Hacker News new | comments | ask | show | jobs | submit login
Landlords forcing smart locks on tenants (twitter.com)
128 points by Lio 26 days ago | hide | past | web | favorite | 120 comments

Clearly it wouldn't be reasonable to impose a lower standard of safety and security than a non-smart lock. I don't think landlords would attempt to argue that principle.

The argument from them will be that smart locks do not regress security and safety.

Given the widespread and well known security problems with IoT devices across the industry, I think it'd be reasonable to demand assurances on this. For example, an audit trail provided to the resident for every unlock event and who authorised it, an agreement to immediately revert indefinitely to a physical lock at the landlord's expense if a vulnerability is discovered, and daily financial compensation for every day that the landlord fails to act on these mitigations.

Anything less than this I'd argue is a breach of contract, and any requirement that doesn't provide similar assurances would have to be by agreement by the tenant (ie. a new contract signed).

Breach of contract? Huh? Most tenants do not have "audit trail" requirements in their contracts and their existing physical locks don't provide one.

I always wonder if the folks making legal claims on hn actually practice law - the arguments are often nonsensical. Or maybe this type of logic is why law seems so backwards to folks

> Most tenants do not have "audit trail" requirements in their contracts and their existing physical locks don't provide one.

No, but the contract was signed at a time when physical locks were the only norm and the security and safety characteristics of a physical lock can be considered to be implied by that contract.

[For example a typical rental contract does not say "the landlord will maintain a working and suitable lock on the front door" but clearly a landlord would nevertheless be in breach of contract if the lock needed replacing due to wear and tear and the landlord refused to fix it]

This wouldn't rule out installing a smart lock in the future, but only if the security and safety characteristics, as implied by the contract, are not regressed by doing so.

A remote unlock facility wasn't agreed by the tenant, so it's reasonable to ask for an audit trail requirement in this case as previously the landlord (or their agent) would have had to be physically present, so their memory would serve as an audit trail.

I think that the perspective that [the addition of] a remote unlock facility without an audit trail compromises the security and safety of a physical lock and thus breaks the implied contract is a perfectly reasonable argument, especially given the prevalence of general industry failure (known vulnerabilities in specific models) in this area.

Landlord here. My lease doesn't specify the type of lock, nor do states where I rent property require that I disclose smart locks nor provide an audit trail of remote access to the lock. I am only required to provide "quiet enjoyment of the property" and provide reasonable notice if access is required (24 hours notice, which I provide via email and text). That said, I don't use smart locks with my properties. They're a pain in the ass from a reliability standpoint, and I prefer more reliable mechanical locks (Kwikset SmartKey, which allows for rapid re-keying when turning over the property).

> I think that the perspective that [the addition of] a remote unlock facility without an audit trail compromises the security and safety of a physical lock and thus breaks the implied contract is a perfectly reasonable argument, especially given the prevalence of general industry failure (known vulnerabilities in specific models) in this area.

While the argument can be entertained, housing statute provides for no such requirements (providing an audit trail of smart lock activity to tenants). I'm happy to run it by my attorney for funsies if you're interested in going down the rabbit hole, but I'm confident the use of smart locks, as well as not providing access control data to tenants, is entirely compliant with housing statute (and I have read all housing statute for the states I operate in).

I'm not making any claims about statute. I'm talking about contract law, which is rather separate (except when a contract is modified by statute, which as we both agree isn't the case here).

Ask your lawyer to explain implied terms of a contract, what implied terms might exist in your contract with your tenants with respect to expectations of the provision and maintenance of things such as locks that were present at the start of the tenancy, and what obligations you may have to maintain the same level of security and safety that existed at the time the contract was signed.

Your lawyer will most likely tell you that you can't _reduce_ the security of the locks, with the baseline being something between what you implied that you would provide at the start of a tenancy and what is the norm for tenancies of the same type, and that whether or not the addition of a remote unlock facility does so or not depends on the specific circumstances that only a court can determine.

