Smart lock security issues leave the door open for hackers

Consultants at the cybersecurity firm F-Secure have discovered an exploitable design flaw in one brand of smart lock that can allow an
attacker to easily pick the device. Since the smart lock itself is unable to receive new firmware updates, the manufacturer can't patch the
device to mitigate the flaw, leaving users at risk unless they decide to physically uninstall their smart lock.

F-Secure Consulting discovered the flaw in the KeyWe Smart Lock, which allows users to open and close doors in their home by using an app
on their smartphone. The firm found that they were able to exploit improperly designed communication protocols to intercept the secret
passphrase sent between the lock and KeyWe's app.

F-Secure Consulting's Krzysztof Marciniak helped develop the hack used to unlock the smart lock, and he provided
further insight on the discovery, saying: “The lock has several protection mechanisms.
Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for
attackers – leaving it open to a relatively simple attack.
There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack.
All attackers need is a little know-how, a device to help them capture traffic – which can be purchased from many consumer electronic
stores for as little as 10 dollars – and a bit of time to find the lock owners.”

The security issues F-Secure found in the KeyWe Smart
Lock are yet another example of the security challenges manufacturers and consumers have begun to face as IoT devices have flooded the
market.
According to one recent estimate, there will be 125bn devices connected to the internet by 2025, but as IoT devices see increased adoption,
security issues will also arise.

The KeyWe Smart Lock has several useful security features, such as data encryption, that were implemented to
prevent unauthorized parties from accessing system-critical information like the secret passphrase.
However, F-Secure Consulting was able to easily circumvent the system's security features.

Unfortunately, the device cannot receive firmware
updates, so owners of the KeyWe Smart Lock will either have to replace the lock or live with the risk of an attacker hacking it to gain
access to their home.

To prevent falling victim to this attack or similar ones, Marciniak recommends that consumers consider the security
implications of internet-connected devices before replacing their offline devices with online versions.