I've been following the smart lock market with great interest. There are some odd ideas, common mistakes, and a lot of hyperbole, but also intrepid engineering, smart marketing and a level playing field. For the first time in decades there is serious public interest in locks and it's pinging the historian in me hard. I'm going to provide some context, refute some dubious claims, and offer my opinion on what's exciting, what's overhyped, and what I hope is coming next.
This was originally written in November of 2014 and published on Schuyler Towne's personal website. It has been republished here with permission.
The smart lock market is moving quickly so take this as a detailed snapshot of a young industry. I've tried to include a diversity of approaches and price points, but there are plenty of independent and well established companies, like Danalock, Schlage and Sunnect, that aren't covered here.
Typically I stick to a small niche, making a broad study of a single idea, the history of mechanical security. As I'm stepping firmly into the present in this article, I thought it would be good to cover the odd mix of expertise that inform my insights.
- Locksport: I came up in the locksport community. Barry Wels, Han Fey and Eric Schmeidl were my first, and finest, teachers. I had a knack for it, won a few competitions, held my own internationally, and was constantly exposed to some of the best pickers and researchers in the world. I know how to open a lock, I know how to think through an attack, and when I come up empty, I have a dozen pickers cleverer than me to bounce ideas off of.
- Vulnerability Disclosure: I ran Non-Destructive Entry Magazine which exposed me to the other side of the aisle, lock manufacturing and vulnerability disclosure. I was involved in the negotiation and publication of Jon King's Medecoder attack and had a seat at the table when he first demonstrated the tool to Medeco's head of Research. It's a process I've since been through with other manufacturers and it has taught me a lot about the challenges of engineering and distribution in that industry.
- History: I'm a security historian. In particular I've been studying and speaking about the great lock controversy of 1851 for years. There is a lot to be learned from that phase of security engineering. In particular, the public interest in, knowledge of, and access to security technology was unparalleled.
I'm going to cover the pros and cons of these brands
- UniKey (Better known as "Kevo") $219
- Lockitron $179
- Goji $299
- August $249
- Yale Real Living ~$250
- Haven $199
Obviously, as some of these are yet to formally enter the market, I'm working off of their current claims, early reviews, and general approaches to a common problem.
UniKey's biggest strengths are its strategic partnerships with Kwikset & Miwa. Its biggest weakness is limited device support, but they are betting on expanding adoption of Bluetooth Smart and NFC tech.
What Is It?
UniKey are best known for the Kevo lock, sold by Kwikset. This is a full replacement for your current deadbolt that opens with a touch when you carry either a key fob or their iPhone app. The Kevo also hosts a Kiwkset Smartkey, a mechanical cylinder that uses a normal key.
UniKey's founder Phil Dumas took his idea for a keyless smart lock to a high profile audience by presenting it on Shark Tank. At the time I'll admit I was dubious. Statements like this make me cringe:
I'm disrupting the lock and key industry by bringing together my access control knowledge and experience in private equity to build a company that revolutionizes a market that hasn't evolved in more than 1,000 years.
I dare you to ask me how the lock market has evolved over the last 1000 years, we'll be talking for a long time. Anyway, hyperbole aside, I think Phil and crew have made some good decisions. By licensing the UniKey technology, rather than trying to come to market themselves, Unikey found an eager and capable partner in Kwikset. In the consumer market, North America tends to be at the tail end of every innovation in locks and keys. Smart locks were coming, and had already landed in key markets in Europe and Asia, where Kwikset, then a part of Black & Decker's Hardware and Home Improvement division, didn't have a foothold. They wanted a jump on the North American market before a giant like ASSA Abloy rolled in with a proven winner.
At the same time, UniKey, even with Shark Tank money in its pocket, wasn't positioned appropriately to bring their lock to market alone. Many of their competitors remain in this position and either haven't pursued, or have failed to secure, similar licensing arrangements. Partnering with Kwikset was a win/win and not only brought the product to market quickly, but landed it on store shelves at big box retailers across Canada and the US. The Kevo wound up being not just first smart lock in brick-and-mortar stores in the US, but also the biggest advocate and validator for the market as its presence in Home Depot and Lowe's introduced millions of consumers to the smart lock.
