The Internet of Things never fails to amaze me. And make us think outside of the box.
As the British publication The Register said, your smart lock may be knackered. Google says that knacker means damage severely and I think they are right.
Here is the story.
For AirBnB hosts, one security challenge they have is how do they get keys to their one night renters in a secure manner and how do they stop those renters from making a copy of the key to rob the place later.
There is an answer. AirBnB has actually partnered with a company that makes smart locks (hence the Internet of Things tie in). These smart locks have a keypad on the front so that you can set a code, if you want, 5 minutes before your overnight guest arrives and tell them what it is and when they leave, you can change it.
Ignoring for the moment all the security holes in many of these smart locks, in concept it makes perfect sense.
So much sense that AirBnB recommends these $469 locks (and, maybe, gets a cut of the action; I don’t know).
For AIrBnB homeowners, this makes their life easier. The lock connects to WiFi which allows you to reset the code remotely, which is convenient for the owner.
It also allows for the manufacturer to download new firmware automatically (because, after all, one of the things that is not high on your priority list is patching your door. Err, door lock).
Again, in concept, I think this automatic patching is THE WAY TO GO. People are, in general, horrible about patching software. Whether we are talking about their computer or their phone, they just don’t do it. So when it comes to the Internet of Things – your dishwasher, refrigerator or front door, it is pretty unlikely that you are going to patch it with any regularity, so automatic patching is good.
EXCEPT … when the manufacturer screws it up.
In this case Lockstate, who makes this formerly smart and now knackered lock, sent the wrong firmware update to some of their locks. In this case they claim it was only 500 locks, but it certainly makes a point when you are standing on the front step of this home that you rented for hundreds of dollars a night and you can’t get in.
Apparently, they sent the firmware for their 7000i model lock to some of their 6000i model locks and, not surprisingly, it knackered the lock (I like that word).
Lockstate sent an email to the owners of these formerly smart locks and told them that they had two choices.
Option 1 was to take the back of the lock off (where I assume the smart part is) and send it back to the factory and they would either replace it or put the right software in it, making it UNknackered. This option, they say, would take 5-7 business days.
Option 2 was for the homeowner to ask Lockstate to send you a new lock and then, once you get it, send them back the old lock. This will take them 14-18 days to ship.
In the mean time, you get to camp out on your front doorstep, I guess.
For AirBnB home owners who may have new guests every night, this could be a problem. Especially if the owner does not live in the same town in which the home is located.
Ultimately, the AirBnB home owners (and, apparently, they are the only ones affected because this lock was made specifically for AirBnB), will deal with it and in a week or three they will all be laughing about it.
Now to circle around to the title of the post.
As we integrate more so-called smart devices into our lives, we are going to have to create disaster recovery plans and business continuity plans for what happens when these smart devices are not so smart.
For example, let’s assume this was your house and not a rental. The lock does have a physical key, but since you go in and out all the time using the buttons on the front (or maybe, with different locks, your smart phone), the key is in a junk drawer somewhere inside the house. And you are standing on the front step. What do you do? What is your disaster recovery plan? How do you get in and out of your house until you can get your lock repaired or replaced?
How long are you willing to be locked out of your house?
Of course, this is only a placeholder for the 20 billion smart Internet of Things devices that we, supposedly, will be using in the next few years.
What happens if they update the software in all of your smart light bulbs and they won’t turn on any more? Or, maybe, they won’t turn off. What if a hacker updates your light bulbs and each one of them starts calling 911 continuously (a variant of this actually happened already, so don’t call it far fetched)?
These are maybe simplistic things, but it can get more real. Your smart car has millions of lines of software in it and it also can update itself. The possibilities of what an errant or malicious update might do are endless.
Right now we don’t even know what these 20 billion smart devices that we are going to be using ARE, never mind how to deal with all of the potential failure modes.
I can see it now. You buy your smart light bulb and you open the manual. In it, in addition to the 40 safety warnings in the manual, is included, at no extra charge, a 20 page disaster recovery plan for dealing with all of the possible disasters that could happen to you and this light bulb.
The possibilities boggle the mind.
Lets assume that, in a few years, you might have a hundred smart devices in your home or apartment. Along with, of course, a hundred disaster recovery plans. OMG!
Unfortunately, since cost is the driver in IoT devices, the manufacturers will not put in manual controls to be used in case of emergency, And, if current IoT security is any harbinger of the future, we know security will be terrible.
So here is one scenario. A hacker or nation state actor decides to wreak havoc and hacks into some major vendor’s IoT devices and knackers them. Maybe, all of the smart light bulbs in the country turn off. And won’t turn on.
OK everybody, Where is your light bulb disaster recovery manual? Have you practiced your light bulb disaster recovery plan? Have you implemented your light bulb business continuity plan?
While I am doing this partly tongue in cheek, maybe it isn’t as far fetched as we would like to think.
As hundreds of AirBnB home owners discovered recently, it isn’t that far fetched.
By the way, Lockstate says that they have fixed 60 percent of the dead locks. I guess the other 40 percent of the home owners are still standing on their front porch.
Information for this post came from The Register.