Questioning Smart Lock Security

The benefits of installing a keyless smart lock to replace the physical key and cylinder include:

  • Identity: the removal of anonymity from each person who unlocks the assets you protect
  • Security: keyless smart locks do not have an external locking mechanism — fewer ways to defeat the lock
  • Data: the records of “who”, “when” and “where” and even “why” the smart lock was opened

While it is easy to understand these benefits, it can be challenging to understand the complexity of keyless smart lock security.

Ars Technica, The Register, and threatpost all highlight the problems that can occur when basic security measures in the domains of physical, transport, embedded, and cloud security are not addressed.

As an Enterprise Security focused company, Sera4 strives to educate everyone about the benefits of smart locks and keyless access control. We want you to understand the differences between a locking mechanism that can be opened with a phone and a complete cyber-secure platform that provides a set of tools to help secure and protect your assets.

The Four Domains of Keyless Smart Lock Security

When investigating a keyless access control solution, we encourage you to identify the following concerns and ask the right questions.

  1. Physical Security: the aspects that prevent theft or vandalism due to the hardware’s shape, size, and installation
    • Concern: Keyless smart lock hardware is perceived to be expensive and can disappear as fast as it is installed. Preventing theft of the keyless smart lock hardware itself may be critical to your security program.
    • Example: Company XYZ installs a keyless smart lock. One week later, a user arrives on site to find the door open and the lock missing entirely. The user can’t even secure the site before leaving.
    • Question: Does your keyless smart lock provide options to install securely to the structure, preventing theft of the keyless smart lock itself?
  2. Embedded Security: the software that ensures data security and integrity within the keyless smart lock and the mobile device
    • Concern: Keyless smart locks need to track the time and date to allow and disallow users access within the desired time frame.
    • Example: A user arrives on site a day after his digital key expired. He turns off his mobile radios, changes the date on his phone, and attempts to open the lock using yesterday’s digital key.
    • Question: How do you ensure timely access that isn’t dependent on the mobile device for date/time?
  3. Transport Security: the protocols and algorithms that ensure identity, digital keys and access logs are safely and securely transferred between lock, mobile device and the Cloud
    • Concern: Even with secure transport protocols, mobile devices transfer and store digital keys, exposing them to modification.
    • Example: A user downloads digital keys onto his phone. He roots the device and changes the details of a digital key, e.g. the user and the time of access. He still has the credential to get in, but the logs record a different user at a different time.
    • Questions:
      • Does a digital key incorporate the user, time, and permission to access the keyless smart lock?
      • Can the integrity of all three be assured and verified by the keyless smart lock before access is permitted?
  4. Cloud Security: the hardware and software components that allow ubiquitous access for users, and prevent attackers from breaking in to steal data or to grant unauthorized access
    • Concern: Compliance with global privacy laws implies a responsibility to protect people’s information.
    • Example: Users access their account information at: https://(somewebsite.com)/user/1234. User manipulates the web address to: https://(somewebsite.com)/user/4567 and views the information of another user.
    • Questions:
      • How do you protect user information from others?
      • Do you understand and implement the concepts of Security by Design, Privacy by Design and RBAC (role-based access control)?
      • Are you compliant with country specific privacy laws (e.g. GDPR, LGPD, PIPEDA, CCPA)?
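One way a lock can answer the questions under items 2 and 3 is to accept only a digital key whose user, permission and validity window are bound together under a MAC, and to check that window against the lock’s own clock rather than the phone’s. This is an added example, not Sera4’s code; the HMAC construction, the per-lock shared secret and the epoch timestamps are assumptions made here.

```python
import hashlib
import hmac
import json

# Constructed example secret. Assumption: the issuing service and the lock
# firmware share it; the mobile device only carries the MAC-protected key.
LOCK_SECRET = b"constructed-per-lock-secret"

def issue_key(secret: bytes, user: str, permission: str,
              not_before: int, not_after: int) -> dict:
    """Issuer side: bind user, permission and validity window into one
    payload and protect it with an HMAC so none of the three can be edited
    independently on the phone."""
    claims = {"user": user, "perm": permission,
              "nbf": not_before, "exp": not_after}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify_key(secret: bytes, key: dict, lock_now: int) -> tuple:
    """Lock side: check the MAC first, then the validity window against the
    lock's OWN clock (lock_now), never a timestamp supplied by the phone.
    Returns (claims, reason); claims is None when access is denied."""
    expected = hmac.new(secret, key["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, key["tag"]):
        return None, "integrity check failed"
    claims = json.loads(key["payload"])
    if not claims["nbf"] <= lock_now <= claims["exp"]:
        return None, "outside validity window"
    return claims, "ok"

def tampered_copy(key: dict, **changes) -> dict:
    """Simulates editing the stored key on a rooted phone: the payload
    changes, but the phone cannot recompute the tag without the secret."""
    claims = json.loads(key["payload"])
    claims.update(changes)
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return {"payload": payload, "tag": key["tag"]}

if __name__ == "__main__":
    # Constructed key for "alice", valid for one day (epoch seconds).
    key = issue_key(LOCK_SECRET, "alice", "unlock", 1_700_000_000, 1_700_086_400)
    print(verify_key(LOCK_SECRET, key, 1_700_040_000))
    # Item 3: user field rewritten so the log would blame "bob" -> MAC fails.
    print(verify_key(LOCK_SECRET, tampered_copy(key, user="bob"), 1_700_040_000))
    # Item 2: next day, phone clock wound back; the lock's clock decides.
    print(verify_key(LOCK_SECRET, key, 1_700_090_000))
```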

More Information

Learn more about how Sera4 addresses these questions and concerns:

AP3 Fact Sheet
Sera4 Embedded Security Fact Sheet

As always, feel free to Contact Us to ask any other questions you might have!
