Smart locks promise the security of a traditional lock without the need to carry around a key. Most can be unlocked with a mobile app or an RFID-equipped card you can store in your wallet. Unfortunately, they're also pretty easy to hack open. The office of New York's attorney general, Eric T. Schneiderman, announced a settlement today with one such smart lock manufacturer. Utah-based Safetech Products has agreed to encrypt all of its smart lock passwords, electronic keys and other credentials within its locks, prompt users to change the default password upon initial setup and establish a more comprehensive security program.
Safetech makes both padlocks and door locks, each available on Amazon. According to the New York AG's office, independent security researchers found that the company's locks did not secure passwords or other security information in its locks, which left customers open to hacking and theft.
"Companies employing new technologies must implement and promote good security practices and ensure that their products are secure, including through the use of encryption," Schneiderman said in a statement. "Together, with the help of companies like Safetech, we can safeguard against breaches and illegal intrusions on our private data."
While this may be the first time an attorney general has taken legal action against a smart lock company like this, it won't likely be the last. Kwikset was sued recently for its Smart key lock's alleged culpability in the rape and murder of a young woman in Florida by the building security guard. While not a true smart lock, the lock in question has a programmable cylinder that can be made to work with any key, which can be used to give temporary access to anyone. It's also easily broken into with a screwdriver and a paper clip.
As we all turn to smart devices and the Internet of Things in our lives, it becomes even more important to make sure we're being protected from both hackers and ourselves. The settlement with Safetech could be the first big step towards companies building better security into their smart devices.
The devices in our homes are increasingly connected to the internet—posing new privacy & security risks to consumers. We're taking action.
— Eric Schneiderman (@AGSchneiderman) May 23, 2017