IoT manufacturer caught fixing security holes

In a shocking development, smart lock manufacturer August has been caught promptly patching security holes discovered in its product. At this year's DEF CON, security researcher Anthony Rose gave a presentation where he outlined how a whole range of "smart locks" were hackable. "Smart locks appear to be made by dumb people," …

  1. vir

    A Sad State of Affairs

    It's one thing to create a piece of "security" hardware with inherent flaws (either software or hardware). It's an entirely different level of cluelessness or even malicious ignorance to refuse to address these flaws when they are brought to your attention. Good on August for addressing the ones they know about. Does anyone know if they have a bug bounty program?

  2. J. R. Hartley Silver badge

    Insurance

    My house insurance company would love me to install one of these 'smart' locks so they could refuse to pay me out in the event of a break in. The scumbags.

    1. gerdesj Silver badge

      Re: Insurance

      "My house insurance company would love me to install one of these 'smart' locks so they could refuse to pay me out in the event of a break in. The scumbags."

      Sadly, I have to let light into my house - the wife insists on it - apparently plants die without light and anyway the place looks weird in permanent fluorescent lighting. So I now find that the rotters are getting in by smashing the glass. I fitted Pilkington's finest and they break in by bashing down the brickwork now. Bugger.

      I can't imagine anything dafter than fitting one of these things to enhance the security of your home. OK not everyone can fit a portcullis but since I put mine in, I've never been burgled via the front door.

      1. Roland6 Silver badge

        Re: Insurance

        OK not everyone can fit a portcullis but since I put mine in, I've never been burgled via the front door.

        That's what happens when you go for the budget version, should also have fitted the moat and drawbridge...

        1. Darryl

          Re: Insurance

          ...don't forget the arrow loops

  3. Mark 85 Silver badge

    The scumbags.

    I misread that at first and wondered which group were scumbags, the insurance company or the lockmakers.... then realized it was "both". Have an upvote.

  4. veti Silver badge

    Reflexive luddism

    Mutter "smart" grumble locks groan real keys mumble solved problem simmer hiss get off my lawn.

    But seriously: for once, I can actually see a plausible use case for these things, and I quite look forward to the year 2050 when they might actually be fit for purpose.

    1. boltar Silver badge

      Re: Reflexive luddism

      "I can actually see a plausible use case for these things"

      Well don't leave us in suspense - what is it? Because I sure as hell can't see one. The usual use case for IoT is to do something remotely. I can't see any good reason for wanting to unlock your house remotely unless you're really so naive and trusting as to want to allow workmen in unsupervised.

      1. veti Silver badge

        Re: Reflexive luddism

        "Did I remember to lock the door this morning? Let me check."

        "Little Johnny gets out of school at 3:15 every day, home at 4, an hour and a half ahead of either of us. Instead of giving him his own key (which he'll undoubtedly lose, sooner or later), how about he texts us when he's home and we open for him then? You can even check the camera if you're nervous."

        "Hi, it's Jenny, I'm on my way back from Brazil and I need a place to crash in $HOMETOWN. Is it OK if I use your spare room? I'll be arriving about lunchtime, leaving the next morning."

        Yep, I can certainly imagine wanting to control my locks remotely.

    2. RockDoctor

      Re: Reflexive luddism

      They probably do have a use case. But not for "border" security. Within a building, for keeping the cleaner out of the executive drinks cabinet, or allowing fire escape from the clean room, but only allowing regular access and exit via the decontamination chambers. No - that latter has the "glass bolt" to compete against.

  5. Amos1

    I put one in, a Kevo

    I finally sold my 1999 car and ended up with a 2016 model that doesn't even have an ignition key. Just keep that fob thingy in your pocket. I actually got so enamored of it that I hated digging into my pocket just to lock and unlock the house. So I put a Kevo on the door between the house and the garage interior. It's very convenient but there's no way I would put one on an exterior door or, God forbid, hook it to the Internet. Kevo has sent a few firmware updates already. It goes to your phone and you just put your phone near the lock for the ten minutes or so it takes to do the update.

  6. Steve Davies 3 Silver badge

    Household insurance

    Er???? Isn't it a condition of most Home Insurance Policies that you fit a lock approved to one of several BS (British Standards) otherwise you give the Insurance Company a huge loophole for them to walk through and not pay you a penny in the event you are burgled?

    So, the questions are...

    1) Are any of these locks approved to any British Standard?

    2) If so what BS number is it

    and

    3) Do any UK Insurance companies accept that locks meeting that standard are ok for normal home insurance policies

    Yes, I know that it is early on a Friday and a Holiday weekend looms but isn't this a prime time for people to do DIY on their homes?

    1. Baldy50

      Re: Household insurance

      BS3621 is the most popular standard known to most for locks on doors. To make any lock even sit up to this standard it has to have the ability to be dead locked and the key taken away from both sides so no one can gain access or exit the door without a key.

      BS8621 is a new standard and not so popular to the masses, but has some distinct advantages for the domestic house and commercial applications. It has all the security benefits of the lock above save for the ability to get out without the use of a key. This is ideal where there are fire escapes or places where quick exit is required without the use of a key. Care must be taken when using this standard that windows or letter flaps are not in close proximity to the lock so someone can simply break a window and open the lock from outside.

      BS10621 is another standard that is not even as popular as BS8621. This standard allows for the same specs as above save now the lock from key manipulation from the outside can bypass escape functions of the lock from inside. This is ideal where say you are the last person out of the building and you are locking the building down. If someone breaks in through a window they cannot use the door as a means of escape where you could with BS8621.

      So what do you get for your money with a BS3621 lock?

      The lock should be able to resist attack from drilling the case of the lock for at least 5 minutes. Using standard tools.

      The bolt must also resist attack for 5 minutes by cutting or drilling.

      There must be a mechanism in place to resist manipulation (picking) of the lock (keyway curtain or shroud is what we call this in the trade).

      The bolt must project at least 20mm into a full bodied steel keep when locked.

      There must be at least 1000 differs to the range of locks. This is how many key shapes will differ between locks. If there is a street with 1001 front doors with all the same make and model of lock fitted then somewhere one key will fit two doors.

      Also, key to the security is the impact on the locking bolt and a sideways force of 10kN is required before the lock fails.

      Let's assume the door and frame are built stronger than the lock and that the door is lying flat on two pedestals. You would need at the very least 40 bags of potatoes piled on top of each other before the lock would give way.

      Judging by the design of the electronic catch side of the lock none would be passed by insurance companies.

      1. Ben Bonsall

        Re: Household insurance

        You would need at the very least 40 bags of potatoes piled on top of each other before the lock would give way

        What's that in jubs?

        1. BinkyTheMagicPaperclip Silver badge

          Re: Household insurance

          Go on, it's Friday.

          Average breast size in the UK as of late 2015 : 36DD

          Weight of a 36DD breast as per a wikihow article : 36E (close enough)=1.7lbs per breast=3.4lbs for both, or 5.1lbs if you're Eccentrica Gallumbits or that woman off Total Recall.

          Weight of a bag of potatoes=2.5kg

          3.4lbs in kg=1.54221 (truncated at 5dp)

          40 bags of potatoes=2.5x40=100kg

          100kg/1.54221=64.84

          So, 65 pairs of jubs, assuming an average jub quantity per person of two.

          or 44 gallumbits worth of pressure on the lock.

          1. Andy The Hat Silver badge

            Re: Household insurance

            Brrrring ... NMI enabled ...

            The force is quoted as 10kN which is roughly 1000kg static vertical mass. The average bag of spuds is 25kg (we're talking proper sacks of spuds not your wussy, washed, sanitised and polished, placcy bag encased supermarket variety but proper man spuds ...)

            Thus it's 40 bags (at 25Kg) which makes your jubbliness a factor of ten out. So the lock should resist 650 Jub-pair interactions ... assuming they are placed gently on the door and not jiggled around or bounced up and down ... I'm going for a little rest ...

            The question arises as to whether a single 'Jub' is a valid unit as they are nearly always combined into pairs and are very difficult to separate ... unlike Bulgarian Funbags which are boxed as singles ...

            1. BlartVersenwaldIII

              Re: Household insurance

              Surely this is an invalid comparison, as I suspect if one learnt that a contingent of ladies were resting their mammaries on their front door, the inhabitant would succumb at the very least to curiosity and open the door anyway?

              Thus it might need only a single exposed jub in close proximity to the door in order to breach, and that's typically much more portable than 40 bags of potatoes. Most devices equipped with jubs usually come equipped as standard with independent ambulatory systems according to Wikipedia.

              N.B. Disclaimer etc: I am not a professional cat-burglar nor a potato salesman

      2. Fruit and Nutcase Silver badge

        Re: Household insurance

        @Baldy50

        Thanks for the run down of the standards - very useful.

      3. Sgt_Oddball Silver badge

        Re: Household insurance

        I think my flat has locks that conform to both BS8621 and BS10621 (two different locks, the second only used to double lock the door when we went on holibobs) but I'd seen a locksmith make short work of the lock by prying the faceplate off and using a tool to lever the whole lock in-situ snapping the thing where it was.

        That was an eye-opener... on the other hand.

        That was by a locksmith and the owner of the other flat had lost the keys.

        So my roundabout point is, what happens if you lose your phone? How the hell do you get home then?

      4. Cuddles Silver badge

        Re: Household insurance

        "Judging by the design of the electronic catch side of the lock none would be passed by insurance companies."

        Thanks for the summary copy and paste from Locks Online. I don't know the technical details of most "smart" locks, but there doesn't seem to be any reason they couldn't easily pass the standard. It simply comes down to making sure the bolt and surroundings are big and strong enough, and that's completely independent of whether a lock is smart or not. The existence of specific crap smart locks doesn't say anything useful any more than the existence of crap non-smart locks does.

        The actual issue with smart locks, which none of that quote addresses, is what the definition of a key actually is; i.e. if a lock meets the standard in every other way, does using a phone app to operate it instead of a physical key matter? Given that the standard was originally written in the '60s and last updated in 2007, it's certainly not a question that will be explicitly addressed. So any answer isn't likely to come until the matter is taken to court when insurers start refusing to pay out to people who use them.

      5. Woodnag

        Differs

        "If there is a street with 1001 front doors with all the same make and model of lock fitted then somewhere one key will fit two doors."

        That's the most secure possibility. The other end case is that all 1001 take the same key.

        Since you're in the lock trade, what's happening with those lovely 10 pin Ingersoll SC71 locks now they are owned by Assa Abloy? AFAIK, it's the only really secure lock available to Jill Public. At least in UK.
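The pigeonhole case in the quoted line (1001 doors, 1000 differs) is only the certainty bound; a shared key becomes likely on a much shorter street because of the birthday effect. The following is an added example, not from the article or any commenter, and assumes each lock is keyed uniformly and independently from the differ set (the real distribution a manufacturer ships is not stated on the page):

```python
def p_shared_key(differs: int, doors: int) -> float:
    """Probability that at least two of `doors` locks share a key shape.

    Assumption (not a BS3621 rule): every lock is keyed uniformly and
    independently from a differ set of size `differs`.
    """
    if differs < 1 or doors < 0:
        raise ValueError("differs must be >= 1 and doors >= 0")
    if doors > differs:
        return 1.0  # pigeonhole: more doors than key shapes, a clash is certain
    p_all_distinct = 1.0
    for i in range(doors):
        # the i-th lock must avoid the i key shapes already handed out
        p_all_distinct *= (differs - i) / differs
    return 1.0 - p_all_distinct


def doors_for_shared_key(differs: int, target: float = 0.5) -> int:
    """Smallest street size at which P(some key fits two doors) >= target."""
    doors = 1
    while p_shared_key(differs, doors) < target:
        doors += 1
    return doors


def doors_one_key_opens(differs: int, doors: int) -> float:
    """Expected number of *other* doors on the street that one given key opens."""
    return (doors - 1) / differs


if __name__ == "__main__":
    # constructed comparison of the 1000-differ minimum against larger key spaces
    for differs in (1000, 10_000, 100_000):
        print(f"{differs:>7} differs: "
              f"{doors_for_shared_key(differs):>4} doors for a 50% shared-key chance, "
              f"P(shared) on a 1001-door street = {p_shared_key(differs, 1001):.3f}")
```

With the 1000-differ minimum, a street of about 38 identical locks already has an even chance of containing two doors that open with the same key.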

  7. Medical Cynic

    key taken away from both sides so no one can gain access or exit the door without a key.

    And no one can open the door when the house burns down, either.

    I'd rather be burgled than roasted - though neither would be the ideal outcome. My locks have thumbturns on the inside, so anyone trapped can get out.

  8. VinceH Silver badge

    An IoT company fixing security holes should not be news. That it is speaks volumes - though not to those of us cynical of the subject.

  9. Lion

    Rush to market without due diligence

    "Manufacturer 'caught' fixing security holes" - makes it sound nefarious. Being caught responding properly after a royal screw up is better than being vilified for showing indifference. What they should have been called out on is their failure to fully investigate IoT before introducing it to their product line. Their core business is associated with security so it boggles the mind that they would be so insouciant when implementing IoT into the design.

    The manufacturing sector is being sold a message - it is cheap to bring a product under the IoT umbrella. The emphasis is primarily on ROI. Under IoT they can monitor the how, when, where and why a product is being used and get unbiased real time feedback. They are directed to use product promotions to say that monitoring the product will lead to improvements all for the benefit of the consumer.

    There are some security standards being proposed for IoT and they are coming from many directions. No one standard has been agreed to at this time so we are all left in the lurch. With IoT, consumer awareness is key, however it has been a massive failure to date.