UniKey have recently announced a new licensing arrangement with Miwa, who want to bring a keyless hotel lock experience to the US. This too already exists elsewhere, but that industry has been dreaming of bringing American hotel guests straight from the parking lot to their rooms, skipping check-in altogether. Smart locks can make this a reality. Miwa and Unikey won't be first to market in the US. Starwood hotels have a proprietary solution they contracted ASSA Abloy to produce that has already been introduced to some of their smaller boutique hotels. Early guest response has been positive, so expect to see much more of this as Starwood and Miwa won't be the only entrants to what should become a lucrative, competitive market.
All of the above said, none of the other companies we're looking at today should be too upset at UniKey's success. With Kevo, UniKey dramatically expanded the potential consumer's knowledge and excitement for smart locks in the US. They also left some room for improvement.
The only smartphones that currently work with Kevo are late-model iPhones. This statement, released by Phil Dumas in August addresses why:
The situation is: Android does support Bluetooth Smart (also commonly referred to as: BLE, Bluetooth 4.0 or Bluetooth Low Energy), but only HALF of Bluetooth Smart functionality is currently enabled in the Android operating system, and more is needed for Kevo compatibility. However, there's good news! Android has announced that their new operating system, Android L (Android 5), slated to become available to the public in the fall, will fully support Bluetooth Smart. When they do, our development team will be able to soon roll out an Android app for Kevo.
There were rumors last year that Kevo was having power issues when there was a brief hiccup in the pre-order distribution process. Battery life has been, and will be an issue for everyone in this market. Whether or not the rumors were true, today Kevo is restricted to only using Bluetooth Smart, which is a fantastic choice for making batteries last. It's not so fantastic for device support. Though, with With Android L now a reality, Kevo have launched a private beta for owners of new Nexus and Moto X phones and can be expected to expand that as Bluetooth Smart and Android L become more commonplace.
Miwa made a statement early this year also alluding to limited device support for their collaboration with UniKey on their ALV2 lock.
The hotel security industry relies primarily on the MIFARE protocol, so UniKey's partnership with Miwa has to rely on NFC instead of Bluetooth. While supported in top-of-the-line Android phones, NFC hasn't made it to iPhones just yet. (Well, it has, physically, but NFC in the iPhone 6 is currently restricted to be used only by Apple Pay). Which leaves both of their partners missing out on opposite chunks of the potential market.
So far we haven't seen Unikey explore standard bluetooth or Wifi. Wifi, in particular, would allow for a huge range of possibilities not only for the users, but for potential integration into various home automation systems. Plain bluetooth would draw more power, but also dramatically open up the available devices that could work with their locks.
With these device restrictions it will be years before UniKey can offer a truly keyless lock (or cardless in the case of hotel locks). This means that the Kevo continues to be locked into the Kwikset Smartkey, which has some serious flaws not addressed by Kwikset after several years. Also, the Kevo requires full hardware replacement. This isn't necessarily a bad thing, but it does leave the door open for other manufacturers to offer a simpler installation process.
Finally, Kevo recently released a software update that allows the user to assigne temporary keys, but for their first 2 years on the market the model by which the Kevo issued "keys" was tied directly to very old models of physical hardware. Most manufacturers in this market have some means of temporary access, whether that is a one-time use pass or access limited to certain periods of time, it's one of the biggest benefits to having a connected device managing your door. In the Kevo, however, keys were permanent. You could revoke and reassign them, but if you wanted to send a key to a friend without revoking someone else's access, you have to buy a digital key for $1.99. About the price of a copied key, and I would confidently bet that the cost of copying a key came up when they decided on that price. Current and future Kevo owners will certainly be glad of the software update that allows for temporary access, bringing them in line with their competition.
It's hard to fault UniKey's strategy. Their partnerships have been huge, and while they limit themselves to Bluetooth Smart in the Kwikset partnership and NFC with Miwa, their locks work well and come in at a competitive price point. They also continue to improve Kevo with software updates and have plans to offer integration with home networks in 2015. You can argue that UniKey began the consumer smart lock market in the US with Kevo, but with restrictive key policies and minimal device options, this disrupter is ripe for disruption. It would be a mistake to conflate issues with individual implementations of UniKey's technology with the capabilities or goals of the company. Whatever they do next, whatever new partnership or product is announced, will be worth paying attention to.
