This 'Smart' Lock May Have Dangerously Dumb Security
The Sesame smart lock being used. Credit: Candy House, Inc.
Knock, knock! Who's there? You are. Welcome home!
That's the promise of Sesame, a new "smart lock" being marketed in a Kickstarter campaign as "your keys, reinvented." (It's not connected to a very similar Indiegogo campaign.) Not only can you open the Sesame lock with a smartphone app, but you can also speak into the app, let in designated friends who have the app and even create a customized knock pattern that will open your front door.
Sound neat? Maybe not. Some of Sesame's features are perfect examples of how brilliant ideas about convenience can fail to take security into account. Of all the dumb ideas coming out of the so-called "smart home" or Internet of Things, these features may be the dumbest yet.
The Sesame smart lock does have a lot of promise. It's inexpensive ($99 retail when it comes out in the summer, $89 via Kickstarter now), rather elegant (it looks like an egg timer) and simple to install. It doesn't replace the existing deadbolt, but instead fits over the thumb-turn latch on the inside of the door.
Yet the lock is perhaps too convenient, allowing three separate modes of communication with the user: Bluetooth, Wi-Fi and sound.
Shave and a haircut, you're in
"Just lock and unlock your door using the Sesame app on your phone," the Sesame press release says. "Better yet, open Sesame with a custom knock on your phone or door."
For the custom knock to work, the phone on which the Sesame app is installed has to be within Bluetooth range of the lock, theoretically 33 feet (10 meters). A representative for Candy House, Inc., the Palo Alto, California-based company that makes the Sesame lock, told us that the feature's default range is 15 feet, which can be adjusted by the user. (The lock itself senses the knock via a built-in accelerometer.)
Despite the proximity requirement, I might be able to leverage this feature to steal my neighbor's stuff. First, I'd have to listen to him perform his custom knock a few times. Then, the next time he left his apartment and turned the corner for the elevator, bingo — especially if he'd extended the range to the full 30 feet, and if he was wearing headphones so he couldn't hear me knocking.
If I wanted to be really brazen, I'd call a few friends and stage a home-invasion robbery when I knew my neighbor and his phone definitely would be home. Duplicating his custom knock would be like playing "Simon," but with an actual reward.
Speak the magic words
The Sesame Kickstarter campaign comes with a promotional clip starring Adam Lisagor, the droll, bearded hipster who has become the king of tech-startup videos. "Open sesame," Lisagor speaks into his iPhone, and the door opens — but not before he taps the app with his thumb.
However, Sesame's promotional campaign states that the lock can, indeed, be opened by voice. That's amazingly convenient, and amazingly scary. What if the user's phone were stolen? What would stop the thief from a) seeing that the user had a Sesame app and b) finding out where he or she lived? Couldn't the thief just cruise over to the house and speak the magic words?
"If there is no fingerprint and passcode to protect the phone, the app will ask for [an] account password every single time," reads a post by Candy House in the comments section of one of the company's promotional YouTube clips. "Besides, you can log out [of] your account from the lost phone by logging in [from] another device."
Thus, the only thing stopping a thief from walking into a house is a screenlock PIN, a fingerprint or a password. That's not much of a defense, because many people's passwords can be guessed, most people's PIN codes can be cracked and it's not hard to fool iPhone fingerprint readers.
I assume that Sesame will let the user customize his or her own magic words to open the lock. I also assume that "open sesame" will be the default phrase, and that at least half of all people who buy this lock will never change it, just as millions of people never change any default settings.
Unlocking the front door from across the world
The Sesame lock doesn't have a Wi-Fi chip, but a $50 optional accessory for the lock does. The accessory plugs into a nearby power outlet, connects to the lock via Bluetooth and routes the signal to the home Wi-Fi network.
In this way, the promotional video explains, the Sesame lock can be used to control the lock remotely via the Internet, and can also be instructed remotely to let in designated friends and guests who also have the Sesame app.
"I can choose who has access, and who doesn't," Lisagor says in the video.
That's nice, but hooking the Sesame smart lock up to the home Wi-Fi network creates so many new angles of attack.
If you use WEP encryption on your Wi-Fi network (and I hope you use WPA2 instead), a savvy burglar could crack the network password in a few seconds. If you have a cheap home gateway router — such as one you rent from the cable company — there are probably half a dozen ways an attacker could take over the router. Neither method hacks the Sesame lock directly, but just being on the same local network gets you halfway there.
We haven't even discovered how the lock communicates with its master over the Internet, or how it will authenticate messages from him or her. It might be possible to stage a "man-in-the-middle attack" that would intercept and then change messages between the two, with neither being aware of the changes.
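The two design questions raised above (a replayable knock pattern, and whether remote commands are authenticated) come down to one property: an unlock command should be bound to a fresh, single-use challenge from the lock. The simulation below is an added example written for this article; it is not Candy House's code or protocol, which had not been published. The lock and phone roles, the shared pairing key and the message layout are all assumptions for illustration. It contrasts a lock that accepts a fixed secret (a knock timing pattern, which opens again on replay) with a challenge-response lock that rejects both a replayed message and a message whose command was altered in transit.

```python
"""Constructed illustration (not the Sesame protocol): why an unlock command
must be authenticated and replay-resistant.  Key, message format and the
lock/phone roles are assumptions for the example."""
import hashlib
import hmac
import secrets


class StaticPatternLock:
    """Lock that opens on a fixed secret (a knock pattern or pass phrase).
    Anyone who observes the secret once can present it again."""

    def __init__(self, pattern):
        self._pattern = pattern

    def handle(self, pattern):
        return "opened" if pattern == self._pattern else "rejected"


class ChallengeResponseLock:
    """Lock that issues a fresh random nonce per request and accepts a command
    only if the HMAC over (nonce + command) verifies and the nonce has not
    been consumed.  Replayed or altered messages are rejected."""

    def __init__(self, shared_key):
        self._key = shared_key
        self._outstanding = set()   # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def handle(self, nonce, command, tag):
        if nonce not in self._outstanding:
            return "rejected: nonce unknown or already used"
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: authentication tag mismatch"
        self._outstanding.discard(nonce)   # single use: blocks replay
        return "opened" if command == b"unlock" else "locked"


def phone_sign(shared_key, nonce, command):
    """What the owner's app sends: the nonce it was given, the command, and an
    HMAC binding both to the pairing key (assumed shared at setup time)."""
    tag = hmac.new(shared_key, nonce + command, hashlib.sha256).digest()
    return nonce, command, tag


def run_scenarios():
    """Exercise both designs and return each outcome keyed by scenario name."""
    results = {}

    # 1. Fixed secret: a constructed knock timing pattern, reused verbatim.
    knock = StaticPatternLock(pattern=(0.20, 0.20, 0.60, 0.20))
    results["static_owner"] = knock.handle((0.20, 0.20, 0.60, 0.20))
    results["static_replay"] = knock.handle((0.20, 0.20, 0.60, 0.20))

    # 2. Challenge-response with single-use nonces.
    key = secrets.token_bytes(32)          # constructed pairing key
    lock = ChallengeResponseLock(key)

    nonce = lock.challenge()
    msg = phone_sign(key, nonce, b"unlock")
    results["cr_owner"] = lock.handle(*msg)

    # The identical recorded message presented a second time.
    results["cr_replay"] = lock.handle(*msg)

    # A validly signed "lock" message whose command is flipped in transit.
    nonce2 = lock.challenge()
    n, cmd, tag = phone_sign(key, nonce2, b"lock")
    results["cr_tampered"] = lock.handle(n, b"unlock", tag)

    # The untouched "lock" message is still honoured for its one use.
    results["cr_lock"] = lock.handle(n, cmd, tag)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} {outcome}")
```

The point of the contrast is that the knock lock has no way to distinguish the owner's pattern from a reproduction of it, while the challenge-response lock ties every command to a value the observer cannot have predicted and cannot reuse. A real product would also need the pairing key to be established securely and the nonce set to be bounded, but those are refinements of the same design, not substitutes for it.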
Because the Sesame app won't be available until May, we also don't know how the "friends and family" open-door policy works. If I were a determined burglar, the first thing I'd do is download the app to my own phone, and then try to spoof my way onto every Sesame lock owner's guest list.
Turn the virtual knob
There's a less exciting, but much safer, way to open the Sesame smart lock: Stand in front of the door, open the app on your phone and tap the big animated knob, which then remotely turns the real knob. No voice, no knock, no friends, no Internet. The only connection is a short-range one through Bluetooth 4.0, which is a pretty secure protocol, as Lisagor reminds us in the video.
"It's got military-grade encryption," he says. "No one's hacking this thing."
"Military-grade encryption" is an empty marketing term — the U.S. military uses the same protocols as everyone else — and it's charming that Lisagor thinks a hacker would begin an attack on the Sesame smart lock by trying the toughest thing first. Still, as many security experts can tell you, what matters is not the strength of the encryption, but its implementation.
The strongest Bluetooth encryption in the world couldn't stop a skilled hacker from putting a tampered, malicious version of the Sesame app in the Google Play app store. (It would be harder, but not impossible, to do so in the Apple App Store.) Bluetooth encryption also couldn't stop malicious software already on the phone from intercepting the communication between the app and the Bluetooth chip.
There's always keys
Unforeseen security risks are factors that every "Internet of Things" device, from refrigerators to cars, has to contend with. Some cars, for example, don't isolate their entertainment systems, which may have cellular, Wi-Fi and Bluetooth connections, from the computer systems that control the brakes or the steering. Compared to the potential havoc those vulnerabilities might cause, the Sesame smart lock's flaws look mild.
Perhaps the safest way to open the Sesame smart lock is the old-fashioned way — with a physical key. (Because the Sesame augments rather than replaces the existing lock, the old keys will always work.)
Of course, most regular keys can be copied, and many locks can be picked or opened with special "bump" keys. But physical lock makers have had centuries to improve their technology, while smart-lock makers have had only a few years.
No house is perfectly impregnable. There's always a way to get in, such as a second-story window or a battering ram. What you want to do is make it as inconvenient as possible for a burglar to get in — and in this respect, the Sesame smart lock may be taking a step backward.