The aim of smart home products and home automation is to make your life simpler. With connected products in your home, you don't need to worry about mundane tasks like turning off all the lights before bed or venturing outside to be sure you remembered to close the garage door. Commanding all your smart home's nifty automations with your voice in particular is quick, hands-free and still feels futuristic. There's risk in that, though, particularly when it comes to smart locks.
A security researcher (read: hacker) named Brad "RenderMan" Haines contacted CNET with a simple flaw regarding smart locks and voice unlocking. With an audio transducer and an IFTTT recipe designed to work with Z-Wave smart locks, an intruder could unlock your door from the outside using a voice command. This trick works only if you've done a poor job of configuring your smart lock in the first place, but the fact that it works speaks to the potential vulnerability of consumers who don't take some basic steps to secure their homes.
I tried my hand at this smart lock loophole at the CNET Smart Home with three well-known smart locks: the August Smart Lock Pro, the Kwikset Obsidian and Yale's Assure SL Touchscreen Deadbolt. Here's how it went.
How the smart lock hack works
Most voice commands for unlocking a smart lock require you to also verbally enter a PIN number. Locks that use the short-range wireless communication standard Z-Wave are an exception. Z-Wave is one of a few wireless technologies that smart home devices use to connect to hubs that connect to the internet, like the SmartThings hub we used in our tests.
In addition to Z-Wave compatibility, to replicate this hack you'll also need an account with IFTTT (If This, Then That), an online platform for creating custom commands and scenes with connected, smart devices. To set up the IFTTT command (known as a "recipe"), you'll need to connect the lock to your home's Z-Wave hub and sign in to your hub account through IFTTT. This links the two services and unlocks all your automating options.
IFTTT recipes aren't all bad. You can use these connecting automations to do things like send notifications or log actions in a spreadsheet when a certain user locks or unlocks the door. You can add lights and smart appliances to power on when you come home or turn off when you lock the door and leave.
IFTTT also lets you create custom applets, rules that tie smart home products together. You can create automations with hundreds of smart products that don't natively work together out of the box. That's what allows this PIN-less unlocking to work. For example, you can create a custom applet like, "If the temperature outside reaches 80 degrees, then adjust my Nest thermostat."
In my test scenario, the "If This" portion of the applet is a custom phrase for Google Assistant or Amazon Alexa. Unlocking a smart lock isn't possible with a HomePod for now. With Google Assistant, I created the custom command, "Unlock the front door." The "Then That" portion is the action. In this case, the action is unlocking. To set the action, I selected SmartThings, then the unlock command, then chose the appropriate smart lock from a drop-down menu of options. Hit save and you're all set.
It's not all green lights and go-aheads, though. There were a few check boxes I had to toggle and "I understand" pop-ups to accept before SmartThings could control unlocking the lock. Once I allowed control, everything worked like a charm. Again, this is all stuff you might do to connect the lock to an IFTTT command.
Saying, "OK, Google, unlock the front door" promptly unlocked each of the three locks I tested. I should point out that it's not quite as intuitive with Amazon Alexa when it comes to custom voice commands. You'll need to include the word "trigger" in your custom command. That makes it a bit harder for a would-be intruder to guess the right phrase. It would sound something like, "Alexa, trigger 'Unlock the front door.'" It's clunky, but it still works, and any hacker would be familiar with that phrasing.
What's the big deal?
Sure, not having to answer your smart speaker's follow-up question with a PIN every time you want to unlock the door is convenient, but it isn't safe. It opens your home up to anyone able to transmit a loud and clear command to catch the ear of your smart speaker. That can be done with an audio transducer from outside your home.
To put it simply, audio transducers take sound and transfer it into electrical or acoustic energy. The transducer uses its vibrations to turn a resonant surface like a home's wood door or glass window into a speaker, projecting the sound inside the home. Hold the transducer flush against a window, play a voice recording that says, "OK Google, unlock the front door," and walk right in.
Yes, it would take an observant intruder to make this work. It requires activating the particular voice assistant you use in your home, but is that so hard to guess? Many of us proudly display our shiny new smart speakers on our kitchen countertops or living-room shelves. That makes it easy to deduce which voice assistant is controlling your home. It also wouldn't be that time-consuming to simply try each one.
The intruder would also need to know what you've named your lock in the SmartThings platform. That might sound hard to guess, but chances are most of us name our locks something convenient yet incredibly obvious like "front door" or "door." Intruders could simply keep guessing until they got it right or ran out of battery power for the transducer.
What else is possible?
Unauthorized entry into your home is a major concern, but that's not the only way someone could use this exploit. Someone within earshot of the speaker using a transducer could also perform smart home commands like turning on your lights or even opening your smart shades.
