Open sesame! Smart Locks Undergo Security Check
The giant wants inside the house
Amazon has not only the world's largest online shop but with Alexa, etc. it also offers a wide array of its own smart home products, which are being skillfully deployed by the electronic commerce company to boost revenues of the sales platform. The latest show-stopper is "Amazon Key". The objective: Suppliers open the door of Amazon customers per smartphone and can deliver orders even if the customer is not at home. The test phase for the smart home door system is currently being launched for Amazon Prime customers in the United States. Yet smart locks have already been available for some time from other manufacturers. And they can make life easier not only for suppliers.
AV-TEST evaluates IoT devices in comprehensive security tests.
Smart doormen with various functions
Let’s say your children are coming home from school, workmen require entrance, but you are stuck in traffic on the way home or waiting at a train station for a delayed train. Scenario to save the day up to now: One phone call to neighbors you trust, who have an emergency key, and the door is opened. At least if anyone is available.
A smart lock opens up an additional option: One click in the smartphone app suffices, and the door opens automatically. Per Bluetooth, Wi-Fi or cloud connection, entry doors can also be opened without a key and even from remote places. Some of the motor-controlled lock cylinders enable the setup of pre-programmed locking and opening times, as well as the assignment of access permissions for other users, to the extent that the corresponding app is installed on the mobile device and a relevant permission has been sent by the main user. Some smart locks additionally offer so-called geofencing functions: If a user authorized per app comes within wireless range, some smart locks automatically unlock. When a registered mobile device leaves the wireless range, the cylinder automatically locks.
Six smart locks put to the test
The IoT testers in the AV-TEST labs took a close look at six current smart locks from various suppliers:
- August, Smart Lock, USA
- Burg-Wächter, secuENTRY easy 5601, Germany
- Danalock, V3, Denmark
- eQ-3, Eqiva Bluetooth Smart Lock, Germany
- Noke, Padlock, USA
- Nuki, Combo, Austria
- Semptec, Urban Survival Technology NX-1448-919 Bluetooth cable lock, Germany
Simple systems, easy installation
Despite different locking systems, all smart locks evaluated by AV-TEST can be easily installed without technical skills or even by novices. The systems from the manufacturers eQ-3 and Nuki offer particularly easy installation. In this case, a mounting plate is simply fastened from the inside above the traditional European profile cylinder, the key is inserted, and the remote-control motor unit is mounted on top. The mechanism holds the key and moves it according to the commands transmitted per app. By contrast, the evaluated smart locks for profile cylinders from Burg-Wächter, Danalock and Noke require replacing the lock cylinder. But this is also usually accomplished with two screws. Also in the test line-up: A smart lock from the US manufacturer August for the one-cylinder deadbolt locks typical in North America, as well as a bicycle cable lock from the manufacturer Semptec, which was also tested for comparison due to its similar mode of operation (see box).
Test environment and evaluation of basic security
Smart locks offer an overall solid level of protection
In the test, three stars could be earned – thus certifying a good level of protection – in the test categories of "local communication", "external communication", "app security" and "data protection". This was achieved by half the smart locks evaluated. Two additional test candidates did manage to earn two out of three possible stars, which still corresponds to proper basic security. Only one lock failed to convince the test laboratory, yet the defects discovered in the quick test can be easily remedied. All in all, it appears as if the manufacturers of smart door locks, unlike many other manufacturers of smart home products, did their homework. An important finding, after all, poorly-secured smart locks could open up a field day for burglars.
The AV-TEST experts only issued a warning concerning the bicycle lock also tested, which failed the security test, earning zero out of three stars.
Local communication: secure Bluetooth!
All the smart locks tested can be locally activated via wireless Bluetooth. And on all the units, the communication between the lock and the mobile device proved to be secure. For Bluetooth communication, the locks mostly send and receive in the 4.0 standard (1 milliwatt, low energy), which allows a maximum wireless radius of ten meters. Attacks on Bluetooth communication thus already presuppose very close proximity to the lock. As a standard feature, the smart locks use encryption, mostly AES with at least 128 bits. Three locks, August, Danalock and Nuki, even encrypt at a higher rate, relying on AES with 256 bits.
Local communication: solid Wi-Fi
During the test period, only the Nuki lock could be integrated into home Wi-Fi. This is enabled by means of a Wi-Fi bridge, which is available for purchase as an accessory. Via this bridge, the smart lock from the Austrian manufacturer allows location-independent remote control of the lock through the app of the mobile device, as well as integration into other smart home systems, including control by means of voice commands through Amazon Echo. During the evaluation in the AV-TEST laboratory, neither the Bluetooth connection between the Nuki lock and bridge, nor the SSL-encrypted Wi-Fi between the bridge and the router revealed any apparent vulnerabilities.
