
2.13.20 – SSI – Are consumer-grade smart locks ready for widespread adoption? Here are four key questions to ask before installing.

At last month’s Consumer Electronics Show, dozens of IoT companies clamored to show off new access-control solutions ranging from smart padlocks to web-enabled parcel lockers. But while IoT technologies are all the rage, there are legitimate concerns about the security of consumer-grade Web-connected devices — and for smart locks, which exist solely to keep your home, business and belongings secure, there’s simply no margin of error.

Physical security has always been a battle between convenience and security. The earliest “smart key,” back in the Middle Ages, was a skeleton key designed to open any lock in the castle — a convenience for the feudal lord who didn’t want to cart around a huge bunch of individual keys, but also a boon for any thief who managed to lay their hands on one.

In the IoT era, we’re still fighting that same basic battle: on the one hand, we want to do away with jangling bunches of keys and make ingress and egress smarter and more convenient. On the other, though, we know that convenience can often involve trade-offs, and that it’s all too easy for new technologies to introduce new vulnerabilities.

So are consumer-grade smart locks ready for widespread adoption? If you’re considering an IoT access-control solution for your home or business, there are four key questions to ask:

1. How secure is the hardware?

With any smart lock, it’s important to know that the hardware you’re using will keep the door closed when it needs to be closed, and open it easily when an authorized user needs access. That’s easier said than done. At CES, McAfee unveiled new research showing that some consumer-grade technologies such as Web-enabled garage doors and ring-operated smart locks could easily be defeated by a savvy attacker, allowing them to breeze into your home.

2. Who’s really in charge?

Be wary of companies that might have an ulterior motive for wanting control of your doors. Amazon is one of the biggest players in consumer smart lock technologies, for instance, but they’re looking to popularize their technology not simply to serve your security needs, but also to streamline their delivery services and to lock consumers into their retail ecosystem.

Companies could also look to monetize information you’d prefer to keep private, such as data about who’s entering your home or business, or could even limit your doors’ usability unless you opt in to their other smart-building and delivery services. It’s always safer to stick to a company that’s narrowly focused on selling you access-control services — that way, you can be sure you’ll remain in control not just of your doors, but of your data, too.

Privacy is a big deal when it comes to smart locks. Do you really want everyone knowing who’s visiting your home, or when your property is standing empty? Obviously, you can reduce the risk by using proper cyber-hygiene — if you’re still using “Password1” as your password, it might be time to rethink things. But it’s also important to pay attention to how smart-lock companies handle your data.

Make sure you read the small print to understand whether data you’d prefer to keep private will be shared with third parties. Pay attention to how your data will be stored, too. If your information is held on servers outside the United States, for instance, it might be governed by the laws and regulations of a country with weak privacy protections — and that could leave you vulnerable.

4. How secure is the device in the real world?

Here’s another hard-won lesson from enterprise-grade IT security: even the most secure gadgets can be defeated by their own users. Scribble your password on your monitor or tell people your PIN over the phone and you’re effectively leaving your door wide open. You can reduce those risks by educating users, but it’s also important to make it easy for people to do the right thing.

If a gadget makes users jump through too many hoops, they’ll find ways to circumvent them, typically at the expense of overall security. Look for solutions that reduce friction and make your life easier — think cloud-based phone apps, not fiddly electronic fobs — so that real-world user behavior doesn’t cause you security problems.

The IoT is going to dramatically change access control for businesses and consumers alike. But there’s a steep learning curve for providers and users, and inevitably there will be mistakes along the way. To avoid running into trouble, make sure the companies you’re working with are using enterprise-grade security, and taking your security and your privacy seriously.

The bottom line: smart building technologies are here to stay, and if we get it right, we’ll all be far better off. But it’s important to be careful along the way, and to wisely pick the technologies that you use. Trading convenience for security is no smarter now than it was in the Middle Ages.

Eric Trabold is the CEO of Nexkey, an end-to-end provider of mobile access control solutions.