Smart deadbolts offer a convenient way to get into your home or even allow someone temporary access. Unfortunately, you’re dependent on the deadbolt’s manufacturer to implement proper hardware and software security. This week, six vulnerabilities were found in the Hickory Smart Bluetooth Deadbolt during an assessment by Rapid7, an IoT Security Testing Service. Three of these vulnerabilities could be used to remotely unlock your door.
The biggest risks reside within the Hickory Smart mobile app on both Android and iOS. Both apps store critical data in an unencrypted format within a database on the phone. This data can be accessed by any malicious actor with access to the device.
Additionally, the Android app allows for the creation of a debug log. Developers should disable such features once an app is released to the public. Even temporary users granted access could use this log data to unlock the deadbolt in the future.
Previous Smart Lock Flaws
Hickory is just the most recent smart lock manufacturer found to have flaws. In June, researchers reported they hacked smart door locks from U-tech. The vulnerability allowed them to unlock the door easily. To make matters worse, the hack also provided enough data to tell the researchers exactly where the lock was physically located. On top of that, the same researchers said they were able to pick the lock manually with a simple thin pick.
Last year, researchers hacked into Tapplock’s “unbreakable” smart padlock in less than an hour. The vulnerability allowed them to open any Tapplock padlock in less than 2 seconds with just a smartphone. Tapplock’s product description may need to be modified.
In each of these cases, the manufacturers were notified 60 days before the results were publicized. The hope is that the manufacturer would use that time to upgrade security and patch any vulnerabilities.
Tapplock responded rather quickly and patched their security before the vulnerability went public. After patching, they notified customers of the need to install those security upgrades.
U-tech also responded quickly when they were notified. They reportedly fixed some of their issues this week. Unfortunately, the U-tech lock still seems susceptible to brute force attacks. Sadly, they haven’t warned their customers regarding the risks.
Lastly, Hickory remains silent across all fronts. No mobile app updates have been released. They haven’t commented at this time. No customers have been notified.
What Should You Do?
If you’re thinking about installing a smart lock, don’t just run out and buy the first one you see. Research the manufacturer. See if there are any reports of their locks being hacked. If you already own a smart lock (or any smart device), then be sure to check for security updates often. IoT devices offer a lot of conveniences, but they inherently pose a risk if improperly secured. Those devices need security updates from time to time just like your computer does. As an alternative to smart locks, physical keys do still work.