Sent this link to my attorney, interested to hear what I get back. Honestly though, if a tenant raised the issue with me prior to signing a lease, I likely wouldn't rent to them as long as I had other tenants to consider. If the issue was raised after they signed the lease, I'd let them know they were free to terminate the lease and move out within a reasonable amount of time or not renew their lease when it came up for renewal. Being expensive to service is a trait I can legally discriminate against, and is not protected by fair housing laws.

I can appreciate the concerns, but not to the point where I'm going to waste time litigating it. It's a public policy issue that needs to be addressed.

> I'd let them know they were free to terminate the lease and move out within a reasonable amount of time...

This would be accurate, but depending on the terms of the contract the tenant may have no obligation to do so, and you would still have an obligation to provide the same quality of lock, secure under the same reasonable threat models, as what was present at the time the contract was signed. In other words, it may be that you would not be entitled to force a smart lock [that adds extra things that compromise the security of the implied threat model such as remote unlock] on the tenant, just as you would not be entitled to remove the lock entirely.

> ...or not renew their lease when it came up for renewal. Being expensive to service is a trait I can legally discriminate against, and is not protected by fair housing laws.

No argument there.

Traditional locks are more like suggestions, and have a well known attack called "lockpicking", that is easy to learn. I doubt smart locks will be less secure than that.

Still leaves concern for DOS and privacy attacks.

You can't remotely pick a lock, but you can remotely hack a smart lock, and you also know when its owners are gone.

No lock is totally secure, but at least a dumb lock requires physical presence to defeat.

Don't forget the other major characteristics of network-connected gear; it's not just that a lock can be hacked remotely, but that all of them can be hacked at once, or even just all left accidentally unlocked because someone screwed up at Cloud Central.

The real problem with all this network connected stuff isn't even the new failure modes per se... it's the correlated nature of the new failure modes. (You know you're a Real Systems Engineer if something inside of you just screamed in terror.)

In that scenario though, the attacker (or an accomplice) would need to be physically present to take advantage of the unlock attack...

Most people don't know lockpicking so while you are right in principle this will change things in practice.

What breach? Every apartment lease agreement I’ve ever had says the leasing company can change the lease anytime they want. My recourse is to move out immediately.

A "smart" lock without a fallback to a physical key. Uses a 4 digit code and locks you out after 5 tries. This is truly terrible even beyond the usual privacy and security concerns a smart lock introduces. And those concerns are far from trivial, this sounds like a privacy nightmare and also gives far too many people potentially access that shouldn't have.

It also locks you out after that neighbor you don’t like intentionally types a wrong code five times, because you where playing loud Music yesterday until 21:00, which isn’t against the rules but he/she doesn’t like it.

Extremely smart.

So you’re saying to fight back people should just keep hitting random numbers locking everyone out in a building? Not a bad play.

To be fair, a tube of superglue has a similar effect on a dumb lock.

Pushing buttons doesn't scream vandalism like inserting glue into a lock does.

As a less vandalism like attack, consider when your drunk neighbours attempts to enter your apartment instead of their own. The security "feature" of a lock out is just an easily triggerable denial of service attack.

I like doing it to corporate security folks after they try to dictate it in authentication systems. They usually seem to understand after it's done to them.

Oh, I like that approach. I will have to remember this "argument" against lock out.

Horrifying. I hope she ends up winning a case on this. Even if it is just to get to move out early for free at least it's something.

But wow. I'd be doing the same as her if this were forced on me. I love IoT things. But I draw the line at door locks. Physical security is already difficult enough. I'm not adding more attack vectors to that.

Not to mention the data exfil that will most definitely happen with that system. I'm confident that even if the lock itself ends up being secure that the data that gets given to the landlord won't be protected at all.

There's no a single IoT device available that I would want to install in my home, let alone a lock.

I can understand the need for IoT device in industry, such as remote monitoring of device in the field. For home use I have yet to see a device that make any sense. IoT is at this point complete marketing hype, and very little practical application.

I feel the same way, I explicitly avoid any device described as "smart". I don't need a "smart" blender or microwave or coffeemaker or refrigerator or anything else.

