Smart lock’s security issues leave open doors for attackers

Smart lock’s security issues leave open doors for attackers
11.12.2019 10:50 am

Smart lock’s security issues leave open doors for attackers


Consultants with cyber security provider F-Secure have discovered an exploitable design flaw with a smart lock that attackers can use to easily pick the device. The lock’s inability to receive firmware updates means the flaw cannot be fully fixed, highlighting the difficulties faced by manufacturers and consumers with securing the new internet-connected devices hitting the market.

KeyWe Smart Lock, a remote-controlled entry device primarily used in private dwellings, allows users to open and close doors with an app on their mobile phone. F-Secure Consulting found that they were able to exploit improperly designed communication protocols and intercept the secret passphrase that controls the lock while it’s exchanged between the physical device and the mobile app.

“The lock has several protection mechanisms. Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers – leaving it open to a relatively simple attack. There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack,” says F-Secure Consulting’s Krzysztof Marciniak, a cyber security consultant that helped develop the hack. “All attackers need is a little know-how, a device to help them capture traffic –  which can be purchased from many consumer electronic stores for as little as 10 dollars – and a bit of time to find the lock owners.”

The attack is yet another demonstration of the security challenges facing manufacturers and consumers as internet of things devices (IoT) flood the market. One recent estimate suggests that there will be 125 billion devices connected to the internet by 2025.* But as these IoT devices spread, so will the security issues they bring.

The lock has several useful security features, including data encryption intended to prevent unauthorized parties from accessing system-critical information, such as the secret passphrase.

However, F-Secure Consulting found relatively easy ways to circumvent the system’s security measures. And since the device cannot receive firmware updates, the flaw exploited by the attack cannot be fixed, meaning lock owners will need to replace the lock or live with the risk.

Marciniak points out that security is only effective when properly implemented, which is a subtlety that IoT device vendors need to understand. 

“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” explains Marciniak.

Marciniak recommends individuals consider the security implications of internet-connectivity before replacing their offline devices with online versions, and recommends device vendors perform security assessments on their products as part of their design.

F-Secure Consulting operates on four continents from 11 different countries. It provides cyber security services tailored to fit the needs of banking, financial services, aviation, shipping, retail, insurance, and other organizations working in highly targeted sectors.

Due to the ease of the attack and the lack of effective mitigations available to end users, F-Secure Consulting has chosen to withhold crucial parts of the technical details needed to execute the attack. However, an advisory and a blog post with more information have been published on F-Secure Labs. Additional support and services for device vendors are available from F-Secure Consulting

Related News

Financial scam warning as cybercriminals exploit COVID-19 pandemic fears

GoCompare is urging people to stay safe online as official statistics show a dramatic increase in phishing and online shopping scams, with cybercriminals looking to capitalise... Read more »

Cyber attacks, ransomware were unrelenting throughout 2019

Cyber criminals continued a barrage of attacks in 2019, spurred on by botnets of infected IoT devices and by attacker interest in the Eternal Blue vulnerability. A new report... Read more »

F-Secure expands partnership with Nifty on identity protection services

Today, cyber security provider F-Secure and Nifty, Japan’s leading internet service provider (ISP), announced they were expanding their partnership with Nifty’s deployment of F... Read more »

ACA Aponix Announces Payment and Fraud Risk Assessment Service

ACA Compliance Group (“ACA”) announced today the availability of its new payment and fraud risk assessment (“PFRA”) offering, which is designed to help firms identify and... Read more »

BullGuard: New Study Reveals One in Three SMBs Use Free Consumer Cybersecurity and One in Five Use No Endpoint Security at All

New research commissioned by and published today by cybersecurity company, ... Read more »

Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel