Technology is great. I mean look at the Internet and Space Stations and the LHC… and then we have electronic door locks. Don’t get me wrong, I think that electronic door locks are great, I mean inserting a key and turning it is for chumps and why would you do that when you can swipe your RFID card on a reader and *click* get into your house.
In a previous role I spent the majority of my time configuring and working on electronic access control systems, so I’m aware of how much physical and logical security have meshed together. Our security posture was fairly straightforward: we followed a number of principles such as defense in depth, secure defaults and so on. One of the overriding principles we had was that of the air gap. That is, the system that controls those doors does not come in contact with the Internet or any other network that poses significant risk. So it doesn’t fill me with comfort when I read about new products like this:
Schlage LiNK deadbolts operate using keyless entry with four-digit access codes on an 11-digit keypad. The LiNK deadbolts can also be operated using Schlage’s LiNK Web portal, which employs Secure Sockets Layer (SSL) protection.
Schlage LiNK deadbolts leverage Z-Wave, a wireless home automation technology that helps to unify home electronics into a single integrated wireless network using Z-Wave accessory modules — everything from lighting to temperature control, pool systems and more.
Personally I would have some concerns about linking my front door to the Internet or a wireless network, but that’s probably just me and the security/risk hat I wear. What concerns me is that the people doing the sales pitch for these sorts of devices will not be ensuring that the consumer does a risk assessment before using them; the only assessment the consumer has to do is “can I afford it?” or “how cool will I look when I can unlock my door from work for the plumber?”.
Would the consumer be enquiring into the level of diligence the producer had applied to ensuring the security of their locks and their web portal? Probably not. The sales pitch would probably go something like “Yes, of course we are protected over the Internet, we utilise Secure Sockets. Yes, they’re secure; those same sockets are the same ones used by your bank”.
For all the bleeding-edge customers of these locks, they’re fortunate because the probability that someone wanting to get into their house without authorisation knows about the technology is low, so contact with an external threat source is also low. On the other hand, the probability that people with malicious intent will want to break into the web portal is probably quite high, not strictly because they want to break into the house, but because the portal is a juicy target. The impact of that event is potentially much larger, though, because if the portal is vulnerable in a way that lets you enumerate doors, you may be able to unlock a large number of doors. This doesn’t even take into account how easy it is to phish users for their passwords and simply log into the portal as them (unless it utilises some form of two-factor?), in which case you may as well just give them a key.