The only two exceptions are my phone (hard to avoid) and my radiator thermostats.

For the latter, they are connected to the internet and I can adjust temperature and put them in "holiday mode" from an app or web page. However the control box doesn't require any firewall holes or port openings, as far as I can tell it gets updates by sending a HTTP request to the same online portal where I can control my heating schedules.

It communicates with the thermostats and window sensors on some kind of RF protocol similar to Z-wave, but if someone goes to the effort of hacking that just to mess with my heating, I would actually be a bit flattered.

I probably wouldn't choose the internet-connected version again. Even though it is a lot easier to setup and manage, I think I would prefer the "dumb" standalone units. They're a bit more fiddly to setup initially, and you have to put each of them to holiday mode manually. But I would prefer to not have them connected to any kind of network.

I used to be the type of person who wanted everything 100% connected 100% of the time. Over the last couple of years, I've taken a pretty hard turn in the opposite direction, I prefer to have everything as simple and standalone as possible.

>For home use I have yet to see a device that make any sense.

Slightly off-topic but I have a thermostat that only turns on when my phone (or me) is on the way home and it automatically turns it off when I leave my home.

It saves me _considerable_ amount on my heating bill, especially since I'm not home on a regular schedule and often don't know until hours in advance.

I'm also a proponent of smart thermostats. It's a godsend to be able to have the heating turned up automatically before waking, and as I'm getting home. I have no regrets whatsoever although of course, I'm concerned about my presence data being available to the company running the tech. But I would never put in a smart lock - I see no benefit whatsoever.

And my no1. argument against this is the same as against almost every other IoT device - this heating business should be between your thermostat and your phone. It should not go through third party servers and cloud services.

Smart devices are fine for me. Using them as an excuse to turn a product into a service isn't.

They had programmable thermostats that didn't tell everyone who had access what you're up to. They fit the use cases of almost everyone.

I am intrigued now to see if I can figure out whether it's sending my data outside of the system.

Hmmh, I on the other hand, turn on the heating when I come home, then exercise. Once I'm done, I feel warm and soon it actually is. But that's just me.

In The Netherlands you have the right to replace the locks with your own locks, as long as you can re-install the original lock once you move out.

How is that arranged in the US?

Do you need to provide your landlord with a copy of the key to your new lock?

In the US, it's standard for a rental agreement and/or state law to specify that the landlord can enter your property with 24 hours notice even if you're not there, or to enter immediately in case of an emergency.

> In the US, it's standard for a rental agreement and/or state law to specify that the landlord can enter your property with 24 hours notice even if you're not there, or to enter immediately in case of an emergency.

As a European, I find the idea extremely shocking.

Here entering the residence of someone without their explicit consent is considered home invasion and can net you a year in jail and a fine of up to 15000 euros. It doesn't matter if you own the property as long as someone else lives their. It remains true if they are not paying. You will need the police and a court order if you want to enter.

Worth noting: this kind of rule is both normal, & legal in both IE & UK. The idea that this wasn't the case somewhere sounds weird (although nice!) to my European ears.

No, if you replace it they don't have a key, and you don't have to give it to them.

In Germany the landlord isn't even allowed to keep a copy of the key for the original lock, so obviously you don't have to give them a key of your own lock.

All clauses in contracts that require you to give a key to the landlord are automatically void.

All of the places I’ve rented did not permit me to change the locks. I did change the cylinder on one place despite the contract and I changed it back before I left. I’m sure I could have been evicted for this but more likely I would just be liable for repairs.

Realtors and home renting companies use these near me. Signs that say "Let yourself in" and you can get a temporary code to go into a rental and such.

From a privacy stand point there are many concerns but when renting or leasing you are already bound by laws requiring you to admin maintenance and even owners with sufficient notice. Notice timeliness is all based around the nature of the call.

Plus on a safety side, elderly people could have locks opened for emergency persons by a central clearing system similar to how some home security systems are managed.

