This morning, Finnish security company F-Secure disclosed a number of vulnerabilities in the KeyWe Smart Lock, which is marketed as the “smartest lock ever” and advertised for unlocking doors through a mobile app. Security researchers discovered that cyberattackers could intercept network traffic between a user’s mobile app and the smart lock itself, ultimately gaining access to the keys to one’s home.
While we don’t have all the details, the fact that anything could be sniffed in regards to this device is a pretty egregious oversight on the part of the lock makers. Given the relatively low cost of exploitation, it’s fairly safe to assume that with proper incentives and direction, security researchers would likely have easily been able to identify this in the wild, had it been subjected to the scrutiny of a bug bounty program or similar crowdsourced evaluation. We’ve definitely seen our security researchers catch and identify similar issues in other IoT devices we’ve tested in the past.
Secondarily, it’s a good reminder to other IoT vendors to make sure it’s possible to update your device over the air and securely. The fact that this device can’t be updated remotely is a pretty substantial oversight. As with any cloud-connected device, it’s almost a complete certainty that there will need to be critical updates, and making sure there’s a vector for quickly and efficiently delivering those is integral to making sure vendors don’t leave their users exposed.