IoT - where the S really is for Security
I don't recall who or where (apart from being a thread here) this was posted originally, but it's worth repeating.
Hardware biz Lockstate has managed to brick hundreds of internet-connected so-called smart locks on people's front doors with a bad firmware update. The upshot is you can't use the builtin keypad on the devices to unlock the door. Lockstate's smart locks are popular among Airbnb hosts as it allows them to give guests an entry …
Well, it looks like no one can use the lock now, so I guess it's even more secure than a normal keyed lockset?
A physical button to revert the lock to a "safe mode" where remote/bluetooth functionality is disabled, but keypad access is still allowed would seem to be a prudent guard against this type of thing. But switches are expensive; some places have the nerve to charge you as much as $0.50.
> A physical button to revert the lock to a "safe mode" where remote/bluetooth functionality is disabled, but keypad access is still allowed would seem to be a prudent guard against this type of thing. But switches are expensive; some places have the nerve to charge you as much as $0.50.
Where would this button be placed and how would it work?
It can't be on the inside because the problem is the keypad doesn't work and the Airbnb tenant doesn't have a physical key.
It could be on the outside but then anyone can walk up, press the button and the property owner is prevented from gaining remote access.
@2+2=5: It can't be on the inside because the problem is the keypad doesn't work and the Airbnb tenant doesn't have a physical key.
I assume the tenants would call the owner who does have a physical key to get inside. Or even to partially dismantle the lock with a set of physical tools to get to the reset switch.
Have you ever watched a hotel employee opening a room safe left locked by a previous guest?
@ T. F. M. Reader
If the owner has to turn up with the key then the 'reset button' might just as well be taking the batteries out for a couple of minutes. I inferred from the article that a consequence of the bug is that an affected property owner has to be physically present to fix things. The button suggestion from 'vir' doesn't solve this problem.
"an affected property owner has to be physically present to fix things. "
The property owners surely still have the option of doing what absentee landlords in the holiday let business have done for decades, at least until AirBnB and the IoT in general "disrupted" things: pay someone local to the property to look after the property in the absence of the owners.
Anyone see a big problem with that?
It would also allow any entrant to disable the electronic lock for everyone else by giving it a reset. Not so good either.
That said, it's not the kind of lock I'd ever want on my premises - I'm not even sure you can get insurance if your locks are basically controlled by an untrusted 3rd party (the lock supplier who holds the central account). I can see why some may like it but my needs lie a bit higher, to the point where I had to choose between Assa Abloy disc based locks or EVVA Triple K - at which point I found a Youtube video about someone picking the EVVA one. Grr.
if your locks are basically controlled by an untrusted 3rd party (the lock supplier who holds the central account)
"The crashed locks – which connect to your home Wi-Fi for remote control and monitoring as well as firmware updates – are now going to be out of action for at least a week."
Doesn't read as 'a third party controlling the lock', unless pushing (b0rked) firmware updates counts as such too.
I suppose you could have it on the inside; as you said, if you're on the outside and the lock installs a bad update, you're out of luck. If the lock is anything like the August one I used to use (don't shoot!), it updates via a user command on the app, not over WiFi and not automatically. In this scenario, the app could tell you to make sure you're inside before initiating the install. Just a thought; I don't design smart locks so you're safe for the time being.
> Where would this button be placed and how would it work?
It could be incorporated into the key lock mechanism actuated by the use of a 'special key' which is longer and reaches deeper into the lock cylinder to activate the switch. A 'standard key' being shorter, does not trip the switch.
A mistake was made.
Instead of faffing around with the usual "only a small number of customers was affected", the company responsibly owned up to the blunder, contacted the affected users (meaning the company knows who was affected), offered two means of repair/replacement and foots the bill in either case.
That points to a seriously well-organized company that is probably intent on keeping its customers and showing how professional it can be in handling issues.
From where I stand, although I have no use for their product, I do appreciate how they are dealing with the situation and wish that more examples of that behavior were available.
Yep. Compare their behaviour with a company like TalkTalk. Whilst it's a cock-up, and undoubtedly a PITA to the affected customers, the company's response seems professional and pro-active. They responded quickly, reached out to customers proactively, set up a dedicated email address for customers to contact them with and arranged compensation.
The company is also a supporter of Net Neutrality. In all, they seem a good company.
"That points to a seriously well-organized company that is probably intent on keeping its customers and showing how professional it can be in handling issues."
No. If it really cared it wouldn't leave the lock unusable for days or even weeks. It would have paid for a local locksmith to provide a same-day service to replace each customer's lock with some temporary arrangement and then replace it in due course with the official replacement - if the customer still wanted the official replacement.
Owning up to the mistake is not customer service. Even fixing it in the way they have is not customer service. Customer service is ensuring that the inconvenience to the customer is minimised.
> No. If it really cared it wouldn't leave the lock unusable for days or even weeks. It would have paid for a local locksmith to provide a same-day service to replace each customer's lock with some temporary arrangement and then replace it in due course with the official replacement - if the customer still wanted the official replacement.
I doubt a local locksmith would have a unit similar to the ones knackered by the update, and a temporary replacement would therefore likely be just some common conventional lock. The lock is still functioning as a conventional lock anyway, and given that the company is willing to send out a replacement first, you're not gaining anything by having a locksmith putting a temporary lock in. With only a short window where you have your AirBNB guests holding a physical key (the replacement lock will have a different one), I don't see that as a huge problem, and if you, as an AirBNB host, see that differently, then by all means arrange for that yourself.
"a temporary replacement would therefore likely be just some common conventional lock. The lock is still functioning as a conventional lock anyway"
One of the issues cited was giving the physical key to the AirBNB customer. If a conventional lock is fitted once the repaired original is in place the conventional lock can be removed and the physical key for that ceases to be of concern to the owner.
"With only a short window"
That's 5 to 7 working days. Add in up to 4 calendar days to cover weekends, i.e. up to 11 days elapsed time. If you think that's short then you have a point but maybe their customers wouldn't agree with you.
If a conventional lock is fitted once the repaired original is in place the conventional lock can be removed and the physical key for that ceases to be of concern to the owner.
You get a new one sent out to you, with a different key. Once that one is fitted, the keys for the original lock, and any copies thereof, cease to be of concern to the owner.
I haven't used AirBNB myself, but someone who has told me they did receive a physical key (of a type that you'd need an owner certificate for to show a locksmith if you wanted a copy made, so at least a bit of a hurdle regarding copying) that would open the front door and their apartment, with a deposit as collateral. I don't see why that wouldn't work for those two weeks until you received the replacement.
Not watertight, but then neither would an IoT lock.
"If you think that's short then you have a point but maybe their customers wouldn't agree with you."
To me this is vastly simpler and easier than having to go back and forth with the manufacturer getting them to source a locksmith in the location the lock is fitted, then arranging a mutually convenient time for the locksmith to attend. This is going to take time as the locksmith will probably want paying in advance as the job is being done for a third party. After that I have to be at the property for him to arrive to fit a replacement which hopefully doesn't need too many new holes drilling in the door! And then after that another site visit is required to swap out the temporary replacement.
To avoid that degree of hassle I, and I suspect many of their customers, would find an 11 day turn around time quite acceptable and probably much quicker than getting a locksmith involved.
All smart locks are supposed to be about convenience, not security as burglars always search out the weakest point of entry. However, once the front door's deadbolt of any residence is placed on the WWW, it instantly becomes a hacker magnet waiting to happen. Just google "DEF CON 2016" and read just how easy these hackers hacked smart locks and smart homes.
"So why is a locksmith needed as this is exactly what the smart lock became after it was bricked by the bad firmware?"
The whole selling point of this (apart from being a cool IoT cloud thingy) is that the property owners don't want to give out the physical key. Unless a temporary lock is fitted, for which the key can be considered disposable when the original is refitted, then this is just what they have to do. If the repaired lock doesn't also have a change of physical key, their $469 has been wasted.
"That points to a seriously well-organized company that is probably intent on keeping its customers and showing how professional it can be in handling issues."
Commendable though that may be, does it not strike anyone as odd that shipping the affected lock back, getting it reprogrammed then shipping back to the customer will take 5-7 days but shipping a new replacement in advance of returning the failed lock takes over three weeks?
I wonder what happens when the customer ships the faulty lock back for reprogramming? Is there a module they send back, leaving the manual part of the lock in place or do they need to fit a standard lock in the meantime?
"shipping a new replacement in advance of returning the failed lock takes over three weeks?"
How long does it take for a containerload of Chinese tat to be ordered, manufactured, shipped to customer warehouse, clear customs at the destination, be rebranded with brand-specific badges and reconfigured to an end-user-ready state, and be delivered ready to use?
Three weeks sound about right? Maybe a little longer?
getting it reprogrammed then shipping back to the customer will take 5-7 days but shipping a new replacement in advance of returning the failed lock takes over three weeks
Not really - in the first case, they don't have to replace the unit, just reprogramme it. In the second case, they have to manufacture a new unit (because I very much doubt that they have enough in stock to replace all the borked units) and then ship it out.
And (in general) making new stuff takes longer than reprogramming old stuff.
Agreed. It's not hard to have the firmware file(s) identify what models the update is valid for & have the existing firmware not run the update unless the intended model matches the physical model. All IoT crap should do such checks from the get go.
knocks my "Idiots or Twonks" into a cocked hat.
Seriously, this should be essential reading (and comprehension) for anyone thinking of buying this sort of crap.
I know that soon everything is supposed to be 'connected' but why?
I'd expect the Home and Contents insurers to start loading premiums for people who secure their homes with this stuff.
Then there are the Adverts for Alexa that tell it to use Hive to do something.
How secure will that be if all it takes is for someone to shout through the letterbox, "Alexa open the front door for me please"?
Madness (welcome to the house of fun) and it won't end well.
At least my home won't have any of this crap for the foreseeable future.
I recently bought a Linksys EA7500 WiFi access point/router. The only easy way to set up this device is to subscribe to the Linksys "cloud" so that ALL CONFIGURATION is done via the Linksys cloud account.
This is so that "you can manage your router using your smart phone from anywhere on the planet".
So your home LAN is open to hacking from "anywhere on the planet"......REALLY?
It took a day and a lot of research to find out how to configure the device in the old fashioned way -- using a laptop and a CAT5 cable (and NO INTERNET ACCESS).
In the future it may be impossible to manage a computer-based device without "the cloud" -- if idiots like Linksys have their way.
Yup.......lovely!!!!
"The only easy way to set up this device is to subscribe to the Linksys "cloud" so that ALL CONFIGURATION is done via the Linksys cloud account."
To be fair, this sort of thing started because of NAT and the difficulty of creating universal and easy set-up for IT illiterate users. Then the marketing people realised the potential for user lock-in and subscription services so even with universal adoption of IPv6, we'll never get back to the direct connect methods now. "$x as a Service" is here to stay. After all, it's risky enough that the company providing the service and "cloud" server might go bust, but there's also the risk Google might buy them up and shut them down anyway.
Linksys EA7500
OpenWRT supports the EA8500, I think ... well, this page seems to infer that, at work, no time to read it all ...
https://wiki.openwrt.org/toh/linksys/linksys_ea8500
Punters, next time you buy a router/wifi access point, check out OpenWRT support -> All major router purveyors have had security blunders like root/root accounts, telnet access via "magical link" etc ... don't trust them, trust yourself, get OpenWRT!
Not at all.
I think this thing (it's a front door lock) is obscenely over priced for what it does, simply for the novelty of how it does it.
Crap can always be over priced for what it does (Google JML products for a company that sells nothing but such items).
For that kind of money I'm pretty sure you can get a very heavy door, with piano hinges and a high security multi bolt lock to go with it.
"Google JML products for a company that sells nothing but such items"
Don't you dare be so rude about one of Tony Blair's biggest financial backers:
http://www.telegraph.co.uk/finance/newsbysector/retailandconsumer/10310722/Rich-private-school-Oxford.-Meet-John-Mills-Labours-biggest-donor.html
where you can read this familiar sounding excuse:
"“If you sell 50m units of something or other you just can’t avoid some mistakes,” he says “There’s no defence. In that particular incident, the products were supplying hadn’t been finished properly and we had no way of knowing.”
Sadly for Mr Mills, Trading Standards found a way of knowing.
Sadly for the rest of us, Trading Standards didn't put him out of business. They rarely have the power (or funds) to do anything about people like that.
> For that kind of money I'm pretty sure you can get a very heavy door, with piano hinges and a high security multi bolt lock to go with it.
A few days ago I was in a hardware store in Germany, and one of the things they had on sale was a burglary/vandalism resistant front door (including hinges, frame and five-point lock), for roughly double that price.
"I'd expect the Home and Contents insurers to start loading premiums for people who secure their homes with this stuff."
I'd expect the opposite. To the insurers, IoT = electronic = equals security = better so anyone NOT using this type of kit will see their premiums increased. As was predicted here by many, the insurers "black box" for young drivers to monitor their quality of driving to reduce premiums is now being advertised as a benefit to all drivers. Before long they will be standard and drivers without them will pay much more for choosing not to be tracked and watched by big brother.
Internet connected tat is NOT GOOD, m'kay?
When large corporations (who supposedly have staff who specialize in keeping bad actors out of their systems) seem to get hacked regularly, putting one's door lock on the Internet seems a bit, well, stupid.
Do not connect to the Internet anything that doesn't really need to be connected to the Internet. And if you do connect it, expect it to get p0wned - in this case by the manufacturer.
It's a lock, fer the cryin out loud. I wonder why a door lock would need a software upgrade in the first place -- how complicated can the software be?
It would be interesting to see the list of bug fixes that the firmware upgrade was intended to address. Maybe the CPU in the lock is mining bitcoins for the company in its spare time, and they had to introduce new logic to deal with the recent bitcoin forking?
Perhaps it's to fix a bug, like entering 99999999999999999999999999 causes a buffer overflow and the door opens?
Nobody codes for reliability these days, nobody checks the code, just scribble a few lines, pretty print it and go down the pub for lunch and a beer or five. After lunch you return to the office and push the update out.
Companies are damned if they don't update their devices, now ones that do are being criticized?
Yes, they messed up during an update, but at least they were updating.
Yes, I would never trust an IOT access to my residence, but they seem to be doing the correct thing towards fixing the problem.
Who knows what they were fixing with the update - TLS v1.2 support, or as others have said - maybe issues with buffer overflows, etc.
This sort of stuff is just really the beginning (of the tip of the iceberg) in terms of breaches that will occur due to IOT security.
I, myself (which I am usually quick to criticize) am not ready to jump on them quite yet except for the fact that yes the entire issue was caused by updating the wrong device - that does indicate some sort of inexperience where there should have been none.
The 'Smart' bit is getting people to buy the crap in the first place.
It's all one big 'Snake Oil' peddling exercise. There's probably a secret society behind it that awards seats in a new sales 'magic circle' if you manage to convince enough people to buy your crap that you turn a profit.
It's pretty useful to be able to assign temporary pass codes to people for the lock and also see remotely if it's been used, if it's closed and locked or left open. These products are very popular with AirBnB hosts. Even as just an every day obsessive compulsive who always wonders if she's left the door unlocked when she goes away, a product like this has appeal.
All true, but as others have pointed out, none of that should have been too hard to write & debug correctly in the first place. It's only a lock with a few remote logging features & simple remote control features. So the need for updates likely is to (1) make fixes for poor initial coding and (2) add "features" that probably add data collection stuff of little benefit to the owner. It's just a lock. And as others have pointed out, the firmware updating process should include model info in the new firmware to be checked by the old firmware for a match before proceeding with the update.
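The model check proposed in the comments above (the image names the model it was built for, and the firmware already on the lock refuses a mismatch), as an added example that is not from the thread or from Lockstate. The header layout, field names and model ids are assumptions made up for illustration; the CRC only catches corruption, and authenticity would need a signature check that is left out here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image layout (assumed for this example, all little-endian):
 *   0..3   magic "FWUP"
 *   4..5   model id the image was built for
 *   6..7   minimum hardware revision
 *   8..11  payload length in bytes
 *   12..15 CRC-32 of the payload
 *   16..   payload                                                      */
#define FW_HDR_LEN 16u

enum fw_result {
    FW_OK = 0, FW_TRUNCATED, FW_BAD_MAGIC, FW_WRONG_MODEL,
    FW_HW_TOO_OLD, FW_BAD_LENGTH, FW_BAD_CRC
};

/* Identity fixed in the device at manufacture (values are constructed). */
struct device_identity { uint16_t model_id; uint16_t hw_rev; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
static uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Pre-flash gate run by the firmware already on the device.
 * Nothing should be written to flash unless this returns FW_OK. */
static enum fw_result fw_check(const struct device_identity *dev,
                               const uint8_t *img, size_t img_len) {
    if (img_len < FW_HDR_LEN)          return FW_TRUNCATED;
    if (memcmp(img, "FWUP", 4) != 0)   return FW_BAD_MAGIC;
    /* The check the thread asks for: image model must equal device model. */
    if (rd16(img + 4) != dev->model_id) return FW_WRONG_MODEL;
    if (rd16(img + 6) > dev->hw_rev)    return FW_HW_TOO_OLD;
    /* Declared length must match what was actually received. */
    uint32_t payload_len = rd32(img + 8);
    if ((size_t)payload_len != img_len - FW_HDR_LEN) return FW_BAD_LENGTH;
    if (crc32_ieee(img + FW_HDR_LEN, payload_len) != rd32(img + 12))
        return FW_BAD_CRC;
    return FW_OK;
}

/* Builds a constructed sample image; returns its size, or 0 if it won't fit. */
static size_t fw_build(uint8_t *out, size_t cap, uint16_t model, uint16_t min_hw,
                       const uint8_t *payload, uint32_t n) {
    if (cap < FW_HDR_LEN + (size_t)n) return 0;
    memcpy(out, "FWUP", 4);
    wr16(out + 4, model);
    wr16(out + 6, min_hw);
    wr32(out + 8, n);
    wr32(out + 12, crc32_ieee(payload, n));
    memcpy(out + FW_HDR_LEN, payload, n);
    return FW_HDR_LEN + (size_t)n;
}

int main(void) {
    const uint8_t payload[] = "lock-app-v2";          /* constructed payload */
    struct device_identity dev = { 0x0006, 3 };        /* constructed device  */
    uint8_t img[64];

    /* Image built for a different model than the device it is pushed to. */
    size_t n = fw_build(img, sizeof img, 0x0007, 2, payload, (uint32_t)sizeof payload);
    printf("image for model 0x0007 on device 0x0006 -> result %d\n",
           (int)fw_check(&dev, img, n));

    /* Image built for the right model. */
    n = fw_build(img, sizeof img, 0x0006, 2, payload, (uint32_t)sizeof payload);
    printf("image for model 0x0006 on device 0x0006 -> result %d\n",
           (int)fw_check(&dev, img, n));
    return 0;
}
```
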
But one of the problems is that even if the actual lock code is quite simple, the required code to keep it safe from hacking, MitM attacks etc. is not.
Let's assume they were originally using SSL or TLS 1.0 as the encryption management. In order to keep the device safe, that would need to be changed, and some of the ciphers and cryptography would have to be retired as a result of discovered vulnerabilities in the older, previously held secure, connection code.
The patches for the underlying technologies may be freely available. Packaging and deploying them to your IoT device is not. This is why cheap IoT tat is such a flawed idea at the moment.
My guess is that other official tenants in his building complex are renting out their properties via airBnB, against their contract conditions.
I'm assuming he doesn't like all these uncouth people in his building.
Not sure what's illegal though, unless they are a bunch of people who climbed over Trump's wall.
Do I win a prize?
>Ever gone away and not been sure if you remembered to lock it?
A colleague once came back from a week long conference to find his front door wedged closed with a piece of paper. He subsequently discovered that his neighbours seeing the front door open and him obviously out, kindly latched the Yale lock just in case he had left his keys inside, then wedged the door closed with paper.
So unless your door has an auto closer, having a Yale lock etc. isn't a guarantee your door has actually locked as you pull it behind you in your rush to catch that taxi...
Personally, having had mortice locks for a few decades, I've got into the habit of checking the door has locked behind me.
Interestingly, the IoT potentially will create more stress: there you are in some far flung place that happens to have Internet and you take a look at your home and discover the front door is showing a status of not closed... Currently, I have a nice holiday and only have to worry about the front door when I get home and discover it unlocked.
>>"there you are in some far flung place that happens to have Internet and you take a look at your home and discover the front door is showing a status of not closed... Currently, I have a nice holiday and only have to worry about the front door when I get home and discover it unlocked."
The far more likely scenario is that I worry about something I don't and being able to check that it's locked is what enables me to relax. In the unlikely eventuality that I have left it unlocked, I can call a friend and ask them to pop round and lock it for me. It's not like I am helpless to do anything about it just because I am away!
"Ever gone away and not been sure if you remembered to lock it?"
1. What Roland6 said.
2. The door has a glass panel on either side. Therefore with a cylinder lock (AKA Yale* lock) latch it can never be locked at all. If the back of the door is accessible from outside then it can't be locked without a key or combination on the inside as well as the outside. A glass panel in or beside the door combined with a cylinder lock is a gift to B&E merchants.
Some of the comments in this thread reveal a worrying naivety about keys. Does nobody change the door lock when they move into new premises? A few years ago my daughter moved into a new house having received "all" the keys from the previous owner. As she was moving in a neighbour rolled up with another front door key that she'd had for some time that the previous owner had forgotten about. I'd have changed her lock anyway but it moved things on a bit.
* Yale don't just make cylinder locks. In fact my mortice lock was made by Yale.
No.
You very quickly get into the routine of locking it when you close the door to leave - unless you are going in and out regularly (i.e. getting shopping from the car) when you leave the door unlocked, you generally leave the door locked at all times.
If you do happen to leave your keys inside, you simply open the door again and get them.
The security of a manual push button lock is often poor as the order in which the buttons are pressed does not matter and each of the digits in the code need to be unique. For a 10 button lock with a 4 digit code rather than the intuitive 10,000 permutations it provides only C(10,4) or 210 unique combinations. Pretty easy to brute force.
Going up to a 5 digit code doesn't help much as that only gives 252 combinations. Of course if an attacker doesn't know if it's a 4 or a 5 digit code it will be harder for them as they need to try for both, and if they have no clue at all how many digits (1 to 10) are in the code then there are 1065 possibilities which is going to be slow to brute force, but still an order of magnitude down on the intuitive 10,000 possibilities.
"Which is why my front door is a manual number lock"
Depending on how mortified you are or are not in the mood to become, do or never do check out a few Youtube videos demonstrating how easily and quickly a typical* "number lock" gets pwned by anyone who also watched the same videos, using nothing but a thin "feeler" pick shoved in next to the dials...
*there are things that can be done to prevent a lot of this, but it just doesn't seem to be present in the vast majority of these locks - "we don't give a shit" is not exclusive to IoT...
You're now in the software development (and support) business.
Either accept this (and set up processes accordingly) or get flushed down the pan of history.
A lock used to allow 3rd party access to living accommodation whose entry code can be re-written remotely you say?
How weak is the crypto? I fancy a holiday.
Despite the negative comments, remote control of physical access devices is what IT is all about. Saving time and effort. Allowing one person in a remote office to manage distributed real estate instead of sending someone out in a van to do it by hand.
The implementation, however, sucks.
Lessons like this are needed for each new technology to teach people to do it right. Shouldn't be, but it seems to be the only way people will learn.
Anyone with a Smart Meter in the UK should be taking note, of course. Just in case a remote update bricks the meter and also uses the "disconnect" feature for the mains supply.
Save more time to do what? Put more people out of work? Inflate the profits of tax-avoiding billionaires? Put even more power into the hands of people who should have zero power and would serve us better by being locked away in a safe place...with a proper lock and key not one of these IoT things?
Can I perhaps offer an example?
Remote management of servers and routers instead of staffing all the data centres with identical skill sets?
Luddites may not like this but remote management of software and hardware (in a secure manner) is generally taken for granted.
Given the quantities allegedly involved (hundreds of locks affected?) and the cost of software development, I suspect the extra cost per unit might have been a bit more than 10p. Correction welcome.
On the other hand if company directors routinely got sued for realistic customer costs (plus a bit of punitive and exemplary damages) and regularly lost, that might cost enough to get the company management a bit more interested.
You're a bit behind the times. Infusion pumps (they do other stuff apart from insulin) had serial ports in the late 90's.
I'm pretty sure at least one model has a BlueTooth interface or some other species of exploitable connectivity.
IRL what has happened is every such pump has fail safed on the same day.
There's a delightful YT from a doctor who studies how (and why) large complex systems fail.
My wife is fitted with an Intrathecal Baclofen Pump. It releases minute doses of Baclofen (an anti-spasmodic) into the spinal fluid.
From what I have seen, the interface is proprietary - not WiFi or Bluetooth so I suspect the manufacturers are using security by obscurity as a design parameter.
I would *hope* that said pump has been programmed with some sanity checks, and will be able to reject obviously incorrect settings (such as "increase dose by 10000%"). However there's no way of knowing.
So what ARE the international standards (cf ISO27001) for medical implant software ? There must be some ...
"Lockstate Connect, which is a subscription-based service that allows full remote control of all compatible smart home devices."
Subscription based service.... Three words that mean I won't ever own a product.
At some point this company is going to decide to stop supporting these locks, they will shut down the servers and you're back to having a dumb lock, a $600 dumb lock (with the added bonus that it's probably also hackable) - I'll stick to physical keys thanks.
I wonder if any users have left their only physical keys inside the house whose lock is now bricked? This could get a bit messy and expensive. I know, as I've managed to lock myself out more than once (purely by my own actions, no internet required). Doors and windows aren't cheap.
If their only computer is also inside the inaccessible house, will they even have got the email?
the converse is the *increasing* number of companies that only offer phone support.
Quite aside from the fact that the paradigm of email support is completely different to phone support is the annoyance that not being able to use a computer to interact restricts people with disabilities.
I have had quite a few companies send me a letter after I sent them an email complaining that they were unable to contact me by phone. Clearly missing my opening paragraph where I state I cannot use a voiceline. Of course, if they can't get *that* right, what else can't they manage competently ????
Why would any sane person have an Electronic lock that's connected to the Internet 24x7?
Apart from this fiasco, it makes the lock vulnerable to hacking.
Better that users are emailed with updates and that locks are updated by USB stick, with socket under a plate locked by key on inside of door.
This design is inherently insecure. It's not like a TV setbox where a botched OTA upgrade is only inconvenient.
Yet cars and other things have this stupid design concept.
This past year, one of the thoroughly justified rants about a lot of IoT devices has been that their firmware can't be automatically updated. Even HP printers have been implicated in this blunder. Users have to go and fetch firmware updates themselves, if they're available, if the device will even accept an update.
But here we are with a laudable IoT device that is, thank you, automatically updated.
Except the update is deadly.
Little baby steps. IoT is juvenile technology. We're still stuck in The Dark Age of Computing.
"It's juvenile developers."
With greatest respect, that's bollocks.
It's incompetent, ignorant, and naive management AS WELL as juvenile developers.
The juvenile developers should have known that it was sensible, maybe even essential, to be able to identify that any firmware update was fit for use on the device it was being applied to. Maybe that wasn't in the spec, maybe they said it would cost $$$ to implement and thus it got rejected, maybe something else.
The incompetent, ignorant, and naive management should have realised that any update needs to be tested on a realistic sample of the market before being forced onto the whole userbase. If that can't be done, the process design is as broken as the company management.
"Just remember burglars are more agile than developers."
Not always. A few have got stuck in the windows they were trying to climb through (splendid recent example http://www.independent.co.uk/news/uk/home-news/burglar-jailed-after-getting-stuck-in-bathroom-window-a7562221.html ) and a few have fallen through roofs or roof-lights.
A physical key, plus one or more numeric codes with some method allowing them to be assigned and expired. Why does this thing even need firmware updates?
Oh yes, maybe it is because the WiFi module is vulnerable because "being connected" is so much more important than "being secure"...
It will be interesting when cases like this start hitting the news - and courts - on a regular basis. Certainly from a UK perspective where the concept of consequential loss is *very* narrow.
I wonder how many AirBnB "businesses" (quotes *not* ironic) will be able to recover their lost "profits" ????
They're probably hardened against that, being $800 locks.
It's like being able to open padlocks with bits of beercan or pick locks in about 10 seconds flat (I've seen an electric lockpick in action.. 10 seconds is an outlier - it's probably quicker than using the key..). A *lot* of locks are just security theatre, but most burglars don't know that, and of those that do, they'll go after the easy ones rather than the hard ones, so all you have to do is make sure you don't get your lock from the bargain bin like your neighbour did and you're probably safe.
Okay, I understand when in the smart house system there are video cameras, light and smoke sensors, opening the gate system. But smart lock on the front door? I do not know about you, but I can not trust such device. I'm not saying that it's much safer to lock on a key, thieves do not usually stop it, but I somehow can not bring myself to believe that a smart lock is safer than a regular lock. Although the idea itself is quite interesting, I recently came across an interesting video where the guys themselves assembled such a smart lock)