I'd love to know what products you are using.
Otherwise zigbee and z-wave products mostly work completely offline.
Some Xiaomi products (you need to be careful, as not all work offline) work offline and can be connected to local servers.
For shutters I use products by Rademacher. It's yet another base station (by now I have 4...), but they can be connected over http locally.
It runs entirely locally.
Been looking for that for a while but no way I ever trust a cloud connected one and everything passable connects to cloud.
Well, physical locks are not necessarily harder to pick than electronic locks. Buy yourself a lock pick set, practice a bit and be amazed how many locks you can pick.
Any monkey can buy lock picks and pick a door lock. It's not hard. Generally if you buy a decent rake, it'll open most locks quickly. It's arguably much more work to hack the _smart_ side of a lock than it is to just pick the _dumb_ part.
The caveat here is that smart locks are often "picked" en masse - once you break one in a lab, you can immediately and silently do the same to the rest globally. This is similar to software hacking.
The guidance here should be to only purchase smart locks from vendors that you can trust to patch zero-days quickly. How you qualify a vendor as such is a mystery - I don't know that there's been enough zero days on smart locks to verify.
Most B&E’s aren’t exactly executed by master thieves; they aren’t single pin picking your locks.
When selecting a door lock or a pad lock you should care only that it can be raked or bypassed, for bike locks you should also care that it can’t be easily cut.
For the most part your door is likely going to be the weakest link as most people don’t have reinforced doors and door frames.
LPL's real good videos are his physical attacks. Whether it's twisting, core pulling, or breaking out the Ramset, all are more likely than a criminal trying to SPP a lock.
There's a difference between using a lock that requires an expert to pick, vs a smart lock that requires an expert to write an app that anyone can use to hack the lock.
I get why people are hard on smart locks, but I really don't see them as any more insecure than regular locks.
For example, here[1] is a "keyless bluetooth padlock" that can be opened trivially by rapping the locking pawl with any hammer-like tool ("rock"). (It also has far too much clearance around the shackle, so it can also be opened with a simple shim, e.g. a small cutout from a cola can.) Another common problem is locks that don't seal their electronics securely, so they can be attacked by simply unscrewing a panel, ripping out the electronics, and touching the battery wires to the locking pawl's actuator.
However, that type of problem is simply poor design. In theory, in the future better designs could be made that include protections against well-known attack methods, similar to what is already included in many "regular" locks.
A fundamental concern with locks that depend on radio (or worse, the internet) is what the lock does when the radio/internet communication fails (for any reason). Does the lock fail-open, or fail-closed[2]? Did the lock even address this important question? Does the lock open if someone unplugs the router? Or does it trap people behind the lock if a fire destroys the cable/DSL modem? Physical locks also have failure-mode concerns, but they tend to be limited to something happening locally. With "smart" devices, you are adding remote resources (like the internet router in another room, or remote servers, etc) as a critical component of the lock's security. That is a terrible idea if that remote resource is intrinsically outside your control.
[1] https://www.youtube.com/watch?v=vIbXC5LR8aQ
[2] https://en.wikipedia.org/wiki/Fail-safe#Fail_safe_and_fail_s...
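To make the fail-open/fail-closed question above concrete, here is an added illustration (not from the thread and not any real lock's firmware) contrasting a hypothetical cloud-authorised lock that fails open when the link drops with one that keeps a time-bounded local cache, fails closed once that cache is stale, and never makes egress depend on the network. The entry codes, TTL and timestamps are constructed for the scenario.

```python
from dataclasses import dataclass, field
from enum import Enum

class Link(Enum):
    UP = "up"
    DOWN = "down"

@dataclass
class NaiveLock:
    """Cloud-authorised lock that fails OPEN when the server is unreachable."""
    server_codes: set
    def may_enter(self, code: str, now: float, link: Link) -> bool:
        if link is Link.DOWN:
            return True  # unplugging the router opens the door
        return code in self.server_codes

@dataclass
class CachedLock:
    """Cloud-authorised lock with a time-bounded local cache: entry fails CLOSED
    once the cache is stale; egress never depends on the link at all."""
    server_codes: set
    cache_ttl: float = 24 * 3600
    _cache: dict = field(default_factory=dict)  # code -> expiry timestamp
    def may_enter(self, code: str, now: float, link: Link) -> bool:
        if link is Link.UP:
            # refresh the local cache while the server is reachable
            self._cache = {c: now + self.cache_ttl for c in self.server_codes}
            return code in self.server_codes
        # link down: honour only recently synced codes, never fail open
        expiry = self._cache.get(code)
        return expiry is not None and now < expiry

    @staticmethod
    def may_exit() -> bool:
        return True  # leaving from inside is mechanical, so it always works

def scenario() -> dict:
    """Constructed scenario: resident code 1234, router unplugged at t=0."""
    codes = {"1234"}
    naive, cached = NaiveLock(codes), CachedLock(codes)
    for lock in (naive, cached):
        lock.may_enter("1234", now=-1, link=Link.UP)  # last successful sync
    return {
        "naive_unknown_offline": naive.may_enter("0000", 0, Link.DOWN),
        "cached_unknown_offline": cached.may_enter("0000", 0, Link.DOWN),
        "cached_resident_offline": cached.may_enter("1234", 0, Link.DOWN),
        "cached_resident_stale": cached.may_enter("1234", 2 * 24 * 3600, Link.DOWN),
        "exit_offline": cached.may_exit(),
    }
```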
If there's a fire or medical emergency (heart attack, allergic reaction/anaphylactic shock etc) - you generally don't want it to be too hard to break in...
The article says don't buy a smart-lock, but the convenience of having one-time access codes, scheduled access, delivery access, and linked to a security camera make the downsides (increased attack vectors) something I'm willing to live with.
Inside most modern car keyfobs there is an "emergency" physical key...or should be (recently saw one where the space was empty as the dealer had failed to include it). It's not marked or obvious from the outside of most I have seen and some prying in some innocuous looking seam will be needed. One of those things that seems obvious once you know it but you may not have run across.
On some of mine, the physical key is also the pry-tool used to open the body of the fob for battery changing. :)
On my Toyota, this mechanical key can be used to lock the doors while the engine is running (pitstop mode), which is otherwise not possible. On my friend's Mercedes, it does not respond to the mechanical key (wait, what?) while the engine is running.
”(v) Account Sign-In: If your app doesn’t include significant account-based features, let people use it without a log-in.”
I just program a few extra codes into the lock ahead of time, and if I need to let someone in in an emergency, I just give them one of my burner codes and delete it when I get home.
I don't really need a log of every entry because the camera pointed at my door already gives me one of those. :)
Scalability. Once you know how to pick one, you can pick them all quickly and remotely. Kicking down a door or picking a physical lock takes time and effort and exposes you to scrutiny while doing it.
I enjoyed this youtube video of another smart (fingerprint?) lock being broken due to a digital reset. It has a plastic panel on the front where the fingerprint reader is. If you remove the panel with a razor blade (it's just attached with glue), it even has a reset button exposed which resets the fingerprint. https://www.youtube.com/watch?v=uVvEkcN5tW8
OTOH it appears the problem is entirely server side, and could be patched/mitigated by the provider?
It still seems possible that the lock is secure-ish. It might conceivably have some form of anchored trust (pinned cert?) to communicate with the server - and a secure/better rekey flow could maybe be implemented?
Still sounds crazy to delegate authorization entirely to the cloud (I'm guessing you can open the lock without internet, but not re-key).
I'm not even crazy about "find my phone"-services - and that's considering the vendor typically owns the hw, the kernel and can push updates (ie: all bets are off anyway).
[1] I'm also curious about the "lock code" field in the data - does the service advertise the pin if you give the correct serial/hw ID of the lock? Or something else?