Smart home products seem to be keeping white-hat hackers in business. It’s a safe bet at this point to say in the near future, they’ll be kept in business, as the smart home products continue to have many vulnerabilities.
One of those products is the KeyWe Smart Lock. It was discovered that it has a design flaw that can be exploited by an attacker to easily pick the lock.
KeyWe Smart Lock Vulnerability
Consultants at the F-Secure Consulting firm not only found that the KeyWe Smart Lock could be exploited but also that it’s not able to get firmware updates. This is how companies fix security exploits, but KeyWe doesn’t have the ability to patch the firmware. The only way out for users is to physically uninstall the smart lock.
The flaw in the KeyWe smart lock allows users to open and close doors that have the lock installed by using a smartphone app. But the consultants found that they could exploit the communication protocols that were poorly designed. This allowed them to intercept the secret passphrase that is used between the lock and the app.
Krzysztof Marciniak, of F-Secure Consulting, helped create the hack that was ultimately used to unlock the smart lock. He provided further insight into the discovery of the poorly-designed communication protocols.
“The lock has several protection mechanisms. Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers – leaving it open to a relatively simple attack.
“There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack. All attackers need is a little know-how, a device to help them capture traffic – which can be purchased from many consumer electronics stores for as little as $10 – and a bit of time to find the lock owners.”
The KeyWe Smart Lock does have many security features that were implemented to prevent unauthorized access to critical information, such as data encryption. Yet, F-Secure was able to easily circumvent these security features. And since it can’t receive firmware updates, owners will need to replace the lock, as there is no need to have something called a “lock” that allows access.
Circumventing Potential Issues
Marciniak recommends that potential buyers consider the security of IoT devices before installing them. But sometimes this is easier said than done. That information is usually not so readily available. If it were, there would be no need for white-hat hackers.
This is yet another instance of the security flaws that many IoT devices are facing, and it’s only going to increase with the number of IoT devices expected to dramatically grow. It’s estimated that by 2025, there will be 125 billion devices connected to the Internet.
How do you think the problem of security in IoT devices such as the KeyWe smart Lock should be handled before it gets out of control? Leave your thoughts and ideas in the comments below.
Image Credit: YouTube