Are Smartlocks smart?
Locks that are used in millions of homes and residential buildings worldwide and that are designed specifically to thwart hacking are easily opened with both a screwdriver and wire, two researchers say.
Kwikset smartkey locks are certified Grade 1 security for residential use by the Builders Hardware Manufacturers Association and are advertised by Kwikset as being invulnerable to being hacked with wires, screwdrivers, or anything else inserted in the keyway.
But that’s not the case, as two noted lock hackers, Marc Weber Tobias and Toby Bluzmanis, demonstrated for WIRED and showed attendees at the Def Con hacker conference.
Tobias and Bluzmanis have been cracking locks at Def Con for years, demonstrating the ability to defeat high-security electronic locks used at the White House and other government offices, electro-mechanical locks, deadbolts, and even electronic safes used by millions of consumers
But the Kwikset smartkey locks, which Kwikset introduced in 2008, have the widest distribution of any locks they’ve tested — Kwikset sells more than 20 million a year. The locks cost between $20-$40 and come with several features that make them appealing — the main one being a reprogrammable cylinder that gives owners the ability to reprogram the locks on the fly to any key.
The latter feature can be used by apartment managers to change a door lock after a resident vacates a unit or a building manager is terminated, without having to swap out the actual lock or call a locksmith. It can also be used by homeowners to provide temporary access to construction workers, gardeners or someone else who needs to gain entry for a certain time period, after which the locks can be changed back to fit the original key.
But the researchers say the lock design is inherently insecure. The locks can’t be bumped, but they can be cracked in other ways.
“It’s very clever because the consumer can instantly reprogram the key, but it’s also insecure,” Tobias says. “There’s a lot of positives for Kwikset, but the problem is they can be opened in 15 seconds with a screwdriver and a paper clip. It’s not a pin-tumbler lock so that it doesn’t have the inherent physical strength to block the plug from turning when you do certain things.”
He and Bluzmanis developed a number of techniques to compromise the locks, including one that lets them thwart it with a four-inch screwdriver and torque wrench, and another that lets them crack the lock just as easily with a wire.
Tobias says the BHMA rating is misleading to consumers, fooling them into believing the locks are secure when they aren’t. He filed a formal complaint with the BHMA two years ago, but says the standards body has ignored it. The standard requires that a lock like this can withstand 300 pound inches of torque, but the researchers say they used much less than this to open the locks.
Kwikset did not respond to requests for comment from WIRED, but Tobias, in phone calls to technical support for Kwikset, was told repeatedly that the locks were impervious to screwdrivers or wires, and that a screwdriver wouldn’t even fit in the keyway.
“With these ones you cannot even put a flat screwdriver in there,” a technician named Satima on the company’s support line told him during a recent phone call, which Tobias recorded. “There’s racks from up and down direction, not just up” that make it impossible to align the springs in the lock, she said. “There’s no tool that you can just put in the cylinder and pop it open. You can’t put any type of wire or anything like that.”
Another technician told him, “If it was that easy to pick a Kwikset lock, they would be having us doing recalls, [but] there’s nothing like that. It’s business as usual.” Without the key, there’s no way to open the locks, the technician asserted, and “sticking anything foreign inside of the keyway is just going to make it that much harder to open up.”
The smartkey is a five-pin lock and has 6 depth increments (the height and depth of the mountains and valleys on a key). It can be reprogrammed by placing the original key in the lock and inserting a tool into a slot in the lock face, which moves the assembly back about an eight of an inch and separates the pins and slider and holds them apart while a new key is inserted. The lock then registers the impressions on the new key and resets the relationship between the pins and slider to correspond to the new key.
They demonstrated six different ways of defeating the locks, including inserting a piece of blank with a sharp end into the keyway then, using a hammer, punch out the cap on the back of the plug — a thin piece of metal. Then they inserted a wire with a looped end into the keyway to turn the tailpiece, which rotates independently of the plug, making a key irrelevant. The method works in just 30 seconds and leaves no damage and no trace, since the original key still works in the locks.
In a second attack, Bluzmanis inserted a 4-inch screwdriver into the keyway, grasped it with a wrench and turned it to open the lock in just 15 seconds. According to the standard, the lock should be able to withstand 300 pounds-force-inch of torque, but they used only a little more than 100 pounds-force-inch to open the lock.
Another attack involved decoding the lock by using a series of keys that are a single depth to determine the depth of each of the pins inside the lock.