Kwikset Z-Wave lock security problems

I am using a Kwikset on a side door as an alternative entry way, not one we ever use. I personally wouldn’t use the automation features for the Kwikset latch to disarm the alarm system due to various security flaws in the design. One item is what Ryan mentions, while you can enter numbers of 0-9…the actual key combinations are reduced by 1/2. The other flaw in the Kwikset, which I wonder what other locks have solutions for, is that if anyone has access to the “secure” side they can quickly program their own code with no tools.

The Kwikset doesn’t use any screws to secure the battery/programming compartment. If you have access to open the door or to be inside the house (visitor, contractor, etc) then you could quickly just slide open the panel, hit the program button and key in a new code. I have heard that some of the locks require a “master code” to unlock it to allow programing new codes, however the Kwikset does not…and the internal codes seem to be entirely isolated from those that are controlled via the Zwave controller, furthermore I have alerts to tell me if anyone unlocks this door for that reason.

Ryan, do you know which locks do password protect adding internal codes? Also, do all Zwave locks have a “tamper” alert as I wasn’t able to figure out how to get the Kwikset to trigger a tamper event during my testing (tried typing invalid codes repeatedly, etc).

It actually reduces the number of key combinations by 1/16 when using a 4 digit code, not 1/2.

Yale/Schlage: 10^4 = 10,000 different combinations
Kwikset: 5^4 = 625 different combinations

The most interesting situation is if you have 31 users on your 2GIG panel, each with a different 4 digit pin code and they all have access to the Kwikset lock. In that case, if a bad guy comes along and randomly enters a code then he has a 31/625 = 4.96% chance of guessing a valid code in 1 try. Let’s round that to 5% or 1/20. I’m no statistician but I believe that means a bad guy would be able guess a valid code in just 10 attempts on average! (slightly more since I rounded)

Yale and Schlage locks require a master/programming code to add/change user codes. With Yale locks you set that master code first thing when you first power on the lock. Yale forces you to set the code to something you make up. With Schlage the master code is hard coded and printed on a sticker inside the lock.

Yale pro: There is no way to find the master code printed on a sticker that comes with the lock. You can change the master code if you need to.
Yale con: It’s your responsibility to pick a random enough code to be secure.
Schlage pro: The factory assigns a securely random master code and you can’t screw it up by using your home address or 1234.
Schlage con: You can just disassemble the lock to find the master code printed on a sticker. You could remove the sticker but if someone was able to get the code before you removed it or find it in the trash there is nothing you can do. You’ll never be able to change it.

I believe Kwikset does have a tamper if you enter an invalid code in 3 times in a row. We used Kwikset for a short time until I sat down and thought about all the security problems they have. I’m pretty sure I remember getting tamper alerts when people forgot their codes.

Ryan, thanks for the feedback. We are likely going to buy another Zwave lockset, I will look at Yale (since Schlage seems to be more interested in selling Nexia subscriptions) and decide which of locations is “lower risk” and place the Kwikset there.

Does 2Gig have anything on the roadmap for allowing more than a 4-pin user codes? It sure would increases the number of combinations significantly, I would love to be able to use 6 or 7 pins…be nice if they allowed a range, say between 4 and 8 pins.

I’m not aware of any 2GIG plans to increase the number of digits for disarming pin codes. I’ve asked for that before and they said the CP-01 standard for reducing false alarms won’t let them use more than 4 digits for a disarm code.

There is a work around some people use but it’s not extremely convenient. Alarm.com will allow you to assign an 8 digit code to a user as long as they don’t have security panel access. Some people create 2 users in the Alarm.com address book for each person who has access to a lock. They give one of those users a 4 digit code, and the other user an 8 digit code that begins with the 4 digit code of the first user. Then you just have to remember the 8 digit code for the lock and you can disarm the panel with the first 4 digits of it.

Ryan,

I recently bought a zwave kwikset lock and now people are telling me they are really bad. Basically so bad I might as well not have a lock. Are they really that bad?

How good are the Yales with the zwave functions? Kwikset seems to do this well.

Thanks,

Greg

I recommend Yale or Schlage over Kwikset, but the Kwikset z-wave locks do work and to say you might as well not have a lock is a gross exaggeration. It’s still a sturdy door lock and it’s going to keep people out. It’s just more vulnerable to attacks from smart bad guys than Yale or Schlage. Most bad guys are not very smart. Keep in mind it’s much easier to kick in your door frame than to outsmart a Kwikset lock.

My big problem with Kwikset electronic locks is that they only have 5 buttons instead of 10 like Yale and Schlage do. See this post above.

So that means it’s 16 times easier for someone to randomly guess your lock code with Kwikset than it is with Schlage or Yale. The work around I mentioned above is useful if you’re you’re going to have a lot of user codes in your Kwikset.

