There's a lot to like in the idea of smart locks, but there's been no shortage of recent incidents that might give you pause about buying in just yet.
Tapplock recently came under scrutiny when security researcher Vangelis Stykas found that anyone could obtain sensitive information to locate and open a lock, simply by pulling the information directly from the company’s leaky API server.
The researcher demonstrated how to retrieve the lock’s last known postal address, and enough data to create an unlock code, which could be used to locate and open any smart lock.
In a statement made by Tapplock, the company confirmed it had pulled the API, which the app relies on to wirelessly open the lock using Bluetooth, given the risk of a data breach.
“This patch addresses several security issues and upgrades Tapplock’s communication and authentication security protocols. We will continue to monitor the latest security trends and provide updates from time to time,” the company said.
However, the lock also has other flaws. Aside from the poor-quality aluminium alloy that the lock is built out of, YouTube user JerryRigEverything found that you can potentially unscrew the back of the lock, rendering it useless.
In 2017, a botched wireless update for a remotely accessible smart lock system by LockState inadvertently bricked hundreds of the locks.
The locks suffered a “fatal error”, according to the company, rendering them unable to be locked. Customers have been asked to either return the impacted locks for repair, or request a replacement.
The company mistakenly sent out an over-the-air firmware update to its 6000i systems that was intended for its 7000i model locks. The update caused first-generation models of the 6000i locks to malfunction, rendering them unable to be locked and no longer able to receive over-the-air updates.
More than 500 customers using model 6000i RemoteLocks were impacted, and approximately 200 of these customers were Airbnb hosts.
A remote fix to this problem was deemed impossible by the company, meaning users had to physically replace the affected locks.
Amazon’s Amazon Key service is a smart lock and security camera pairing designed to let delivery people into the user’s house to drop off packages, with full video footage for accountability.
However, a vulnerability in the system was discovered by Ben Caudill of Rhino Security Labs late last year. He found that a delivery person could walk into a user’s home, drop off a package and leave. Then, instead of locking the door with their app, they could issue commands to the camera via a laptop or other device, causing it to freeze footage on a single frame.
While the camera is frozen, they can re-enter the home, move out of the camera’s view, and restart it. While it will appear as though they have stepped outside and taken a few seconds to initiate a lock, they are actually now in the user’s home, free to do as they please and leave through another exit.
Amazon said that it alerts users if their camera’s feed is frozen for an extended period, and that they have issued an update to help protect people against the vulnerability.
August’s locks allow users to grant someone ongoing, recurring or temporary access to their home via a digital key. Jmaxxz discovered a vulnerability with August’s guest access that allowed a guest to hack August’s software and enroll a new key. Once a guest enrolled a new key, they could control an August smart lock even after the homeowner removed them as a guest.
Thankfully, there have been no reports of break-ins due to this vulnerability and Jmaxxz noted that August, unlike the other companies whose locks were hacked, have been responsive and at least some of the issues have been fixed.
“I don’t think the current fixes are sufficient,” said Jmaxxz.
“However, August has deployed a number of important patches over the last couple of weeks, and I am hopeful they will be deploying the needed firmware updates soon.”