(*) Level Lock Touch

tac0s · April 20, 2021, 7:57pm

“The Smallest, Most Capable Lock Ever”

Are you looking for a smart, drop in replacement for a lock that doesn’t stand out? Well then, Level has you covered is your only option! Pictures and videos from Level are better than I can provide.

Disclaimer
I can be obnoxiously critical. For $329 USD I expect a lot. For someone that used traditional electric strike based RFID access control setups constantly throughout the day, every day with zero issues, I expect reliability.

A Point of Clarification
There are two products currently available from Level: the Touch and Bolt. The bolt is just a replacement for the “guts” of your deadbolt where the Touch is a complete replacement. Only the touch supports NFC–and it’s more than $100 more expensive than its already steeply priced counterpart.

Conclusions
It’s a good looking product with a clever design, mechanically. It’s pretty straightforward to install (so long as you pay attention to the orientation of the locking mechanism; it’s easy to put in upside down) and storing the battery in the deadbolt itself is pretty slick. In reality, if there’s the slightest misalignment when it tries to lock, the lock will start to actuate then sound a few beeps. It will not be able to unlock electronically. The little gearbox seems to have a light break away strength to keep it from destroying itself but that means if you don’t have a physical key handy, you’re now locked out because the cylinder throws partway, locking the door but it’s no longer coupled with the gearbox so it can’t unlock. The act of using a key reseats it. Having to leave your phone near the lock to use the RFID features of the lock isn’t a deal breaker for some, but it is worth noting. Even with regard to it being a low profile smart lock, it’s just not quite right: I got the brass one, It matched the old one quite well… Except for the gray center. Again, not a deal breaker but just an obnoxious oversight when they’ve already gone so far to make it look so discreet. Despite the issues I have with it which could potentially be resolved by opting to use Apple Homekit, the product’s inherent unreliability that forces you to always have a physical key readily accessible makes me give it a shit rating and a one finger salute.

What follows is a more detailed run down of the lock…

Listed Features:

Touch
Cards
App
Auto-Lock
Auto-Unlock
Sharing
Activity
Passes
Audio
Apple Homekit Integration*

Touch
The app lets you set up the lock to lock or unlock via a touch of a finger. I used the lock feature–unlock is tied to the app on your smartphone and seems to use bluetooth to detect proximity.

Cards
There’s not much information on their website or the literature that comes with the product other than “ISO 15693.” Poking around with a proxmark easy didn’t show me anything special about the tags (but I am not an expert). To add a card, you use the app. Using a Spark 1 or Vivokey Developer Card throws an error. I contacted Level about using 3rd party cards and after a week long run around they finally told me that only their cards will work with the product. For me (and most of us, i think) the appeal of using an RFID based solution is that you can leave your keys/smartphone/whatever at home because you’ve got the thing under your skin. The Touch, however, will not respond to a tag (other than to beep twice when you scan a previously added tag) if it cannot connect to the app (I had turned off bluetooth). It can tell that the card was previously added (they sent two with the kit and the unadded one elicited no response) but will not respond without checking back to Level but the lock doesn’t have wifi… Maybe it works better if you have Apple Homekit? Further, it isn’t exactly easy to get the lock to scan the card–they say to touch the logo to the lock but I find myself rubbing it around on the lockface for around 10 seconds or more before it responds. I ordered a few different types of ISO 15693 cards to do more exhaustive testing–I will update when they arrive. We could also learn quite a bit more about what’s going on with some bluetooth snooping, I imagine, but I’m not even sure where to start with that.

App
I kind of hate that they list the “app” as a feature because most of the lock’s other listed features are features of the app… The only one that isn’t listed independently is that you can toggle the lock with a push of the button–assuming you are within the bluetooth range.

Auto-Lock/Auto-Unlock
These are proximity based using bluetooth in the app.

Sharing
Want to create a temporary pass for a certain time period that anyone with a link can use? Gotcha covered! Except they have to download the app.

Activity
Within the app you can see an access log. It will show when the lock was toggled manually, or by whichever methods are enabled. Kinda cool but it only lists the last five (?) and only if you can pair with it. It would be nice if there was an long term log–why not given that it has to sync back to their servers? If someone interacts with it using the app, you will be able to see the last time it was accessed. I guess this feature is a little better with Homekit–allowing remote notifications and the like. But still only a very short log. Which is inconvenient when you stumble back home after a month on the road, run a bunch of errands, but don’t remember to check the log immediately. (Did my plants die because my friend didn’t bother to water them?) Further, trying to check the extended history even when you are right next to it with a phone in hand is not super reliable. I find myself having to restart the app frequently just to get it to open…

Passes
These are a less restricted version of the sharing feature–there’s no timeout and you can give people either admin (config) or guest (just access) permissions.

