Naked Security

Siri opens “smart” lock to let neighbor walk into a locked house

"Thanks, Siri," said the guy who spent thousands on smart lightbulbs, temperature-sensing thermostats and a Bluetooth-controlled door lock.

Apple’s HomeKit security has been foiled by a recently discovered security hole: it listens to Siri if you ask it to open the front door.

A 31-year-old Missouri man by the name of Marcus (he asked Forbes not to use his last name) last week posted the tale on Reddit.

As he told Forbes, a month ago, Marcus decided to set up his place as a smart home, all based on the Apple HomeKit smart-home gadget ecosystem.

He spent thousands. He bought 30 Philips Hue LED light bulbs: those bulbs you can turn on via your phone. Marcus also got himself two Ecobee Wi-Fi thermostats with eight remote temperature sensors scattered throughout the house.

To cap it all off and keep that pricey stuff safe, Marcus bought himself an August Smart Lock: a Bluetooth-enabled lock that recognizes your mobile phone when you approach and unlocks the door.

Apple HomeKit is a proprietary communication standard for controlling these types of third-party smart home devices via iOS and its intelligent voice assistant, Siri.

As a hub to control all those internet-enabled gadgets, Marcus set up an iOS device: namely, his iPad Pro, which he put in the living room.

Of course, he showed it all off to his neighbor – a “cool techy guy like myself,” Marcus says.

All was going great. His bulbs brightened gradually when he woke up, and the door unlocked when he approached: no fumbling for keys.

I work long, 10-hour days. Having things automated lets me sleep better. For the month I’ve been using this stuff, I love it.

Yes, all was just ducky… until last week’s incident with the floured chicken wings.

Here’s what happened, Marcus says:

I’m pulling out of my driveway and [my neighbor] runs up and asks to borrow some flour to fry wings for an office wing party/contest; dope.

So I put the car in park to go back inside and he’s like “I’ll let myself in.” I’m stunned, like what the f*ck. Dude walks up to my front door and shouts, “HEY SIRI, UNLOCK THE FRONT DOOR.” She unlocked the front door.

What happened was that the neighbor’s shout carried through to Marcus’s iPad in the living room, and Siri, with no passcode standing in the way, unlocked the door.

Marcus’s post went viral. Even Apple responded, saying that it recommends that all users enable passcode authentication on their devices.

Bit of a problem, that, if the whole point of a hub is to make it so you don’t have to unpeel yourself from the couch to fiddle with gadgets, right?

I’m using the iPad the way it was marketed. It’s not, ‘Hey Siri,’ and then go up and enter a PIN.

As it was, Marcus had set up his iPad Pro to be a central, voice-controlled hub for the whole smart home. He put the iPad in the living room so he could control the smart lock via Bluetooth.

Forbes likened his use to that of Amazon Echo, the voice-activated intelligent assistant.

But here’s the difference: Amazon must have foreseen the problem of linking security systems with voice activation. You can lock a door with Alexa, and you can check whether it’s locked or not, but you can’t unlock it.

This isn’t the smart lock’s fault. It never should have been hooked up to a voice-activated assistant (that was apparently close to a window!) to begin with.
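The Alexa behaviour described above amounts to a simple policy: voice commands that raise or preserve the home’s security state (lock, “is it locked?”) can be taken on anyone’s say-so, while commands that lower it (unlock) require the hub to know who is asking. The following is an added example, not code from Apple, Amazon, August or the article, that models that policy in a small voice-command dispatcher; the phrase parsing, the `authenticated` flag and the `DoorLock` object are hypothetical stand-ins for a real hub’s speech recognition, authentication state and lock API.

```python
"""Voice-command authorisation with asymmetric privileges (hypothetical example).

Locking and status queries may be triggered by any recognised voice command;
unlocking is only honoured when the hub has an authenticated requester
(passcode entered, paired phone present, and so on). A shout through a window
is, by definition, unauthenticated.
"""

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Action(Enum):
    LOCK = "lock"
    UNLOCK = "unlock"
    STATUS = "status"


# Security-neutral or security-raising actions: allowed without authentication.
# Anything not in this set (here, UNLOCK) needs an authenticated requester.
UNAUTHENTICATED_OK = {Action.LOCK, Action.STATUS}


@dataclass
class VoiceRequest:
    phrase: str            # transcribed speech, e.g. "hey siri, unlock the front door"
    authenticated: bool    # True only if the hub verified who is speaking


@dataclass
class DoorLock:
    locked: bool = True
    audit: List[str] = field(default_factory=list)   # constructed audit trail


def parse_phrase(phrase: str) -> Optional[Action]:
    """Map a transcribed phrase to an action (toy keyword matching, assumed).

    Order matters: 'unlock' and 'locked' both contain 'lock', so they are
    tested first.
    """
    text = phrase.lower()
    if "unlock" in text:
        return Action.UNLOCK
    if "locked" in text:          # "is the front door locked?"
        return Action.STATUS
    if "lock" in text:
        return Action.LOCK
    return None


def handle(request: VoiceRequest, lock: DoorLock) -> str:
    """Apply the policy and return a human-readable result for the assistant."""
    action = parse_phrase(request.phrase)
    if action is None:
        return "ignored: no lock command recognised"

    # The article's failure mode: a stranger asking to unlock. Deny unless the
    # hub actually knows who is asking.
    if action not in UNAUTHENTICATED_OK and not request.authenticated:
        lock.audit.append(f"DENIED {action.value}: unauthenticated request")
        return "denied: unlock requires authentication"

    if action is Action.LOCK:
        lock.locked = True
        lock.audit.append("locked")
        return "locked"
    if action is Action.UNLOCK:
        lock.locked = False
        lock.audit.append("unlocked (authenticated)")
        return "unlocked"
    return "locked" if lock.locked else "unlocked"   # STATUS query


if __name__ == "__main__":
    front_door = DoorLock()
    # Constructed sample requests, including the neighbour's shout.
    for req in (
        VoiceRequest("HEY SIRI, UNLOCK THE FRONT DOOR", authenticated=False),
        VoiceRequest("Hey Siri, is the front door locked?", authenticated=False),
        VoiceRequest("Hey Siri, unlock the front door", authenticated=True),
        VoiceRequest("Hey Siri, lock the front door", authenticated=False),
    ):
        print(f"{req.phrase!r} -> {handle(req, front_door)}")
```

The point of the split is that the cheap path stays cheap: nobody has to fetch a PIN to lock up or ask whether the door is shut, and only the one action that lets someone in demands proof of who is asking.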

Marcus isn’t turning on his iPad’s passcode, in spite of Apple’s recommendation. Rather, he reluctantly removed the August Smart Lock.

So his home’s a little less smart and a bit more secure, and now he has to figure out some old-fashioned way to let the dog walker in while he’s away.

Does that mean a key? Maybe tucked under a mat or hidden in a plastic rock?

How retro!

While Marcus figures out the dog walker dilemma, it’s worthwhile to note that the makers of smart things haven’t always been smart about security.

It doesn’t have to be that way!

Here are 7 tips from Sophos’s Chester Wisniewski on how we can better secure the Internet of Things (IoT).

11 Comments

Could he not have kept the smart lock but removed it from the voice commands, since it would recognise his mobile phone via Bluetooth?

Agreed. It would depend on how the lock works, but keeping the phones (Marcus and his dog walker’s) paired while unpairing the iPad seems a pretty good balance between convenient entry and keeping one’s own flour to oneself.

…of course he might merely have *told* Forbes he uninstalled the lock to preempt wardriving of a different sort.

Am I missing something here or is this nothing more than the digital equivalent of leaving the key under the doormat or writing your PIN on the signature strip on the back of your bank card? (My bogosity meter started beeping early on in this whole story.)

Lots of stuff gets created in the name of nifty (albeit as well of more noble advancement) without foreseeing alternate methods of abuse. Though it’s now quite apparent they should have thought of this–I wholeheartedly agree–it’s unsurprising they didn’t think to test it 15 feet through a closed window. They were busy passing excited high fives when the lab tricks they planned…worked.

A couple slightly wider examples:
– GoDaddy’s website is lame when you have a handful of domains, but it becomes a huge cluster of garbage with a few hundred domains–I can only imagine the logarithmic frustration with thousands.
– A student repurposed the Wiimote to greatly enhance virtual 3D and digital whiteboards.

Beta testing in all fields is limited by implicit parameters hinging on the intended use. That’s why public bug bounties are doing so well. Forest for the trees.

Sometimes going ‘Smart’ isn’t all that smart.
Ask some infosec guys if they would put a ‘smart’ lock on their houses. I suspect you won’t get an answer so much as a look of disgust.
It’s actually becoming hard to get away from all this ‘smart’ connected stuff if you don’t want it especially in cars.

He could just password protect his iPad. It requires you unlock it before any doors can be unlocked.
