UniKey's whole lock replacement Kevo system is the less jarring of the four smart lock solutions, as it looks exactly like any deadbolt you've ever seen before. UniKey doesn't actually rely on Bluetooth's security protocol but instead relies on a public-key infrastructure system to authenticate users. Without getting into the nitty gritty of it, what that means is that every communication between the phone and lock is a unique transaction. So even if someone were able to sniff out a key, they wouldn't be able to use it again.


As UniKey President Phil Dumas told me, "There are more possible combinations to our lock than there are hydrogen particles in the observable universe." And because the Kevo system sits on both sides of the door, it knows if you're on the inside or outside of the door essentially eliminating any false unlocks. But then again, you have to tap the lock itself before it locks or unlocks anyway. Oh, and all updates to the Kevo's firmware are downloaded and pushed through your smartphone.

Lockitron, which originally launched in early 2011 with a whole lock replacement, has since opted for an add-on solution for your existing lock setup but only on the interior of the door. Compared to Kevo, Lockitron connects to both Wi-Fi and Bluetooth. While each exchange between your smartphone and Lockitron can also be done over just Bluetooth, you can remotely lock or unlock your door over Wi-Fi or send a notification when the knock sensor has been triggered. That extra layer of connectivity also comes with a smidge of added security. And even if you don't have a Bluetooth SMART-enabled smartphone, (iPhone 4S/5 and some Android devices) admins and those they issue digital keys can still get in and out through the mobile web. Lockitron works with Electric Imp on the Wi-Fi side of things and uses "industry standard TLS to secure device connections," which is the successor to Secure Sockets Layer (SSL), a cryptographic protocol used on the Internet that provides communication security.


Lockitron co-founder Cameron Robertson wouldn't say too much about how his smart lock authenticates and permissions digital keys beyond the aforementioned. Robertson also wouldn't divulge how his system knows whether or not you're inside the house or outside but it won't be too hard to figure that out once the devices start shipping next month.

August, like UniKey's Kevo, handles communication between the lock and a permissioned smartphone over Bluetooth. The lock itself never talks to August's server, the cloud or even the Internet. Authentication is handled through the smartphone and the accompanying August app. August owners can also grant permission or deny access through the website. And each lock comes with its own key, so it's not like issuing access to one lock grants access to all of them.


Jason Johnson, co-founder of August, won't say how his system, which sits atop the interior of a door's lock, identifies whether or not a user is on the outside or inside but says they have a bit of secret sauce that helps them figure it out. I imagine we'll know more once the product is closer to shipping later this year. Also, August won't allow customers to update the lock's firmware on their own. It's something the company is considering pending a security review.

Goji, which launched its Indiegogo campaign yesterday, is a little bit different in that it replaces your entire deadbolt system with a two-part contraption that includes a Wi-Fi-enabled camera and 24/7 customer service. It's also the only one that's glaringly obvious to the outside world that you don't have a traditional system in place.


Two programmable key fobs and four admin accounts initially ship with Goji. Each of those admin accounts can issue digital keys, with the authentication process predominantly taking place via Bluetooth. Owners can also remotely lock or unlock the, uhh, lock since Goji is connected over Wi-Fi. That connectivity also enables the system to snap a photo of anyone entering your home and automatically pushing it to your phone. So long as your network stays up, of course. So how does Goji know if you're inside or outside? A series of antennas sit on both sides of the door within both modules to magically figure it out.

Thrown for a Loophole

The problem with smart locks, though, is that like any electronic system they're not foolproof. Take the following scenario, which could happen in some insane bizarro world, that would render each of the four systems somewhat vulnerable. Again, this is a unique situation that probably won't happen very often, if ever, but it's a vulnerability nonetheless.


Let's say that the Wi-Fi network at your home goes down and your Goji or Lockitron are unable to download the latest list of blacklisted keys, an individual with a blacklisted key could still get in. How? If they're clever enough to somehow take your Wi-Fi network down and have the foresight to only have Bluetooth switched on, their digital key could still work since their particular device never hit Goji or Lockitron's server to have their permissions revoked. Again, a highly unlikely situation but it could happen.

While August and Kevo's respective locks never talk to the cloud, it gets a little trickier to gain access to a home with a blacklisted key but it's not impossible. When you, the owner, decide to blacklist a key via the web or your smartphone, you update the lock's list of blacklisted keys anytime you interact with said key. At least that's one way of doing it. The alternative to that is that both systems push updates to any smartphone that hit the server. So if someone, let's say an ex signif or house cleaner, opens either app while connected, their key is automatically updated and revoked. But in the event that you're unable to manually update the lock yourself, someone with a blacklisted key could still get in if they put their phone in airplane mode with Bluetooth still running.


Again, it's a super unlikely scenario but stranger things have happened. Technology fails. People are crazy. While each company was able to offer guidance on what to do, the larger question looms as to what other loopholes exist if this one already does.

Smart, Secure or Just Dumb?

It's easy to dismiss or turn your nose up at smart locks, but not everyone was enthused when the Nest thermostat launched either. Connected locks might not solve any obvious issues at the moment, but neither did the iPod. For urban dwellers like myself who have to pay ridiculous amounts of money for an extra set of keys, it even makes some economic sense. But they're not perfect by any stretch of the imagination. Nothing ever is. And even if they were, they're also entirely circumventable.


Any burglar who's committed enough to get into your house can either a) pop or break your window or b) take a crowbar to your door to get in. Whether or not you have a smart lock is irrelevant to them. Hacking your way through the existing 128-bit AES encryption on top of whatever each company has piled on is probably just a waste of time. You could just buy a Halligan off Amazon for $250, which is what firefighters use to break down doors. And if you have a sliding door, they could just as easily pop that out. Or! Or someone could, you know, just snatch your actual key and get in that way.

In reality smart locks don't offer any higher or lower level of security than your basic deadbolt. They're safe for what they are, and probably convenient for some, but right now you shouldn't think of them as anything more than a security parlor trick.