
Drilling open a smart door lock in 4 seconds

Andrew Tierney 23 Sep 2019

The BBC asked us to have a look at some smart locks for a TV show recently. We didn’t have much prep time, but were genuinely shocked by just how easy this one was to compromise.

Usually, we spend time looking at Bluetooth/RF, the mobile app, the API and then move on to hardware. This time we didn’t need to.

It took us 4 seconds.

Pineworld Smart Door lock

We bought ours from Amazon UK for £140. That’s not some cheap door lock, so we had reasonable expectations of it.

It had some fair physical security defences, including drive-shaft shimming prevention, a clutch to prevent the door handle being forced, and a motor, gearbox and non-magnetic components to protect against strong magnets.

However, like so many smart locks, its casing was made from an aluminium alloy. Why? Because consumers want attractive looking locks, with complex shapes and a range of colours. This is both easy and cheap with aluminium, and less so with steel.

Time for my physical hacking box

I usually bring lockpicks and other useful tools for picking locks, but today’s weapon of choice was a drill.

Opening up the part of the lock that sits on the outside of the door, it quickly becomes obvious that there is a major problem:

The latch that is operated by the backup key is exposed.

So I drilled the side of the lock housing.

I think it took less than 2 seconds to drill the case.

And now I can insert a small screwdriver, move the latch and open the door. How do you know where to drill it? The lock has the manufacturer’s logo on the front face – drill the side of the lock in line with the top of the logo. How helpful!

This is crazy

Here’s a £20 lock that has good physical security. See the raised plate over the mechanism, above the keyhole? That’s hardened steel that will take me a long time to drill through, making a lot of noise in the process. See the bolt? That has rollers in it that help prevent it being cut off.

What’s gone wrong here?

Quite simply, in the rush to make stuff ‘smart’, manufacturers have forgotten about physical security. Or they simply don’t have expertise in physical security at all.

Other vulnerabilities

Whilst we were at it, we noticed some fairly significant failings in the smart components of the lock too:

  • The lock uses a hardcoded, static MQTT key to authenticate to the API. We confirmed this by factory resetting the lock and comparing the keys before and after.
  • It was vulnerable to Wi-Fi de-auth / evil twin attacks. So one could deauth the lock, spoof the AP, intercept traffic and open it, in certain circumstances.
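
One way to run the before/after comparison described in the first bullet, as an added example (not Pen Test Partners' tooling): it parses MQTT 3.1/3.1.1 CONNECT packets and reports whether the credential is unchanged across a factory reset. It assumes the key is carried in the CONNECT password field and that the packet bytes are readable in your test setup; the sample packets and names such as `static_after_reset` are constructed for illustration.

```python
import struct

def _field(buf, pos):
    """Read one 2-byte-length-prefixed MQTT field; return (bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def parse_connect(pkt):
    """Return client id, username, password from an MQTT 3.1/3.1.1 CONNECT."""
    if not pkt or pkt[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    length, shift, pos = 0, 0, 1
    while True:  # Remaining Length: up to 4 bytes, 7 bits each, MSB = more
        if pos >= len(pkt) or shift > 21:
            raise ValueError("bad remaining length")
        length |= (pkt[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
        if not pkt[pos - 1] & 0x80:
            break
    body = pkt[pos:pos + length]
    _, p = _field(body, 0)  # protocol name ("MQTT" or "MQIsdp")
    if len(body) != length or p + 4 > length or body[p] not in (3, 4):
        raise ValueError("truncated or unsupported CONNECT")
    flags, p = body[p + 1], p + 4  # skip level, flags, 2-byte keep-alive
    out = {}
    out["client_id"], p = _field(body, p)
    if flags & 0x04:  # will topic and message sit before the credentials
        p = _field(body, _field(body, p)[1])[1]
    for name, bit in (("username", 0x80), ("password", 0x40)):
        out[name], p = _field(body, p) if flags & bit else (None, p)
    return out

def static_after_reset(before, after):
    """True if the CONNECT password (assumed to carry the key) survives a reset."""
    a, b = parse_connect(before)["password"], parse_connect(after)["password"]
    return bool(a) and a == b

# Constructed sample packets (MQTT 3.1.1), not captures from the lock on this page.
def make_connect(client_id, user, pwd):
    f = lambda b: struct.pack(">H", len(b)) + b
    body = f(b"MQTT") + bytes([4, 0xC2, 0, 60]) + f(client_id) + f(user) + f(pwd)
    return bytes([0x10, len(body)]) + body  # samples stay under 128 bytes

BEFORE = make_connect(b"lock-01", b"device", b"EXAMPLE-KEY-0001")
AFTER_SAME = make_connect(b"lock-01b", b"device", b"EXAMPLE-KEY-0001")
AFTER_ROTATED = make_connect(b"lock-01b", b"device", b"EXAMPLE-KEY-0002")
```

A device that provisions per-device credentials should give `False` here, and should also give `False` when the two packets come from two different units of the same model.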

What makes smart door locks so hard to get right?

It is not difficult to do physical security products – the market is mature and the attacks are well known. Case-hardened materials and minimising attack surface by shielding the shackle have been known about for years.

There needs to be a user interface exposed on the outside of the door, rather than simply a handle and key. This means that the smart door lock can be identified from the outside: thieves can target homes with known bad locks.

There will need to be electronic components exposed externally, such as a PIN pad or fingerprint reader. This means that electronics will be available.

For ease of manufacture, cases will usually be light alloys. These are also easy to melt, if setting fire to stuff is your thing!