There are millions of smart locks on the market that can be installed to provide greater security in access to your home; however, digital forensics specialists have just reported the finding of a vulnerability that, if exploited, would allow threat actors to enter your home with ease.
F-Secure, a Finnish-based security company, reported a flaw in the KeyWe smart lock, marketed as “the smartest lock ever”. This device’s price is around $155 USD on sites like Amazon and can be operated through a mobile app.
The team of digital forensics experts discovered that a threat actor could intercept traffic between the app and the device, extracting unlock keys in the process through a Man-in-The-Middle (MiTM) attack.
“The design of this smart lock allows you to dodge some security mechanisms to be able to spy on communications between the app and the lock very easily for a hacker with the required knowledge”, mentions Krysztof Marciniak, member of F-Secure. To make matters a little worse, experts say there is no way to mitigate the risk of exploiting this vulnerability, so all users of this device will remain exposed. In the report, experts add that it is possible to carry out the attack using network tracking devices, available on the market from $10.
In this regard, KeyWe mentions that the vulnerability was corrected by releasing some update patches, however, experts claim that the firmware of the smart lock does not allow over-the-air updates (according to Wikipedia, this is a concept of a form of software distribution, configuration settings, and security updates).
KeyWe subsequently released a statement that mentions: “We are very sorry for these inconveniences. The safety of our users is our top priority; we will continue to work to resolve any security issues related to our products.” On the other hand, Amazon has not responded to requests for information about the availability of affected products in its online store.
Digital forensics experts mention that the main problem with the suo of Internet of Things (IoT) devices is that there is currently no cybersecurity standard applicable to this technology, so a new device can be released without needing to be tested first.
In addition, because the firmware of these devices cannot be updated, users will remain exposed until the company finds a way to effectively address this vulnerability, or until the user decides to uninstall this Tool. It should be noted that the latest version of the smart lock was completely corrected before being released to the market.
For security, F-Secure did not publicly disclose further technical details about the vulnerability, so the report was only delivered to the company. According to the digital forensics experts of the International Institute of Cyber Security (IICS) even though communications between the app and the smart lock are encrypted, it is possible to intercept them and collect the key commands to open the lock, a relatively easy process for a hacker who knows where to start attacking.