
This 'Smart' Lock May Have Dangerously Dumb Security

The Sesame smart lock being used. Credit: Candy House, Inc.

Knock, knock! Who's there? You are. Welcome home!

That's the promise of Sesame, a new "smart lock" being marketed in a Kickstarter campaign as "your keys, reinvented." (It's not connected to a very similar Indiegogo campaign.) Not only can you open the Sesame lock with a smartphone app, but you can also speak into the app, let in designated friends who have the app and even create a customized knock pattern that will open your front door.

Sound nifty? Maybe not. Some of Sesame's features are perfect examples of how brilliant ideas about convenience can fail to take security into account. Of all the dumb ideas coming out of the so-called "smart home" or Internet of Things, these features may be the dumbest yet.

More: How the Internet of Things Could Kill You

The Sesame smart lock does have a lot of promise. It's inexpensive ($99 retail when it comes out in the summer, $89 via Kickstarter now), rather elegant (it looks like an egg timer) and simple to install. It doesn't replace the existing deadbolt, but instead fits over the latch on the inside of the door.

Yet the lock is perhaps too convenient, allowing three separate modes of communication with the user: Bluetooth, Wi-Fi and sound.

Shave and a haircut, you're in

"Just lock and unlock your door using the Sesame app on your phone," the Sesame press release says. "Better yet, open Sesame with a custom knock on your phone or door."

For the custom knock to work, the phone on which the Sesame app is installed has to be within Bluetooth range of the lock, theoretically 33 feet (10 meters). A representative for Candy House, Inc., the Palo Alto, California-based company that makes the Sesame lock, told us that the feature's default range is 15 feet, which can be adjusted by the user. (The lock itself senses the knock via a built-in accelerometer.)

Despite the proximity requirement, I might be able to leverage this feature to steal my neighbor's stuff. First, I'd have to listen to him perform his custom knock a few times. Then, the next time he left his apartment and turned the corner for the elevator, bingo — especially if he'd extended the range to the full 30 feet, and if he was wearing headphones so he couldn't hear me knocking.

If I wanted to be really brazen, I'd call a few friends and stage a home-invasion robbery when I knew my neighbor and his phone definitely would be home. Duplicating his custom knock would be like playing "Simon," but with an actual reward.

Speak the magic words

The Sesame Kickstarter campaign comes with a promotional clip starring Adam Lisagor, the droll, bearded hipster who has become the king of tech-startup videos. "Open sesame," Lisagor speaks into his iPhone, and the door opens — but not before he taps the app with his thumb.

Nonetheless, Sesame's promotional campaign states that the lock can, indeed, be opened by voice. That's amazingly convenient, and amazingly scary. What if the user's phone were stolen? What would stop the thief from a) seeing that the user had a Sesame app and b) finding out where he or she lived? Couldn't the thief just cruise over to the house and speak the magic words?

"If there is no fingerprint and passcode to protect the phone, the app will ask for [an] account password every single time," reads a post by Candy House in the comments section of one of the company's promotional YouTube clips. "Also, you can log out [of] your account from the lost phone by logging in [from] another device."

Thus, the only thing stopping a thief from walking into a house is a screenlock PIN, a fingerprint or a password. That's not much of a defense, because many people's passwords can be guessed, most people's PIN codes can be cracked and it's not hard to fool iPhone fingerprint readers.

I assume that Sesame will let the user customize his or her own magic words to open the lock. I also assume that "open sesame" will be the default phrase, and that at least half of all people who buy this lock will never change it, just as millions of people never change any default settings.

Unlocking the front door from across the world

The Sesame lock doesn't have a Wi-Fi chip, but a $50 optional accessory for the lock does. The accessory plugs into a nearby power outlet, connects to the lock via Bluetooth and routes the signal to the home Wi-Fi network.

In this way, the promotional video explains, the Sesame lock can be controlled remotely via the Internet, and can also be instructed remotely to let in designated friends and guests who also have the Sesame app.

"I can choose who has access, and who doesn't," Lisagor says in the video.

That's nice, but hooking the Sesame smart lock up to the home Wi-Fi network creates so many new angles of attack.

If you use WEP encryption on your Wi-Fi network (and I hope you use WPA2 instead), a savvy burglar could crack the network password in a few seconds. If you have a cheap home gateway router — such as one you rent from the cable company — there are probably half a dozen ways an attacker could take over the router. Neither method hacks the Sesame lock directly, but just being on the same local network gets you halfway there.

We haven't even discovered how the lock communicates with its master over the Internet, or how it will authenticate messages from him or her. It might be possible to stage a "man-in-the-middle attack" that would intercept and then change messages between the two, with neither being aware of the changes.

Because the Sesame app won't be available until May, we also don't know how the "friends and family" admission policy works. If I were a determined burglar, the first thing I'd do is download the app to my own phone, and then try to spoof my way onto every Sesame lock owner's guest list.
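Added example, not Sesame's protocol (the article notes that how Sesame authenticates remote messages was not known): one way a remote command channel can resist the interception-and-alteration scenario described above, by tagging each command with an HMAC over a shared key and refusing any message whose tag or sequence counter does not check out. The key, message format and command names are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed shared secret provisioned between app and lock (illustration only).
SHARED_KEY = b"example-key-for-illustration-only"

def build_command(action: str, counter: int, key: bytes = SHARED_KEY) -> bytes:
    """Encode a command and append an HMAC-SHA256 tag covering action AND counter."""
    body = json.dumps({"action": action, "counter": counter}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"." + tag.encode()

class Lock:
    """Receiver that accepts only authentic, never-before-seen commands."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_counter = 0      # highest counter accepted so far
        self.state = "locked"

    def receive(self, msg: bytes) -> str:
        body, _, tag = msg.rpartition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time compare: any altered byte in the body invalidates the tag.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        cmd = json.loads(body)
        # Monotonic counter: a captured message resent later is refused.
        if cmd["counter"] <= self.last_counter:
            return "rejected: replay"
        self.last_counter = cmd["counter"]
        self.state = "unlocked" if cmd["action"] == "unlock" else "locked"
        return "accepted: " + self.state

def demo() -> dict:
    """Run a genuine command, an altered copy, and a replay through one lock."""
    lock = Lock()
    genuine = build_command("lock", counter=1)
    results = {"genuine": lock.receive(genuine)}
    # Message altered in transit (lock -> unlock): body changed, tag unchanged.
    altered = genuine.replace(b'"action": "lock"', b'"action": "unlock"')
    results["altered"] = lock.receive(altered)
    # Genuine message resent unchanged: counter 1 has already been used.
    results["replayed"] = lock.receive(genuine)
    return results
```

Without the tag, the same body-alteration step would simply succeed, which is the point the paragraph makes about unknown message authentication.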

More: How to Secure Your (Easily Hackable) Smart Home

Turn the virtual knob

There's a less exciting, but much safer, way to open the Sesame smart lock: Stand in front of the door, open the app on your phone and tap the big animated knob, which then remotely turns the real knob. No voice, no knock, no friends, no Internet. The only connection is a short-range one through Bluetooth 4.0, which is a pretty secure protocol, as Lisagor reminds us in the video.

"It's got military-grade encryption," he says. "No one's hacking this thing."

"Military-grade encryption" is an empty marketing term — the U.S. military uses the same protocols as everyone else — and it's charming that Lisagor thinks a hacker would begin an attack on the Sesame smart lock by trying the toughest thing first. Still, as many security experts can tell you, what matters is not the strength of the encryption, but its implementation.

The strongest Bluetooth encryption in the world couldn't stop a skilled hacker from putting a corrupted version of the Sesame app in the Google Play app store. (It would be harder, but not impossible, to do so in the Apple App Store.) Bluetooth encryption also couldn't stop malicious software already on the phone from intercepting the communication between the app and the Bluetooth chip.

There's always keys

Unforeseen security risks are factors that every "Internet of Things" device, from refrigerators to cars, has to contend with. Some cars, for instance, don't isolate their entertainment systems, which may have cellular, Wi-Fi and Bluetooth connections, from the computer systems that control the brakes or the steering. Compared to the potential havoc those vulnerabilities might cause, the Sesame smart lock's flaws look mild.

Perhaps the safest way to open the Sesame smart lock is the old-fashioned way — with a physical key. (Because the Sesame augments rather than replaces the existing lock, the old keys will always work.)

Of course, most regular keys can be copied, and many locks can be picked or opened with special "bump" keys. But physical lock makers have had centuries to improve their engineering, while smart-lock makers have had just a few years.

No house is perfectly impregnable. There's always a way to get in, such as a second-story window or a battering ram. What you want to do is make it as inconvenient as possible for a burglar to get in — and in this respect, the Sesame smart lock may be taking a step backward.

  • How to Secure Your IoT Devices
  • 10 Things You Didn't Know Could Be Hacked
  • Hacking the Internet of Things

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the data-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/us/sesame-smart-lock-security-concerns,news-20564.html
