December 11, 2019

Smart lock’s security issues leave open doors for attackers

Design flaw discovered in smart lock highlights ongoing struggle to produce devices that are both smart and secure.

Helsinki, Finland – December 11, 2019: Consultants with cyber security provider F-Secure have discovered an exploitable design flaw with a smart lock that attackers can use to easily pick the device. The lock’s inability to receive firmware updates means the flaw cannot be fully fixed, highlighting the difficulties faced by manufacturers and consumers with securing the new internet-connected devices hitting the market.

KeyWe Smart Lock, a remote-controlled entry device primarily used in private dwellings, allows users to open and close doors with an app on their mobile phone. F-Secure Consulting found that they were able to exploit improperly designed communication protocols and intercept the secret passphrase that controls the lock while it’s exchanged between the physical device and the mobile app.

“The lock has several protection mechanisms. Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers – leaving it open to a relatively simple attack. There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack,” says F-Secure Consulting’s Krzysztof Marciniak, a cyber security consultant who helped develop the hack. “All attackers need is a little know-how, a device to help them capture traffic – which can be purchased from many consumer electronic stores for as little as 10 dollars – and a bit of time to find the lock owners.”

The attack is yet another demonstration of the security challenges facing manufacturers and consumers as internet of things (IoT) devices flood the market. One recent estimate suggests that there will be 125 billion devices connected to the internet by 2025.* But as these IoT devices spread, so will the security issues they bring.

The lock has several useful security features, including data encryption intended to prevent unauthorized parties from accessing system-critical information, such as the secret passphrase.

However, F-Secure Consulting found relatively easy ways to circumvent the system’s security measures. And since the device cannot receive firmware updates, the flaw exploited by the attack cannot be fixed, meaning lock owners will need to replace the lock or live with the risk.

Marciniak points out that security is only effective when properly implemented, which is a subtlety that IoT device vendors need to understand.

“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” explains Marciniak.

Marciniak recommends individuals consider the security implications of internet-connectivity before replacing their offline devices with online versions, and recommends device vendors perform security assessments on their products as part of their design.

F-Secure Consulting operates on four continents from 11 different countries. It provides cyber security services tailored to fit the needs of banking, financial services, aviation, shipping, retail, insurance, and other organizations working in highly targeted sectors.

Due to the ease of the attack and the lack of effective mitigations available to end users, F-Secure Consulting has chosen to withhold crucial parts of the technical details needed to execute the attack. However, an advisory and a blog post with more information have been published on F-Secure Labs. Additional support and services for device vendors are available from F-Secure Consulting.

Further images and videos are available upon request.

