Tag: smart door lock retrofit application

August responds to its smart lock’s security weaknesses by patching its software

Article

August Smart Lock (press picture courtesy of August)

IoT manufacturer caught fixing security holes | The Register

Here’s what happened when someone hacked the August Smart Lock | CNet

My Comments

The Internet Of Things, along with network hardware aimed at consumers and small businesses, has been considered a thorn in the side of people who are involved with data security. This is because of a poor software-maintenance cycle associated with these devices, along with customers not installing new software updates for them.

Recently, at the DEFCON “hack-a-thon” conference in Las Vegas, a few of the smart locks were found to have software weaknesses that made them vulnerable.

But August, who makes one of these smart locks which are retrofitted to existing “bore-through” single-cylinder tubular deadbolts, answered this issue in a manner that is considered out-of-place for the “Internet Of Things”. Here, they issued software patches to rectify these security issues and offered them as a user-downloadable firmware update.

A sad reality for a lot of these devices is that the manufacturer rarely, if ever, maintains the firmware that runs them. Some manufacturers think that this practice is about having to “add functionality” to these devices, which they would rather do with subsequent models or product generations. But this kind of updating is about making sure that the software ecosystem associated with the product is secure and stable with all the “bugs” ironed out. Similarly, it is also about making sure that the product complies with industry standards and specifications so as to work properly with other devices.

August uses the latest iterations of their smartphone apps to deploy the firmware updates to their products, typically requiring that you place your phone with the app running near the door that is equipped with these locks.

The computing security industry and computing press congratulated August on responding to the security weakness in its products through a firmware update, with “The Register” describing it as being beyond the norm for the “Internet Of Everything”. But they wanted more, in the form of August disclosing the nature of the threats in the lock’s firmware in a similar manner to how Microsoft, Google or Apple would disclose weaknesses in their operating-system software.

This issue also applies to home-network equipment like routers, along with toys and games that connect to the Internet. What is being called for is a feedback loop where bugs and other software deficiencies in all these devices are called out and a simplified, if not automatic, in-field software-update process takes place whenever newer firmware that answers these problems is released. This also includes the manufacturers disclosing the security issues that have been found and explaining to customers how to mitigate the risks or update the affected software.

A smart-lock solution arrives for the Euro-standard mortice lock

Article – French language / Langue Française

La Poste vend aussi des serrures connectées (The Post Office also sells smart locks) | Le Figaro (France)

From the horse’s mouth

La Poste

PostAccess Product Page

Press Release


My Comments

At the moment, most smart-lock solutions are catering towards the “bore-through” cylindrical deadbolt that is common in the USA and some other countries.

But there is an established “open-frame” cylinder-mortice-lock platform, known as the “Euro-profile” platform, which has a strong presence “across the board” in most of Britain and Europe and has some presence in Oceania. This is based around a single-piece module that houses the key cylinder and / or a thumb-turn which slides in to a mortice lock or multi-bolt locking system already installed in to a door. This platform hasn’t been served by this technology until now.

La Poste, the French post-office, have started marketing a smart-lock kit as part of their foray in to the connected-home scene. This is based around a “swap-in” module that replaces the cylinder module or cylinder / thumbturn module that is part of a European-standard mortice lock or multi-point locking system and, like some of the other smart locks, works with a fob or your Bluetooth-linked smartphone dependent on the package.

Here, the hardware is based around a high-security outside cylinder module which “drives” the lock’s bolt and provides access using a traditional key. This interlinks with an inside module that has a thumbturn along with the electronics including the Bluetooth Smart radio subsystem that is part of the PostAccess system. It also has an integrated door-alarm which can be set up to work as a simple “buzzer alarm” that sounds when someone opens the door, or it can simply be set to sound if someone attempts to force the door open.

It also works with an NFC card reader that looks like a wireless doorbell and comes with the PostAccess Sérénité package. This card reader actually links with the lock using Bluetooth Smart technologies so it can read NFC cards, badges or wristbands and use these as keys.

People who buy the PostAccess Services Connectée package also receive a Wi-Fi – Bluetooth bridge that links the lock to your home network. This allows you to manage your PostAccess lock remotely through a Web portal that is set up by La Poste in France. The standards around the online service encompass a high-security data transfer setup between the PostAccess smart lock and the servers which are located in France.

What I like about this smart lock is that it is the first product of its kind to work with the Euro-profile cylinder-mortice-lock platform purely on a retrofit basis in a manner that suits a “screwdriver expert”. As well, it is the first product of its type to be a hub for two peripheral devices i.e. the NFC card reader and a home-network bridge while working with smartphones for authentication and management purposes.

Like other early entrants in to the network-based connected-home or “Internet Of Things” idea, it will show the problems and bugs associated with these devices. This is where you rely on particular vendor-supplied equipment, smartphone apps and services to get the full benefit from them and they don’t work on an “open-frame” platform. To approach this better, the manufacturers would need to make the PostAccess smart lock software-upgradeable to newer “open-platform” standards.

La Poste could be seeing this as a way to get their foot in the door to the connected home rather than trying to run their own “n-box” triple-play Internet service in to a highly-competitive Internet-service market. They could take this further with other products of the connected-home class and / or build out their Services Connectée package for remote home management.

To make the “smart-lock” idea work, there has to be an emphasis on seeing more products of this class appear on all of the commonly-used form-factors that the typical door lock appears in. As well, there has to be the ability to see the connected-home “Internet-Of-Things” concept mature on a level playing field along with encouraging a distinct role for these devices in the connected home.