I’ve seen a lot of buzz over the last few months about electronic locks for your home. They offer a lot of interesting features that, I’ll admit, look pretty tempting. Granting a temporary key with an expiration date? That’s cool. Unlock with a phone? Awesome. Remote monitoring? Nice. But I simply will not trust them. You shouldn’t either.
As much as we like to think that everyone who can compromise a computer is some kind of genius “hacker”, the reality is much more depressing. A few guys have the skills to break those systems from scratch in very little time. More often than not, they release those compromises in the form of an easy-to-use tool that anyone can grab. Most “hackers” are really just script kiddies with the will to use these tools nefariously.
Traditional mechanical locks require someone with the skills and knowledge to pick locks. It also requires some time investment, be it 30 seconds or 30 minutes. This greatly decreases the odds of someone successfully compromising the lock and getting access to somewhere they shouldn’t be. An electronic lock, however, is only secure until someone figures out how to compromise it and publishes the details on how to do so. Once that’s out of the bag, any unskilled someone with a cell phone can pop open any lock they want so as if they’re an authorized user. The skill barrier to compromising the lock has been eliminated.
I’d like to say this is news, but it’s not. Contactless cards like HID have been clonable for many years using $10 in parts from Radio Shack, plans from the Internet, and an 8th grade education. This system is used to secure most corporate buildings. Even if it’s secured with a PIN, obtaining it from a public keypad is trivial at best. Again, the problem is that it takes one person with real skill to build a tool that enables any unskilled person to compromise the system.
Can electronic locks be made to be secure? Sure, it’s possible, but nobody wants to give up the convenience. We like remote management. We like distributing keys across the Internet. We lap up the marketing from lock makers that their solution is somehow unique in the technology rather than the implementation and/or service. Even if we do everything right, it takes one guy exploiting one flaw releasing an easy-to-use tool to break the entire thing. Even if the flaw gets patched, it means the locks have to get patched too. You either need to be a sysadmin OR depend on the lock provider to continue providing updates. History seems to indicate that providers will stop providing updates to electronic devices after a few years, but you’re likely to keep a lock around for decades.
Despite offering numerous convenient upsides, the downside is a drastic reduction in the core purpose of the lock: keeping unauthorized people out. I’m not willing to make that trade, and I’d imagine that neither are you.