Making sense of lock security
How does CNET test deadbolts? How secure is secure enough? And what about new smart features?
- 10 years product testing experience with the CNET Home team
If I asked you what type of deadbolt you have on your front door, would you know the answer? Kwikset? Yale? Schlage? Maybe you know the manufacturer off the top of your head, but do you know the specific model? How about ratings -- do you know how much force your lock is capable of withstanding?
If you answered no to any of these questions, you're not alone. Despite the fact that we use our locks more than just about any other piece of household hardware and depend upon them to protect our homes from intruders and theft, we rarely pay much attention to them. For most people, a deadbolt is just a deadbolt. Unless you've built or renovated your own home, the chances are good that the lock in your front door is the same one that was there before you moved in. If the door locks when you turn the key one way and unlocks when you turn it the other, you're more than likely satisfied.
But should you be? Many will contend that all locks are not created equal, that some are less secure than others. Give Google or YouTube a quick scan, and you'll find countless means of bypassing common locks, from lock picking to lock bumping to forced entry and everything in between. Some of these methods are even specific to particular deadbolt brands and models.
The case of the Kevo
This was what we found when I recently reviewed the
At this point, the question was: Does it matter? After all, locks only keep honest people out. If someone is truly determined to break into your home, it almost certainly won't be your deadbolt that stops them, no matter the brand or model. Still, after much discussion, including conversations with security experts, professional locksmiths, and the team at Kwikset, we decided that, in our view, it was important for consumers to be aware of this vulnerability before purchasing a Kevo for their home, and we updated the review accordingly.
This isn't to say that this disqualified the Kevo in our eyes. The SmartKey deadbolt can be safely and easily rekeyed by its owner, and it offers strong protection against lock picking and lock bumping, two vulnerabilities that plague many common residential locks. It deserves credit for that. I know that I'd sleep fine at night with a Kevo in my front door -- but if someone else wanted more peace of mind from their lock than the Kevo offered, I couldn't blame them. The point is that consumers have a right to know the facts, then decide for themselves how much security is secure enough.
Moving forward
The interesting thing about this experience was that it led the team here at CNET Appliances to come to a better understanding of how we need to test and evaluate lock security, and in the interest of transparency (and with several more smart locks likely to be reviewed in the near future), here's where we stand.
First, we understand that just about every lock is susceptible to some kind of covert or forced entry. It isn't fair to hold one lock accountable for a vulnerability that's widely shared. However, if a given deadbolt has a unique vulnerability, then our opinion is that the consumer has a right to know about it before purchasing and installing it. This was the case with the Kevo -- the attack that we tested is one that specifically targets the unique, proprietary design of Kwikset's SmartKey deadbolt.
Some vulnerabilities concern us more than others. The Kevo attack requires little to no practice, and can be executed with fairly common tools, all of which are perfectly legal to purchase and own. In our eyes, this made it a valid point of concern, and one worth confirming for ourselves. Other attacks that require a great deal of skill, or access to more specific, harder-to-find, and even illegal tools are much less of a threat, since so many potential thieves won't have the means or the know-how to execute them properly.
As for testing the physical strength of the lock, we will be monitoring and reporting on the standards set by the American National Standards Institute (ANSI), the independent organization that tests and rates locks for the amounts of force they're able to withstand, as well as Underwriters Laboratories (UL), which tests how resistant locks are to common bypass methods, such as picking. This means that we will not be attempting to break each of the locks that we test, nor will we be delving into the intricate world of lock picking. If, however, a given lock is rated as less physically sound or pick resistant than other locks like it, we'll be sure to make that clear.
In the end, testing locks comes down to common sense and due diligence. If a lock has a specific, unique vulnerability that an untrained thief could plausibly learn about and execute after a quick Google search, then that vulnerability will factor into our review of the lock. If that vulnerability is unconfirmed, then we will attempt to confirm it and share the results with you. If we can confirm it, then we'll explain how that vulnerability impacts the overall security of the lock, and how that, in turn, should impact your buying decision.
What about smart locks?
With the convenience of connected locks comes new concerns about cybersecurity. So far, it seems that you're much more likely to have your place broken into by conventional means than because someone was able to hack into your deadbolt, but this will still be something to keep an eye on as these smart locks become more widely used. Most manufacturers will put the levels of encryption that they use into relative terms, like "bank-level," and we'll be sure to decode just what terms like these actually mean for you and the security of your home.
All of this stems from our goal of offering consumers fair and relevant information on lock security to help inform their buying decisions. Like with any product category, as your options grow, so does the need to be aware of what you're paying for. If you're one of the many who've never given your locks that level of thought before, rest assured that we're here to help.