X
CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

Smart lock has a security vulnerability that leaves homes open for attacks

The lock isn't able to receive updates, which means the flaw allowing hackers to break in will always be present.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
keywe.png

Security researchers found a vulnerability with KeyWe's smart lock allowing any potential attacker to unlock doors by intercepting network traffic between the lock and the mobile app.

KeyWe via Kickstarter

Smart locks are sold as devices that can make getting in your home more convenient, but security researchers found a vulnerability that makes it easy for hackers and thieves to do the same. 

On Wednesday, Finland-based security company F-Secure disclosed flaws with the "KeyWe Smart Lock," which marketed itself as the "Smartest Lock Ever!" The lock sells for about $155 on Amazon and allows for unlocking doors through a mobile app. 

F-Secure's researchers found that potential hackers could intercept network traffic between the mobile app and the smart lock, essentially stealing the keys to someone's home out of thin air. 

"Unfortunately, the lock's design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers, leaving it open to a relatively simple attack," Krzysztof Marciniak, an F-Secure consultant, said in a statement. "There's no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack."

The security researcher noted that this attack could be performed through network-sniffing devices, some of which can be bought for as little as $10. 

Read more: Best home security systems of 2020 | Best cheap home security

KeyWe said that it had fixed the issue through security patches, even though F-Secure's researchers found that its firmware doesn't allow for over-the-air updates. 

"We are really sorry about this problem. Our users' security is our top priority and we are continuously working to resolve any issues and avoid them in the future," a KeyWe spokesman said in a statement. 

Amazon didn't respond to a request for comment on whether it would continue selling the vulnerable locks. 

Internet-of-things devices present a major risk because there are no cybersecurity standards for these gadgets. But unlike vulnerabilities with IoT devices like a wearable rosary, smart lock issues pose a direct risk by allowing potential hackers access to people's homes.

You might not want to install a smart lock, but landlords across the country have been installing the connected gadgets, presenting a security risk for thousands of people at their doorsteps.    

Because the firmware for KeyWe's smart lock doesn't allow for updates, the lock's owners will live with the risk of a hacker being able to open their doors until they've replaced the lock, researchers said. Newly purchased versions of the lock will have fixed the vulnerability, the security firm said.

F-Secure declined to provide specific technical details on the smart lock's vulnerability because the security flaw can't be fixed. 

The messages between the mobile app and the lock are encrypted, but F-Secure researchers found that they could intercept the key generator itself. By analyzing the communications between the lock and the phone, security researchers found they were able to pick up the key commands for the smart lock, which could then be used to unlock the door. 

The lock's key generation algorithm allowed potential hackers to retrieve codes for unlocking the door, despite the encryption on the app. 

"The issue is with the key, not the encryption. The encryption itself is secure," Marciniak said.
Originally published Dec. 11 at 2 a.m. PT.
Updated at 4:44 a.m. PT:
Adds statement from KeyWe.

Watch this: How to protect your holiday packages

16 smart doorbells to watch over your front stoop

See all photos