
Picking the FB50 smart lock - Icyphox
https://icyphox.sh/blog/fb50/
======
thedanbob
I’ve been getting into home automation recently and I’ve given myself a rule:
nothing cloud connected. If I can’t run it off my local server, I don’t want
it. I have much more motivation to secure my home than any company ever will.

~~~
jedberg
After my internet was cut for five days and my smart house became super dumb,
I adopted that rule too.

I'd love to know what products you are using.

~~~
thedanbob
I don't have a lot hooked up yet, mostly just the software infrastructure. I'm
building it all around Home Assistant. That integrates nicely with my Unifi
network controller, which gives me presence detection (phones connecting /
disconnecting). I have one Sonoff wifi switch which I reflashed to work with
MQTT, mostly as a proof of concept, but now that I know it works I'll probably
get a pile more. And I have a Honeywell T6 Pro thermostat (z-wave) on the way.

------
OrangeTux
> DO NOT. Ever. Buy. A smart lock. You’re better off with the “dumb” ones with
> keys.

Well, physical locks are not necessarily harder to pick than electronic
locks. Buy yourself a lock pick set, practice a bit and be amazed how many
locks you can pick.

~~~
herpderperator
I think you'll be surprised. You should watch some of these videos:
[https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ](https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ)
- choose any one of his videos. It'll be picked in under a minute.

~~~
dogma1138
LPL is an amazing lock picker, anyone with this level of skill is much better
off working as a locksmith or a security consultant.

Most B&E’s aren’t exactly executed by master thieves; they aren’t single pin
picking your locks.

When selecting a door lock or a pad lock you should care only that it can be
raked or bypassed, for bike locks you should also care that it can’t be easily
cut.

For the most part your door is likely going to be the weakest link as most
people don’t have reinforced doors and door frames.

~~~
e12e
Many people even install glass windows.

~~~
NikkiA
Smashing a window is unnecessary noise.

I've been burgled 4 times in my life, all 4 were either jimmied window or
jimmied door (usually a screwdriver as a prying tool).

~~~
ChrisRR
4 times? Where do you live just out of interest?

~~~
NikkiA
I don't live there any more, but 3 times were Middlesbrough UK, the 4th was in
Mountain View, CA.

------
floatingatoll
Note that requiring a server account login before the user is allowed to
manage a Bluetooth device is an explicit violation of the App Store Review
Guidelines, so now that awareness is being drawn to this lock they may find
themselves banned on iOS soon unless they fix it.

~~~
bluesign
I don't think Apple is that hard on this. I peeked a bit at the guidelines,
couldn't find the section you mentioned.

~~~
Someone
[https://developer.apple.com/app-store/review/guidelines/#dat...](https://developer.apple.com/app-store/review/guidelines/#data-collection-and-storage):

_"(v) Account Sign-In: If your app doesn’t include significant account-based
features, let people use it without a log-in."_

~~~
floatingatoll
_"Apps may not require users to enter personal information to function,
except when directly relevant to the core functionality of the app or required
by law."_

------
balls187
Losing access to a lock is bad stuff. I went with a smart lock that has a
physical key.

The article says don't buy a smart lock, but the convenience of having
one-time access codes, scheduled access, delivery access, and a link to a
security camera makes the downsides (increased attack vectors) something I'm
willing to live with.

~~~
berbec
And we, on HN, can make an informed decision about that calculated risk. The
general public just sees "Encrypted Android App with Smart Unlock" and thinks
they are safe.

~~~
balls187
Is that any different than virtually any other cyber security issue--the
general public is not well equipped to do Risk Mitigation compared to more
savvy individuals?

~~~
wlesieutre
It's a problem with the way technology scales. Previously difficult things
become cheap to do at massive scales, and companies make tons of money doing
it.

But it also makes vulnerabilities scale in the same way - exfiltrating
150,000,000 SSNs isn't much harder than 150 - and the penalties for security
lapses don't scale anything like the profits that operating at these scales
does.

What's the solution to that? Bigger penalties so that companies prioritize
security? Require companies handling data and devices to carry insurance
against huge hacks? I don't know, but we need to get somewhere better than
"Ignore it because consumers generally don't understand the risks and apology
letters are cheap."