In the long run, you opt out by living somewhere else or owning your own place. There are both pros and cons and we need to focus on both and not one or the other.

edit: Another service/feature/etc I have seen lately is bundling standard utilities into the lease with surcharges for exceeding caps (electricity, gas, and water). This relieves the landlord of headaches and new residents from having issues getting services started

Sure there are potential positives, but the current state of the art is not ready for this, and if you read the thread, it's clear this particular vendor is absolutely not handling the requisite security concerns in the right way. In any case, there's no good reason not to have a physical key for a fallback. What happens during a power outage and the Internet is down? How is this thing powered anyway? Batteries are a major problem. And again, if it's hardwired, that's also a risk.

These aren't necessarily the same thing. When I was looking for a rental house about 6 months ago, essentially all of the homes I visited were set up with a "smart lockbox".

You had to set up an account with a 3rd party service who required a picture of a photo id and a small fee ($5 for 30 days access, IIRC). The rental listings would ultimately link to the 3rd party service where you could schedule a visit to the house, then get a temporary code to access the key when you arrived. All of the homes still used traditional physical locks.

I'm not a fan of "smart" devices, but think this was actually a great service as long as the home is unoccupied. As a tenant I was able to easily visit a dozen different homes in one day without having to spend hours on the phone scheduling visits with property managers.

Is it impossible to do this safely?

Just like with my car, it would be really convenient when holding kids and a load of their stuff to not have to fish out the keys.

I suppose there's the issue of your landlord locking you out if they're unhappy with something, but surely that is not purely a technological issue.

Car locks are one thing. They are hackable, but only in a very targeted and location-specific manner, basically the same risk as a physical key. But this is a centrally controlled system in which your landlord and a third party you have no control over are monitoring your movements and can remotely unlock the door via an Internet-connected device. So it's remotely monitorable and hackable. And since there's no physical presence required to monitor or hack it, it's actually a much bigger risk than remote car locks.

Also, cars are very different than homes. Typically we don't store truly valuable and irreplaceable items in our cars, unlike our homes. Typically we don't sleep in our cars, unlike our homes. You can easily see if someone is approaching your car, or trying to get in, when you are in it. Not necessarily the case with your home.

Key code locks are pretty convienient since you don't even need a phone yet aren't connected to any externel network and they allow a normal key to be used as a backup. A lot of them can be hooked up to the internet vie Z-wave or similar but they don't have to be.

Even better are the ones that are keypads + smartlock. We'll probably be swapping over to one of the Yale locks which has a keypad & uses August's tech for the smart part.

In theory, yes, it's possible to do this safely.

But offhand I can think of several horror stories about smart locks, and no good stories. The tech just seems absurdly immature at this point. And this product, in particular, is apparently known for glitching and not working, so...

On top of the software aspects many smart locks neglect the actual locking mechanism leaving the lock vulnerable to easy tricks like shimming.

Smart locks also have to consider how they'll function without electricity. An exposed slot for a battery could let an attacker instantly fry the lock from the outside.

An exposed slot for a battery could let an attacker instantly fry the lock from the outside.

A long time ago I got drunk at my birthday party so my wife drove us back to the beach house we rented. She parked my car so that it was about five inches overhanging someone’s driveway.

Their driveway wasn’t blocked but it was a dick move and they retaliated by shaving off candle wax into my car’s door locks. Fortunately I always used remote unlock but back then most people still used physical keys to unlock their car.

People can mess or destroy any lock. There are legitimate concerns about electronic locks for sure but I don’t understand setting the bar so much higher for them than mechanical locks.

  I don’t understand setting the bar so much
  higher for them than mechanical locks.
Based on the smart lock reviews I've seen on youtube channels that review locks, rejecting 98% of smart locks on the market doesn't require that you hold the smart locks to a higher standard than the mechanical locks.

Because the reviews I've seen indicate almost all smart locks fall a long way short of the security of equally priced mechanical locks.

While I agree that the bar is high for smart locks I think that comes down to the promises made by making a lock "smart". Good software security should make a smart lock safer than even some of the best traditional locks.

I'll admit my example is poor. A good smart lock wouldn't default to unlocked if electronically fried. I still think it's worth being worried about how easily and discreetly you can vandalize a lock.

