13
Consultants at the cybersecurity firm F-Secure have discovered an exploitable design flaw in one brand of smart lock that can allow an attacker to easily pick the device.Since the smart lock itself is unable to receive new firmware updates, the manufacturer can't patch the device to mitigate the flaw leaving users at risk unless they decide to physically uninstall their smart lock.F-Secure Consulting discovered the flaw in the KeyWe Smart Lock which allows users to open and close doors in their home by using an app on their smartphone.
The firm found that they were able to exploit improperly designed communication protocols to intercept the secret passphrase sent between the lock and KeyWe's app.F-Secure Consulting's Krzysztof Marciniak helped develop the hack used to unlock the smart lock and he provided further insight on the discovery, saying:“The lock has several protection mechanisms.
Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers – leaving it open to a relatively simple attack.
There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack.
All attackers need is a little know-how, a device to help them capture traffic – which can be purchased from many consumer electronic stores for as little as 10 dollars – and a bit of time to find the lock owners.” The security issues F-Secure found in the KeyWe Smart Lock are yet another example of the security challenges manufacturers and consumers have begun to face as IoT devices have flooded the market.
According to one recent estimate, there will be 125bn devices connected to the internet by 2025 but as IoT devices see increased adoption, security issues will also arise.The KeyWe Smart Lock has several useful security features such as data encryption that were implemented to prevent unauthorized parties from accessing system-critical information like the secret passphrase.
However, F-Secure Consulting was able to easily circumvent the system's security features.Unfortunately the device cannot receive firmware updates so owners of the KeyWe Smart Lock will either have to replace the lock or live with the risk of an attacker hacking it to gain access to their home.To prevent falling victim to this attack or similar ones, Marciniak recommends that consumers consider the security implications of internet connected devices before replacing their offline devices with online versions.
