Smart Locks: Lessons for Securing Commodity Internet of Things Devices

Grant Ho and Derek Leung and Pratyush Mishra and Ashkan Hosseini and Dawn Song and David Wagner

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2016-11

March 12, 2016

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-11.pdf

We examine the security of home smart locks: cyber-physical devices that replace traditional door locks with deadbolts that can be electronically controlled by mobile devices or the lock manufacturer’s remote servers. We present three categories of attacks against smart locks and analyze the security of five commercially-available locks with respect to these attacks. Our security analysis reveals that flaws in the design, implementation, and interaction models of existing locks can be exploited by several classes of adversaries, granting them capabilities that range from unauthorized home access to irrevocable control of the lock. To guide future development of smart locks and similar Internet of Things devices, we propose several defenses that mitigate the attacks we present. One of these defenses is a novel approach to securely and usably communicate a user’s intended actions to smart locks, which we prototype and evaluate. Ultimately, our work takes a first step towards illuminating security challenges in the system design and novel functionality introduced by emerging IoT systems.

BibTeX citation:

@techreport{Ho:EECS-2016-11,
    Author= {Ho, Grant and Leung, Derek and Mishra, Pratyush and Hosseini, Ashkan and Song, Dawn and Wagner, David},
    Title= {Smart Locks: Lessons for Securing Commodity Internet of Things Devices},
    Year= {2016},
    Month= {Mar},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-11.html},
    Number= {UCB/EECS-2016-11},
    Abstract= {We examine the security of home smart locks: cyber-physical devices that replace traditional door locks with deadbolts that can be electronically controlled by mobile devices or the lock manufacturer’s remote servers. We present three categories of attacks against smart locks and analyze the security of five commercially-available locks with respect to these attacks. Our security analysis reveals that flaws in the design, implementation, and interaction models of existing locks can be exploited by several classes of adversaries, granting them capabilities that range from unauthorized home access to irrevocable control of the lock. To guide future development of smart locks and similar Internet of Things devices, we propose several defenses that mitigate the attacks we present. One of these defenses is a novel approach to securely and usably communicate a user’s intended actions to smart locks, which we prototype and evaluate. Ultimately, our work takes a first step towards illuminating security challenges in the system design and novel functionality introduced by emerging IoT systems.},
}

EndNote citation:

%0 Report
%A Ho, Grant 
%A Leung, Derek 
%A Mishra, Pratyush 
%A Hosseini, Ashkan 
%A Song, Dawn 
%A Wagner, David 
%T Smart Locks: Lessons for Securing Commodity Internet of Things Devices
%I EECS Department, University of California, Berkeley
%D 2016
%8 March 12
%@ UCB/EECS-2016-11
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-11.html
%F Ho:EECS-2016-11