F-Secure's researchers found that potential hackers could intercept network traffic between the mobile app and the smart lock, essentially stealing the keys to someone's home out of thin air.
"Unfortunately, the lock's design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers, leaving it open to a relatively simple attack," Krzysztof Marciniak, an F-Secure consultant, said in a statement. "There's no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack."
The security researcher noted that this attack could be performed through network-sniffing devices, some of which can be bought for as little as $10.
KeyWe said that it had fixed the issue through security patches, even though F-Secure's researchers found that its firmware doesn't allow for over-the-air updates.
"We are really sorry about this problem. Our users' security is our top priority and we are continuously working to resolve any issues and avoid them in the future," a KeyWe spokesman said in a statement.
Amazon didn't respond to a request for comment on whether it would continue selling the vulnerable locks.
Because the firmware for KeyWe's smart lock doesn't allow for updates, the lock's owners will live with the risk of a hacker being able to open their doors until they've replaced the lock, researchers said. Newly purchased versions of the lock will have fixed the vulnerability, the security firm said.
F-Secure declined to provide specific technical details on the smart lock's vulnerability because the security flaw can't be fixed.
The messages between the mobile app and the lock are encrypted, but F-Secure researchers found that they could intercept the key generator itself. By analyzing the communications between the lock and the phone, security researchers found they were able to pick up the key commands for the smart lock, which could then be used to unlock the door.
The lock's key generation algorithm allowed potential hackers to retrieve codes for unlocking the door, despite the encryption on the app.
"The issue is with the key, not the encryption. The encryption itself is secure," Marciniak said. Originally published Dec. 11 at 2 a.m. PT. Updated at 4:44 a.m. PT: Adds statement from KeyWe.