Lockitron's biggest strengths are clued-in founders with an affordable, portable product that solves a specific problem for a sizable consumer base. Their biggest problems are related to manufacturing, timely distribution and customer education, but as manufacturing continues to improve, the problems with distribution and education are reduced.
What is it?
The Lockitron requires no hardware replacement whatsoever. It fits over the thumbturn on your current deadbolt. It can be opened with your smartphone in front of the lock, remotely via a web app, or even with a text message.
Lockitron's story is the perfect opposite to Unikey. Rather than a single founder seeking funding on a TV show, Paul Gerhart and Cameron Robertson wound up rejected from Kickstarter, creating their own crowdfunding platform Selfstarter and launching to a larger-than-anticipated community of passionate enthusiasts. Their lock is meant to be simple to install and able to work with any device imaginable, even offering entry via text message. They've succeeded on the simplicity. Originally Paul and Cameron were selling a full lock, requiring replacement of the user's current hardware. They were prototyping their lock as early as 2009, but despite massive interest and enviable coverage in the press, their sales were anemic. After a major revision, Paul and Cameron settled on a much more affordable device that would attach to the interior of the door, covering the thumbturn of a deadbolt, which rotates that thumbturn to lock or unlock the door. This means that the Lockitron doesn't permanently alter any of the existing lock or door hardware. By reducing both the financial and mechanical barriers for entry, they found blistering success in pre-sales.
The installation process is the fastest option available. This also means that it can be removed from a door rapidly as well, which means you could easily take your lock with you when you move, when you change your mechanical lock, or even when you are traveling. The simplicity and price point —least expensive on this list— make it ideal for students and renters. The founders have put serious thought into the relative powerlessness the typical renter has over their own security. Even if you can't change your locks, you can still add a lockitron. One of my biggest frustrations with even commercial digital locks is that many of them fail to log mechanical events. The lockitron records every interaction with the lock. It knows if someone knocks on the door or unlocks the deadbolt mechanically and will alert you to that as it happens. Nosey landlord in your apartment unannounced? You'll get a notification as soon as they open the door.
Lockitron makes use of NFC, Wifi and Bluetooth, and is built to be extended by a hacker/maker/diy-minded user. While they haven't established any licensing relationships like Unikey, the system is meant to be easy to integrate with myriad devices and home automation systems, which has led to adoption by the Pebble Smartwatch, Smarthings Hub, Doorbot and many others. With such an open platform they take digital security more seriously than many of their competitors. In 2011, they launched a same-day patch for all of their V1 units to protect against the BEAST SSL vulnerability. They continue this commitment to digital security by inviting public comment and providing secure means of communicating bugs and vulnerabilities.
The founders have a great perspective on security in general, and you'll occasionally find them kicking around the same parts of the internet where lockpickers gather. Beyond that, they are thinking about locks as far more than utilitarian objects:
I look at this from the inverted perspective. Walls are designed to keep people out. Locks are there to decide who you let in.
— Paul Gerhardt
I love the idea of a marketing campaign for a smart lock centered around the question "Who will you let in?" Unfortunately, Lockitron haven't been able to make a strong shift to marketing yet, as they've had their share of problems.
By providing access to myriad methods of communication, battery life becomes a big problem. Early on Lockitron handled this by implementing a "knock to turn on" feature for wifi access. The process of arriving at your door, knocking to turn the lock on, then authenticating, was frustrating to some of their early adopters. This was limited to wifi, but the knock sensor had issues of its own as some users found their knocks not being registered by the Lockitron.
While Lockitron have had success mitigating some of these issues, they reveal the larger issue of educating consumers. Lockitron starts in a strong position of being dead simple to install and begin using. Then you see the trade off. By not requiring any hardware replacement, the Lockitron is at the whim of the existing hardware.
