Monday, 20. October 2014

Smart Lock Devices: Security Risks and Opportunities

Security is one of the top concerns when consumers consider buying smart devices. With cybercrime making the headlines every day, one has to think: is this smart device vulnerable to cyber attacks? Are these technologies secure enough for us to rely on them in our everyday lives?

A good example of a technology that we need to assess for its security and reliability is the smart lock. One of the key characteristics of smart locks is the use of digital door keys, which are used to open them. Digital door keys are typically stored in the vendors cloud servers, along with other properties of the lock. This gives the owner great convenience, since they can “send” the keys to other people remotely in order to allow them temporary access.  It also enables the user to do comprehensive monitoring/reporting, for example, to detect any forced entry, to report any breakage to the lock, to send alerts to the user, etc.

Smart locks, however, raise certain security risks as well. For instance, attackers may choose to target the vendor’s cloud servers, which may exist anywhere in the world, to get access to key information. Or if the smart lock supports web access, the attacker may attack the portal through code injection, cross-site scripting, etc. They may also launch phishing attacks to be able to get the user’s credentials to the vendor’s web portal used to manage the lock.

The attackers can also target the communication between the owner’s smart lock and mobile device. Bluetooth Low Energy (BLE) is a popular protocol used for communication between the smart door lock and mobile device or mobile key fob. During the communication process, the digital key is sent from mobile phone to door lock over the air via BLE. The said communication is encrypted, but certain implementations can be subject to man-in-the middle (MITM) attack, as discussed in security community. Since this type of attack requires capturing of packet exchange during device setup, the time window for attack is short which reduces the attack surface significantly. However, it’s up to the vendor to provide a strong BLE security implementation.

Some brands of smart locks allow user to lock/unlock anywhere in the world.  You can use vendor mobile app, or vendor web portal to check the lock status and lock/unlock it with a click of a finger.  This can be a desired feature for many consumers because of the ease and convenience it offers. The feature, however, does increase the attack surface.  In this case, instead of using BLE, the commands to the smart lock are sent over the Internet to the home router, and then to the lock via home Wi-Fi network, the smart lock device is visible in the local area network. Traditional IP based attacks such as port scanning and remote attack via open ports/firmware vulnerabilities can be used to attack the device.

The Internet of Everything revolutionizes traditional hardware functionalities. While it creates security challenges, it also provides great opportunities. In the smart lock case, one can implement comprehensive monitoring/reporting, for example, to detect any force entry, broke of lock, send alert to user along with broken lock picture, and attacker picture, etc.  For critical IoE devices (such as door lock in a home), comprehensive monitoring/reporting is important to ensure software and hardware integrity to detect any malicious software/hardware attacks.

For more detailed discussion on consumer buyer’s guide for smart home devices, you can read our Security Considerations for Consumers Buying Smart Home Devices.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Smart Lock Devices: Security Risks and Opportunities