
Landlords forcing smart locks on tenants - Lio
https://twitter.com/hacks4pancakes/status/1086000837615382529
======
rlpb
Clearly it wouldn't be reasonable to impose a lower standard of safety and
security than a non-smart lock. I don't think landlords would attempt to argue
that principle.

The argument from them will be that smart locks do not regress security and
safety.

Given the widespread and well known security problems with IoT devices across
the industry, I think it'd be reasonable to demand assurances on this. For
example, an audit trail provided to the resident for every unlock event and
who authorised it, an agreement to immediately revert indefinitely to a
physical lock at the landlord's expense if a vulnerability is discovered, and
daily financial compensation for every day that the landlord fails to act on
these mitigations.

Anything less than this I'd argue is a breach of contract, and any requirement
that doesn't provide similar assurances would have to be by agreement by the
tenant (ie. a new contract signed).

~~~
gizmo686
Traditional locks are more like suggestions, and have a well known attack
called "lockpicking", that is easy to learn. I doubt smart locks will be less
secure than that.

Still leaves concern for DOS and privacy attacks.

~~~
rhinoceraptor
You can't remotely pick a lock, but you can remotely hack a smart lock, and
you also know when its owners are gone.

No lock is totally secure, but at least a dumb lock requires physical presence
to defeat.

~~~
jerf
Don't forget the other major characteristics of network-connected gear; it's
not just that a lock can be hacked remotely, but that _all_ of them can be
hacked at once, or even just all left accidentally unlocked because someone
screwed up at Cloud Central.

The real problem with all this network connected stuff isn't even the new
failure modes per se... it's the _correlated_ nature of the new failure modes.
(You know you're a Real Systems Engineer if something inside of you just
screamed in terror.)

------
fabian2k
A "smart" lock without a fallback to a physical key. Uses a 4 digit code and
locks you out after 5 tries. This is truly terrible even beyond the usual
privacy and security concerns a smart lock introduces. And those concerns are
far from trivial, this sounds like a privacy nightmare and also gives far too
many people potentially access that shouldn't have.

~~~
talltimtom
It also locks you out after that neighbor you don’t like intentionally types a
wrong code five times, because you where playing loud Music yesterday until
21:00, which isn’t against the rules but he/she doesn’t like it.

Extremely smart.

~~~
regularfry
To be fair, a tube of superglue has a similar effect on a dumb lock.

~~~
BlackFly
Pushing buttons doesn't scream vandalism like inserting glue into a lock does.

As a less vandalism like attack, consider when your drunk neighbours attempts
to enter your apartment instead of their own. The security "feature" of a lock
out is just an easily triggerable denial of service attack.

~~~
Nerdfest
I like doing it to corporate security folks after they try to dictate it in
authentication systems. They usually seem to understand after it's done to
them.

~~~
BlackFly
Oh, I like that approach. I will have to remember this "argument" against lock
out.

------
KeepFlying
Horrifying. I hope she ends up winning a case on this. Even if it is just to
get to move out early for free at least it's something.

But wow. I'd be doing the same as her if this were forced on me. I love IoT
things. But I draw the line at door locks. Physical security is already
difficult enough. I'm not adding more attack vectors to that.

Not to mention the data exfil that will most definitely happen with that
system. I'm confident that even if the lock itself ends up being secure that
the data that gets given to the landlord won't be protected at all.

------
mrweasel
There's no a single IoT device available that I would want to install in my
home, let alone a lock.

I can understand the need for IoT device in industry, such as remote
monitoring of device in the field. For home use I have yet to see a device
that make any sense. IoT is at this point complete marketing hype, and very
little practical application.

~~~
apexalpha
>For home use I have yet to see a device that make any sense.

Slightly off-topic but I have a thermostat that only turns on when my phone
(or me) is on the way home and it automatically turns it off when I leave my
home.

It saves me _considerable_ amount on my heating bill, especially since I'm not
home on a regular schedule and often don't know until hours in advance.