Do any smart locks actually do that? That just seems negligent from the manufacturer. To access my apartment building I need to go through two magnetically locked doors, so if the power is off they are off, but I assume that's for safety reasons so you can easily get out in an emergency. I was under the impression smart locks just exposed the normal locking mechanism on the inside.

The tech is fine, in theory.

The problem of those locks - or really, almost any IoT device - is that they're connected to a third-party service. This creates risk of abuse, remote hacking, remote bricking (e.g. when the vendor decides to thank everyone for the incredible journey), breach of privacy and ties user into a hostile relationship with the vendor, because the device isn't really a product anymore, but a service.

There are plenty of good stories—the product works as intended and never happens to face a determined adversary. It’s just not a remarkable story, and the potential upsides are pretty minimal compared to the downsides in the horror stories you’ve heard.

Just local RFID tokens without internet connection? If you use a system with properly secure tokens that's probably a relatively safe option.

Same with key codes: internet management is not really needed for that. Of course access could be properly secured, but vendors have a really bad record of actually getting that right.

The tokens being secure is not enough. The system also has to check latency etc. to prevent repeater attacks.

Imagine a scenario like that: You leave your car in a parking lot. One attacker follows you with a repeater. Once you're around the corner the second attacker approaches your car and opens it via the repeated radio signal and starts it.

A while ago there had been a small debate on this topic, as attackers actually used such an approach to break into cars (sometimes even stealing them) https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can...

You can sidestep this if the token needs to be explicitly activated. Unlike turning a key in a mechanical lock this needn't be something that requires dexterity, just any positive action e.g. pressing a button.

A code repeater seems like a lot of work when standard tumbler locks are bypassed by a credit card, $10 lock pick set, a strong kick.

According to that wired article the repeater is $10 as well and lockpicking needs a little practice and skill, using a repeater not. :)

it's more just the huge risk right?

so many factors become part of the threat model, when you could stick to the physical lock, and really limit it.

https://twitter.com/internetofshit?lang=en is a pretty good example.

you could make a rfid chip reader part of your lock, but even that has weakness.


tldr: limit your damn threat model/inconvenience.

I don't think security of entry to the apartment is the main concern (because most locks can be picked fairly easily, and criminals force doors regardless of lock).

I think privacy, network security, and availability are the bigger issues.

well, i do agree, the network and availability are my main issues.

if a criminal is going to break you door, it's going to happen. but, i think people would be more suspicious of someone picking a door lock, rather then waving a Chip and the door allowing them access.

i know, alot of hotels weren't surprised to learn their room doors were amazing weak.


if you want a good physical lock the ANSI Grading System is a good place to start.

First thing I did when I moved into my flat was to change my locks.

I bought various cylinders that open with the same key. Thus I can open my garage, my flat, and my other small spaces with the same key.

Advantage too: the previous tenant wouldn't be able to access my home if they've kept the key. The landlord too.

And if there's an unlikely urgence ? Well, just break the door (it's a cheap cardboard-y one)

That probably violates the terms of your lease unfortunately.

In Switzerland at least: no. It's considered the same as painting the walls: they have to be identical when you move out. In the meantime you do what you want.

But frankly, I would do it even if it was forbidden, as long as the door wouldn't be reinforced.

Happy to hear that. Where I live (Ontario, Canada) it's not explicitly illegal but landlords are allowed to make the tenant not changing the locks a condition of their lease and most do because it is enforceable.

In the US where I live, I think I have noticed in more than one lease agreement something that says you may change the locks at your own expense if you want. I'm not sure how standard it is, but I've never seen anything that says you can't change them.

It's odd that they make concessions like that in a lease agreement but that's great. Ontario generally favours tenants in legal matters but the locks thing bothers me a bit. I currently have an issue with my landlord and I know they have made illegal entry to my unit and others in my building (illegal meaning without 24hr notice for a valid reason or not because of an emergency) and I can't change my locks. My only option at the moment (because I have no proof to take to the Landlord and Tenant Board) is to place a camera in my apartment which I don't particularly like doing.

