Key Security Questions to Ask about Z-Wave and Zigbee Smart Locks

May 1, 2019 | Security

By Charlie Hill and Yuzuka Akasaka

10 minute read

A smart lock is an electronic lock that an individual can use to secure or unlock a unit with an authorized device (e.g. an app on a phone, a key fob, etc.) instead of a typical physical key. They are designed to make the lives of your Staff and Residents more convenient and secure.

Smart locks can typically communicate with mobile applications through various wireless protocols, including WiFi, Bluetooth, Z-Wave, and Zigbee. This post focuses on smart locks that use Z-Wave and Zigbee for connectivity.

There are many points to consider when understanding how a smart lock can best protect you. Many IoT solutions providers claim to support Z-Wave and Zigbee locks, but as with installing any smart building devices, there are various risk factors to consider.

Here are some key questions and explanations to best understand security factors.

1. What happens when locks go offline? What would the IoT solutions provider do in this case?

An offline status for a lock means that the lock has lost network connectivity. A lock falling off the network could mean any of these things:

  • Someone may have tampered with the lock (e.g. removed its Z-Wave or Zigbee wireless module)
  • Someone may have cracked or obtained the master code and factory reset the lock, which drops it from the network
  • Someone may have attacked the network, taking offline the gateway (aka “hub”) that connects the lock

Like any connected technology, fully-connected locks carry some risk. A single lock going dark while its neighbours stay online points at the device itself; every lock behind one hub going dark points at the hub or the network. Asking the solutions provider how they tell these cases apart, how quickly they are notified, and what they do next is critical to knowing that they keep your building’s security at the top of their priorities.
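As an added example (not STRATIS code or any vendor's API), the triage below shows the distinction a monitoring platform should draw from offline reports: a lock that drops while its hub and sibling locks stay up is treated as a device problem (tamper, removed module, factory reset) to be inspected on site, while a hub whose locks all drop together is treated as a gateway or network problem. The event format, gateway grouping and sample events are constructed assumptions.

```python
"""Classify smart-lock offline reports by whether the device or its hub is at fault.

Added example, not STRATIS code. Locks are grouped behind the gateway (hub) that
connects them; the last known state of each lock decides the verdict. Event
field names and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    lock_id: str
    gateway_id: str
    online: bool


# Constructed sample: all locks report online, then three different things happen.
SAMPLE_EVENTS = [
    Event("unit-101", "gw-A", True), Event("unit-102", "gw-A", True), Event("unit-103", "gw-A", True),
    Event("unit-201", "gw-B", True), Event("unit-202", "gw-B", True),
    Event("unit-301", "gw-C", True),
    Event("unit-102", "gw-A", False),   # one lock on gw-A drops, siblings stay up
    Event("unit-201", "gw-B", False),   # every lock behind gw-B drops
    Event("unit-202", "gw-B", False),
    Event("unit-301", "gw-C", False),   # only lock behind gw-C drops
]


def latest_state(events):
    """Reduce an ordered event list to the last reported state per lock."""
    state = {}
    for e in events:
        state[e.lock_id] = e
    return state


def triage(events):
    """Return {lock_id: verdict} for every lock that is currently offline.

    DEVICE               - hub and sibling locks are online; inspect the lock on site
    GATEWAY_OR_NETWORK   - every lock behind this hub is dark; check the hub and uplink
    INDETERMINATE        - the hub has a single lock, so the two cases cannot be separated
    """
    state = latest_state(events)
    by_gateway = {}
    for e in state.values():
        by_gateway.setdefault(e.gateway_id, []).append(e)

    verdicts = {}
    for locks in by_gateway.values():
        offline = [lock for lock in locks if not lock.online]
        if not offline:
            continue
        if len(locks) == 1:
            verdict = "INDETERMINATE"
        elif len(offline) == len(locks):
            verdict = "GATEWAY_OR_NETWORK"
        else:
            verdict = "DEVICE"
        for lock in offline:
            verdicts[lock.lock_id] = verdict
    return verdicts


def demo():
    """Run the triage over the constructed sample events."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for lock_id, verdict in sorted(demo().items()):
        print(f"{lock_id}: {verdict}")
```

A hub with only one lock cannot be separated this way; a real deployment would add a heartbeat from the hub itself so that an INDETERMINATE verdict can be resolved without a site visit.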

2. How are the locks installed?

Many smart devices are most vulnerable (or least secure) at the earliest stages of their life cycle, i.e. when they are first commissioned and paired with the network. There are many publicly available articles about these weaknesses, and while we do not want to highlight the methods here, we encourage you to do your due diligence. Two concrete questions to ask: are Z-Wave locks included using S2 security (the lock’s device-specific key, or DSK, entered on the hub) rather than legacy or unsecured inclusion, and are Zigbee 3.0 locks joined using the device’s install code rather than the well-known default link key? If the smart locks are commissioned on-site at the property, be careful about giving Residents advance notice, since that notice could also be advance notice for bad actors (potential hackers).

These installation and commissioning vulnerabilities are some of the many reasons why STRATIS always commissions devices off-site at a secure location with trusted partners that have been vetted by its largest clients.

3. Who installs the locks and how trustworthy are they?

Similar to the point above, the security of the installation process is important. For the solutions provider to prove their trustworthiness, they must:

  • Show that they are going to follow a secure process correctly
  • Show that they can be trusted with sensitive information

Many solutions providers use third-party contractors for lock installations. Good questions to ask are: Who has vetted these contractors? Do they know the master codes (explained more in the point below) and other sensitive information?

4. If there is a master code for the smart locks, how is the solutions provider managing the master codes for the locks on the property?

Smart locks with keypads or pin code entry usually ship with a default master (programming) code: a generic sequence, printed in the manual and the same on every unit out of the box, that allows new user codes to be added or removed. If it is never changed, anyone who has read the manual can reprogram the lock. To know whether the solutions provider ensures security after installation, ask: a) How and when are these codes changed after installation? b) Who is managing these codes? and c) How are they stored and managed after they are set?

5. How is the Resident’s pin code being managed?

If a physical key or phone goes missing, the Resident or Property Manager would likely know. However, a past or present Resident’s pin code can be known or passed on without anyone noticing. For example, someone who knew the previous Resident’s pin code for a unit could still access it after a new Resident has moved in, unless that code was revoked. Securing the unit for the next Resident is therefore critical: every code issued to the previous occupant (and their guests) must be removed, and the new Resident must receive a fresh, randomly generated code. We recommend you understand how this process is automated by asking the solutions provider to demonstrate it for you.
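To make questions 4 and 5 concrete, here is an added example (not STRATIS code or any lock vendor's API) of the code lifecycle a provider should be able to demonstrate: flagging a factory-default or otherwise weak master code at commissioning and replacing it with a random one, and on unit turnover revoking every resident code before issuing a fresh random pin for the incoming Resident, with an audit trail of each step. The list of default codes, the slot layout and the Lock class are constructed assumptions; real defaults are vendor-specific.

```python
"""Keypad code lifecycle for a fleet of smart locks.

Added example, not STRATIS code. Demonstrates the checks behind questions 4
and 5: rotate a factory master code at commissioning, and on turnover revoke
every prior resident code before issuing a new random one. The default-code
list, slot layout and Lock class are assumptions, not a vendor's API.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample of "out of the box" master codes to flag. Real defaults
# are vendor-specific; take them from the lock's manual.
KNOWN_DEFAULT_MASTER_CODES = {"1234", "0000", "123456", "12345678"}


def is_weak_pin(pin: str) -> bool:
    """True for known defaults, a single repeated digit, or an ascending/descending run."""
    if pin in KNOWN_DEFAULT_MASTER_CODES or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def random_pin(length: int = 6) -> str:
    """Generate a pin with the OS CSPRNG, retrying if it happens to be weak."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_weak_pin(pin):
            return pin


@dataclass
class Lock:
    unit: str
    master_code: str
    user_codes: dict = field(default_factory=dict)   # keypad slot -> pin
    audit: list = field(default_factory=list)        # (action, detail) records


def commission(lock: Lock) -> bool:
    """Replace a default or weak master code before the lock ships to the property.

    Returns True if the master code was rotated, False if it was already strong.
    The new code must then go into a secrets store, never into an e-mail or spreadsheet.
    """
    if not is_weak_pin(lock.master_code):
        return False
    lock.master_code = random_pin(8)
    lock.audit.append(("master_rotated", lock.unit))
    return True


def move_out(lock: Lock) -> list:
    """Revoke every resident and guest code so a past occupant's pin no longer works."""
    removed_slots = list(lock.user_codes)
    lock.user_codes.clear()
    lock.audit.append(("codes_revoked", removed_slots))
    return removed_slots


def move_in(lock: Lock, slot: int = 1) -> str:
    """Issue a fresh random pin in the given keypad slot for the new Resident."""
    pin = random_pin(6)
    lock.user_codes[slot] = pin
    lock.audit.append(("code_issued", slot))
    return pin


def turnover(lock: Lock) -> str:
    """Unit turnover as one step: revoke all old codes, then issue the new one."""
    move_out(lock)
    return move_in(lock)


if __name__ == "__main__":
    lock = Lock("unit-101", "1234", {1: "5555", 2: "2468"})   # constructed state
    commission(lock)
    new_pin = turnover(lock)
    print(lock.unit, "active slots:", lock.user_codes, "audit:", lock.audit)
```

The point of `turnover` is ordering: revocation happens before issuance, so there is no window in which the old and new codes are both valid, and the audit list gives the Property Manager a record to show that it happened.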

6. What is the fire rating of the lock?

Different municipalities and local regions have various standards for locks and fire safety, and a unit entry door in a MultiFamily building is often a rated fire door. Underwriters Laboratories (UL) is an organization that performs safety testing and provides ratings for products like smart locks; ask whether the proposed lock carries a rating your local code accepts for these doors. Since many smart locks were originally designed for single-family home use, they often do not address requirements that are unique to MultiFamily or Student Housing.

7. How does the lock protect against physical vulnerabilities in the hallway? (e.g. a passerby seeing the pin code, hearing the failure-to-lock notification sound, etc.)

A MultiFamily property hallway is a narrow space where it is easy for people passing by to see a Resident entering a pin code. Many locks also make loud notification sounds while the pin code is being entered, potentially alerting bad actors nearby who may then try to observe the sequence. It is important to ask how these risks can be reduced (for example, whether keypad tones can be silenced and whether the lock limits failed attempts).

8. What happens if there are foundational building shifts that misalign the door and lock?

Especially in mid- and high-rise properties, foundation shifts can cause the unit door and deadbolt to misalign with the strike plate. Motorized deadbolts (deadbolts that automatically “throw” the bolt into the locked position) are more susceptible to incomplete lock events because nobody is physically pushing the bolt home. Furthermore, just as pin code smart locks play audible tones during pin entry, many smart locks make loud notification sounds when the deadbolt does not extend properly. This can inadvertently alert bad actors to unlocked units, so ask whether the platform reports a failed lock event and to whom.

The video below, with Felicite Moorman, STRATIS CEO and co-founder, shows a motorized deadbolt installed in a misaligned door frame.

The best way to learn about Z-Wave and Zigbee smart locks and security is by doing your due diligence and thinking critically about a proposed solution. Remember: These devices are typically designed for single-family homes. Knowing this fact as a baseline will enable your team to think through and ask the right questions regarding how these devices will work in MultiFamily or Student Housing.

To learn more about how the STRATIS IoT platform can secure your MultiFamily or Student Housing property, contact us for a free demo here.

About STRATIS

STRATIS is an Inc. 5000 “Fastest Growing Company in America” and an Entrepreneur 360 “Best Company in America.” STRATIS enables smart apartments and intelligent buildings and is the only platform of its kind built for the complexities of multifamily and student housing. Since launch, STRATIS has installed in 300,000 apartments across the U.S. and more than 10,000 internationally. To get more information visit: STRATISIoT.com.