Audio
The lock gives various beeps to provide feedback. Even when you specifically toggle the sound off, it will still beep at you when it encounters errors. I opted for Level because I live in the ghetto and would rather not draw any attention. An app notification would be vastly preferred, imo.

Apple Homekit
I don’t own any Apple products so I can’t say much… But here is what Level has to say:

Remote Connectivity
- Check the status and use your lock when away.
Voice Control
- Ask Siri to open, close, or check the status of your lock.
Automations
- Unlock your door upon arrival, set a schedule to lock, and more.
Notifications
- Know when someone’s come and gone while away

NoUsersLefft · April 20, 2021, 8:21pm

And it’s only for left hand doors? What kind of shit is that

tac0s · April 20, 2021, 8:37pm

Haha, good catch! That had not occurred to me.

Zwack · April 20, 2021, 10:24pm

Meh, so instead of a relatively solid bolt (some contain mechanisms to make the bolt harder to cut) they have hollowed it out in order to put a battery inside. (From their site it looks like a CR2 which is almost the same size as the bolt on my front door lock)

I would be curious if you could loop a wire saw around the bolt with the door shut, and then cut through the bolt.

I am also concerned by the weak coupling between the gearbox and the motor. Given that door alignment is frequently an issue in older houses (every door in my house has been rehung since I moved in) this could be a pain to deal with especially if you don’t know how to adjust doors.

Given that I run HomeAssistant so that I don’t have to deal with external entities in my home automation I do not like the concept of requiring an app so that my devices work.

tac0s · April 20, 2021, 10:37pm

The battery is indeed a CR2. Side note: the kit included two caps of different lengths to work with residential and commercial doors.

Theoretically, yes, a wire saw could be pulled through, definitely if you brought a drill and small bit for a pair of pilot holes and a small hook to pull the saw back through… But really, even a traditional electric strike is vulnerable to a drill and battery…

Spot on about the alignment problems–eventually we’ll all suffer from this.

Zwack · April 20, 2021, 11:16pm

I am more concerned that the battery holder is relatively thin walled and can be cut through even quicker. I suspect that you wouldn’t have to cut all the way through for the deadbolt to be weak enough to allow you to push the door open. Sure that isn’t as subtle as picking the lock, but even lower skill.

I notice that they don’t tout the security of the actual lock cylinder I would love to know it’s specifications. From what I have found so far it uses an SC1 key, so it is five pins and a relatively open keyway. Unless any of those pins are security pins it is a pretty simple cylinder.

As for pilot holes and hooks, I have tested mica shims on my front door (a deadbolt isn’t shimmable) but despite my misgivings about getting it past the door frame I found it was relatively simple.

For what it is worth I use a grade 2 commercial deadbolt with six pins, some of them security pins. Grade 2 commercial deadbolts are expected to survive more actuations than residential deadbolts, but are no more expensive (they are usually cheaper).

I realise that the people who purchase a level touch are more interested in the smart/convenient features than security, but I would like the physical security to be more important than being able to talk to my front door lock.

tac0s · April 20, 2021, 11:25pm

I’d be lying if I said I knew anything about picking locks. Honestly, if you or someone else wants to take a crack at it, let me know. I’ll be removing it as I’m moving in the next fewish weeks.

Here’s a picture of the extra cylinder cap–the wall thickness is a little shy of 1mm but you’ll still have to cut through the battery as well.

Regarding other locks, I’m sure there are more secure traditional locks out there but it’s only fair to compare apples to apples–if it’s not a smart lock, it’s not a fair comparison.

Zwack · April 20, 2021, 11:44pm

Would you though? If you are using a wire saw around the outside you will be cutting through about 1/2 of the cylinder perimeter once that is done you might be able to tear the rest of the cylinder just by pushing on the door (assuming it opens inward). If the cylinder itself tears it is possible that the battery won’t be across the lock mechanism at that point.

As for the lock, I would be more interested in seeing it gutted to get an idea of how secure the actual lock mechanism is. I have a 5 pin SC1 here that can be raked in a couple of seconds (and I am not particularly skilled). Adding security pins would slow that down or stop it.

tac0s · April 20, 2021, 11:49pm

By no means am I security expert–I just got pretty decent at finding hardware solutions to software problems. Like I mentioned, if someone (yourself included) is interested in doing some more extensive and possibly destructive testing, I’d be happy to ship it that way for the community’s benefit. I intend on testing some other tags when they arrive and will keep it installed for the next week to six weeks prior to my moving. After that, well, I’m not excited at the prospect of reinstalling something so unreliable… PM me if you’re willing to test and share the results…

Zwack · April 20, 2021, 11:59pm

Given your willingness to let me test it, and that I can avoid being destructive I will take you up on that offer if you don’t mind.

