
Smart lock has a security vulnerability that leaves homes open for attacks

The lock isn't able to receive updates, which means the flaw allowing hackers to break in will always be present.

Security researchers found a vulnerability in KeyWe's smart lock that allows any potential attacker to unlock doors by intercepting network traffic between the lock and the mobile app.

Smart locks are sold as devices that can make getting into your home more convenient, but security researchers found a vulnerability that makes it easy for hackers and thieves to do the same.

On Wednesday, Finland-based security company F-Secure disclosed flaws in the "KeyWe Smart Lock," which marketed itself as the "Smartest Lock Ever!" The lock sells for about $155 on Amazon and allows for unlocking doors through a mobile app.

F-Secure's researchers found that potential hackers could intercept network traffic between the mobile app and the smart lock, essentially stealing the keys to someone's home out of thin air. 

"Unfortunately, the lock's design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers, leaving it open to a relatively simple attack," Krzysztof Marciniak, an F-Secure consultant, said in a statement. "There's no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack."

The security researcher noted that this attack could be performed through network-sniffing devices, some of which can be bought for as little as $10. 


KeyWe said that it had fixed the issue through security patches, even though F-Secure's researchers found that its firmware doesn't allow for over-the-air updates. 

"We are really sorry about this problem. Our users' security is our top priority and we are continuously working to resolve any issues and avoid them in the future," a KeyWe spokesman said in a statement. 

Amazon didn't respond to a request for comment on whether it would continue selling the vulnerable locks. 

Internet-of-things devices present a major risk because there are no cybersecurity standards for these gadgets. But unlike vulnerabilities with IoT devices like a wearable rosary, smart lock issues pose a direct risk by allowing potential hackers access to people's homes.

You might not want to install a smart lock, but landlords across the country have been installing the connected gadgets, presenting a security risk for thousands of people at their doorsteps.    

Because the firmware for KeyWe's smart lock doesn't allow for updates, the lock's owners will live with the risk of a hacker being able to open their doors until they've replaced the lock, researchers said. Newly purchased versions of the lock will have fixed the vulnerability, the security firm said.

F-Secure declined to provide specific technical details on the smart lock's vulnerability because the security flaw can't be fixed. 

The messages between the mobile app and the lock are encrypted, but F-Secure researchers found that they could intercept the key generator itself. By analyzing the communications between the lock and the phone, security researchers found they were able to pick up the key commands for the smart lock, which could then be used to unlock the door. 

The lock's key generation algorithm allowed potential hackers to retrieve codes for unlocking the door, despite the encryption on the app. 

"The issue is with the key, not the encryption. The encryption itself is secure," Marciniak said.

Originally published Dec. 11 at 2 a.m. PT.
Updated at 4:44 a.m. PT: Adds statement from KeyWe.
