Flaws have been found in KeyWe smart locks that potentially allow malicious actors to gain unauthorized access to homes. Worryingly, these flaws can’t be fixed because the KeyWe smart lock is unable to receive firmware updates.
What are Smart Home Locks?
Smart home locks, like KeyWe, are sold as devices that allow consumers to get into their homes more conveniently. These devices allow users to open and close doors in their home by using an app on their smartphone.
The KeyWe Smart Lock includes several security features, including data encryption. These features were implemented to prevent hackers from accessing system-critical information like the secret passphrase. However, a Finland-based security company, F-Secure Consulting, found that they were able to easily bypass KeyWe’s security features.
Picking the KeyWe Smart Lock
Security researchers found that the vulnerabilities in KeyWe devices were caused by improperly designed communication protocols. Consequently, these design flaws allow attackers to intercept the secret passphrase sent between the lock and the KeyWe app.
F-Secure stated: “The lock has several protection mechanisms. Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers – leaving it open to a relatively simple attack.”
Apparently, all attackers need is some know-how and a device to help them capture traffic, which can be purchased cheaply from many electronics stores. Once attackers find a lock owner, they just need to wait until the homeowner uses the app.
What Should KeyWe Smart Lock Owners Do?
With the increased presence of IoT devices in homes, such as Ring doorbells, smart speakers and even children’s toys, the likelihood of homeowners falling victim to cyber-attacks also increases. According to a recent estimate, there will be 125bn internet-connected devices in homes by 2025, making IoT devices a growing security concern.
Consequently, security experts recommend that consumers think twice before replacing their offline device, i.e. a lock and key, with an online version such as the KeyWe Smart Lock. Although Smart Lock devices may be convenient, they also expose owners to increased cybersecurity risks.
As for consumers who already own a KeyWe Smart Lock, unfortunately, these locks can’t receive firmware updates. Therefore, owners of KeyWe smart locks need to either replace the lock or live with the risk of malicious actors hacking it to access their home.