Upon completion of the test, other manufacturers such as August and Danalock followed suit and are now also offering a bridge for communication per Wi-Fi.
External communication: unencrypted update
The smart locks receive important updates in a Bluetooth connection with their apps, which deploy a secure SSL-encrypted online connection per smartphone or tablet to the corporate servers on nearly all products. Only on the lock from Burg-Wächter did the testers discover unencrypted data transfer and were therefore also able to intercept and read the transferred firmware updates. As a result, attackers are afforded the theoretical opportunity to push corrupted updates to the lock and thus to manipulate the functions of the smart lock.
Moreover, the testers took issue with the fact that the Burg-Wächter unit commits a typical cardinal error for smart home products: To operate the lock and app, there is no forced change of the default password for the admin account. A dangerous complacency, as IoT devices with unchanged default login details are easy prey for attackers. Via IoT search engines for IoT devices, such as Shodan, such devices are easy to locate. This led to points being taken off in the validation of "local communication".
External communication: access permissions per app
For some smart locks, access permissions can also be generated, sent and managed for third parties. For this, the Nuki lock, for example, uses the encrypted communication of the WhatsApp Messenger. The recipient receives an invitation per WhatsApp chat. This contains a valid link to a securely encrypted HTTPS address of the Nuki server. The invitation code can only be used with the Nuki app and expires after 48 hours.
App security: log files present a vulnerable target
As a basis for updates, for managing access permissions as well as most of the communication with the smart locks based on Bluetooth, the apps are a potential target for attackers. That is why apps, especially their programming and log files, should be protected as effectively as possible against potential attacks. In the quick test, four out of six test candidates demonstrated good protection from potential attacks to the app. Only the apps from August and Danalock generated comprehensive debug logs. These can provide potential attackers clues as to the functionality of the app, along with wide-ranging clues concerning user activities. In the August app, the engineers from AV-TEST found such logs only in an area already protected by the app. By contrast, on the Danalock app, it was possible to read out the logs with standard tools such as the Android LogCat. Here, both manufacturers ought to make improvements.
Except for the US manufacturer August, all other lock suppliers retrieve only the information required to use the smart locks. Thus, the US manufacturer, for example, requests a photo during online registration. For August, Danalock and Noke, the testers see a need for improvement, e.g. in terms of information on stored data and its use by third parties. An adaptation to European data protection law would easily remedy these defects.
Convenience does not have to mean less security. This reassuring conclusion can be made following the surprisingly strong results of the smart lock test. Surprising because in terms of security, most devices tested in this product category are refreshingly different from other smart home devices. Such as unsecured IP cameras, also used for purposes of building security. All in all, the manufacturers of smart locks did a good job. The AV-TEST Institute rated five out of six of the locking systems evaluated in the quick test as having solid basic security with theoretical vulnerabilities at the most. The smart locks from eQ-3, Noke and Nuki pass the test with three out of three possible stars, offering a good level of security, exactly what one would want in a smart locking system. Due to avoidable and easily remedied defects, the smart lock from Burg-Wächter earns only one out of three stars and for this reason cannot currently be recommended. The fact that things can be considerably worse is manifested by the atrocious results of the app-controlled bicycle lock from the supplier Semptec (see box).
Fresh out of lock! Semptec protection fails the test.
The company goes under the boastful name of Semptec "Urban Survival Technology". At least as far as its app-controlled Bluetooth cable lock NX-1448-919 is concerned, the slogan unfortunately remains a forward-looking statement. Because the bicycle lock tested by the AV-TEST laboratory was anything but secure. Admittedly, the concept is indeed good: an app-controlled Bluetooth cable lock, which conveniently opens automatically as soon as the owner approaches. Which eliminates the need for unlocking the bike, and you can immediately start pedaling. In case of an unauthorized attempt to open it, the lock emits a piercing warning tone and sends a warning message to the smartphone of the owner.
But the good idea is poorly implemented, and locked bikes are anything but secure with the Bluetooth lock. As it is now, the Semptec lock transmits a message via an unencrypted Bluetooth connection, which can be manipulated by simple means. Intruders, for instance, could prevent the alarm from triggering. The selection of possible passwords is not much better. Here, the app only allows for the selection of a six-digit code, which can be easily cracked using a brute-force attack. This is additionally facilitated by the fact that the lock does not limit the consecutive login attempts to a particular number. Which means that it only takes up to four hours to crack the pre-set PIN. The testers took issue with several other security measures that were poorly-conceived or lacking altogether. But the Semptec lock was already excluded from earning a star in the test due to the previously-mentioned product errors.