This 'Smart' Lock May Have Dangerously Dumb Security

The Sesame smart lock being used. Credit: Candy House, Inc.

Knock, knock! Who's there? You are. Welcome home!

That's the promise of Sesame, a new "smart lock" being marketed in a Kickstarter campaign as "your keys, reinvented." (It's not connected to a very similar Indiegogo campaign.) Not only can you open the Sesame lock with a smartphone app, but you can also speak into the app, let in designated friends who have the app and even create a customized knock pattern that will open your front door.

Sound neat? Maybe not. Some of Sesame's features are perfect examples of how brilliant ideas about convenience can fail to take security into account. Of all the dumb ideas coming out of the so-called "smart home" or Internet of Things, these features may be the dumbest yet.


The Sesame smart lock does have a lot of promise. It's inexpensive ($99 retail when it comes out in the summer, $89 via Kickstarter now), rather elegant (it looks like an egg timer) and simple to install. (It doesn't replace the existing deadbolt, but instead fits over the latch on the inside of the door.)

Yet the lock is perhaps too convenient, allowing three separate modes of communication with the user: Bluetooth, Wi-Fi and sound.

Shave and a haircut, you're in

"Just lock and unlock your door using the Sesame app on your phone," the Sesame press release says. "Better yet, open Sesame with a custom knock on your phone or door."

For the custom knock to work, the phone on which the Sesame app is installed has to be within Bluetooth range of the lock, theoretically 33 feet (10 meters). A representative for Candy House, Inc., the Palo Alto, California-based company that makes the Sesame lock, told us that the feature's default range is 15 feet, which can be adjusted by the user. (The lock itself senses the knock via a built-in accelerometer.)

Despite the proximity requirement, I might be able to leverage this feature to steal my neighbor's stuff. First, I'd have to listen to him perform his custom knock a few times. Then, the next time he left his apartment and turned the corner for the elevator, bingo — especially if he'd extended the range to the full 30 feet, and if he was wearing headphones so he couldn't hear me knocking.

If I wanted to be really brazen, I'd call a few friends and stage a home-invasion robbery when I knew my neighbor and his phone definitely would be home. Duplicating his custom knock would be like playing "Simon," but with an actual reward.

Speak the magic words

The Sesame Kickstarter campaign comes with a promotional clip starring Adam Lisagor, the droll, bearded hipster who has become the king of tech-startup videos. "Open sesame," Lisagor speaks into his iPhone, and the door opens — but not before he taps the app with his thumb.


However, Sesame's promotional campaign states that the lock can, indeed, be opened by voice. That's amazingly convenient, and amazingly scary. What if the user's phone were stolen? What would stop the thief from a) seeing that the user had a Sesame app and b) finding out where he or she lived? Couldn't the thief just cruise over to the house and speak the magic words?

"If there is no fingerprint and passcode to protect the phone, the app will ask for [an] account password every single time," reads a post by Candy House in the comments section of one of the company's promotional YouTube clips. "Besides, you can log out [of] your account from the lost phone by logging in [from] another device."

Thus, the only thing stopping a thief from walking into a house is a screenlock PIN, a fingerprint or a password. That's not much of a defense, because many people's passwords can be guessed, most people's PIN codes can be cracked and it's not hard to fool iPhone fingerprint readers.

I assume that Sesame will let the user customize his or her own magic words to open the lock. I also assume that "open sesame" will be the default phrase, and that at least half of all people who buy this lock will never change it, just as millions of people never change any default settings.

Unlocking the front door from across the world

The Sesame lock doesn't have a Wi-Fi chip, but a $50 optional accessory for the lock does. The accessory plugs into a nearby power outlet, connects to the lock via Bluetooth and routes the signal to the home Wi-Fi network.

In this way, the promotional video explains, the Sesame lock can be controlled remotely via the Internet, and can also be instructed remotely to let in designated friends and guests who also have the Sesame app.

"I can choose who has access, and who doesn't," Lisagor says in the video.

That's nice, but hooking the Sesame smart lock up to the home Wi-Fi network creates so many new angles of attack.

