Why buying a “smart” padlock is a bad idea

May 6, 2019

Recently I’ve been binge-watching the LockPickingLawyer channel on YouTube. There’s a whole lot to learn from these videos, especially if you were never into the lock-picking business. But one particular thing made a big impression: how badly “smart” padlocks perform when it comes to physical security.

Disclaimer: I think it would be excessive to use ironic quotation marks throughout this text, so I’m not gonna do it. Just keep in mind that every time I use the word smart, I’m using mental air quotes — “smart.” And for that matter, lock might as well be “lock.”

Let’s start with the eGeeTouch smart luggage lock, which is supposed to be unlocked with either a smartphone app or an NFC (near-field communication) tag. Never mind that a TSA master key that anyone can print on a 3D printer can open every baggage lock, thus rendering all baggage locks useless. This little padlock makes it even worse. It is so badly designed that it can be fully disassembled and easily opened with nothing more than a pocket knife — even a plastic card might do.

The same goes for this Pavlit fingerprint padlock. Remove the plastic front panel with either a screwdriver or a pocket knife and you will see the switch that unlocks the shackle. By the way, this padlock has one more critical vulnerability — it is susceptible to shimming.

Another example: the TurboLock TL-400KBL bicycle smart lock. This padlock is designed to be opened either by a smartphone app connected by Bluetooth, or by entering a PIN with a keypad. Even if you’re no physical security expert, you can spot this padlock’s weakness: It’s made of plastic and presumably isn’t hard to break or even burn. But such destructive actions won’t be necessary in this case, because the padlock can be conveniently disassembled with a screwdriver. It’s as easy as taking apart a plastic toy.

Let’s take a look at the Uervoton fingerprint padlock. It has a metal body that looks pretty solid. No way can it be opened with a pocket knife or a screwdriver, right? Unfortunately, the design is terrible: a bunch of screws on the lock’s surface are easy to unscrew. After that, the lock literally falls apart.

Finally, we have the BoxLock, probably the most reasonable example of a smart lock. This padlock works with barcodes. You can program it to be opened with a barcode printed on a delivery package. At first glance, this padlock looks quite beefy, but it’s not nearly as tough as it seems. It can be disassembled with a screwdriver even while locked.

There’re many other reviews of smart locks on the LockPickingLawyer channel. But almost all of them have the very same issue: they are designed as consumer electronic devices, and that design makes them vulnerable to the easiest of physical attacks.

Conventional locks have a completely different design. First of all, their bodies are always made from one solid piece of metal. Second, the screws are usually hidden and there’s always at least one screw that can be accessed only when the shackle is unlocked. Third, to be resistant to shackle shimming, good padlocks employ ball bearings in the unlocking mechanism. There’s a lot more, of course, but those are the basics, and even inexpensive padlocks follow the rules. This Yale padlock is a good example:

Unfortunately, smart lock manufacturers seem to be unaware of these design features and leave their customers vulnerable to the easiest attacks. So think twice before buying a smart padlock — it’s very likely you will be paying much more and getting much less security in return. And you probably do want your lock to be secure; why else would you be buying one?