A common issue is that a door or lock may have been installed poorly and the bolt winds up misaligned. A human can easily overcome a small misalignment. The bolt will just feel "sticky" and more force will be required. I can tell you from personal experience that a lot of people just live with mildly misaligned deadbolts. However, for the Lockitron, this presents a serious problem. In the worst case, the force required to throw or pull the bolt will be too great, and the door won't fully lock, or perhaps worse still, won't fully unlock. Or, the Lockitron will be able to overcome the force required, but will run down it's battery faster as a result. The good news is that Locktitron have partnered with Schlage to offer tapered bolts to customers experiencing ongoing problems and properly aligning a deadbolt isn't beyond the ability of most users, but communicating why they have to, and how to accomplish it is a painful process.
Unfortunately, this isn't the only issue Lockitron have had to walk their customers through. Here's an excerpt from their website describing what to do if a unit fails to register knocks:
Unfortunately depending on the construction of your door you may need to knock very firmly for the sensor to respond...If Lockitron doesn't respond after multiple attempts, repeat the steps above but knock directly on the unit. If Lockitron still doesn't respond, this may indicate that the wires from the battery box have become caught in the knock sensor, hindering it's vibration. Using the included screwdriver you can remove the battery box and ensure that the wires are tucked away from the knock sensor...
— Lockitron FAQ
That's fine for the current early adopters (and some of them would argue that it is not, actually, fine) but before casual consumers jump in, these DIY fixes need to either become permanently fixed at the factory, or, barring that, codified into a concise, precise troubleshooting guide with illustrations, videos, etc. to make solving these problems as simple as possible for the end user.
Finally, Lockitron backers have suffered through ongoing delays that certainly dampened some of their enthusiasm. Thankfully an active, supportive core have remained and over the past summer and fall large quantities of Lockitrons have been fully assembled and started rolling out the door to a significant number of backers (Shipped to backer 11,000 as of the time of this writing).
The continued improvements Lockitron have made to their design appear to be slowly solving many of their problems. Edge cases are being accommodated and before too long the original cohort of funders will have their locks in hand and Lockitron can look forward to entering what has become a competitive market. They are positioned uniquely to introduce renters, a well-populated class of consumers, to their first smart lock. However, before they can hope for wide adoption, they must take the time to shore up how they educate their customers.
Goji's strengths lie in their live support services and the pedigree of their VP of Product. The lock's biggest weaknesses are price and attachment to a poor quality mechanical cylinder. They are going after the home automation market hard and provide a lot to compensate for a high price tag.
What Is It?
The Goji is a full replacement for your current deadbolt hardware that can be opened with your smartphone. On the exterior there is a digital display that greets the entrant by name and an integrated camera that sends the owner a photo of the entrant. This display can be flipped down to reveal a traditional mechanical lock.
It is easy to imagine something going wrong with a relatively new technology, so I think it's awesome that the team at Goji are positioning their lock to be the best supported option out there. They do this by providing 24/7 phone support and a growing network of locksmiths they can lean on for in-person support. Whether or not an individual user will actually make use of the support networks doesn't particularly matter, just the fact that this new, but critically positioned piece of tech has a safety net attached makes the Goji an incredibly attractive option to consumers.
The network of locksmiths also allows Goji to distribute patches to any mechanical problems that might emerge. Historically, locks are rarely recalled, and when a major flaw is discovered in a consumer-grade lock it is up to the consumer to discover the flaw exists, find whether or not a solution is available and then implement it at their own expense. Vulnerability disclosure in mechanical security necessarily has different rules than information security as there is a complete lack of a distributed network for patching locks. Goji is in a perfect position to completely change that, and potentially create demand for other companies to do the same.
Goji can also boast of a very serious technical lead on their core team. Lloyd Seliber, VP of Product, has enjoyed a long and distinguished career in the lock industry. To get a sense of him you can read some of his patents:
A method of assigning change keys and master keys in a master key system using a 6 pin cylinder with 5 bittings based on an 8×8 checkerboard and pieces ¼, 1, 4, 16 squares in size representing 16, 64, 256 and 1024 change keys with a master key bitting combination available for each piece which would operate all the change keys assigned to that piece. A first alternate embodiment uses an array of (b−1)(p−3) elements (b being the number of bittings and p being the number pins used for master keying), each array element representing (b−1)3 change keys. The array being repeatedly divided into subarrays of (b−1)(p−x) elements, where x=4, 5, 6, . . . , p−1. Instead of assigning the change keys to a checkerboard piece, the change keys are assigned to a subarray representing at least the number of change keys.