Most leases will explicitly require the landlord have unfettered access to the property. Usually, the only caveat being that the tenant will be given some amount of notice. My leases say 24 hours.

/If I ever came to one of my properties and my key didn't work, you better bet you'd be evicted.

I see two options: 1) You announce before 24h, and therefore the renter can lend you a set of keys 2) You come unannounced. If it's an emergency you can break the door. If it's not then you've got no business being there.

On 2) NO! I'm not busting down my own door to get into my property. And if I have to, I'm evicting you.

On your greater point, there are a million ways to skin a Roman senator. There are alternatives that don't require a smartlock and if an otherwise great tenant (or applicant) really pressed the issue, perhaps I'd go with another one. In the absence of that, I'll go with what's easiest and sensibly secure (which, by the by, a smartlock is).

Why not just use a smart lock in conjunction with a normal keyed deadbolt? Then you can just use the combination of technologies at your discretion.

Can we change the title to “landlord”? I’m only seeing on person saying this is happening to them on Twitter and the title makes it sound extremely sensationalist.

In the thread it's stated that it's probably for a few thousand apartments if I'm not mistaken - not a single building/landlord. (Bit unsure about the exact categorization here, if the landlord is just outsourcing building management.)

My complex's owners are doing this, and from the person's details on Twitter, it looks to be the same company. They own properties in 22 US states with 250,000 residents according to their website.

Why are they going full iot and smarthub with an app? My building uses rfid key fobs and it's great. Temporary ones can be made by calling the front desk.

I believe I live in a complex owned by the same company as the Twitter user, and if so, I can answer that.

The owners aren't installing it themselves but going through https://smartrent.com/. As you can see from their homepage, the benefits of the smart home features are aimed at owners/landlords/property managers primarily, with renters' benefits being secondary. Those landlord benefits come from online automation.

I recently got keyless car. Now I want something like that for my apartment door very much. No fumbling with the key. Just grab the handle and doors open.

Is there any secure smart lock? I would want one because I'm away 3 months a year and it would simplify renting my apartment on airbnb when I'm away (especially with the rent I pay in HK) but I'm also rather worried about the security implications. And from my brief research, a lot of vendors have very little documentations about security.

I would obviously only consider one that has a fallback to an actual key.

Define secure? A keyed tumbler lock can often be bypassed with a $10 kit and an hour's training via YouTube. Alternatively, without a frame reenforcement kit, a lock is bypassed with a strong kick.

Finding a software hack is probably the least of your worries.

Technically savvy people can think of lots of ways to overcome technology. It’s easy to get hung up on the problems with something new while ignoring the problems of current systems.

In addition to what you said, people often leave mechanical locks unlocked on at least one or more windows or doors. People often have easily broken glass on their doors. It’s commonly said that most locks are “courtesy locks” because they’re so easy to defeat. So I don’t understand many of the security concerns surrounding electronic locks. Privacy and failure concerns I can understand though.

That leads to a question I had recently, I know that some insurance will only reimburse in case of thefts if there's sign of a break-in. If someone lock-picks the lock, is there a trace of a break-in? Would such thefts be covered?

You can take apart the lock and see scratches on the pins as signs of picking, but bump keys are notorious for not providing a sign of break in.

I thought bump keys were the one of the more obvious methods since hammering the key in can easily dent the cylinder

I think the question you're asking isn't purely about security. You're asking about a lock that maximizes security while allowing you to digitally transmit a key - in which case I don't know of any with a track record for resisting attack.

Right now the predominant attitude is basically "key control is easier than trying to secure IoT." Easier to use a physical key and manually vet who gets the key than to audit an IoT setup. I tend to agree just because the state of security practices in IoT is so egregiously bad.

That's a good point, I could potentially disconnect the lock from internet when I'm actually staying in my apartment. When I leave it to guests, most of my important stuff are packed away.

It's a hard trade off and yes I don't trust most keylocks company to get iot security right since it's not their core competence

Not that ai have seen. Check out 'the lockpicking laywer' on youtube for details on many models. He only focuses on physical security however.