The one good thing about IoT locks compared to other internet security issues
is that you need physical access to do anything with it. The script kiddies
spamming SSH authentication attempts at every webserver from somewhere on the
other side of an ocean can't break into your house with this. Other IoT
devices like security cameras are still a concern though; a vulnerability in
those could scoop up a lot of private videos.

------
gregable
Locks are often fairly weak against real attackers.

I enjoyed this youtube video of another smart (fingerprint?) lock being broken
due to a digital reset. It has a plastic panel on the front where the
fingerprint reader is. If you remove the panel with a razor blade (it's just
attached with glue), it even has a reset button exposed which resets the
fingerprint.
[https://www.youtube.com/watch?v=uVvEkcN5tW8](https://www.youtube.com/watch?v=uVvEkcN5tW8)

~~~
ihuman
LockPickingLawyer also picked the same lock in OP's post. If you search for
the MicaLock on Amazon, the page says it's just a FB50.

[https://www.youtube.com/watch?v=WeCGTosv-_c](https://www.youtube.com/watch?v=WeCGTosv-_c)

------
jedberg
I'm a big fan of _electronic_ locks, but I refuse to have a smart lock. I know
enough about IOT and security to know that a lock with a wifi chip might as
well not be there at all.

I just program a few extra codes into the lock ahead of time, and if I need to
let someone in in an emergency, I just give them one of my burner codes and
delete it when I get home.

I don't really need a log of every entry because the camera pointed at my door
already gives me one of those. :)

~~~
mikeash
Why is a WiFi lock so bad? It opens you up more, but the number of people who
can hack even the most insecure example is vastly smaller than the number of
people who can kick down a door or break a window. Household locks are almost
always just about deterring casual criminals, and internet vulnerabilities
don’t move the needle much on that.

~~~
jedberg
> Why is a WiFi lock so bad?

Scalability. Once you know how to pick one, you can pick them all quickly and
remotely. Kicking down a door or picking a physical lock takes time and effort
and exposes you to scrutiny while doing it.

~~~
mikeash
Picking a lock remotely seems rather pointless.

~~~
outworlder
> Picking a lock remotely seems rather pointless.

From another country, maybe.

Via WIFI? You are not more than a few hundred meters away. Doing that from
across the street is much more convenient. Once they are done, they can just
walk right in.

~~~
mikeash
Doesn’t seem very scalable. Maybe you can knock over 10x as many houses in a
night as a normal criminal. Normal criminals are 1000x (at least) more
numerous, so it’s not a big increase in the threat.

------
JaggedNZ
Doesn't this suggest that the unlock code comes from the "cloud" and not your
phone/app? So if you lose internet access you are not able to unlock? Or
maybe it locally caches the key?

~~~
e12e
First, this is obviously hilariously bad from a system perspective
(unauthenticated/unauthorized rebind of lock) [1]

OTOH it appears the problem is entirely server side, and could be
patched/mitigated by the provider?

It still seems possible that the _lock_ is secure-ish. It _might_ conceivably
have some form of anchored trust (pinned cert?) to communicate with the server
- and a secure/better rekey flow could maybe be implemented?

Still sounds crazy to delegate authorization _entirely_ to the cloud (I'm
guessing you can open the lock w/o internet, but not re-key).

I'm not even crazy about "find my phone"-services - and that's considering the
vendor typically owns the hw, the kernel _and_ can push updates (ie: all bets
are off anyway).

[1] I'm also curious about the "lock code" field in the data - does the
service advertise the pin if you give the correct serial/hw ID of the lock? Or
something else?

------
one2zero
If someone picks a "dumb lock" and steals all of your belongings, does the
manufacturer have any liability? What if someone picks your "smart lock"?

~~~
balls187
Homeowners insurance typically covers theft of personal belongings.

~~~
one2zero
Yeah but after that? How often do insurance companies go after the "dumb" lock
manufacturer? Could the same be said about "smart" lock manufacturers? I would
guess that this idea of a lawsuit against one of these companies is only an
issue of "when" not "if".

------
Damogran6
So pretty much 0% security success in every smart lock I've seen attacked. (I
think I've seen 5 so far, every one had nuclear dumpster fire issues.)

------
outworlder
As a rule, hardware companies are crap at writing software. If the software is
risky from a security standpoint, that's even worse.