— Lloyd Seliber, Patent #: US6516644
He came up with a method of using a checkerboard to plan out a complex masterkey system. He is a huge lock nerd and I absolutely love him for that! His expertise appears to be in access control in its myriad forms, rather than constructing individual cylinders. That is valuable experience as we move from physical keys to more complex, collaborative methods of access. It's nice to see an industry veteran in a key position at one of the independent manufacturers.
Finally, I can't skip over the Goji's integrated camera: This feature doesn't excite me too much, personally, but it makes for an incredibly cool demo, and helps further distinguish their lock from the competitors.
There are only 2 real problems with the Goji so far as I'm concerned. Cost, and the quality of the mechanical cylinder they ship with.
While you can get in a bit cheaper during their presale, Goji have set a retail price of $299 for the lock, and an additional $45 for a single key fob for use of the Goji without a phone, for a potential single-install cost of $343, plus shipping. You can see the full price comparison at the start of this article, but Goji are the most expensive (barely edging out Haven), and nearly double the cost of the least expensive option.
You get a lot for your money, particularly with the 24/7 phone support. The fob is also a nice feature, and of course, the integrated camera. However, the value stops dead when it gets to the mechanical cylinder. Don't be fooled by this quote on their website:
Our mechanical lock also is UL-compliant, giving you the maximum performance security you can find on the market.
or this quote from a CNET review:
The internal lock mechanism comes from one of the top Taiwanese lock manufacturers, according to Goji's representatives.
Here's a picture from their website showing their key fobs, and a small inset of the mechanical keys:
When I first saw that I thought "No way they went with a Kwikset knockoff..." and assumed that was stock photography their designer grabbed for the website. However, I then saw this photo in the aforementioned CNET article:
That is clearly a KW1 (Kwikset) keyway, and looking back at the keys we can see it tops out at 5 pins. Suggesting that an off-brand, 5 pin Kwikset knockoff is the "Maximum performance security you can find on the market" is upsettingly untrue. The mechanical security market is filled with high quality products that will both last longer and provide a higher level of security. However, those locks also come with a significantly increased cost. I worry that when the added features of 24/7 support and a video camera made Goji's profit point hit $300, they ironically sacrificed the quality and security of the lock itself.
While Goji may be an expensive option, they can easily market themselves toward a more considered audience who want the premium support Goji offers. Many consumers make the calculation that a cheaper, unsupported product may wind up costing much more in the future. I also hope that as Goji gains traction and some freedom to experiment, they release a model paired with a high quality lock. As the footprint for mechanical locks in the US is standardized it would be a very easy upgrade to offer.
The August smart lock's biggest strength may be their handsome design and social features, but their greatest weakness is that those are their only stand-out features. August hope that by staying simple and beautiful, they may wind up at the head of the pack.
What Is It?
The August is a partial replacement for your current deadbolt. It replaces the thumbturn on the interior of your door and interfaces with your bolt directly. The August can be opened with a wide variety of smartphones.
The best part of August's lock is its appearance. The sleek circle that only replaces interior door hardware has been very thoughtfully designed. August comes in a variety of smart color choices and has a very simple, clean interface.
Their marketing follows from their aesthetic. August doesn't spend a lot of time talking about their security, but instead talk up the social aspect of smart locks. No one else is committing to this idea, but I think August are being quite clever. Their motto is "Safe. Simple. Social." As Paul Gerhardt said, "Locks are there to decide who you let in." August are the only brand fully embracing that. Their app is meant to create a party. You can invite guests & send them a key at the same time. They even include a digital guestbook, which sounds a bit goofy, but whether or not anyone uses that feature, its presence demonstrates a commitment to the social side of access control.
With Jason Johnson as CEO and Yves Béhar doing the design, August are staking out a very specific, design oriented, position in the market.
This is my dream project, since working for Apple in the beginning of my career, I've wanted to make products that combine cutting edge design with cutting edge technology. There is nothing else I'd rather be doing.
— Jason Johnson, "Wise Words with Jason Johnson" via Springwise
The lock itself is fine. It runs on vanilla Bluetooth so device support is reasonable, and installation isn't bad, as you keep your old lock.
