Saturday, September 20, 2008


Unlock your door over the Internet?

Bruce Schneier posts an item about this gadget, a door lock that allows you to lock and unlock it over the Internet:

The CEDIA expo in Denver has been wowed by some cunning gear designed by Schlage which makes door locks that can be wirelessly set or opened via the Internet, from a mobile phone or a computer.

Each of the battery-operated locks have keypads that are locked and unlocked with 4-digit access codes. Users who forget to lock a door and want to enter their code remotely can hop onto a Web portal or use software added to their mobile phones.

Schlage says the wireless signals sent to the locks are encrypted. Kit for the lock, which includes the lock and the wireless bridge to communicate with it will set you back $299. There’s a $13 monthly fee to use the applications that let the locks be controlled remotely.

Bruce notes that it’s probably not the best idea, and commenters have varying opinions. My first thought was that it’d be OK for locking the door (in case you forgot to), but not secure enough for unlocking. Further thought modified that a bit.

First, I’ll note that the fact that it’s “encrypted” is pretty meaningless. We don’t have details of the encryption, so we don’t know whether it’s done right in the first place. But even if it is, that would only prevent simple snooping from discovering the code, and one needn’t snoop. A four-digit code is just too easy to crack with brute force — only 10,000 codes to try, and fewer than that if you eliminate (or leave for last) the ones that most people will consider “insecure” and won’t use (such as 1111 and 1234).

On the other hand, given that monthly fee, we can assume that your mobile phone doesn’t just talk to the lock directly over the Internet. If there’s an intermediary application (server) involved, it can enforce various rules, require authentication of the device that’s trying to unlock it, put in delays when too many wrong codes have been tried, summon the police when it detects suspicious patterns, and so forth.

The reason a four-digit PIN is adequate to protect your ATM card is that these sorts of restrictions are used for it. One must have the card in hand, which is equivalent to identifying the mobile phone and only allowing access to specific ones. The bank can lock the card out after a few invalid attempts, preventing any attempt at a brute-force attack. If this can do that as well (and the encryption is adequate), then it’s good enough — it’s probably easier to pick the key lock than to try to break the wireless code.

Then, too, how many of you use wireless garage-door openers, and leave the interior door to the house unlocked? I haven’t looked at newer openers, but the old Sears system I’ve looked at uses nine three-position switches to set the code. That only gives about 20,000 possible codes (39 = 19,683), easily exposing it to a brute-force attack as well. And we know for sure that there’s no lock-out system, so it’d be easy enough to connect a transmitter to a computer, and have the computer cycle through all possibilities until the door opens. With a nine-switch code and one try per second, it’d take a little less than five and a half hours to try all the codes, putting the average expected time to crack the code at around two hours and forty-four minutes.

We don’t think of that as much of an exposure, but we should. We’re more afraid of something that works over the Internet, but we shouldn’t be. Unless the Internet-based system gives the caller feedback on success or failure (something that’d be pretty silly, since the only feedback that matters, which the real user sees, is that the lock operates) there is no value in trying to hack the lock from any distance. Sure, theoretically someone in Kuala Lumpur could open your door, but why would they try, and how would they know when they succeeded?

So it really only matters to someone who’s nearby, and for that it’s probably as secure as is any other way of getting into your house.

The real question that remains, then, is this one: Why would you pay $13/month to use this thing?


The Ridger, FCD said...

Maybe you only have one house key? Or you live in an apartment building (like mine) where the manager charges $100 to let you in - and won't do it at all after midnight - if you forget your key?

Still just remembering to carry your key seems a lot simpler.

Unless you're controlling your kids?

Barry Leiba said...

Hm, I'd thought about the usage log, but I hadn't thought of connecting it to controlling/monitoring kids. That's an interesting wrinkle.