~~~
telesilla
I'm also a proponent of smart thermostats. It's a godsend to be able to have
the heating turned up automatically before waking, and as I'm getting home. I
have no regrets whatsoever although of course, I'm concerned about my presence
data being available to the company running the tech. But I would never put in
a smart lock - I see no benefit whatsoever.

~~~
around_here
They had programmable thermostats that didn't tell everyone who had access
what you're up to. They fit the use cases of almost everyone.

~~~
telesilla
I am intrigued now to see if I can figure out whether it's sending my data
outside of the system.

------
adenhoed
In The Netherlands you have the right to replace the locks with your own
locks, as long as you can re-install the original lock once you move out.

How is that arranged in the US?

~~~
cmg
Do you need to provide your landlord with a copy of the key to your new lock?

In the US, it's standard for a rental agreement and/or state law to specify
that the landlord can enter your property with 24 hours notice even if you're
not there, or to enter immediately in case of an emergency.

~~~
brmgb
> In the US, it's standard for a rental agreement and/or state law to specify
> that the landlord can enter your property with 24 hours notice even if
> you're not there, or to enter immediately in case of an emergency.

As a European, I find the idea extremely shocking.

Here entering the residence of someone without their explicit consent is
considered home invasion and can net you a year in jail and a fine of up to
15000 euros. It doesn't matter if you own the property as long as someone else
lives their. It remains true if they are not paying. You will need the police
and a court order if you want to enter.

~~~
lil_cain
Worth noting: this kind of rule is both normal, & legal in both IE & UK. The
idea that this wasn't the case somewhere sounds weird (although nice!) to my
European ears.

------
Shivetya
Realtors and home renting companies use these near me. Signs that say "Let
yourself in" and you can get a temporary code to go into a rental and such.

From a privacy stand point there are many concerns but when renting or leasing
you are already bound by laws requiring you to admin maintenance and even
owners with sufficient notice. Notice timeliness is all based around the
nature of the call.

Plus on a safety side, elderly people could have locks opened for emergency
persons by a central clearing system similar to how some home security systems
are managed.

In the long run, you opt out by living somewhere else or owning your own
place. There are both pros and cons and we need to focus on both and not one
or the other.

edit: Another service/feature/etc I have seen lately is bundling standard
utilities into the lease with surcharges for exceeding caps (electricity, gas,
and water). This relieves the landlord of headaches and new residents from
having issues getting services started

~~~
skywhopper
Sure there are potential positives, but the current state of the art is not
ready for this, and if you read the thread, it's clear this particular vendor
is absolutely not handling the requisite security concerns in the right way.
In any case, there's no good reason not to have a physical key for a fallback.
What happens during a power outage and the Internet is down? How is this thing
powered anyway? Batteries are a major problem. And again, if it's hardwired,
that's also a risk.

------
lordnacho
Is it impossible to do this safely?

Just like with my car, it would be really convenient when holding kids and a
load of their stuff to not have to fish out the keys.

I suppose there's the issue of your landlord locking you out if they're
unhappy with something, but surely that is not purely a technological issue.

~~~
Lazare
In theory, yes, it's possible to do this safely.

But offhand I can think of several horror stories about smart locks, and no
good stories. The tech just seems absurdly immature at this point. And this
product, in particular, is apparently known for glitching and not working,
so...

~~~
daxterspeed
On top of the software aspects many smart locks neglect the actual locking
mechanism leaving the lock vulnerable to easy tricks like shimming.

Smart locks also have to consider how they'll function without electricity. An
exposed slot for a battery could let an attacker instantly fry the lock from
the outside.

~~~
300bps
_An exposed slot for a battery could let an attacker instantly fry the lock
from the outside._

A long time ago I got drunk at my birthday party so my wife drove us back to
the beach house we rented. She parked my car so that it was about five inches
overhanging someone’s driveway.

Their driveway wasn’t blocked but it was a dick move and they retaliated by
shaving off candle wax into my car’s door locks. Fortunately I always used
remote unlock but back then most people still used physical keys to unlock
their car.

People can mess or destroy any lock. There are legitimate concerns about
electronic locks for sure but I don’t understand setting the bar so much
higher for them than mechanical locks.