However, August doesn't have a single feature that one of its competitors isn't doing better. The bluetooth support is good for power, but Kevo's restraint is better for power. The bluetooth support allows for more devices, but Lockitron's bluetooth/NFC/wifi package allows for any device - you can even unlock it via a text message. Their price point of $249 is lower than Goji and Haven, but Kevo and Lockitron come in well below it. Replacing only the interior door hardware is easier than Kevo and Goji's full hardware replacement, but is worse than Lockitron's and less portable. It can log access via smartphone, but Haven and Lockitron can both log other interactions with the door that don't involve an app. They have an interesting team behind them, but it doesn't compare with Yale's connections to ASSA Abloy or Goji's VP of Product.
Across the board, every interesting feature of August is a poor comparison to at least one of their competitors.
As everyone else does the hard work of establishing and exploring the edges of this market, August are avoiding entering an arms race of cutting edge features. By simply working well, looking good, and aiming at a broad customer base, August may wind up winning the day.
Yale's entry to the American smart lock scene has strengths in ASSA Abloy's deep financial and engineering pockets, and their quick move to integrate with home automation suites. Their greatest weaknesses are in the mechanical construction of the lock and Yale's poor market penetration in the states. They are counting on their partnerships to establish them as a well made, high quality solution.
What Is It?
The Yale Real Living smart lock is a full hardware replacement, touchscreen keypad lock. It also has a mechanical cylinder (though completely keyless locks are an option) and, if coupled with a home automation system, can be opened with your smartphone. It cannot, however, interface with a smartphone on its own.
Yale came out swinging when they announced theirs was the first lock to be approved by the the iConnect home automation suite. iConnect is the system that powers Comcast/Xfinity's home automation line, not to mention ADT and several others. Their parent company, ASSA Abloy, already had a strong digital lock business in Europe and has been innovating in higher security access control for decades. On top of that, their line of Yale digital locks, specifically, were already being sold in America. So when iConnect opened up to partnerships, they were able to very quickly satisfy any requirements they had and adjust their lock to suit the market.
While the Yale Real Living lock is carried on Amazon and other online retailers, you're less likely to find it on store shelves or making the rounds on social media, tech blogs and crowdfunding sites. By sticking to their normal distribution channels —Locksmiths and builder's supply companies— Yale were able to get their lock to market quickly and maintain a position as a higher-quality brand name.
Being an established security company with a wide range of products and a huge family of sibling companies in the same sector, Yale can take the smart lock much further than most of their competitors. In particular, Yale can offer a family of products that allow you to pick and choose where you'll use the smart lock, a padlock, or even a complex masterkeying system. They can act as a transition point between high quality mechanical locks and high quality smart locks for consumers who own multiple properties, property development companies and any normal consumer who is concerned about pairing their new smart lock with a quality keyed lock.
It just doesn't compete on features. Yale's lock only communicates via Z-Wave, which means it won't be interacting with your phone, or fob, directly. If coupled with a home automation system, it gains phone interaction, but I'd guess that for the next few years there will be more people buying smart locks than total home automation packages. I wouldn't be surprised if ASSA Abloy, or Yale, specifically, introduced a standalone smartphone in the interim.
A month after their iConnect press release went out there were videos of Yale's Real Living locks being opened by paperclips, it undercut their position and broke my heart.
This hasn't made too much of a splash, but it's a big deal. The problem has since been fixed and there are confirmed reports of Yale's Australian division paying for locksmiths to come out & install the mechanical patch over there, which bodes well. However, this problem should not have existed in the first place. Yale is far from the first to have this problem. In the short list I can remember off the top of my head we have…
- Adams Rite
- QAS Biometric Safe
- American 1100 Series Padlocks
Ever since Linus Yale Jr's landmark patent, pin tumbler locks have acted as a layer of abstraction. The key no longer interacts with the bolt directly, but instead rotates the lock, which has a protrusion out the back that operates the bolt. For a hundred years lock makers keep forgetting that just because the key doesn't touch the bolt doesn't mean we can't get to the bolt through the lock. If the back of the cylinder isn't closed off, we can snake a wire, or paperclip, out the back and toggle the bolt directly, completely avoiding the authentication mechanism of the lock. We've also seen plenty of use of mallets and magnets to trip solenoids and overcome digital lock manufacturer's attempts to separate the interlocking elements. Things are rough out there right now and no one seems to be learning lessons from each other's failures. Henry Robinson Towne, co-founder of the Yale Lock Company back in 1868 hits the nail on the head.
