Case study 2: the door
Several companies, such as Danalock or Lockitron, have recently started to offer smart-locks, which can go on top of traditional locks and enable them to be opened or closed remotely, through a smartphone application.
A major strength of smart-locks is that keys can be sent and revoked from one smartphone to another, using the Internet. In practice, this means that you can easily give a key to your house, or to a particular room in your house, to a specific person at a specific time. For instance, if some friends is visiting you for a few days, you can give them access to your house, even if you are not around, and then revoke their access once they have left. Since smart-locks use Bluetooth technology, it is also possible for them to open as soon as your smartphone is within a given distance of the lock, as offered by the Noke padlock.
Smart-locks can improve the security of your home by removing the need to make physical copies and distributing them, which can then be lost or stolen. A proper smart-lock will ensure that each user is granted access exactly when they need it, no less, no more. However, making these locks usable is far from trivial: how to define the right policy? And more importantly, how to ensure that the person using the smartphone is the legitimate user of that phone? For instance, if an attacker is able to remotely access your phone, are they also able to copy all your keys and access your home? Smart-locks therefore need to have a strong identification mechanism, i.e., a way to find out the identity of the user, and an even stronger authentication mechanism, i.e., a way of ensuring that this identity is the correct one.
© Newcastle University