If you use WEP encryption on your Wi-Fi network (and I hope you use WPA2 instead), a savvy burglar could crack the network password in a few seconds. If you have a cheap home gateway router — such as one you rent from the cable company — there are probably half a dozen ways an attacker could take over the router. Neither method hacks the Sesame lock directly, but just being on the same local network gets you halfway there.

We haven't even discovered how the lock communicates with its master over the Internet, or how it will authenticate messages from him or her. It might be possible to stage a "man-in-the-middle attack" that would intercept and then change messages between the two, with neither being aware of the changes.

Because the Sesame app won't be available until May, we also don't know how the "friends and family" open-door policy works. If I were a determined burglar, the first thing I'd do is download the app to my own phone, and then try to spoof my way onto every Sesame lock owner's guest list.


Turn the virtual knob

There's a less exciting, but much safer, way to open the Sesame smart lock: Stand in front of the door, open the app on your phone and tap the big animated knob, which then remotely turns the real knob. No voice, no knock, no friends, no Internet. The only connection is a short-range one through Bluetooth 4.0, which is a pretty secure protocol, as Lisagor reminds us in the video.

"It's got military-grade encryption," he says. "No one's hacking this thing."

"Military-grade encryption" is an empty marketing term — the U.S. military uses the same protocols as everyone else — and it's charming that Lisagor thinks a hacker would begin an attack on the Sesame smart lock by trying the toughest thing first. Still, as many security experts can tell you, what matters is not the strength of the encryption, but its implementation.

The strongest Bluetooth encryption in the world couldn't stop a skilled hacker from putting a corrupted version of the Sesame app in the Google Play app store. (It would be harder, but not impossible, to do so in the Apple App Store.) Bluetooth encryption also couldn't stop malicious software already on the phone from intercepting the communication between the app and the Bluetooth chip.

There's always keys

Unforeseen security risks are factors that every "Internet of Things" device, from refrigerators to cars, has to contend with. Some cars, for example, don't isolate their entertainment systems, which may have cellular, Wi-Fi and Bluetooth connections, from the computer systems that control the brakes or the steering. Compared to the potential havoc those vulnerabilities might cause, the Sesame smart lock's flaws look mild.

Perhaps the safest way to open the Sesame smart lock is the old-fashioned way — with a physical key. (Because the Sesame augments rather than replaces the existing lock, the old keys will always work.)

Of course, most regular keys can be copied, and many locks can be picked or opened with special "bump" keys. But physical lock makers have had centuries to improve their technology, while smart-lock makers have had only a few years.

No house is perfectly impregnable. There's always a way to get in, such as a second-story window or a battering ram. What you want to do is make it as inconvenient as possible for a burglar to get in — and in this respect, the Sesame smart lock may be taking a step backward.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Comment from the forums
  • hoffitron
    I think most burglars would smash a window before attempting to brute-force their way onto someone's WLAN. It's a lot easier, from their perspective.

    With respect to accessing a phone, if someone has your phone, they could just as well have your key. And your key doesn't require a passcode OR a fingerprint to work.

    So, while the knocking and voice control are definitely less secure than a key, that doesn't hold for the simple "tap to unlock" use case.
  • superpotential
    I think this came out first. http://time.com/3721905/open-sesame-android-wear/
    That makes this the 3rd Sesame in 3 weeks. Have people seriously run out of ideas?
  • Rogues
    I share your concerns with the knock part... there are definitely some concerns there, but when you talk about losing your phone, you're way off. If you do not lock your phone, you should have way more concerns than someone now having possible access to your home. These days, everyone's banking and other personal info are on their phone; people are starting to use it as their digital wallet. Your first concern over a lost phone should not be your smart lock but should be possible identity theft. Both Apple and Google offer services to remotely wipe and disable lost phones. A properly secured phone really negates any points about this. And if you think about it, it's better than a lost key; you can't remotely disable a lost key... you have to change out the locks completely.

    Phishing on the App Store? Come on, man, this is ridiculous. So we have to assume a hacker somehow gets his fake Sesame app on the App Store, then this hacker also happens to get you to be stupid enough to download it AND this hacker has to live close enough to you to actually gain access to your home. That is a lot of work. I'd sooner just use a bump key or break a window to gain access.

    Usually "hackers" are more interested in the digital side of your life, such as your banking info and identity. Breaking and entering is a different ball game from identity theft. These criminals are generally two very different types.