the lock and app, there is no forced change of the default password for the admin account. A dangerous complacency, as IoT devices with unchanged default login details are easy prey for attackers. Via IoT search engines for IoT devices, such as Shodan, such devices are easy to locate. This led to points being taken off in the validation of "local communication".

External communication: access permissions per app

For some smart locks, access permissions can also be generated, sent and managed for third parties. For this, the Nuki lock, for example, uses the encrypted communication of the WhatsApp Messenger. The recipient receives an invitation per WhatsApp chat. This contains a valid link to a securely encrypted HTTPS address of the Nuki server. The invitation code can only be used with the Nuki app and expires after 48 hours.

App security: log files present a vulnerable target

As a basis for updates, for managing access permissions as well as most of the communication with the smart locks based on Bluetooth, the apps are a potential target for attackers. That is why apps, especially their programming and log files, should be protected as effectively as possible against potential attacks. In the quick test, four out of six test candidates demonstrated good protection from potential attacks to the app. Only the apps from August and Danalock generated comprehensive debug logs. These can provide potential attackers clues as to the functionality of the app, along with wide-ranging clues concerning user activities. In the August app, the engineers from AV-TEST found such logs only in an area already protected by the app. By contrast, on the Danalock app, it was possible to read out the logs with standard tools such as the Android LogCat. Here, both manufacturers ought to make improvements.

Data protection

Who leaves the house, when do they leave, who arrives, and when? Via the apps of some suppliers, information of this type can be reviewed by the owner of the lock – but is it truly only visible to the owner? The experts from AV-TEST evaluated the privacy policies of the smart locks, whereby European data protection law served as a standard. In this test item, Nuki made a particularly strong showing. The privacy policy of the Austrian company is directly tailored to the tested product. That is also due to the fact, however, that this still quite new supplier is currently only selling this one product. In addition, the Nuki privacy policy is easily accessible via the app as well as through the website, well-structured and written in understandable terms, and is thus exemplary.

Except for the US manufacturer August, all other lock suppliers retrieve only the information required to use the smart locks. Thus, the US manufacturer, for example, requests a photo during online registration. For August, Danalock and Noke, the testers see a need for improvement, e.g. in terms of information on stored data and its use by third parties. An adaptation to European data protection law would easily remedy these defects.

Conclusion

Convenience does not have to mean less security. This reassuring conclusion can be made following the surprisingly strong results of the smart lock test. Surprising because in terms of security, most devices tested in this product category are refreshingly different from other smart home devices. Such as unsecured IP cameras, also used for purposes of building security. All in all, the manufacturers of smart locks did a good job. The AV-TEST Institute rated five out of six of the locking systems evaluated in the quick test as having solid basic security with theoretical vulnerabilities at the most. The smart locks from eQ-3, Noke and Nuki pass the test with three out of three possible stars, offering a good level of security, exactly what one would want in a smart locking system. Due to avoidable and easily remedied defects, the smart lock from Burg-Wächter earns only one out of three stars and for this reason cannot currently be recommended. The fact that things can be considerably worse is manifested by the atrocious results of the app-controlled bicycle lock from the supplier Semptec (see box).

Fresh out of lock! Semptec protection fails the test.

The company goes under the boastful name of Semptec "Urban Survival Technology". At least as far as its app-controlled Bluetooth cable lock NX-1448-919 is concerned, the slogan unfortunately remains a forward-looking statement. Because the bicycle lock tested by the AV-TEST laboratory was anything but secure. Admittedly, the concept is indeed good: an app-controlled Bluetooth cable lock, which conveniently opens automatically as soon as the owner approaches. Which eliminates the need for unlocking the bike, and you can immediately start pedaling. In case of an unauthorized attempt to open it, the lock emits a piercing warning tone and sends a warning message to the smartphone of the owner.

But the good idea is poorly implemented, and locked bikes are anything but secure with the Bluetooth lock. As it is now, the Semptec lock transmits a message via an unencrypted Bluetooth connection, which can be manipulated by simple means. Intruders, for instance, could prevent the alarm from triggering. The selection of possible passwords is not much better. Here, the app only allows for the selection of a six-digit code, which can be easily cracked using a brute-force attack. This is additionally facilitated by the fact that the lock does not limit the consecutive login attempts to a particular number. Which means that it only takes up to four hours to crack the pre-set PIN. The testers took issue with several other security measures that were poorly-conceived or lacking altogether. But the Semptec lock was already excluded from earning a star in the test due to the previously-mentioned product errors.

Share this: