Can Smart Locks Be Hacked? And How to Prevent It

  AUTHOR: Carlos Paras
 UPDATED: January 15, 2024

Smart locks are one of the most important devices you can buy for your home automation and security system. There are many benefits to having a smart lock on your front door, such as: preventing intruders from entering, protecting your valuables from being stolen, and keeping your loved ones free from harm.

But are smart locks really safe? Can smart locks be hacked? These are two very important questions to consider before purchasing a smart lock.

In this article, we’ll cover the different types of smart locks and how they work. I’ll explain the different ways smart locks can be hacked and how you can prevent it from happening. And at the end of the article, I’ll list some tips and advice to help you choose a safe smart lock.

Smart Home Deals @ Amazon

How Smart Locks Work

In addition to safety features, smart locks can add a lot of convenience to your life. Smart locks can be controlled through Bluetooth (from short distances), or if connected to a wireless network, they can be remotely controlled from an app on a smartphone or computer from several miles away.

A smart lock can allow for hands-free access to lock or unlock your door. You can even let visitors in without having to get off the couch.

Through the app, the smart lock can send notifications of when it is locked or unlocked and it can also keep a log of those events.

Some smart locks have a geofencing feature which allows you to set up a perimeter around your house. Functions can be set to occur when your phone is detected entering or leaving that perimeter.

Smart locks can also be connected to a smart speaker like the Amazon Echo Dot (link to Amazon) or the No products found. (link to Amazon). Controlling the smart lock through a voice assistant gives the ability to control the lock with simple voice commands.

Related Article: What Is a Smart Door Lock? Access Control for Security Systems

Types of Smart Locks

If you’re in the market for a smart lock, it’s important to know that there are a variety of types available. While traditional locks use a simple key and tumbler design, smart locks use sophisticated technology to operate and keep your home safe.

The type of smart lock you choose depends upon which features you need for your particular application. Let’s briefly go over the types of smart locks and how each of them work.

Keypad or Combination Locks

Keypad locks, like the Nest x Yale Lock with Nest Connect (link to Amazon), allow you to program a code or combination to use when unlocking your door. If you enter the right combination, an electrical current will be generated to retract the lock bolt and unlock the door.

Most combination and keypad locks use a combination of numbers or letters for the key code. The safest keypad locks will only allow a few attempts to enter the correct code before it will temporarily block any more attempts to unlock the door.

Fob Enabled Locks

If you are not familiar with the terminology, a fob is a small device that has been programmed to give you access into a building or space. The most popular example of a fob is one that is used to disarm a car alarm or unlock a car door.

A fob can be easier and more convenient to use than a key to unlock a door.

The technology behind a fob enabled lock is Radio Frequency Identification (RFID). What is RFID? RFID is a system that uses electromagnetic fields to identify and track data stored on tags. This information is transferred using radio waves.

In the case of smart door locks, RFID is used to authenticate or validate that a person has permission to unlock a door.

Fob enabled smart door locks require a reader which is built into the lock. The key fob has a unique code programmed onto a small circuit or microchip.

This microchip transmits the code on a particular radio frequency which can be easily identified by the reader. If the reader identifies that the code is valid, it will then unlock the door.

The No products found. (link to Amazon) has a "double authentication" mode which requires both an RFID tag and a combination code to unlock.

Fingerprint and Biometric Locks

Biometric locks utilize the unique features of the person trying to gain access to determine whether or not to grant permission to enter. These features can include fingerprints, the retina or iris of the eye, the shape of the face, the voice, and even the DNA or the odor of an individual.

For residential biometric locks, the most common method of authentication is a fingerprint. The smart door lock will grant access to certain people by recognizing their unique fingerprints.

A fingerprint lock, like the Ultraloq U-Bolt Pro (link to Amazon) uses a scanner to take an image of a fingerprint. It converts the image into numerical data and then saves that information. When someone tries to gain access to a door, the lock will scan their fingerprint, convert it into data, and check it against stored data.

If there is a match, the lock will unlock. If there is no match, access is denied. Many fingerprint door locks also use a second form of authentication, usually a keypad code.

How Smart Locks Can Get Hacked

When installed and used correctly, smart door locks can be just as safe as conventional door locks. And with authentication features like a combination key code or fingerprint and facial recognition, they may be safer than traditional key and tumbler locks.

But if smart locks are not manufactured or programmed appropriately, they can have vulnerabilities.

In 2016, a security researcher named Anthony Rose tested 16 Bluetooth enabled smart locks and found that 12 of them had either “no security or poorly enabled security". Rose presented his findings at DEF CON 24.

The tools Rose used to hack the smart locks are affordable and easy to purchase: a Bluetooth sniffer, like the Ubertooth One (link to Amazon); a Bluetooth USB dongle, like the No products found. (link to Amazon); a Raspberry Pi (link to Amazon); and a high-gain antenna, like the No products found. (link to Amazon).

Now, let’s take a look at the ways Rose was able to break into the smart locks.

Plain Text Passwords

Out of the 12 smart locks that Rose was able to hack, four were sending plain text passwords. This makes it very easy for someone with a Bluetooth sniffer to grab a user’s password and gain access to their house and belongings.