Few self-respecting professional "inventors" have felt their mission to be fulfilled until they have "invented" a lock of some kind. Apparently there is a fascination in the subject which they cannot resist, however complete their ignorance of the past achievements and present development of the art, and so each incontinently proceeds to "invent" things which, while new to his untutored mind, are usually already well-known, occasionally in successful use, but more frequently long since consigned to the limbo of useless and discarded schemes.
— Henry Robinson Towne, Locks and Builders Hardware: A Hand Book for Architects, 1904
Yale has been sold a few times, it isn't the company it once was, but if ASSA Abloy intend to trade on the value of the Yale name, they need to make sure long-solved vulnerabilities aren't being reintroduced in their locks. At this point I'm less worried about this bypass, specifically, than what it implies about the care being taken in engineering this line of smart locks.
The stakes aren't particularly high for Yale. They can comfortably sell their smart lock to an established customer base in which they are a well known brand. However, with hungry new competitors ready to shake up any market they can get a foothold in, Yale will need to stay sharp and shore up their engineering, or risk getting shut out of a competition that they have the resources to lead.
Haven's biggest strength is an audacious goal of truly keyless entry and an eye catching idea. Their biggest weakness is hyperbolic marketing and a lack of industry experience. However, if they can succeeed in their presale and openly solicit feedback from the security community, this could wind up being a very cool product.
What Is It?
The Haven lock is a barricade for the bottom of your door. As such, it does not replace or interface with any of your existing lock hardware. It has a foot release for easy exit, and can be opened and closed by your smartphone.
Haven was inspired by pylon barricades and is focused on physical resistance. You install the Haven lock in your floor where it deploys upward to block the bottom of the door. They've run a battery of batterings to test it's strength and so far, so good. The very idea of changing the position of the lock is exciting and rare enough to be notable. Their mix of ideas is something to pay attention to. Haven is equipped with sensors to detect attempted forced entry, and has easy-to-use safety features for rapid egress. Their battery backup solution seems like a solid concept, though we'll have to see how it holds up in practice. Altogether, for ease of use and physical resistance, Haven has been thoughtfully designed.
The idea that most excites me, though, is their genuine desire to get rid of keys completely. While this is theoretically possible with Lockitron, Yale and August, it isn't the stated goal of anyone in this market. In fact, most of their competitors go out of their way to ensure the user that they can still use keys. Haven are taking the opposite approach, declaring keys to be outmoded, annoying and insecure and calling for their abolition. This is going to scare some people, and I'll admit that my initial reaction was hesitant, but I appreciate that Haven refuses half-measures. Everyone else declares how disruptive their products are while carefully not overstepping the status quo. Haven are standing firmly on the far side of that line.
They also seem to have a well-coordinated, enthusiastic support system in their home state of Kentucky. There are some impressive people devoting an exciting mix of experience, time and connections to make sure their lock successfully comes to fruition. If that system stays in place after the excitement of their pre-sale, when scaling, power, assembly, distribution and every other problem you can imagine start to wear everyone down, I think they could be very successful bringing Haven to market.
The step-to-open feature, where you can press on a plate with your foot that will automatically deactivate the lock, leaves them vulnerable to the same methods we use to open cars. If the door can be wedged out or open at all, you can simply get a long-reach tool in to tap the plate and unlock the door for you. This isn't a massive issue, as properly framed doors should prove difficult to pull out, but it helps demonstrate the bigger problem. Haven can only stop inward-opening doors. If your door opens out, Haven is useless. For the suburban home owner, this is just fine, but there is a big market out there that could potentially be served very well by Haven that can't actually make use of it.
Speaking of excluding themselves from markets, renters will also be out of the question because installation of the Haven lock requires you to drill into the floor in front of the door. And if you happen to have carpet, it's even worse.
If carpet is present, trace an outline of the provided template with a razor blade or box cutter. Remove the excess carpet and install accordingly.