My intention would be to attempt to pick the cylinder (I don’t need any of the interior parts of the lock at all), and also to gut it (take it apart and look at the pins).

I can return it either in the same state or with added security pins if you wish. The original key will still work afterwards too. I probably won’t attempt to bump the lock but I can add a bump halt pin too. (A lightweight pin with a heavier spring as an attempt to counteract bump attacks).

tac0s · April 21, 2021, 12:04am

Cool! I look forward to hearing the results. I will PM when I figure out when I’m leaving to arrange shipping. In the mean time, if someone else is interested in investigating it further (a la bluetooth snooping, for example) feel free to give a shout and I’m sure we can work something out! I really like the idea that Level was working towards, I just think their implementation was lacking. Given the number of incredibly smart folks in the community and the existing push towards an open source smart deadbolt, I’m sure we can do better!

Zwack · April 21, 2021, 12:17am

I am taking a slightly different approach, I have a Grade 2 deadbolt on the way from a supply company, and want to see if I can reliably replace just the building interior portion with a microcontroller/H bridge/motor/gearbox. If I can then it should be easy to trigger the lock with any one of a number of possibilities like the Xac.

This would be similar to a danalock but without their ecosystem (and you would need to provide your own access controller)

fraggersparks · April 21, 2021, 12:20am

Okay, so I think I can shed some light on this.

If you wanted to post (or pm) a TagInfo dump of your included tags, I can look at what might be going on. I have my suspicions, but I want to confirm.

tac0s · April 21, 2021, 12:21am

I support all forms of innovation in the community–if I can help you prove your concept, so much the better. If we can do it without denying others the opportunity to use the same materials to further their projects as well, well then we’re all winning, aren’t we?

tac0s · April 21, 2021, 12:24am

It’s XML–sorry!

<?xml version="1.0" encoding="UTF-8"?> 4.24.7 2021-04-20 17:22:41 STMicroelectronics SA LRi2K tag DF:F5:48:B9:04:23:02:E0 false STMicroelectronics SA LRi2K 256 bytes ‣ 64 blocks, with 4 bytes per block Supported read commands: ‣ Single Block Read ‣ Multiple Block Read ‣ Get Multiple Block Security Status ‣ Get System Information AFI supported DSFID supported IC reference value: 0x23 ISO/IEC 15693-3 compatible ISO/IEC 15693-2 compatible Tag description: ‣ TAG: Tech [android.nfc.tech.NfcV, android.nfc.tech.NdefFormatable] ‣ Maximum transceive length: 253 bytes MIFARE Classic support present in Android ID: E0:02:23:04:B9:48:F5:DF AFI: 0x00 DSFID: 0x00 0 E1 40 20 01 1 00 00 00 00 2 00 00 00 00 3 00 00 00 00 4 00 00 00 00 5 00 00 00 00 6 00 00 00 00 7 00 00 00 00 8 00 00 00 00 9 00 00 00 00 10 00 00 00 00 11 00 00 00 00 12 00 00 00 00 13 00 00 00 00 14 00 00 00 00 15 00 00 00 00 16 00 00 00 00 17 00 00 00 00 18 00 00 00 00 19 00 00 00 00 20 00 00 00 00 21 00 00 00 00 22 00 00 00 00 23 00 00 00 00 24 00 00 00 00 25 00 00 00 00 26 00 00 00 00 27 00 00 00 00 28 00 00 00 00 29 00 00 00 00 30 00 00 00 00 31 00 00 00 00 32 00 00 00 00 33 00 00 00 00 34 00 00 00 00 35 00 00 00 00 36 00 00 00 00 37 00 00 00 00 38 00 00 00 00 39 00 00 00 00 40 00 00 00 00 41 00 00 00 00 42 00 00 00 00 43 00 00 00 00 44 00 00 00 00 45 00 00 00 00 46 00 00 00 00 47 00 00 00 00 48 00 00 00 00 49 00 00 00 00 50 00 00 00 00 51 00 00 00 00 52 00 00 00 00 53 00 00 00 00 54 00 00 00 00 55 00 00 00 00 56 00 00 00 00 57 00 00 00 00 58 00 00 00 00 59 00 00 00 00 60 00 00 00 00 61 00 00 00 00 62 00 00 00 00 63 00 00 00 00 x:locked, .:unlocked

tac0s · April 21, 2021, 12:25am

Now that is interesting…
Edit: not really…

fraggersparks · April 21, 2021, 12:26am

Could you take a screenshot? hah

tac0s · April 21, 2021, 12:27am

fraggersparks · April 21, 2021, 12:28am

Okay from a super quick check, these tags are just ISO15 EEPROM. No authentication, just 2048 bits memory.

tac0s · April 21, 2021, 12:29am

So, we’re working with just a preregistered UID? I have a second, unregistered card if it would help to scan that one, too…