~~~
daxterspeed
While I agree that the bar is high for smart locks I think that comes down to
the promises made by making a lock "smart". Good software security _should_
make a smart lock safer than even some of the best traditional locks.

I'll admit my example is poor. A good smart lock wouldn't default to unlocked
if electronically fried. I still think it's worth being worried about how
easily and discreetly you can vandalize a lock.

~~~
fyfy18
Do any smart locks actually do that? That just seems negligent from the
manufacturer. To access my apartment building I need to go through two
magnetically locked doors, so if the power is off they are off, but I assume
that's for safety reasons so you can easily get out in an emergency. I was
under the impression smart locks just exposed the normal locking mechanism on
the inside.

------
Faaak
First thing I did when I moved into my flat was to change my locks.

I bought various cylinders that open with the same key. Thus I can open my
garage, my flat, and my other small spaces with the same key.

Advantage too: the previous tenant wouldn't be able to access my home if
they've kept the key. The landlord too.

And if there's an unlikely urgence ? Well, just break the door (it's a cheap
cardboard-y one)

~~~
DKnoll
That probably violates the terms of your lease unfortunately.

~~~
Faaak
In Switzerland at least: no. It's considered the same as painting the walls:
they have to be identical when you move out. In the meantime you do what you
want.

But frankly, I would do it even if it was forbidden, as long as the door
wouldn't be reinforced.

~~~
DKnoll
Happy to hear that. Where I live (Ontario, Canada) it's not explicitly illegal
but landlords are allowed to make the tenant not changing the locks a
condition of their lease and most do because it is enforceable.

~~~
perl4ever
In the US where I live, I think I have noticed in more than one lease
agreement something that says you may change the locks at your own expense if
you want. I'm not sure how standard it is, but I've never seen anything that
says you can't change them.

~~~
DKnoll
It's odd that they make concessions like that in a lease agreement but that's
great. Ontario generally favours tenants in legal matters but the locks thing
bothers me a bit. I currently have an issue with my landlord and I know they
have made illegal entry to my unit and others in my building (illegal meaning
without 24hr notice for a valid reason or not because of an emergency) and I
can't change my locks. My only option at the moment (because I have no proof
to take to the Landlord and Tenant Board) is to place a camera in my apartment
which I don't particularly like doing.

------
davidkuhta
Why not just use a smart lock in conjunction with a normal keyed deadbolt?
Then you can just use the combination of technologies at your discretion.

------
iwasakabukiman
Can we change the title to “landlord”? I’m only seeing on person saying this
is happening to them on Twitter and the title makes it sound extremely
sensationalist.

~~~
wink
In the thread it's stated that it's probably for a few thousand apartments if
I'm not mistaken - not a single building/landlord. (Bit unsure about the exact
categorization here, if the landlord is just outsourcing building management.)

------
paulie_a
Why are they going full iot and smarthub with an app? My building uses rfid
key fobs and it's great. Temporary ones can be made by calling the front desk.

~~~
thisismyaccoun7
I believe I live in a complex owned by the same company as the Twitter user,
and if so, I can answer that.

The owners aren't installing it themselves but going through
[https://smartrent.com/](https://smartrent.com/). As you can see from their
homepage, the benefits of the smart home features are aimed at
owners/landlords/property managers primarily, with renters' benefits being
secondary. Those landlord benefits come from online automation.

------
scotty79
I recently got keyless car. Now I want something like that for my apartment
door very much. No fumbling with the key. Just grab the handle and doors open.

------
nicolas_t
Is there any secure smart lock? I would want one because I'm away 3 months a
year and it would simplify renting my apartment on airbnb when I'm away
(especially with the rent I pay in HK) but I'm also rather worried about the
security implications. And from my brief research, a lot of vendors have very
little documentations about security.

