{"id":15255,"date":"2019-05-06T06:30:07","date_gmt":"2019-05-06T14:30:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/05\/06\/news-9004\/"},"modified":"2019-05-06T06:30:07","modified_gmt":"2019-05-06T14:30:07","slug":"news-9004","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/05\/06\/news-9004\/","title":{"rendered":"Why buying a &#8220;smart&#8221; padlock is a bad idea"},"content":{"rendered":"<p><strong>Credit to Author: Alex Drozhzhin| Date: Mon, 06 May 2019 12:44:53 +0000<\/strong><\/p>\n<p>Recently I&#8217;ve been binge-watching the <a target=\"_blank\" href=\"https:\/\/www.youtube.com\/channel\/UCm9K6rby98W8JigLoZOh6FQ\/\" rel=\"noopener noreferrer\">LockPickingLawyer<\/a> channel on YouTube. There&#8217;s a whole lot to learn from these videos, especially if you were never into the lock-picking business. But one particular thing made a big impression: how badly &#8220;smart&#8221; padlocks perform when it comes to physical security.<\/p>\n<p>Disclaimer: I think it would be excessive to use ironic quotation marks throughout this text, so I&#8217;m not gonna do it. Just keep in mind that every time I use the word <em>smart<\/em>, I&#8217;m using mental air quotes \u2014 &#8220;smart.&#8221; And for that matter, <em>lock<\/em> might as well be &#8220;lock.&#8221;<\/p>\n<p> <a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2019\/05\/06084013\/why-smart-padlocks-suck-featured.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2019\/05\/06084013\/why-smart-padlocks-suck-featured.jpg\" alt=\"\" width=\"1460\" height=\"960\" class=\"aligncenter size-full wp-image-26879\" \/><\/a> <\/p>\n<p>Let&#8217;s start with the eGeeTouch smart luggage lock, which is supposed to be unlocked with either a smartphone app or an NFC (near-field communication) tag. 
Never mind that a TSA master key that <a target=\"_blank\" href=\"https:\/\/www.businessinsider.com\/3d-printing-plans-of-tsa-master-keys-released-online-2015-9?r=UK&amp;IR=T\" rel=\"noopener noreferrer\">anyone can print on a 3D printer<\/a> can open every baggage lock, thus rendering all baggage locks useless. This little padlock makes it even worse. It is so badly designed that it can be fully disassembled and easily opened with nothing more than a pocket knife \u2014 even a plastic card might do.<\/p>\n<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe  src='https:\/\/www.youtube.com\/embed\/q5hkOPKd9bw?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/span><\/p>\n<p>The same goes for this Pavlit fingerprint padlock. Remove the plastic front panel with either a screwdriver or a pocket knife and you will see the switch that unlocks the shackle. By the way, this padlock has one more critical vulnerability \u2014 it is susceptible to shimming.<\/p>\n<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe  src='https:\/\/www.youtube.com\/embed\/uVvEkcN5tW8?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/span><\/p>\n<p>Another example: the TurboLock TL-400KBL bicycle smart lock. This padlock is designed to be opened either by a smartphone app connected by Bluetooth, or by entering a PIN with a keypad. Even if you&#8217;re no physical security expert, you can spot this padlock&#8217;s weakness: It&#8217;s made of plastic and presumably isn&#8217;t hard to break or even burn. But such destructive actions won&#8217;t be necessary in this case, because the padlock can be conveniently disassembled with a screwdriver. 
It&#8217;s as easy as taking apart a plastic toy.<\/p>\n<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe  src='https:\/\/www.youtube.com\/embed\/mGpMaShltbc?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/span><\/p>\n<p>Let&#8217;s take a look at the Uervoton fingerprint padlock. It has a metal body that looks pretty solid. No way can it be opened with a pocket knife or a screwdriver, right? Unfortunately, the design is terrible: a bunch of screws on the lock&#8217;s surface are easy to unscrew. After that, the lock literally falls apart.<\/p>\n<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe  src='https:\/\/www.youtube.com\/embed\/7Uje4pxfSlI?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/span><\/p>\n<p>Finally, we have the BoxLock, probably the most reasonable example of a smart lock. This padlock works with barcodes. You can program it to be opened with a barcode printed on a delivery package. At first glance, this padlock looks quite beefy, but it&#8217;s not nearly as tough as it seems. It can be disassembled with a screwdriver even while locked.<\/p>\n<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe  src='https:\/\/www.youtube.com\/embed\/qTY3ePV4RY4?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/span><\/p>\n<p>There are many other reviews of smart locks on the LockPickingLawyer channel. 
But almost all of them have the very same issue: they are designed as consumer electronic devices, and that design makes them vulnerable to the easiest of physical attacks.<\/p>\n<p>Conventional locks have a completely different design. First of all, their bodies are always made from one solid piece of metal. Second, the screws are usually hidden and there&#8217;s always at least one screw that can be accessed only when the shackle is unlocked. Third, to be resistant to shackle shimming, good padlocks employ ball bearings in the unlocking mechanism. There&#8217;s a lot more, of course, but those are the basics, and even inexpensive padlocks follow the rules. This Yale padlock is a good example:<\/p>\n<p><span class='embed-youtube' style='text-align:center; display: block;'><iframe  src='https:\/\/www.youtube.com\/embed\/vaF4T-1mbgc?version=3&#038;rel=1&#038;fs=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;start=129&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/span><\/p>\n<p>Unfortunately, smart lock manufacturers seem to be unaware of these design features and leave their customers vulnerable to the easiest attacks. So think twice before buying a smart padlock \u2014 it&#8217;s very likely you will be paying much more and getting much less security in return. 
And you probably do want your lock to be secure; why else would you be buying one?<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/why-smart-padlocks-suck\/26880\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Alex Drozhzhin| Date: Mon, 06 May 2019 12:44:53 +0000<\/strong><\/p>\n<p>It seems the only reason to buy a \u201csmart\u201d padlock is to make lock-pickers happy.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[6269,10495,13367,10411,10438],"class_list":["post-15255","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-internet-of-things","tag-iot","tag-locks","tag-smart-devices","tag-threats"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15255"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15255\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15255"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/t
ags?post=15255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}