SAN FRANCISCO—When Roger Pincombe was strolling the streets of SoMa near his apartment here last Tuesday, he saw something that would pique the interest only of somebody who had just spent too many hours navigating the esoteric nuances of an Internet-connected door lock: a lock identical to the one he’d just reset. Would the easily guessable default code he’d found in the lock’s manual work on this one?
A lead software engineer at financial-services company Capital One by day, and assistant manager at the Chinatown nonprofit Great Star Theater by night, Pincombe had just repaired the theater’s RemoteLock 6i when he spotted its twin on the door of an office building in SoMa.
Curious, he approached the door and confirmed that it was locked. He typed in the easily guessable four-digit local-user code he saw in the manual, and as if he’d just whispered “open sesame,” the lock released, and he was able to open the door.
“It took me by surprise that it actually opened, so in that split second, I was trying to think of something to say to whoever was about to be staring at me from inside,” Pincombe says. “When I realized there was no one inside, it occurred to me someone might mistake me for a burglar. It wasn’t until I was walking away that the wider implication dawned on me—that maybe most of these locks still have the default code enabled.”
Seconds later, Pincombe discovered that the CEO of the business Pincombe had entered, who requested anonymity because his company had been burglarized within the past year, had observed the entire incident as he was walking toward the office. “Surprised” when he saw Pincombe successfully unlock the door, he asked him what he was doing.
After Pincombe told him how he’d unlocked it and advised him to disable the default code, the CEO described Pincombe as “quite the Good Samaritan.”
“We owe him one,” the CEO told The Parallax.
The RemoteLock 6i (also known as the 6000i) is hardly a low-end Internet-connected lock. Selling at retail for $469 and integrating with Airbnb, it’s the latest premium consumer door lock model from LockState. The appeal isn’t hard to understand, either. If you have an Internet connection, you can grant anyone door access with a few taps on your phone from anywhere in the world.
The 6i is also no stranger to recent scrutiny. A software update on August 7 accidentally disabled at least 500 6i’s, a small percentage of the overall number sold, according to Nolan Mondrow, CEO of Denver-based LockState, which makes the lock. While the company says that four days later, 60 percent of the bricked locks had been re-enabled, that still left about 200 disabled locks.
In addition to baking in a default local-user code, each RemoteLock 6i comes with a far more powerful default programming code that can be used to disconnect the lock from Wi-Fi, manually add new codes, delete old ones, mute the keypad, and even factory-reset the lock. Pincombe describes the default programming code, an easily guessable string of eight digits, as an “admin override.”
At the time Pincombe opened the nearby business’ door, both default codes, similar to default Wi-Fi router passcodes, were changeable only through the lock’s Web browser interface, and accessible “only if you know what you’re looking for,” Pincombe said. Not even the RemoteLock mobile app could be used to fix that glaring hole in the lock’s security, he says, though Mondrow contests that’s an intentional design.
In the eight days since, Mondrow says LockState has taken long-planned steps to tighten the lock’s security. An update last week, after Pincombe’s experiment, deleted the default local-user code, and an update released last night, following repeated requests for contact by The Parallax, changed how the locks handle the default programming code.
The programming code is now randomized “less than a week” after lock activation, Mondrow says, if the user hasn’t manually changed it using the Web portal.
“There should be no default codes in the locks after the short grace period we give them to configure their locks,” he says. “It was on the road map, but it got accelerated because of all of this.”
Administration codes for accessing hardware devices are nothing new. They have been part of the intersection of electronics hardware and computers for decades. Hard-coded and default passwords allow consumers and manufacturers to repair broken devices, which can be especially useful if the device controls access to the user’s home or business. But not making clear to users whether, how, or when the default codes have been updated or deleted puts them at risk.
Internet-connected door lock usage is booming, according to an October 2016 report by Grand View Research. The firm projects a $24.2 billion smart-lock market by 2024, despite numerous hacking risks. But setting a default code that works across all units of a particular lock model is more like shooting yourself in the foot than getting attacked by an outside force, Internet of Things security expert Brian Knopf says.
Knopf, who for years worked to build and secure devices at Belkin, and now works on an IoT user identity product at Neustar, says using identical default user codes for all units of a specific smart-lock model is a “major issue.”
“There’s just no reason for it. This is a safety device,” Knopf says. The grace period, not mentioned in any RemoteLock documentation as of yet, creates a window during which somebody with either the default local-access code or the default programming code could open a RemoteLock. And while the RemoteLock manual explains how to change the default codes, nowhere does it explicitly advise users to do so.
Knopf, who has outfitted his home with “hundreds” of IoT devices, from door locks to lightbulbs, recommends that lock manufacturers follow the example of Schlage, which for its Connect smart lock provides each lock model with a different master code and two local-access codes. Importantly, he says, it doesn’t reuse codes.
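The three provisioning policies this article contrasts (a factory code shared by every unit, LockState's updated behavior of deleting the default local code and randomizing an untouched programming code after a grace period, and per-unit unique codes of the kind Knopf credits Schlage with) can be modeled as a small state machine. The following is an added example written for this page, not LockState's or Schlage's firmware; the code values, the seven-day grace period, the policy names and the `exposure` audit metric are all constructed assumptions. The point it demonstrates is the one Knopf makes: under a shared default, one guessable code opens the whole fleet until every owner acts, a grace period only shrinks that window, and per-unit codes close it at the factory.

```python
"""Model of three default-code provisioning policies for a keypad door lock.

Constructed example for illustration: codes, policy names and the grace
period are placeholders, not values from any real lock.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional

FACTORY_LOCAL_CODE = "1234"            # placeholder, not the real default
FACTORY_PROGRAMMING_CODE = "12345678"  # placeholder, not the real default
GRACE_PERIOD_DAYS = 7                  # "less than a week"; assumed exact value


def random_code(length: int) -> str:
    """Cryptographically random numeric code that is never the factory value."""
    while True:
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        if code not in (FACTORY_LOCAL_CODE, FACTORY_PROGRAMMING_CODE):
            return code


@dataclass
class Lock:
    serial: str
    policy: str            # "shared_default" | "grace_period" | "per_unit_unique"
    activated_day: int
    local_code: Optional[str] = FACTORY_LOCAL_CODE
    programming_code: str = FACTORY_PROGRAMMING_CODE
    user_changed_programming: bool = False

    def __post_init__(self) -> None:
        if self.policy == "per_unit_unique":
            # Unique codes burned in at manufacture: the factory value never works.
            self.local_code = random_code(4)
            self.programming_code = random_code(8)
        elif self.policy == "grace_period":
            # Models the update that deleted the default local-user code outright.
            self.local_code = None

    def set_programming_code(self, new_code: str) -> None:
        """What an owner does through the lock's Web portal."""
        self.programming_code = new_code
        self.user_changed_programming = True

    def housekeeping(self, today: int) -> None:
        """Firmware task: rotate an untouched factory programming code once the
        grace period has elapsed (grace_period policy only)."""
        if (self.policy == "grace_period"
                and not self.user_changed_programming
                and self.programming_code == FACTORY_PROGRAMMING_CODE
                and today - self.activated_day >= GRACE_PERIOD_DAYS):
            self.programming_code = random_code(8)

    def accepts(self, code: str, today: int) -> bool:
        """Would the keypad release the lock for this code on this day?"""
        self.housekeeping(today)
        return code == self.local_code or code == self.programming_code


def make_fleet(n: int, policy: str, activated_day: int = 0) -> List[Lock]:
    """Build n locks provisioned under the same policy on the same day."""
    return [Lock(serial=f"LOCK-{i:04d}", policy=policy, activated_day=activated_day)
            for i in range(n)]


def exposure(fleet: List[Lock], code: str, today: int) -> int:
    """Owner-side audit metric: how many units a single known code still opens."""
    return sum(1 for lock in fleet if lock.accepts(code, today))


if __name__ == "__main__":
    for policy in ("shared_default", "grace_period", "per_unit_unique"):
        fleet = make_fleet(10, policy)
        print(policy,
              "day 1:", exposure(fleet, FACTORY_PROGRAMMING_CODE, 1),
              "day 30:", exposure(fleet, FACTORY_PROGRAMMING_CODE, 30))
```

Running the module prints, for each policy, how many of ten locks the factory programming code still opens on day 1 and on day 30. The shared-default fleet stays fully exposed, the grace-period fleet is exposed for the first week and then closed, and the per-unit fleet is never exposed, which is the property a fleet operator should verify for any lock model before deployment. An owner who sets their own programming code through `set_programming_code` keeps that code under every policy; the rotation only touches codes nobody changed.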
Mondrow says that although the company takes user feedback seriously, LockState has no plans to adopt different master codes for each lock it makes.
“Of course, our customers are our top priority,” he says. “You can’t foresee everything, but we try to react quickly.”
For Pincombe, and perhaps other RemoteLock users, it may not be quickly enough.
“If anything, this whole ordeal has reaffirmed my belief that you should never trust the manufacturer defaults, and always look through all the extended options, especially for something with security implications like a door lock,” Pincombe says. “But of course, in the real world that doesn’t end up happening, so you end up with security holes like this.”
Disclosure: The author is a financial supporter (and regular patron) of the Great Star Theater.