I would obviously only consider one that has a fallback to an actual key.

~~~
smileysteve
Define secure? A keyed tumbler lock can often be bypassed with a $10 kit and
an hour's training via YouTube. Alternatively, without a frame reenforcement
kit, a lock is bypassed with a strong kick.

Finding a software hack is probably the least of your worries.

~~~
nicolas_t
That leads to a question I had recently, I know that some insurance will only
reimburse in case of thefts if there's sign of a break-in. If someone lock-
picks the lock, is there a trace of a break-in? Would such thefts be covered?

~~~
thisismyaccoun7
You can take apart the lock and see scratches on the pins as signs of picking,
but bump keys are notorious for not providing a sign of break in.

~~~
tomatotomato37
I thought bump keys were the one of the more obvious methods since hammering
the key in can easily dent the cylinder

------
scoot_718
I'm shocked a landlord would willingly seek out this amount of legal
liability.

Home Contents Insurance companies take note - these guys are asking for it.

------
HelloNurse
What about connecting the lock to your network, collecting full network logs,
and having the landlord arrested for hacking as soon as the wrong packet comes
out of the device?

~~~
mnw21cam
The landlady is having this forced onto her, so I would think the proper
target would be the big org pushing the change.

------
tpaschalis
I really can't understand what some people are smoking out there. Is it's a
push/lobby from companies? A need to have Orwellian control over the tenants?
Misguided 'fellowkids' approach to appear 'hip' and 'embrace tech'..? Or just
plain silliness? Hanlon's razor is failing me.

~~~
noobiemcfoob
Then you just don't understand the viewpoint of a landlord. If I have to
coordinate service to fix the waterheater or something but I live 3 towns
over, it's a lot easier to give a technician a temporary password to the
property in a set time window.

/To do this requires a good relationship with your tenants and technicians

~~~
Faaak
You can also give the technician the property's renter's phone number and let
themselves coordinate.

~~~
noobiemcfoob
You are greatly overestimating the amount of energy and time the average
tenant will put into fixing anything in the property. I _wish_ I could count
on them to help in coordinating.

~~~
tpaschalis
Well, anecdote, but in most cases I know (South Europe) it's _the tenants_
chasing behind the landlord to fix issues in their homes, and not vice versa
:P Why wouldn't one want stuff on the property he's renting (and paying dearly
for it) fixed?

~~~
noobiemcfoob
You would think a tenant would be eager to get something fixed. I had a tenant
with a broken water heater who waited 3 weeks to tell me. In the winter!
/shrug I try not to judge

------
gambiting
I mean......yes, it does look terrible and I would not want to have this
installed in my house.

But on the other hand....our landlord does have a physical copy of the key to
our house. I consider this to be a good thing, not a bad thing though!
Probably made even better by the fact that legally the landlord has to give
tenants 24 hours notice if they want to gain entry(in the UK). They can't just
come over whenever without telling me first.

~~~
maccard
> our landlord does have a physical copy of the key to our house. I

This should only be acceptable in the case where your landlord is also your
property manager. If they're not, then your letting agent should have a copy
of a key.

On the 24 hours note, in 8 years of renting in the UK, I can only remember one
instance where I was actually told 24 hours in advance. I was usually emailed
at 5pm saying "hey, we have someone coming around for X tomorrow at 9:30, we
will let them in". I told them no but they still came every time.

~~~
handzbagz
You can legally change the lock if you change it back when you move out.

~~~
pintxo
This: my current lock has been used in three different cities.

------
Simulacra
No. In fact hell no. Maybe this will encourage more people to buy?

------
calgoo
I dont know how your system works in the US, but here in Spain, I change the
lock when i move into a rented apartment. When i move out, i hand the new keys
to the owner. That way i make sure no old tenets or the owner can enter my
apartment as they have no right to enter once its rented.