If you're looking for convenience, a basic $30 (USD) lockbox (example[1]) from a hardware store is an easy way, albeit without much extra security. Whoever cleans up between guests can change the code. That's what I stuck with when I was renting my house short-term. There was always a risk that a guest could copy the key and come back a month later, but I felt like I would rather live with that risk than pay $100+ for a smart lock and potentially make myself an easily visible target for a simple hack. If some teenage hackers looking to cause mischief took a hammer or spray paint to the interior, they could easily have cost me more than a hypothetical burglar walking away with the TV and other electronics.

[1] https://www.homedepot.com/p/Master-Lock-5400D-9-6-cu-in-Set-...

I'm pretty comfortable with the security of the Kaba evolo (they have a range of levels of "smart", I like the less-smart ones).

The best systems are currently (for non-safes), the combination strong mechanical (Abloy, etc.) plus electronic. Two systems I've seen be non-crap are Abloy Cliq and Videx CyberLock.

Neither of these is residential.

I'm shocked a landlord would willingly seek out this amount of legal liability.

Home Contents Insurance companies take note - these guys are asking for it.

What about connecting the lock to your network, collecting full network logs, and having the landlord arrested for hacking as soon as the wrong packet comes out of the device?

The landlady is having this forced onto her, so I would think the proper target would be the big org pushing the change.

I suppose that the lock only talks with a central server via an encrypted connection, so you wouldn't see any proof

I really can't understand what some people are smoking out there. Is it's a push/lobby from companies? A need to have Orwellian control over the tenants? Misguided 'fellowkids' approach to appear 'hip' and 'embrace tech'..? Or just plain silliness? Hanlon's razor is failing me.

It’s both liability and labor thing. When a tenant moves out, large apartment buildings change the lock. With an electronic lock any member of staff can ‘rekey’ the lock in a few seconds.

For liability, the large companies use big key control systems to try and track which staff is checking out keys to what, but it’s still possible for staff to make unauthorized copies. With an electronic lock they get a nice report that shows all the times the lock was used and when the door was opened.

And finally, many property managers are control-freaks and they love that tenants need to ask to make ‘copies’ of the electronic keys. Previously the only real option for key control was something like Medeco and most don’t want to pay for that.

Then you just don't understand the viewpoint of a landlord. If I have to coordinate service to fix the waterheater or something but I live 3 towns over, it's a lot easier to give a technician a temporary password to the property in a set time window.

/To do this requires a good relationship with your tenants and technicians

You can also give the technician the property's renter's phone number and let themselves coordinate.

You are greatly overestimating the amount of energy and time the average tenant will put into fixing anything in the property. I wish I could count on them to help in coordinating.

Well, anecdote, but in most cases I know (South Europe) it's the tenants chasing behind the landlord to fix issues in their homes, and not vice versa :P Why wouldn't one want stuff on the property he's renting (and paying dearly for it) fixed?

You would think a tenant would be eager to get something fixed. I had a tenant with a broken water heater who waited 3 weeks to tell me. In the winter! /shrug I try not to judge

I mean......yes, it does look terrible and I would not want to have this installed in my house.

But on the other hand....our landlord does have a physical copy of the key to our house. I consider this to be a good thing, not a bad thing though! Probably made even better by the fact that legally the landlord has to give tenants 24 hours notice if they want to gain entry(in the UK). They can't just come over whenever without telling me first.

In germany, landlords are not entitled to have a copy of your flats key and they're not entitled to enter the apartment at their will unless there's an emergency. They can ask for a visit a reasonable time in advance and you might have to comply, but then it's still you opening the door.

So...the same then. In the UK the landlord is not entitled to the copy of the key either.

When I was a student I almost attacked a strange guy I found creeping around our flat at night - turned out it was the landlord!

Citizen's Advice confirmed he had no right to be there without our permission.

> our landlord does have a physical copy of the key to our house. I

This should only be acceptable in the case where your landlord is also your property manager. If they're not, then your letting agent should have a copy of a key.

