On Wednesday, Finland-based security company F-Secure disclosed flaws in the "KeyWe Smart Lock," which is marketed as the "Smartest Lock Ever!" The lock sells for about $155 on Amazon and allows for unlocking doors through a mobile app.
F-Secure's researchers found that potential hackers could intercept network traffic between the mobile app and the smart lock, essentially stealing the keys to someone's home out of thin air. "Unfortunately, the lock's design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers, leaving it open to a relatively simple attack," Krzysztof Marciniak, an F-Secure consultant, said in a statement. "There's no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack."
The security researcher noted that this attack could be performed through network-sniffing devices, some of which can be bought for as little as $10. KeyWe said that it had fixed the issue through security patches, even though F-Secure's researchers found that its firmware doesn't allow for over-the-air updates.
"We are really sorry about this problem. Our users' security is our top priority and we are continuously working to resolve any issues and avoid them in the future," a KeyWe spokesman said in a statement.
Amazon didn't respond to a request for comment on whether it would continue selling the vulnerable locks.
Internet-of-things devices present a major risk because there are no cybersecurity standards for these gadgets. But unlike vulnerabilities with IoT devices like a wearable rosary, smart lock issues pose a direct risk by allowing potential hackers access to people's homes.
You might not want to install a smart lock, but landlords across the country have been installing the connected gadgets, presenting a security risk for thousands of people at their doorsteps.
Because the firmware for KeyWe's smart lock doesn't allow for updates, the lock's owners will live with the risk of a hacker being able to open their doors until they've replaced the lock, researchers said. Newly purchased versions of the lock will have the vulnerability fixed, the security firm said.
F-Secure declined to provide specific technical details on the smart lock's vulnerability because the security flaw can't be fixed.
The messages between the mobile app and the lock are encrypted, but F-Secure researchers found that they could intercept the key generator itself. By analyzing the communications between the lock and the phone, security researchers found they were able to pick up the key commands for the smart lock, which could then be used to unlock the door.
New research from Parks Associates finds 60 percent of U.S. broadband households feel “safe enough” with a professionally monitored home security system, while 55 percent report feeling “safe enough” with only a self-monitored home security system.
“While more consumers feel ‘safe enough’ only with a home security system, security-focused smart home devices deliver this same baseline feeling of security for a majority of households,” said Brad Russell, research director, Connected Home, Parks Associates. “A significant portion of households associate these products with a sense of security, which increases as more devices are added to the bundle. This creates a serious challenge to the traditional home security industry as cost is a major barrier that weighs down the overall appeal of their solutions.”
Consumers identify security systems as providing the strongest sense of “safe enough” security, but these systems are the least appealing when price is considered. Smart home security devices are a key alternative for cost-conscious consumers when purchasing equipment to secure their home, with a bundle including an all-in-one camera and an outdoor light fixture with a camera as the most appealing.
“As more players from the CE industry enter the DIY security space, they bring an expertise in product design that improves ease-of-use and attractiveness in smart home products,” Russell said. “This emphasis on user experience puts pressure on legacy security manufacturers and service providers to deliver solutions and systems that meet or exceed this higher bar, while still keeping costs low.”