When it comes to making voice purchases, there are real concerns here, too. While Google Assistant requires either voice recognition or a voice code to complete purchases, Alexa allows you to disable the voice code, and anyone within earshot can make a purchase. You'll get an email receipt and any physical purchases are eligible for return if an erroneous purchase occurs. Still, it's clear that the security of things like unlocking and purchasing via smart speaker is left up to the responsibility of the user.
What the manufacturers say
I reached out for comment to August, Kwikset, Yale, SmartThings and IFTTT. Each company responded and the message was more often than not a recognition that customers do have the option to get around a PIN, but should consider the dangers and even take responsibility for them. I heard phrases like, "The homeowner accepts the risks associated," and, "They can decide what level of caution they want to take." The team at IFTTT suggested customers make their custom command something very specific like, "OK, Google, unlock my door code six A nine G." Official company statements are copied below, but the gist is much the same across the board: Do this at your own risk.
August
At August, we prioritize always keeping the bad guys out, always letting the good guys in, and then convenience. For that reason, we strongly suggest that August Smart Lock users only use August integrations with voice assistants to unlock their doors as to avoid scenarios like the one you've outlined.
- Christopher Dow, CTO, August Home
Kwikset
At Kwikset, we put security first and we encourage our customers, homeowners and renters to make smart choices when it comes to home automation. It's important to educate yourself and consider the value you place on security and convenience when integrating your lock with other smart home products, systems, platforms and voice assistants.
Specific to IFTTT and the situation you've presented, homeowners can choose to enable unlocking without a PIN through a voice assistant for added convenience. This is an optional setting and while it does make for a more seamless interaction with the lock through a voice assistant -- by enabling the feature, the homeowner accepts the risks associated and makes a conscious decision to prioritize convenience over security. Ultimately, the homeowner does have control over their smart lock security and can avoid the particular situation that you outline by simply not enabling the "unlock without a PIN" IFTTT recipe.
Currently, many mainstream voice control devices and security platforms require a PIN to unlock with a voice assistant. Kwikset and other manufacturers of end-devices have asked others in the industry to prioritize this (requiring a PIN) for the safety and security of its customers. While it might seem faster to unlock the door without the PIN, there is an associated risk and Kwikset doesn't recommend jeopardizing your home's security to save a few seconds.
-Troy Brown, Principal Engineer, Electronic Systems for Kwikset
Yale
Yale works with partners like SmartThings and Amazon to implement recommended settings on our smart locks, such as Amazon Alexa requiring a voice code to unlock your Yale Lock, to help our customers avoid scenarios like the one you've outlined. However, the customer does have the ability to customize and adjust the settings for their smart lock and opt into other abilities -- that way they can decide what level of caution they want to take.
- Kevin Kraus, Director of Technology Integrations at Yale
SmartThings
SmartThings enables lock and unlock functionality as part of its standard API integration with third-party (Works With SmartThings) smart locks. Current Works With SmartThings integrations are:
- Amazon Alexa integration with SmartThings does support unlocking through Alexa's secure unlocking feature. The user has the option to enable functionality and/or set up a unique PIN code.
- Google Assistant integration with SmartThings does not support unlocking through Google Home's voice control.
While these smart abilities are available to the customer, it's up to them to enable them. SmartThings provides a platform to integrate third-party devices (Works With SmartThings products), and the manufacturer of these devices sets recommendations.
IFTTT
For anyone using IFTTT and voice assistants that would like an additional layer of security, we encourage you to adjust your Applet's unique phrase to include a PIN code or keyword of your choosing. For example, "OK, Google, unlock my door code six A nine G."
IFTTT is on a mission to help everyone protect and benefit from their information. As our industry continues to evolves, we are eager to work with every service on IFTTT to make their experiences more powerful and secure. For voice assistants to become as impactful in our lives as our smart phones, there are still big steps that need to be taken to secure every type of interaction with them. Voice recognition is a critical step in the right direction for assistants in the same way that finger prints and facial recognition were for smart phones.
Our guidance for people using voice enabled unlocking is to only leverage 'Works with the Google Assistant' direct action enabled smart home devices that have two-factor authentication (August locks for example). Specifically regarding IFTTT, that is something that would be completely set up by the user and they should recognize the risks associated with enabling that process. We suggest users be considerate when doing IFTTT linking and highly discourage users from using non-Google Assistant approved actions for unlocking and disarming features.
Amazon declined to comment.
The takeaway is this: For better or for worse, the onus is on you to take basic steps to keep your smart home devices secure. If you're going to use a voice assistant to unlock your doors, use a PIN every single time, no matter how annoying it is to have that extra step. The next time you think it's annoying to answer Google Assistant or Alexa, think about how annoying it would be to track down your stolen stuff.