What door locks teach us about IoT cybersecurity

Would you be surprised to learn that the first mechanical lock and key were invented about the same time as the first message encoding keys? Mechanical security keys, for doors, gates, living spaces, etc. date back over six thousand years to the time of the Pharaohs. Not surprisingly Simon Singh’s great history of encryption technology, The Code Book, also traces encryption keys back as far as the hieroglyphics of Ancient Egypt. But I would argue that only recently, with the advent of the Internet of Things (IoT), have mechanical and cyber security converged for the general public in the form of passwords and fingerprints on smartphones combined with keyed door locks as so called “smart locks.” 

This convergence creates an opportunity for shared learning from two worlds — mechanical and cyber security. Cyber security has fundamentals, as I discussed with Todd Carpenter here previously. One of the most basic is that designers have to be accountable to customer expectations as well as needs, i.e., the security system has to be convenient and easy to use. An unused security system or practice is not secure.  Padlocks have three numbers not seven. Most home security panel access codes use four numeric digits not fifteen and while 32 character, illegible, daily-changed passwords provide more access security, they are not viable in today’s average workforce. 

So I thought, what can IoT and cyber security developers learn from the mechanical lock world and what can the consumer home security community, e.g. locksmiths, learn from the cyber security world? Since consumers are users of both types of systems, what are best practices in terms of security design?

I brought these questions to locksmith and home security expert Ralph Goldman.  Ralph is the lead writer for the Lock Blog. He has more than 20 years of security experience and his knowledge spans lock manipulation, security assessments, lock history, and more recently the integration of IoT technologies like Bluetooth and Wi-Fi into the home security marketplace. 

What’s happening with Smart Locks?

Scott Nelson: Ralph, you have worked with and studied physical locks, safes, and home security for over 20 years. Like everything else in our world, the IoT is coming to the lock and home security world. Is this a good thing?

Ralph Goldman: Scott, I really do think that it has the potential to revolutionize the entire security field. My biggest concern, however, is what the revolution will look like in the end. If future looks anything like the current state of the smart lock industry, I think we should be worried.

As you have said, there is a need to balance convenience with security. Most people are not going to implement and engage a method of protection that takes too long to use. The issue with many of the IoT security products on the market is that they are centered around convenience to the exclusion of security.

People want a security camera to have network security for privacy reasons. But with a smart lock, physical and mechanical security are in fact the biggest concern. Many recent smart lock products only add convenience to unlocking a door. Some smart locks even add hazard to the mechanical security by compromising the lock cylinders.

However, others, like the Haven door lock, give me hope. They use the convenience of wireless to add security measures to your front door that were once impossible. The system sets up on the inside of the door, at the bottom of the frame. When in the unlocked position, the smart lock lays flat against the floor, like an extension of the frame. When locked, a steel plate rises up and secures the door at its strongest point. There is no way to pick this mechanical — almost no way to anticipate its existence. Using a door blocker like this used to only be possible while someone was inside the home. With the IoT aspect in place the barrier can be unlocked remotely from either side of the door. The integration of wireless adds something to mechanical security that I have not seen in the consumer market before.

So there are some companies learning from the mistakes of the past and we see ingenuity and originality entering the market. Though I can’t speak to the quality future products, I am optimistic that the best ideas will win the day with consumers.

New innovations

SN: The Haven lock is exciting because it shows how the new communication technology, i.e. wireless communication, augments the use of a mechanical security feature. However, you have written that “any lock can be picked” and most digital security experts will say “any information system can be hacked.” But break-and-enter criminals have very different skill sets than hackers. Are we safer with so called “smart locks” that use both digital and physical security factors? Are you seeing a change in the skills needed by the criminals to perform a break and enter?

RG: Safe answer is “It depends”, but the short answer is, “No.” As you have said “any system can be hacked” so this will always be a way to open a smart lock. When you have a physical key, the hole you put that key can be picked, bypassed, etc. A smart lock that uses a lock cylinder (the part that accepts your key) and a digital protocol can be opened with either method. A criminal can take their pick on how they wanted to open your door.

Now as long as your smart lock does not have a lock cylinder, it cannot be picked. Smart locks that do away with a physical key altogether, or use one in conjunction with a digital key would be more secure. Then a criminal would need to have both skill sets to open the lock.

SN: That’s interesting. In some cases, the smart locks have actually added threat vectors instead of blocking them. That’s a step backward.

Two-factor security in IT systems is common practice, but often both factors are digital, e.g. password and security question. Biometrics like the finger print scan on my iPhone can combine physical factors with digital. Should this be a new best practice for both home security and IT system security? Does it make a difference in your experience?

RG: Biometrics are a promising option. As long as there is no mechanical key override a lock like this cannot be picked — unless you are Tom Cruise in a Mission Impossible movie. But this brings us to a very important point, which is that most criminals do not pick locks.

Most of the time a criminal is going to look for the simplest way to bypass your security. Say that your iPhone could be accessed by simply smashing it open. If someone can damage a security mechanism such that it fails, it will not matter that they did not have your fingerprint to open it. On a door lock this comes down to the hardware being used. If there is high metal content in the lock, long screws securing the strike plate to your door frame, and some form of shielding around the installed hardware, then the lock is more secure. However, there have been too many examples of locks that add features and are hard to pick, but are quite easy to overwhelm. These issues can be addressed in future iterations, but upgrades to mechanical products are not as easy as software updates.

