Questioning Smart Lock Security
The benefits of installing a keyless smart lock to replace the physical key and cylinder include:
- Identity: the removal of anonymity from each person that unlocks the assets you protect
- Security: keyless smart locks do not have an external locking mechanism — fewer ways to defeat the lock
- Data: the records of «who», «when» and «where» and even «why» the smart lock was opened
While it is easy to understand these benefits, it can be challenging to understand the complexity of keyless smart lock security.
As an Enterprise Security focused company, JONYCO strives to educate everyone about the benefits of smart locks and keyless access control. We want you to understand the differences between a locking mechanism that can be opened with a phone and a complete cyber-secure platform that provides a set of tools to help secure and protect your assets.
The Four Domains of Keyless Smart Lock Security
When investigating a keyless access control solution, we encourage you to identify the following concerns and ask the right questions.
1. Physical Security
The aspects that prevent theft or vandalism due to the hardware’s shape, size, and installation
- Concern: Keyless smart lock hardware is perceived to be expensive and can disappear as fast as it is installed. Securing the theft of keyless smart lock hardware itself may be critical to your security program.
- Example: Company XYZ installs a keyless smart lock. One week later after arriving on site, a user finds the door open, and the lock is missing entirely. The user can’t even secure the site before he leaves.
Does your keyless smart lock provide options to install securely to the structure, preventing theft of the keyless smart lock itself?
Answer: Our padlock brings different points to be secured to a specific place with safety ropes, chains or cables.
2. Embedded Security:
The software that ensures data security and integrity within the keyless smart lock and the mobile device
- Concern: Keyless smart locks need to track the time and date to allow and disallow users access within the desired time frame.
- Example: User arrives on site, a day after his digital key expired. The user turns off his mobile radios, changes the date on his phone, and attempts to open the lock using his digital key from yesterday.
How do you ensure timely access that isn’t dependent on the mobile device for date/time?
Answer: Real time clock
Each of our locks has a real-time clock for independent time tracking. This prevents “time-based” attacks where hackers try to modify the validity of the keys and the access registry.
3. Transport Security
The protocols and algorithms that ensure identity, digital keys and access logs are safely and securely transferred between lock, mobile device and the Cloud
- Concern: Even using secure transport protocols, mobile devices transfer and store digital keys – exposing them to modification.
- Example: User downloads digital keys onto his phone. User can root his mobile device, change the details of a digital key, e.g. user and time of access. User still has the code to get in, but the logs record a different user, and at a different time.
Does a digital key incorporate the user, time, and permission to access the keyless smart lock?
Answer: With our platform, a key is generated per user with a certain time which is generated by an administrator.
Can the integrity of all three be assured and verified by the keyless smart lock before access is permitted?
Answer: As part of the asymmetric crypto architecture, padlocks generate their own private keys through the use of a hardware-based random number generator. These keys, never shared or seen by anyone, are used to decrypt information from smartphones using the 192-bit ECDSA algorithm.
4. Cloud Security
The hardware and software components that allow the ubiquitous access of users, and prevent hackers from getting in to steal data or to provide unauthorized access
- Concern: Compliance with global privacy laws imply responsibility to protect people’s information.
- Example: Users access their account information at: https://(somewebsite.com)/user/1234. User manipulates the web address to: https://(somewebsite.com)/user/4567 and views the information of another user.
How do you protect user information from others?
Are you compliant with country specific privacy laws (e.g. GDPR, LGPD, PIPEDA, CCPA)?
Do you understand and implement the concepts of Security by Design, Privacy by Design and RBAC (Role based access control)?