We installed Kwikset locks a for a short time few years ago when it was the only z-wave lock option available and before I had really thought through that 5 button issue. We switched to Yale soon after they released a z-wave lock. Our experience has been that the Yale locks we’ve installed were more reliable than Kwikset which means fewer service calls, which saves money, which makes me happy.

You may also have heard about a z-wave lock being hacked by researchers at a security conference. See this article.

http://suretycam.com/can-hackers-unlock-my-z-wave-door-lock

They declined to say which z-wave lock it was but I can confirm it was not Yale and that Yale locks do not suffer from that vulnerability.

Excellent, thanks.

While the alarm.com events are really nice, I’m shying away from setting up an event to disarm the system when the front door is unlocked.

Great post on the number of possibilities. One thing I did notice about the zwave lock I bought at Lowes is that you can use 6 digits, or 5^6 possibilities; which gives a number of combinations closer to your 10^4 lock.

“I recommend Yale or Schlage over Kwikset, but the Kwikset z-wave locks do work and to say you might as well not have a lock is a gross exaggeration. It’s still a sturdy door lock and it’s going to keep people out. It’s just more vulnerable to attacks from smart bad guys than Yale or Schlage. Most bad guys are not very smart. Keep in mind it’s much easier to kick in your door frame than to outsmart a Kwikset lock.”

You can actually force a kwikset lock (Weiser, Baldwin, etc) almost as fast as you can open it with a key, and there will be no visable signs of a forced entry.

Forcing open Kwikset locks doesnt require intelligence or special skills, some locksmiths alledge they can train a monkey to do it…

It is also known that the Kwikset locks sold at Home Depot contain plastic parts inside.

Having a Kwikset lock on your home is like putting a bullseye on your house…and everyone knows that the zwave lock that was hacked was a Kwikset one.

(For those unaware, in residential security, deadbolts/locks regardless of zwave capability or not, have three grades- ANSI 1, ANSI 2, ANSI 3, ANSI Grade 1 are best)

How to open a “bump proof” ANSI Grade 1 Kwikset deadbolt in 10 sec:

I know more about the electronics than the actual locking hardware but I’ve definitely heard locksmiths say they won’t install Kwikset locks. I suspect locksmiths are a little biased since a lock that can be re-keyed without a locksmith threatens their income but I also think the design features that allow Kwikset locks to be re-keyed so easily must reduce their effectiveness as a security device. I’d still recommend a Kwikset over no lock at all. Even if you can train a monkey to defeat a Kwikset lock, most residential doors can easily be kicked in and you don’t even have to train a burglar to do that. At this point, having used all 3 brands, I’m a Yale man.

Here’s something interesting I got in the mail the other day. It looks like Kwikset has at least fixed the 5 button problem. I can’t find these on their website yet though. Must be coming soon…

Kwikset 10 Button Lock Ad

You may consider the key-free Yale Touch Screen lock instead. http://www.yaleresidential.com/en/yale/yaleresidential-com/Real-Living/product-details/Key-Free/

It has 10 buttons (more possible combinations), and can’t be bumped. It’s more pricey than any other z-wave lock I’ve found, but I suppose you get what you pay for with these locks. I haven’t yet pulled the trigger on buying one, anyone else have experience with them?

Yes, they’re great. We have them although it appears they haven’t been added to the DIY store yet. My only caution is make sure you don’t let the batteries die because there’s no mechanical way to unlock. You’d have to run to the hardware store and get a 9V battery to temporarily power it up to unlock. If you don’t trust yourself to change the batteries in time, get one with a key cylinder instead and carry the key as a backup.

Heads up… when they quality check these locks, they have to “include/add” them to a zwave controller to confirm they’re working. A large batch of the Kwikset locks weren’t removed or “excluded” from these test controllers before shipping. Therefore, you can’t add them to a new controller until you first send a command to “exclude” the locks and wipe their association to the test controllers. Tap the “remove devices” button to begin scanning… then click the zwave button on the lock. This will reset the lock and allow you to add the lock to your controller as you normally would.

Hopefully this will save a few of you from unnecessary exchanges… (I went through 2 before Kwikset support filled me in on the issue).

I have three Schlage 369 locks that I’m tired of trying to get working on my 2gig system. I replaced one with a Quickset 914 and works very well.

Ryan - interested in your Yale/Schlage discussion… I’m looking for a motorized deadbolt lock - what Yale model # have you had the most success with?

There aren’t many Yale models to choose from. They’ve all worked well for us. And they have a removable Z-Wave module so if they ever need a Z-Wave upgrade it’s easy and cheap.

The new Kwikset locks have 10 digit buttons now so those are more secure than the old 5-button Kwikset locks.

Oh no… for the Yale fanboys…haha.