KeyWe smart lock vulnerability can't be patched

by Mark Tyson on 11 December 2019, 13:11

Tags: F-Secure (DTV.BE), Kickstarter

KeyWe engaged in a very successful crowdfunding campaign for its eponymous smartlock last year. The Kickstarter project was described as originating the "smartest lock ever" and was fully funded within 3 hours, eventually raising over half a million USD. As well as selling its smart lock direct, KeyWe started to distribute its smart home security device on Amazon this summer, after finally shipping to the majority of the backers of the Kickstarter project. As you can see via the Amazon product page the KeyWe isn't cheap at US$155 and requires a compatible smart home hub. However, that's all fine for most people if this is a good product…

Earlier this week Finnish security company F-Secure published a blog post on its Labs pages. It had decided to look at the security of convenient smart devices and focused some attention on the KeyWe smart lock. Unfortunately for KeyWe, the product didn't stand up very well to security researcher scrutiny.

In brief, F-Secure's researchers found that potential hackers or house-breakers could intercept wireless traffic between the smart lock and mobile app. Sniffing and analysing this data can reveal "the keys to the kingdom," says the blog and mentions the hardware required to do such a task. However, it wasn't explicit with regard to exactly how to hack the smart lock, so as not to make its methods widely available and public.

Someone was lurking as you opened the smart lock

KeyWe has been in touch with F-Secure about its published findings, has acknowledged the issue, and claims to be working on fixing it. Unfortunately for owners of existing hardware, it is noted that the KeyWe smart lock doesn't have upgradable firmware. New hardware will be introduced, says KeyWe, which will both include a firmware fix and offer firmware upgradability for any future similar problems.

Hopefully owners of existing hardware with the vulnerability will get some kind of replacement program or at least a discount to upgrade. F-Secure recommends that potential purchasers of smart and IoT devices look into device security features and updatability before replacing tried and trusted things with smart-connected versions. Meanwhile, vendors of the smart / IoT devices should steer away from developing or deriving in-house crypto as this was the main vector for the vulnerability discovered in the KeyWe smart lock.



HEXUS Forums :: 14 Comments

And that's why I pretty much stay away from anything wireless, only things I have are the phone - RC stuff and FPV transmitters.

The home wifi that for all else is pretty much a must-have drug... well, I am clean if you don't count the cables routed throughout the apartment for internet and security cameras (on a separate non-connected device of course)
Presumably you're also locked out of your house in the event of a power cut… a great many of which I fully expect, once our new Labour Overlords take power later this week?

Pretty much anything electronic is hackable anyway, from keyless cars to marital aids, to ‘too-Smart-for-their-own-good’ devices like this. I'm surprised that this is news to users.
This is clearly bad and it's good they are fixing things, but ultimately this is still more secure than the vast majority of door locks in the UK.

Most door locks are trivial to pick in seconds with a bit of practice, and many cheaper ones can simply be snapped anyway. The “hacks” on electronic locks generally require much more sophistication and effort/planning, and so whilst this is an issue, it's not necessarily a reason not to buy one.

Of course, a good door lock with a lot of security pins is a better, more secure option - but they also cost over £100 in general, and most people seem to spend more in the £10-£20 region for their locks…

The bigger issue with smart locks that I have found is that it's very hard to find decent quality ones which are compatible with UK multi-point locking UPVC doors. There are a few, but they are either mega expensive or cheap and unreliable.

Plenty of choice in the US though, just not much here..yet.
I want to strap a claymore mine to my front door, so if tampering = shish kebab :-)
Okay that will ruin some of my stuff, but really the price of a dead criminal can never be too high.
Spud1
Most door locks are trivial to pick in seconds with a bit of practice, and many cheaper ones can simply be snapped anyway.
But neither are as easy as many people tend to assert… and not every lock can be snapped.
Rather, a thief will look for an easier entry point… such as the window you left open!