Siri opens “smart” lock to let neighbor walk into a locked house

Apple’s HomeKit security has been foiled by a recently discovered security hole: it listens to Siri if you ask it to open the front door.

A 31-year-old Missouri man by the name of Marcus (he asked Forbes not to use his last name) last week posted the tale on Reddit.

As he told Forbes, a month ago, Marcus decided to set up his place as a smart home, all based on the Apple HomeKit smart-home gadget ecosystem.

He spent thousands. He bought 30 Philips Hue LED light bulbs: those bulbs you can turn on via your phone. Marcus also got himself two Ecobee Wi-Fi thermostats with eight remote temperature sensors scattered throughout the house.

To cap it all off and keep that pricey stuff safe, Marcus bought himself an August Smart Lock: a Bluetooth-enabled lock that recognizes your mobile phone when you approach and unlocks the door.

Apple HomeKit is a proprietary communication standard for controlling these types of third-party smart home devices via iOS and its intelligent voice assistant, Siri.

As a hub to control all those internet-enabled gadgets, Marcus set up an iOS device: namely, his iPad Pro, which he put in the living room.

Of course, he showed it all off to his neighbor – a “cool techy guy like myself,” Marcus says.

All was going great. His bulbs brightened gradually when he woke up, and the door unlocked when he approached: no fumbling for keys.

I work long, 10-hour days. Having things automated lets me sleep better. For the month I’ve been using this stuff, I love it.

Yes, all was just ducky. .. until last week’s incident with the floured chicken wings.

Here’s what happened, Marcus says:

I’m pulling out of my driveway and [my neighbor] runs up and asks to borrow some flour to fry wings for an office wing party/contest; dope.

So I put the car in park to go back inside and he’s like “I’ll let myself in.” I’m stunned, like what the f*ck. Dude walks up to my front door and shouts, “HEY SIRI, UNLOCK THE FRONT DOOR.” She unlocked the front door.

What happened was that the neighbor was actually able to shout to Marcus’s iPad in the living room in order to get Siri to unlock the door.

Marcus’s post went viral. Even Apple responded, saying that it recommends that all users enable passcode authentication on their devices.

Bit of a problem, that, if the whole point of a hub is to make it so you don’t have to unpeel yourself from the couch to fiddle with gadgets, right?

I’m using the iPad the way it was marketed. It’s not, ‘Hey Siri,” and then go up and enter a PIN.

As it was, Marcus had set up his iPad Pro to be a central, voice-controlled hub for the whole smart home. He put the iPad in the living room so he could control the smart lock via Bluetooth.

Forbes likened his use to that of Amazon Echo, the voice-activated intelligent assistant.

But here’s the difference: Amazon must have foreseen the problem of linking security systems with voice activation. You can lock a door with Alexa, and you can check whether it’s locked or not, but you can’t unlock it.

This isn’t the smart lock’s fault. It never should have been hooked up to a voice-activated assistant (that was apparently close to a window!) to begin with.

Marcus isn’t turning on his iPad’s passcode, in spite of Apple’s recommendation. Rather, he reluctantly removed the August Smart Lock.

So his home’s a little less smart and a bit more secure, and now he has to figure out some old-fashioned way to let the dog walker in while he’s away.

Does that mean a key? Maybe tucked under a mat or hidden in a plastic rock?

How retro!

While Marcus figures out the dog walker dilemma, it’s worthwhile to note that the makers of smart things haven’t always been smart about security.

It doesn’t have to be that way!

Here are 7 tips from Sophos’s Chester Wisniewski on how we can better secure the Internet of Things (IoT).