this post was submitted on 06 Oct 2025
18 points (100.0% liked)


cross-posted from: https://slrpnk.net/post/28482551

I'm looking into installing a door lock w/ key pad at home for two use cases:

  1. I'm out of town and need to allow someone to enter my home, in an emergency or for any reason.
  2. Nice to have - "oh shit, did I lock the door" - ability to lock the door remotely from my phone, would also solve use case #1 by unlocking remotely.

If there are no privacy respecting / self hosted apps for remote control (use case #2), then a "dumb" electronic lock w/ key pad that enables me to set a PIN that I can give to a friend or neighbor in a pinch and then reset the PIN after I get home, that would be good enough. If no such keypad/electronic locks exist, then my backup plan is to just make a few copies of my key for trusted friends & family and/or hide a key, but I'd like to explore the keypad route.

top 26 comments
[–] besmtt@lemmy.world 5 points 2 weeks ago (4 children)

I've had 3 Yale deadbolts with Z-wave since 2016 or so and I love them. They use 4 AAs and I don't mind putting in rechargeables a couple times a year. They have an external way to charge them with a 9v battery in an emergency. No physical key so they can't be picked that way. At times in the past I've had problems with Z-wave delays or them losing connection to the controller, but over the last year of using Z-waveJS UI in an LXC they've been solid. Codes can be set up in HA/Z-waveJS UI or on the keypad itself.

[–] HubertManne@piefed.social 2 points 2 weeks ago (1 children)

I sorta wish the way locks had developed had been the other way around, where the standard was the lock in the wall and the hole in the door. Then we would wire them up at this point.

[–] besmtt@lemmy.world 1 points 2 weeks ago (1 children)

That's a fantastic idea. You'd probably need the controls to be on the door, but I'm sure that could be done with some pogo pins or wireless charging to the wired unit in the wall.

[–] HubertManne@piefed.social 3 points 2 weeks ago

I was thinking like long ago that the key in the wall and a simple static push/pull type handle on the door.

[–] just_another_person@lemmy.world 1 points 2 weeks ago (1 children)

These locks were exploited many years ago, and I don't believe they are considered to be safe.

[–] besmtt@lemmy.world 1 points 2 weeks ago (2 children)

Mind sharing an article/video on that?

[–] lemming741@lemmy.world 2 points 2 weeks ago

https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/

I really hope the current production isn't vulnerable to an 8 year old exploit.

[–] just_another_person@lemmy.world 1 points 2 weeks ago (1 children)
[–] besmtt@lemmy.world 1 points 2 weeks ago (1 children)

Thanks for that, that's good to know. But TBH, I feel much more secure with deadbolts that don't use keys. Here's a video that helped me make up my mind when I got these.

As far as I can tell, CVE-2023-26943 doesn't have anything to do with Z-wave, it looks to be related to RFID.

[–] just_another_person@lemmy.world 1 points 2 weeks ago (1 children)

You mentioned Yale Smart Locks, and that CVE is specific to Yale Smart Locks. Has nothing to do with Z-Wave, but if your lock has a contact reader, it's susceptible.

[–] besmtt@lemmy.world 1 points 2 weeks ago (1 children)

Just Z-wave here. Thanks though.

[–] just_another_person@lemmy.world 1 points 2 weeks ago (1 children)

You're missing the point here...🤦

[–] besmtt@lemmy.world 1 points 2 weeks ago (1 children)

Am I?

The one attack vector you provided that actually applies here is something that would require technical experience above what your average thief would reasonably have. But with a keyed deadbolt, a lot of those can be raked, picked, or opened with a Lishi tool.

So yeah, you're right that there's a vulnerability when locks are paired. But that would require someone to either be within range when that happens or to place a battery powered device and pick up that information the next time pairing happens. Pairing doesn't happen very often. I think the last time I paired any of my locks was over a year ago.

But with keyed locks, an attacker wouldn't have to wait for me to do anything, they could just walk up and pick the lock with tools that are easier to get and understand/use.

Going with your reasoning, the two videos I've shared about picking deadbolts would mean that keyed locks aren't secure either.

[–] just_another_person@lemmy.world 1 points 2 weeks ago (1 children)

Two words then: Flipper Zero

You're behind the times on this one. This is a common tool used to defeat all kinds of locks. The Z-Wave exploits have been around for a LOOOONG time now. There's also BT and RFID exploits as well, hence the CVE is posted above.

[–] besmtt@lemmy.world 1 points 2 weeks ago (1 children)

Mind sharing a link to something showing that the Flipper Zero can actually do anything with Z-wave? Cause all I found are pages that talk about how hard it would be to implement zigbee, let alone Z-wave:

https://forum.flipper.net/t/zigbee-z-wave-capacity/771

https://old.reddit.com/r/flipperzero/comments/zx05x4/why_cant_we_have_zigbee_support/

I found those two when searching for flipper zero "z-wave" and look what I found right after them, a video dismissing your whole argument about Z-wave devices/locks not being secure:

https://youtu.be/6JK-jrLd1yc

And why are you bringing up the CVE again? I already said that my locks don't use RFID and they also don't use Bluetooth. You're verging into Straw Man fallacy territory.. I knew there was a reason I had you tagged as a "very upset person".

[–] just_another_person@lemmy.world 0 points 2 weeks ago (1 children)

Lol, classic deflection of someone who is insecure in their knowledge about a subject and trying to change the subject. Personal attacks. Weak sauce, guy. Have a time with yourself.

[–] besmtt@lemmy.world 1 points 2 weeks ago

You've shared nothing to make me think anything other than this accusation being projection.

[–] rhymepurple@lemmy.ml 1 points 2 weeks ago (1 children)

This lock requires a Yale account to register/setup the lock though, correct? In other words, while you can use the lock locally, it first needs to be associated with a Yale account.

Additionally, if I remember correctly, its Z-Wave module is a 500 series using the Security 0 (S0) standard instead of the more modern 800 series and/or Security 2 (S2) standard. The 800 series (introduced in 2021) should provide much better reliability and range while the S2 standard (introduced in 2017) should make your connection more secure and less chatty. However, the 800 series does not operate as a mesh network and is still working through the final legislative approvals in Europe.

Unfortunately, I don't think there is a one-size-fits-all, perfect solution. I believe the only Z-Wave lock that addresses the two items in my comment is the Philips 4000 Series deadbolt. One issue with that lock is I believe you have less control over the combinations without the Philips app (eg: cannot specify date/time ranges when a code will work, can only add codes while physically at the device, etc.).

[–] besmtt@lemmy.world 2 points 2 weeks ago (1 children)

My Yale locks don't directly touch the Internet, they're Z-wave only, so there isn't even an option to setup an account. It's just the lock, my Zooz ZST39 controller that is bound to Z-waveJS UI in an LXC, that is then tied into home assistant.

Z-wave 800 is a mesh network. Z-wave LR is not a mesh network.

[–] rhymepurple@lemmy.ml 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Ah, you're right about 800 mesh and LR.

I've seen multiple reports online about the lock requiring an account though and Yale's documentation stating that it only supports 500 series. Below are just a few examples of reports indicating that a Yale account is required for setup. Is yours the same model?

[–] besmtt@lemmy.world 1 points 2 weeks ago (1 children)

Your first link is talking about "FAQ: Yale Assure Lock 2 with Wi-Fi", I'm talking about Z-wave locks, not Wi-Fi.

On your second link, look for the comments from thelordzer0 "I have like 7 ZW3 modules and none of them required any accounts."

I told you that I don't have an account setup. I never have needed it with my locks/modules. My modules are ZW2s. I'm not interested in debating other locks/modules with you.

[–] rhymepurple@lemmy.ml 1 points 2 weeks ago (1 children)

Maybe I'm not picking up on the different models correctly, but the first link I sent was about Z-Wave.

Can I use the Assure Lock 2 with my Z-Wave Hub?

The Assure Lock 2 supports the following Z-Wave modules:

  • Z-Wave 500 Series (version 1.8.1)
    • Module Part Number: AYR-MOD-ZW2-USA
  • Z-Wave 700 Series (available at a later date)

I know some people, like yourself and the commenter thelordzer0, have had success using the lock without a Yale account or app. I'm not sure why you've been able to but others are reporting differently. I was just commenting to help OP out in case they're one of the other people who were forced to create an account and/or use the Yale app to initialize their lock.

[–] besmtt@lemmy.world 1 points 2 weeks ago

Your first link:

"[supports 500 series](https://support.shopyalehome.com/yale-assure-lock-2-with-wi-fi-faq-B1q1o8M5q)"

It has wi-fi in the URL.

The title at the top of that page is:

"FAQ: Yale Assure Lock 2 with Wi-Fi"

And we know that it comes with a WiFi module because of this question from your same link:

"Do I need a Yale Connect Wi-Fi Bridge?

Because it has a Wi-Fi Smart Module, the Assure Lock 2 does not require a Wi-Fi bridge."

Notice how they put in the "ZW2" module part number in that last question? To get one of their locks to work with Z-wave you have to take out the WiFi module and put in a Z-wave module.

[–] Sxan@piefed.zip -2 points 2 weeks ago

I'll second Yale ZWave door systems. Þey're great, no WiFi needed.

[–] k4j8@lemmy.world 5 points 2 weeks ago

Do you use Home Assistant? If so, any Z-Wave lock will be privacy-respecting. I've only used the Schlage Connect, but it was very reliable. I could change the codes remotely using Z-Wave JS UI.

[–] early_riser@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago)

Just installed the Kwikset HomeConnect 620 deadbolt last weekend. It's a Z-Wave lock, which as others have said makes it independent of ~~someone else's computer~~ the Cloud. It has a keypad using tactile buttons which makes quick no-eyes operation easier. It also has a regular key that can be used in the event the smart features fail. It works with Home Assistant meaning you can operate it remotely if you open the right ports on your router or buy a HA cloud subscription.

The only gotcha is that creating and revoking PIN codes via HA/Z-Wave JS isn't straightforward. You have to go into the developer tools and search for the correct action.
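
Added example, not part of the original comment or of any project's own configuration: a pair of Home Assistant scripts that wrap the Z-Wave JS actions `zwave_js.set_lock_usercode` and `zwave_js.clear_lock_usercode`, so a temporary PIN can be issued and revoked without searching the developer tools each time. The entity ID `lock.front_door`, the guest slot number 5, the script names and the sample PIN are assumptions made for illustration.

```yaml
# scripts.yaml (added example; entity ID, slot and names are assumptions)

# Issue a temporary PIN into a slot reserved for guests, so the
# household's own codes in other slots are never touched.
guest_pin_grant:
  alias: "Guest PIN: grant"
  fields:
    pin:
      description: "PIN to hand out; allowed length depends on the lock"
      example: "482916"          # constructed sample value
  sequence:
    - action: zwave_js.set_lock_usercode
      target:
        entity_id: lock.front_door   # hypothetical entity ID
      data:
        code_slot: 5                 # hypothetical guest slot
        usercode: "{{ pin }}"

# Revoke the guest PIN by clearing the same slot. Run this once the
# visitor no longer needs access instead of leaving the code active.
guest_pin_revoke:
  alias: "Guest PIN: revoke"
  sequence:
    - action: zwave_js.clear_lock_usercode
      target:
        entity_id: lock.front_door
      data:
        code_slot: 5
```

The PIN travels from the controller to the lock over Z-Wave when the grant script runs, so the security level the lock was included with (S0 or S2, as discussed in the thread above) applies to that transfer as well.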