The market they have left, suburban homeowners, already have better, well established, physical resistance solutions in multi-point locks that engage multiple latches in the top, bottom and middle of the door. These can't be easily pried or pushed. They provide greater resistance, can work in either direction and don't damage the rest of the house. Multi-point-locks aren't cheap, as you replace, or at least significantly modify, your door, but for security against destructive entry, I believe it is the better option.
Finally, their marketing is frustrating. I've reached out to Haven on twitter, facebook and email, the three means of communication they provide on their website, and after a month I'm yet to hear anything back. What I wanted to know was where they were getting their data for three claims found on their website.
- "95% of break-ins require some kind of force"
- "Break-ins are on the rise"
- "80% of break-ins occur through the front or back door"
I'm not going to speak to claim #3, as I can't find a counter-claim, but every reference I've seen to it elsewhere appears to be pulled from other scare-mongering marketing copy, not actual reports. Claims 1 and 2, however, are demonstrably false. The FBI and the BJS (Bureau of Justice Statistics), put together comprehensive reports on crime every year, often issuing special reports throughout the year on specific sorts of crime.
From 2012 to 2013, the rate of burglary dropped 8%, and has been dropping or staying flat year over year for the past 5 years. Source That is the opposite of an increase. In 2012, the year the most recent full report covers, 2/3rds of attempted or successful break-ins involved force. Source That isn't even close to 95%. Haven's claims do not match the data.
Optimistically, Haven may have cribbed their marketing materials from unsourced claims found on the website of sketchy security services companies who try to inflict as much fear as possible to sell their products. Hopefully they'll aim for accuracy in their future marketing.
Haven's limited utility may hinder initial adoption, but if they can find a way to non-destructively mount their unit to the floor, they'll open up a huge class of potential buyers. While they have an awesome product development team and a great idea, their outsider status is showing in a misunderstanding of their competition and sketchy fear-based marketing.
Battery life remains a problem. Most of these manufacturers still rely on a physical key to open the door in the event of a power failure, and Haven is relying on warnings. I recently helped a friend troubleshoot an electronic lock used in a school. They also relied on the warning method, but because of the nature of a school, the battery in the lock had run down during the school year, then died completely over the summer without anyone knowing it had been warning them. Haven has an advantage here as, presumably, their warnings will also ping the smartphone of the owner. Whether or not they are geographically available to do anything about it at that moment, they still have options for solving the problem before destructive entry is required. However, if these manufacturers look to the well established players in locks, there are some last-resort power options worth looking into.
- Kaba Mas X-Series: This is an incredible lock for a number of reasons, but particularly relevant is that it is human powered. By rotating the dial you build up enough power to operate the lock. While this is impractical for everyday use on a suburban door, as a last-resort solution to a power failure it is inspired.
- External Battery: While the Goji opens downward to reveal a keyway, it could just as easily open to reveal a battery slot. Early on, manufacturers of consumer-aimed electronic locks realized that power might end up being a problem and allowed users to insert a batter from the outside to provide temporary power to the lock until they could get in and replace the main power supply. A common version of this can be found on many electronic gun safes. A thin, discrete panel slides back to reveal terminals for a 9-volt.
- Phone Charging: The possibility exists to transmit power over a cable, or even over the air, from a smart phone. Assuming the user will have their phone available, this could be an interesting option for last-resort power supply.
None of these locks quite convince me yet, but all of the features are there to build what I would consider an ideal solution. I would love to see a company come out with tiered options. Being able to buy the super-portable Lockitron, then add a floor-bar like Haven, but have them both controlled by the same device? That would be the least expensive, most advanced, consumer-level multi-point locking system so far. You could go perfectly keyless and add a last-resort power option that uses the Lockitron's knock sensor to trigger Haven's reserve when the batteries are otherwise depleted. Make it as beautiful as the August with the support of the Goji and the partnerships of Yale and Unikey, and you might just have the perfect smart lock.
Unfortunately, we're probably still years away from that scenario, but hopefully as these locks gain wide acceptance we'll start to see better options, wider integrations and clever adoption of each other's ideas.
Schuyler Towne is a security anthropologist and Research Scholar at the Ronin Institute. You can see more of his research at SchuylerTowne.com. If you enjoyed this article, feel free to hit him up on Twitter. He loves any excuse to talk locks. This post was original published on his personal website and can be found here.