Thursday, July 16, 2015
Electronic keys are coming to multifamily. But you need to take steps to keep them secure.
For Diana Pittro, executive vice president of Chicago-based RMK Management Company, the banks of keys hanging in her leasing and maintenance offices are slowly disappearing. In their place is a PC-like console where the company codes the electronic fobs it now gives residents instead of traditional keys.
Each of those fobs can be programmed to open an individual apartment door, as well as other common areas in a building, such as a fitness room or clubhouse theatre room. That means residents can carry just a single fob that opens all the areas they have access to, instead of multiple cards or keys.
“That alone is much more convenient for residents,” Pittro says.
Long used in businesses, hotels and campus settings – where facility-wide control allows for lockdowns in emergency situations -- keyless electronic access is now becoming more commonplace in market rate apartments as well. Add to that the raft of consumer-oriented smart locks that have been hitting the market and synch with smartphones using Bluetooth technology – August Smart Lock and Kwikset’s Kevo are two – and it’s clear that physical keys are going the way of CDs and VCRs.
The reasons why are clear. Pittro’s fobs can be programmed to provide access to just one or both of the towers in a two-tower property, and can be used for other amenities, ranging from storage lockers to parking garage access. Using the console that came with the system, Pittro’s leasing agents and property managers can set the times that residents can access those areas – say until 10 p.m. for the community theatre room -- and, in the case of lost or damaged equipment, identify who used a room last. “It allows you to customize access down to the individual resident,” Pittro says.
RMK has been deploying Winston-Salem, N.C.-based Kaba Access Control’s multihousing “SafLoks” to new buildings as they’re constructed, and outfitting older ones when they’re remodeled.
“It costs more at setup, but it’s cheaper in the long run because you don’t have to change the locks when someone leaves,” she says. “Plus, now, I don’t have a million keys floating around. Or worse, a master key that can open any lock in the building. With this system, you just don’t have that.”
Cost to set up the system has run RMK (or the owners of the 30 buildings and 7,000 units RMK manages) between $400-$500 a door, or about $200-$300 more than a traditional keyed locking system. But because Pittro can simply reprogram the fobs when a resident leaves, instead of changing the locks, she says RMK believes it will save money in the long run. Plus, by charging residents $25 per fob, she says they do a much better job of returning them than traditional keys.
“It’s just a reality of apartments, people are not very good at giving their keys back,” Pittro says. “With this, if I don’t get it back, I can just block it from the system. It just makes more sense to have a key that you have control over through programming.”
But while the advantages of keyless access are many – automated reprogramming for apartment managers, no more rogue keys, and access control options to various parts of a property during pre-programmed periods -- apartment owners need to be aware of the inherent risks of giving residents electronic access to their properties. Namely, as with any electronic network, you’re also providing a potential gateway to anyone who can hack into the system
“The main risk, of course, is the issue of duplication, and how easy it is to duplicate that electronic key,” says Sam Rehman, chief technology officer at application protection firm Arxan Technologies. “Before, I would actually have to steal a physical key, duplicate it and then distribute it. Now, I could literally just post that key online, and then everybody would have access to your apartment building.”
Arxan provides security to smart phone apps to prevent exactly that, by making sure that the identity of the person using the key is encrypted. But other methods of duplication are also possible. For instance, just as cyber criminals have installed so-called “sniffers” on retailers’ credit card terminals, ATMs and gas pumps, they could do the same with electronic entry access devices.
“The goal, in that case, is to monitor the protocol so that as people walk close to the door and open it, they can record the information that goes back and forth, and then see if they can find any patterns in the information,” Rehman says. “It’s very doable.”
And criminals could, of course, purchase the types of machines that RMK uses to code its fobs, and try to reverse engineer the system to break any encryption, just as they might try to steal traditional keys and duplicate them.
“The critical element comes down to how people store these electronic keys, and the security they build into the system,” Rehman says. “If you’re talking to a vendor, you should ask them how the keys could possibly be duplicated. If they say they can’t, you really need to start asking more questions, because there’s always a way.”
At the same time, Rehman says the benefits of programmable, keyless access for industries like multifamily, hotels and short-term rentals such as AirBnB and VRBO.com outweigh any perceived risks.
“As with any security-related issue, it’s always a race,” Rehman says. “We just need to keep innovating to make it so expensive and time consuming to break into the system that it won’t be worth it to the criminals to try doing so.”
If manufactures and vendors can do that, keyless access for apartments could open a whole new door of opportunity for the multifamily industry.