Making it easy

SN: This is a great point for IoT security designers. Having your data encrypted to a FIPS 140-2 standard for data-in-transit doesn’t really matter if the database in which that data is eventually stored is clear text in the cloud with weak employee access controls. Similarly, perhaps more common today, if the data is streaming in clear text on a simple radio protocol on its way to a multi-factor secured cloud, you also have problems. Brute force is often a simple solution to protections made too simple. 

Let’s go back to the role of the user/consumer. I read your post about the two most popular smart locks. You said that these locks are not really security devices at all but just luxury items — convenience that does nothing to enhance security. What value is a “smart lock” that adds no security?

RG: Unfortunately, the trend is that convenience is the value smart locks offer. I see a disturbing shift in the market right now where people are looking at the things not for what they offer but rather for how those products unburden them from small acts of exertion or offer a bit more peace of mind. They can check to see if they remembered to lock their door, but there are issues with that as well.

One of the biggest issues is that the smart features will often hurt the mechanical security of a good lock. Remote locking can be problematic if there is an issue with how the strike plate is lining up with the bolt. Some of the concerns with security maintenance come down to the door and not the lock itself. If you have ever had to fidget with your thumb-turn or key to get the lock to work, then you understand the problem. With a motorized locking mechanism, that same amount of force or effort cannot be applied. This results in lockouts and even false readings that claim that an unlocked door is locked.

So there is no current product that adds real security value, but I don’t know if that is what consumers want. Reviews for these products show that the value the user sees is the investment in the technology. The idea, or hope perhaps, is that their contribution will lead to future advancements.

Learning from doors and keyboards

SN: User convenience is such a key factor in home security design it appears to be driving these new locks that actually reduce the actual security. What should IoT designers learn from the locksmith regarding adding convenience without compromising system security?

RG: Add security at points where the user is not involved. If the additional hassle were confined to the installation and setup, then there would be no issue with additional user engagement. With door security, for example, using more bolts to extend into the door or having a kit that strengthens the door beyond the lock is a good improvement. A more complicated device does not need to be complicated to use. 

DIY [Do It Yourself] may be convenient, but when it comes to home security, these systems are not more secure. Much in the same way that most people call an electrician to install household chargers for their electric cars, there is still a precedent for a professional locksmith for proper mechanical security system installation. I could imagine having accreditations and partnerships for the new “smart lock” security systems of the IoT.

I would point them towards ingenuity, and not doing what everyone else is doing. Mechanical security is not as one dimensional as most people think. If you approach product development from a direction that has not been addressed, you will create something unique.

SN: If you were to team up with a digital security expert, how would you combine your skills to make a more secure access control for either mechanical or IT systems?

RG: I would want to use our combined skills to do something practical. The general trend in the IoT world is a lot of promises and very little follow through. With two experts I would hope that we could think of a way to make an innovation, but I would want to keep my feet on the ground.

What knowledge of physical security brings to the table is how to keep the product safe from people that want to touch it or take it. “Touch” meaning having enough access to upload something, download something, or just break the device. And “take it” obviously meaning theft.

What I would want my digital partner to do is layer that security. They would have to prevent remote access so that the only way to interfere with the access control would be to overcome the physical security. For something more commercial, this security product could be like the Haven. Creating a barrier on the door on the secure side. For added protection there should be a battery port on the outside that could be used to give the lock power during an outage — accidental or intentional.

From there I would want a second level of encryption and protection in case the physical security was overwhelmed. This would have to fall into the purview of the digital security expert. If the interior of the device is accessed, it should not be simple to override the electronics and hack the device on-site. Of course we still have to have the convenience so that the only person struggling to use the security is an unauthorized user.

At the end of the day, if there is a way to open it, then it can be opened by unauthorized parties. In my world security is really about building enough protections so that the people who shouldn’t get in, don’t.

Simple steps for complex problems

SN: Ralph, this has been a great dialogue. I am amazed at how similar the practices of mechanical and digital security can be and excited about how they can work together to make stronger deterrents to unwanted access. I have three takeaways for security design based on our discussion of the convergence of mechanical and cyber security in the IoT. 

1. Find and strengthen the weakest link – Brute force techniques, whether physical or digital, will look for the easy weak link. A flimsy door lock controlled by a FIPS-140-2 standard, dual factor smartphone app is just more expensive, not more secure. Designers must keep a full systems perspective and get help from experts in both assessing and strengthening all parts of the system — particularly in areas that are new additions to either the developer or the user. 
2. Find ways to make new protections possible. Enabling mechanical lockouts from the outside is an example of using technology to make the previously not-possible possible. Biometrics, physical proximity, and real-touch systems are already good solutions to cyber security. The opportunity for developers in both areas today is the convergence of the technology ecosystems and the new ways to work together. As Singh told us in The Code Book, the battle of code makers vs. code breakers is ongoing just as it is with locksmiths vs lock picks.  Combining the disciplines with good security fundamentals has the opportunity to give the protectors the advantage again.
3. Add security at points where the user is not involved. “The best use of technology is the one that is invisible to the user” was a phrase my designer friend Brad Lohrding used to always say. Mechanical installation, data encryption/decryption and digital behavior tracking are good examples of security adds that are invisible to the user. The weakest link in both mechanical and information security systems is eventually the user. Users will make things convenient at the expense of security. Good security design, like good product design, uses the most appropriate technology in ways that users don’t even know.

Locksmiths and code-makers have been fighting their battles against unwanted access mostly in parallel for over six thousand years. The IoT is driving new products that are bringing the two together in the mass market worlds of door locks and smart phones.  Each can learn from the other, but consumers need the two groups to work together to make both the physical and digital worlds more secure.