Handing Over the (Digital) Keys: Should You Trust a Smart Lock?

Lidia Davis at reviews.com wrote an interesting article addressing security concerns for digital locks. The original post can be found HERE.

Advancements in the home automation industry have afforded us the ability to steer clear of the mundane – and, frankly, annoying – tasks of everyday life, including that sweat-inducing episode of rummaging through your purse to find your house key while also holding six bags of groceries. But that innovative location-tracking feature on the smart lock that unlocks the door before you ever reach your doorstep poses yet another example of the privacy paradox — some may love the convenience and also wonder where all the data crunched into that convenience is going and who’s eyeing it.

We wondered, too. Do smart, or smartphone-controlled, door locks add extra layers of concern when stacked against their traditional, key-only counterparts? After a month of ongoing research we can say: yes and no. Deciding whether to trust a smart lock as a reliable gateway to your home involves careful consideration of what you value most.

For Lee Odess, vice president of solutions providers business at Schlage lock-maker Allegion, you don’t always have to sacrifice convenience for safety and vice versa. Odess says it’s all about how you personally define safety — for him, it’s about peace of mind. And when it comes to smart locks, there’s both online and physical safety components to consider.

But according to Odess, there’s already a different expectation, as these devices aren’t just smart gadgets that casually enhance the everyday — they’re also designed to protect the home.

“People are starting to ask the right questions,” Odess said. “It’s my belief that there’s a different expectation, because it’s [a smart lock] securing your home — not just turning your lights on.”

Automation and access control: Who can open (or know when you open) the door?

Smart locks use wireless protocols that allow you to lock, unlock, and connect the device to others in the home for seamless integrations, like turning on the lights when you walk in the door or integrating with a security camera that shows you who’s coming and going. The locks that work with Amazon Key even allow the delivery person entrance to your home (under your discretion) to deliver a package inside, safe from porch pirates. Eliminating the middle step of leaving a key under the doormat or in a lock box for by generating key codes that you can send to guests is pretty commonplace, too — and potentially attractive for those in the rental property or online booking industries, like Airbnb and VRBO.

It might help you sleep at night knowing the key to your home isn’t out in the open for burglars to find under the doormat or in a lock box vulnerable to tampering. The caveat, however, is that our phones, that send all of this information — including time-sensitive key codes — are (theoretically) hackable. Then there’s the issue of the infrastructure: When issues with Cloud services arise, as seen with Google, people have reported complications with entering their homes, controlling their thermostats, and monitoring security cameras, according to Fast Company.

While the terms “breach,” “hack,” and “security threats” are pretty attention-grabbing — “The vast majority of smart home users aren’t getting hacked,” according to The New York Times. For example, one study by the Massachusetts Institute of Technology (MIT) even found “no reason to believe that the August Smart Lock is any less secure than a conventional lock, and for a typical user, it seems unlikely to be a weak point in defense in home security.” Perhaps dissolving common fears and misconceptions, the study also didn’t glaze over any theoreticals.

“Unlike a conventional deadbolt and key, which could not be compromised en masse for thousands of homes at once, a savvy attacker discovering a new vulnerability could theoretically sell access to homes of August users worldwide.”

Security Analysis of the August Smart Lock, Massachusetts Institute of Technology

Inherent security flaws that lead to hacks aren’t the only avenue third parties can use to eye your data. Sometimes, it hits a little closer to home. If you have access to the app that controls a smart lock, you can probably see someone leaves and enters for the day, which can be beneficial in knowing your significant other made it home safely. But it could also inform someone of your whereabouts. Technically, if you don’t own the lock, the owner might be able to see your information, too

“If a lock is connected to the internet, then there is always the danger that it could be hacked,” Ray Walsh, digital privacy expert for ProPrivacy.com, said in an email to Reviews.com. “Of course, an internet-connected smart lock may be able to feed its owner additional information – such as an alert when someone unlocks it. This data certainly has its merits, but may only be so useful in the end,” Walsh said.

For example, although the privacy policy has since changed, Gizmodo found that smart lock company Latch stated GPS information could be stored and shared with owners and any subsequent owners in an archived link from May 8th. Latch says now that it doesn’t store or share any user information.

A lot of this deals with protecting the owner. For example, guests using an August lock can’t manipulate owner settings, which helps maintain confidentiality and creates a clear separation between who’s temporarily visiting and who’s living there. However, CNET reported how some have expressed concerns that this could open the door to an abuse of power in a landlord-tenant scenario.

What you can do to keep your information (and your home) more secure

Know what you’re signing up for

It’s not unheard of for these companies to change their privacy policies, so you might want to think about staying up to date and rereading when you can. For both the terms and conditions and privacy policy, there are a few keywords you can search to make sure you understand what’s happening. For example, how long will the company keep your data, and is the word “perpetuity” in there? If so, the company might have access to your data even if you decide to discontinue the service.

Use physical reinforcements

As Consumer Reports states, “New Technologies Don’t Solve Old Problems,” a smart lock won’t save you if you give everyone you know the PIN and fail to change it. Consumer Reports’ smart lock tests have found some are still just as vulnerable to physical tampering as your conventional or “dumb” lock. Dave Trezza, Consumer Reports engineer, told Consumer Reports that some of these strike plates — or reinforcements — have design flaws, including having screws that are too short. However, using hidden steel reinforcement plates near the cylinder can help hinder access via tampering.

Apply best practices for (digital) security

In our research, we’ve found that following general safety precautions should help you feel comfortable using your device. Two-factor authentication, strong passwords, and a secure network are all helpful. But more importantly, go for a brand you feel you can trust from the get-go. “Brands that care about the security of their users proactively assess the risks and provide updates that repair any vulnerabilities,” said Don Ham, vice president of strategic partnerships at Refresh Smart Home, in an email to Reviews.com. So, maybe you shouldn’t archive those emails on security updates from your smart lock company after all.

The bottom line

Securing that which secures your home seems to be a best practice in this field. Whether you trust a smart lock somewhat depends on how much you trust the lock’s physical structure, the internet, and fully agree to/understand the privacy policy and terms and conditions. Again, it’s all about how you define safety.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.