On the 24 hours note, in 8 years of renting in the UK, I can only remember one instance where I was actually told 24 hours in advance. I was usually emailed at 5pm saying "hey, we have someone coming around for X tomorrow at 9:30, we will let them in". I told them no but they still came every time.

>> "hey, we have someone coming around for X tomorrow at 9:30, we will let them in". I told them no but they still came every time.

Then they were breaking the law, and almost certainly the letting contract. The only question is whether you want to do anything about it or not(legally) - most people don't want to go and fight with their landlord over a repair happening with less than 24 hours notice.

I only had to do this once - our landlord wanted some work carried out in less than 24 hours from telling me and I said ok, but you need to give us at least 24 hours notice, come back the next day - and they did.

You can legally change the lock if you change it back when you move out.

This: my current lock has been used in three different cities.

>our landlord does have a physical copy of the key to our house

The practice in Turkey is to change the lock as soon as you move to your apartment. And most of the time landlords say "I don't want to be accountable if someone enters to the apartment, thus change the locks as soon as possible". And even though the landlord owns the property he is not allowed to enter to the apartment, there is a specific law for that.

I'm not saying that the landlord has to have the key over here - I could change the locks if I wanted to - I'm just saying that in my experience it was always beneficial - when I locked myself out, or had someone coming over to repair the boiler or something else...the landlord was always happy to come over and unlock the door. For me it's a benefit, not a downside.

This is not a benefit of landlord's legal right to access.

Even if you consider these particular benefits, you should be able to make the choice of whether or not to give your landlord (or another trusted person) a spare key.

>>you should be able to make the choice of whether or not to give your landlord (or another trusted person) a spare key.

I do have that choice. I can go and change my locks today if I chose to and the landlord can't legally stop me from doing so. I just chose not to, because to me(personally) the landlord having the key is worth the benefit it provides.

You can choose to do that, but it's ambiguous whether or not it's legal e.g. https://www.landlordlawblog.co.uk/2011/03/07/tenants-legal-h...

It depends on the trust. There are friendly landlords and then there are bad landlords and worse, landlords who are extremely afraid of their property values going down.

The issue here is less about access and more about privacy.

No. In fact hell no. Maybe this will encourage more people to buy?

I dont know how your system works in the US, but here in Spain, I change the lock when i move into a rented apartment. When i move out, i hand the new keys to the owner. That way i make sure no old tenets or the owner can enter my apartment as they have no right to enter once its rented.


If many people want to fight against something, making it public helps those people to find each other and organize. From some of the tweets, other people in similar situations have reached out to her.

> Some gems include the fact they don’t seem to realize the directly connected smarthub is an attack vector for the zwave smart devices, which they never patch.

> And they can’t describe a patch SLA or what they’ll do in a couple years when their Zipato hubs aren’t updated anymore.

> Been chatting with other security folks who brought this up and they were totally dismissed. Vendor couldn’t state they took basic measures like hashing and salting lock pins.

If this was optional, fine, choose not to have it. But this isn’t optional, it is mandatory for all property managed by the same group, over the head of the landlord.

Using the “triggered” buzzword to signal that this is another frivolous SJW anxiety, and yet this is not SJW related at all.

This is a ligitimate security issue, since internet-enabled locks are never going to be secure enough to trust your life with, and even if one brand works well, most landlords will not be technically equipped to sort the differences out on there own, and will wind up deploying these locks before expert researchers can evaluate them.

Working resonably-secure locks or not, what happens when the mothership goes down? When the domain gets hijacked? When wi-fi gets jammed? When wires get cut.

Really sophisticated two stage attacks are being used on car security systems already. Step one, damage the internet link and wait. Step two, when the link is down the car’s security is defeated, and may be safely stolen.

Oh look. Another buzzword. Get gaslighted.

I think you're really underestimating how serious this is.

I could imagine that you would not just want to stand by and do nothing if you suddenly have to move because the landlord just made your appartment very insecure

You've never had a bad ex did you ?

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact