We Asked Five Security Experts If Smart Locks Are Ever Safe

An automatic firmware update broke LockState’s Internet-enabled “smart locks” for around 500 customers earlier this month, including around 200 Airbnb hosts who use the locks to remotely manage rental access. Customers have to replace their locks or ship them back for repairs. (The locks can still be operated with a physical key.)

Intelligent locks, like so many devices "Internet of Things", are vulnerable to a host of technological problems. Last year, security consultant Anthony Rose revealed huge security defects in Bluetooth locks. Of the 16 locks he tested, Rose managed to penetrate into 12.
Intelligent locks no longer seem infallible until our sister site, Gizmodo, explored intelligent locking safety four years ago. We asked five security experts if these locks are fundamentally insecure.
None of these experts is willing to fully write all the intelligent locks. "As much of the technology, you just have to decide who to trust and trust," says Bruce Schneier, security technician, author and lecturer, who testified at the Congress last year on The "catastrophic risks" of the unsustainable Internet Compatible Devices.

"There is always a risk that the net lock will be blocked or pirated," says Professor Stuart Madnick of MIT, "probably because of the owner's actions (or carelessness)." But it emphasizes this old-fashioned key Locking and locking solutions have their own user-created risks: "One of my popular utterances is:" You can buy a bolt stronger for your door but if You always leave the key under the carpet, are you really more secure? "
Madnick compares the compromise with the increased risks of driving a car instead of a horse. "Are you willing to trade your car for a horse?"
Jeremiah Grossman, Head of Security Strategy at Cyber Security firm SentinelOne, compares smart locks with remote old systems such as prison security doors and buzzers controlled by receptionists. He says that locks connected to the Internet can sometimes be an appropriate solution:

Would I personally entrust the security of my home to such a device? Not at the moment, but in the future as the devices get better and more secure I might trust them more. Should others use them? Sure, depending on their living situation. And people might consider using them for doorways where what they’re securing isn’t critically important to them.

But Grossman says we shouldn’t ask whether smart locks are “fundamentally insecure” but whether they are “secure enough for a given application.”

Alan Grau, co-founder of security software provider Icon Labs, puts it similarly:

There is no question people are going to use smart locks despite the risks. I think the questions to be asked are not if these solutions should be used, but rather what are the risks? How do these risks compare to traditional locks? What can [lock makers] do to ensure that a reasonable layer of security is built into these devices?

Security reporter Brian Krebs had the harshest words, saying it bothers him that so many people are installing smart locks. To break through a lock, he says, an attacker has always had to be on-site. “With internet-enabled locks, you’ve removed that expensive (and from an attacker’s perspective, risky) cost from the equation.” He still won’t write off the technology entirely. “I am not saying there can’t be remotely-enabled locks that are also secure. But I’d wager on balance that most of those in use today are probably nowhere near as secure as they should be.”

With all these caveats, the consensus seems to be that smart locks trade off a lot of expected security for more convenience. Before you buy a smart lock, research its known security issues, and know that new ones could crop up. But remember that if you use it wrong, any lock is insecure.