Smart lock, paranoid look

Hi GT. I would like to offer the community my view on smart locks, the view of a security researcher and a paranoiac. This article started out as an attempt to write a detailed comment in response to the article Smart Dooris Lock. In the end the comment drifted too far from the article itself, so I decided to finish it and post it on its own.



I am not a conservative when it comes to progress. I think IoT is very promising, I am waiting for driverless cars, I believe in wearable electronics, and the only thing keeping me from implanting an NFC tag is the lack of really interesting extra features I would get from it. So I am pleased when things earn the adjective "smart". But it is not only the device that should be smart; its developer should be too (and, preferably, the user as well).



After this short introduction I will state the main thesis right away: a smart lock should not be able to open the apartment. Full stop. Moreover, it should be fundamentally, mechanically unable to, not merely prohibited from doing so in software.



Argument 1. I do not trust the developer



I have nothing against Alexander personally, but can he guarantee that there is no backdoor for opening the lock? It could be a software backdoor that listens for a special "magic" packet, or a hardware one, for example on the reed switches. Worst of all, it could be a plain, real-world bug. The author himself mentions:
“Also, Dooris may mistakenly lock the door while it is open, if you swing the door in a certain way while tapping on it.”


From the lock's point of view, as I understand it, the direction of rotation is not particularly important, so the sentence above can potentially also be read as "... mistakenly open the door while it is closed ...". To convince us that there are no backdoors in the code, the author suggests publishing the source. Forgive me if I am behind the times, but back when I was a programmer, verifying that a binary actually corresponds to a given source tree was an extremely hard problem. (Reproducible builds narrow that gap, but only if the exact toolchain and build flags are published along with the source and the image flashed on the device can be read back and compared.) And that is before even getting the binary out of the lock. Is this the only firmware? Is there only one controller inside the lock? Does it have a bootloader? Can it be reflashed over the air?



Argument 2. The developer can make mistakes



And not necessarily the developer of the electronic lock. This argument is really a variation of the previous one. The people who write wireless drivers are also human, and Ping of Death, although it was a long time ago, is not fiction. I would not want the door to open just because someone walked past with a smartphone whose Bluetooth name starts with a digit.



Argument 3. I do not trust control over the Internet



If the lock can be controlled over the Internet, the attack surface grows many times over. And where is that server? If the developers run a centralized server, then they can open my lock, with 99% probability. If the server is hosted at the customer's end, then the first two arguments apply to that server instead.



So what should it do?



If you criticize, propose. Given that the lock must not open the door, what can it do? For me personally, a frequent problem with a lock is that I cannot remember whether I locked it. So the first thing I see in a smart lock is monitoring of its locked state over the Internet: at any moment I could look at a dedicated site and see that everything is fine, the door is locked, and if it is not, I would notice quickly.



But this is not so simple: as a paranoiac, I do not want anyone else to find out whether my door is open or not. Cryptography FTW. The bit commitment family of protocols seems perfect for this. Schemes of this family let you confirm some data without disclosing it directly.
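As an added example (not code from the original article or from the Dooris project), here is what a keyed commitment in that spirit could look like on the lock and on the owner's phone. The shared key, the nonce layout and the ten-minute freshness window are my assumptions. It makes two points the paragraph does not: a commitment to a single bit is worthless without a secret, because the server could simply hash both candidate values and compare, and an old "locked" report replayed by the server must be rejected as stale.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

OPEN, LOCKED = 0, 1
MAX_REPORT_AGE = 600   # seconds; assumption: anything older counts as stale

# Constructed for the example. In practice this is provisioned once, at
# installation, into the lock and the owner's app; the server never sees it.
SHARED_KEY = os.urandom(32)


def commit(key: bytes, nonce: bytes, state: int) -> bytes:
    """Keyed commitment to one bit: HMAC-SHA256 over nonce || state.

    Without a secret, a commitment to a single bit hides nothing: the
    server could hash both candidate values and see which one matches.
    The key is what keeps the state from the server; the nonce makes
    every report distinct, so equal states do not produce equal records.
    """
    if state not in (OPEN, LOCKED):
        raise ValueError("state must be OPEN or LOCKED")
    return hmac.new(key, nonce + bytes([state]), hashlib.sha256).digest()


def lock_report(key: bytes, state: int, now: Optional[int] = None) -> dict:
    """Lock side: build the record that gets uploaded to the server.
    The nonce carries a timestamp so the owner can spot replayed reports."""
    ts = int(time.time()) if now is None else now
    nonce = ts.to_bytes(8, "big") + os.urandom(8)
    return {"nonce": nonce, "commitment": commit(key, nonce, state)}


def owner_reads(key: bytes, report: dict, now: Optional[int] = None) -> Optional[int]:
    """Owner side: open the commitment by trying both candidate bits.

    Returns OPEN or LOCKED. Returns None if the report is stale (for
    example an old 'locked' report replayed by the server) or does not
    verify under the key (forged or tampered).
    """
    ts = int.from_bytes(report["nonce"][:8], "big")
    current = int(time.time()) if now is None else now
    if current - ts > MAX_REPORT_AGE:
        return None
    for state in (OPEN, LOCKED):
        expected = commit(key, report["nonce"], state)
        if hmac.compare_digest(expected, report["commitment"]):
            return state
    return None


if __name__ == "__main__":
    # The server stores only (nonce, commitment); without SHARED_KEY both
    # states are equally consistent with what it holds.
    report = lock_report(SHARED_KEY, LOCKED)
    print("owner sees:", owner_reads(SHARED_KEY, report))          # 1 (LOCKED)
    print("stranger sees:", owner_reads(os.urandom(32), report))   # None
```

The server's view is the pair (nonce, commitment) and nothing else; an attacker who obtains the server's database learns only when reports arrived. Revealing the key to a third party would open every past report at once, so a real deployment would derive a per-report key from the shared secret and the nonce rather than use the master key directly.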



Additionally, I would mention one more function: the ability to lock the door remotely. A fairly controversial feature. Realistically its only use is this: you left in the morning and did not lock the door, saw that on the site or in the app, and locked it. But having this feature brings a pile of problems with it.



Someone can lock the door on you (all three arguments above apply). You stepped out to take out the garbage and now you are standing outside in your slippers. The more reliable the protection, the less convenient it is to use. I see it something like this: on the lock you set a code combination, as on a combination lock. Only sending that combination locks the door, and after locking, the combination is reset.
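As an added example (not the Dooris firmware and not from the original article), a controller sketch of that one-time code scheme. It goes a little beyond the text: the code is kept as a salted, stretched hash rather than in the clear, compared in constant time, and wiped after a run of wrong guesses as well as after a successful use, so neither a database leak nor online guessing turns the feature into a way to lock you out at will. The class and method names, the six-digit minimum and the guess limit are my assumptions; the one-way mechanical restriction discussed next is out of scope for code.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_FAILURES = 5        # assumption: wrong guesses allowed before the code is wiped
MIN_CODE_DIGITS = 6     # assumption


class LockController:
    """Network-facing side of the lock. There is deliberately no
    'unlock' method: the only motor action is 'lock', and even that
    works only while a one-time code is armed."""

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._code_hash: Optional[bytes] = None
        self._failures = 0
        self.motor_log: list = []   # constructed stand-in for the motor driver

    @staticmethod
    def _derive(code: str, salt: bytes) -> bytes:
        # A short numeric code is brute-forceable offline if the stored
        # hash leaks, so stretch it with a slow KDF instead of a bare hash.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def is_armed(self) -> bool:
        return self._code_hash is not None

    def arm(self, code: str) -> None:
        """Set the one-time code. Called only from the lock's own keypad
        during configuration, never over the network."""
        if not (code.isdigit() and len(code) >= MIN_CODE_DIGITS):
            raise ValueError(f"code must be at least {MIN_CODE_DIGITS} digits")
        self._salt = os.urandom(16)
        self._code_hash = self._derive(code, self._salt)
        self._failures = 0

    def _disarm(self) -> None:
        self._salt = None
        self._code_hash = None
        self._failures = 0

    def remote_lock(self, code: str) -> bool:
        """Handle a 'lock' command received over the network.
        Returns True only if the door was actually locked."""
        if not self.is_armed():
            return False                 # nothing armed: remote locking is impossible
        candidate = self._derive(code, self._salt)
        if not hmac.compare_digest(candidate, self._code_hash):
            self._failures += 1
            if self._failures >= MAX_FAILURES:
                self._disarm()           # guessing wipes the code; re-arm at the door
            return False
        self.motor_log.append("lock")    # the only action the motor driver offers
        self._disarm()                   # single use: a replay of the command fails
        return True


if __name__ == "__main__":
    lock = LockController()
    lock.arm("482913")                   # constructed: set on the keypad before leaving
    print(lock.remote_lock("000000"))    # False: wrong code
    print(lock.remote_lock("482913"))    # True: door locked, code consumed
    print(lock.remote_lock("482913"))    # False: replay of the same command
```

Note what this buys and what it does not: with the code disarmed by default, the slipper scenario requires that you armed it yourself before stepping out, and whoever captures the command on the wire gets a single use that you have already spent.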



Besides, a small motor generally does not care which way it turns, and it is not always counterclockwise rotation that locks the door. So in software terms, if the door can be locked, it can potentially be opened as well. The solution here is as follows: during configuration, the user physically blocks rotation in one direction (like a ratchet screwdriver). But then such a lock will be hard to open with a key.



Overall, a rather controversial function which, although it can help out, is hard to implement properly.



In this article I have tried to lay out my vision of a smart lock, and I invite anyone interested to discuss it in the comments.