Rose was even able to change the admin password on one of the smart locks which would effectively lock the owner out of their own system.

Replay Attacks

Four other smart locks that Rose tested were susceptible to replay attacks. A replay attack is a hacking method where a valid data transmission is intercepted from a network and then delayed or resent to the network by a hacker.

Since the data being resent is correctly encrypted, the network recognizes it as a valid command. It then carries out the action, either duplicating a transaction to benefit the hacker or allowing network access to the hacker.

In the case of smart locks, encrypted passwords can be captured then resent by a hacker to gain control of the smart lock and access whatever the user was trying to protect.

Decompiling APK’s

.APK files are used to install and run application software on Android operating systems. Hackers will sometimes look into an application’s source code to see if there are any useful clues to help them gain access to a system.

The process involves decompiling the .APK file into Java code so that it is easy to read. From there, the code can be edited and recompiled, or information can be gathered to use in another hacking method.

Rose used a program called Bytecode Viewer to view the code in a readable format. He found that one of the locks he tested had its password hard coded in the smart lock’s app code.

Fuzzing

Fuzzing is the act of repeatedly sending random data permutations to a program to reveal possible vulnerabilities or flaws. Fuzzing is most often used for debugging and testing purposes, but it can also be used nefariously by hackers.

Rose was able to hack one of the smart locks he tested by changing the bytes in its encryption key and continuously sending these malformed packets to the lock. This eventually caused the lock to enter an error state and unlock.

Rose contacted the manufacturer of the smart lock to inform them of this vulnerability. After they were told of the issue, the company quickly took down their website. However, their smart locks are still being sold on Amazon today (link to Amazon).

Device Spoofing

Rose was able to hack another smart lock using a technique called device spoofing. This is a process where a hacker impersonates a device on a network to gain access.

Rose used a Raspberry Pi (link to Amazon) to impersonate the smart lock and tricked its cloud server to send him its password. Rose then sent the password to the smart lock and opened it.

How to Protect Your Smart Lock from Being Hacked

The four locks that Rose couldn’t hack had a few things in common like: true AES encryption, 16-20-character passwords, and 2-factor authentication.

So, while some smart locks can be hacked, there are things you can do and things you can look for when shopping for a smart lock that can help lessen the chance of being hacked.

Here is a list of tips and advice for choosing the safest smart lock for your home.

Buy Smart Locks from Reputable Companies

There are many people (myself included), who are always looking for the best bargains and deals on anything they buy. But when it comes to the security of your home, you should never skimp on the quality of products that you install.

After all, there is something to the saying: “You get what you pay for.”

Schlage, Kwikset, Nest, and Yale are some of the more well-known, trusted brands in smart locks today.

Some lesser known and smaller manufacturers may not include adequate security protocols in their products or will try to build their own protocols in order to skimp on costs.

This practice can lower the price of their products to consumers, but compromises the ability to prevent the threat of hackers.

Make Sure the Smart Lock Uses Proper AES Encryption

Smart locks should, at minimum, use 128-bit AES encryption for all of its communication. AES is the standard encryption method used by the U.S. government and has become the standard for most of the private sector worldwide.

Make Sure the Smart Lock Uses 2-Factor Authentication

2-Factor Authentication (2FA) requires two forms of verification in order to gain access to a system. This makes things a lot tougher for hackers.

Examples of 2FA include using a pin code in addition to a voice command or making sure a user has a password in addition to a security fob before granting permission to enter.

Make Sure the Smart Lock Allows the Use of Longer Passwords

A smart lock should allow the use of long passwords that are at least 16 characters in length. Smart locks that use shorter passwords are more vulnerable to brute force attacks from hackers.

A brute force attack is one of the most popular methods of cracking passwords. With this method, a hacker will try many different variations of passwords in hopes that one of them will eventually work.

Keep Software and Applications Up to Date

Don’t be that person that never updates the apps on their phone. Updates happen for a reason and it’s usually to protect against newly found security threats or to improve the app’s functionality in some way.

Be sure to manually check for updates because some apps and programs don’t update automatically.

Check for the ANSI Grade

The ANSI (American Nation Standards Institute) grade is based on a system developed by the Builders Hardware Manufacturers Association (BHMA). It has more to do with the hardware of the smart lock, rather than the software.

There are specific tests and results that a lock must perform and meet in order to receive a grade. The ANSI grade rates the security, quality, and durability of a lock and is represented by three grade levels.

ANSI Grade 1 – Highest Level of Residential Security – Must endure 1 million opening and closing cycles, Withstand 10 strikes of 75 pounds of force, 1 inch bolt

ANSI Grade 2 – Intermediate Level of Residential Security – Must endure 800,000 opening and closing cycles, Withstand 5 strikes of 75 pounds of force, 5/8 inch bolt

ANSI Grade 3 – Basic Residential Security – Must endure 800,000 opening and closing cycles, Withstand 2 strikes of 75 pounds of force, 5/8 inch bolt

Please see our list of recommended smart door locks below.

Recommended Products

No products found.

No products found.