Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed

File this one under "not everything needs a computer in it". Finnish security house F-Secure today revealed a vulnerability in the KeyWe Smart Lock that could let a sticky-fingered miscreant easily bypass it. To add insult to injury, the device's firmware cannot be upgraded either locally or remotely. This means the only way …

  1. Pascal Monett Silver badge

    As usual, "smart" is anything but

    Ok, fine, you'd need to know how to use Wireshark, which is probably not on the list of abilities of every thief in the area, but still, this is just one more thing to add to the ever-growing list of things IoT has promised and not kept in Real Life (TM).

    A bog-standard lock may not be the right solution to protect a front door, but a good, 5-point security lock is.

    And you don't need to worry about the state of the batteries.

    1. PerlyKing Silver badge

      Re: As usual, "smart" is anything but

      Not every thief needs to know how to use Wireshark, it just takes one enterprising one to package everything into an easy-to-use kit. If enough of these locks are ever fitted to make it worth their while.

    2. katrinab Silver badge

      Re: As usual, "smart" is anything but

      It looks like the feature set is much the same as a car door lock, and they have mostly managed to guard against replay attacks.

      1. Michael Wojcik Silver badge

        Re: As usual, "smart" is anything but

        they have mostly managed to guard against replay attacks

        For sufficiently small values of "mostly", I suppose.

        There have been a number of published successful attacks against wireless car locking systems. The main reason there aren't more is that this area of research quickly became boring, as researchers realized that automotive security is a disaster, and there were far more interesting vulnerabilities in it.

        1. katrinab Silver badge

          Re: As usual, "smart" is anything but

          The article you link to describes a vulnerability in a then 10 year old vehicle, and does say that most cars don't have this vulnerability. So I don't think this example disproves "mostly".

  2. Tom 35 Silver badge

    Lots of bog-standard locks are easy to bypass.

    https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ

    1. mittfh

      Re: Lots of bog-standard locks are easy to bypass.

      Not to mention safes with electronic locks, but also equipped with the cheapest manual cylinder lock bypass the manufacturers could get their hands on (so it takes longer to remove the keyway cover than it does to pick the lock!)

    2. Cagey Bee

      Re: Lots of bog-standard locks are easy to bypass.

      Love that guy's videos. Bought a cheap pick set. Now even our 6 year old can pick every lock in the house. Including the deadbolts. I'll never trust another lock.

      1. Martin-73 Silver badge

        Re: Lots of bog-standard locks are easy to bypass.

        LPL and BosnianBill are two of my favourite youtube channels... the silly mistakes manufacturers make, it's pretty much like 'security by obscurity'... which as any fule kno, doesn't work. Master lock? PAH

        1. GnuTzu Silver badge

          Re: Lots of bog-standard locks are easy to bypass.

          Oh, and how they've been tearing a new one in most of the electronic locks they've been reviewing.

          And, I remember watching EEVblog profiling power terminals.

        2. Anonymous Coward

          Re: Lots of bog-standard locks are easy to bypass.

          Security by obscurity-- well, that is all a crypto key is. Something very obscure...

          Better to describe by equivalent bit strength / resistance to attack.

    3. Scott 26

      Re: Lots of bog-standard locks are easy to bypass.

      Love the LPL...!

      Can't believe you've got so many down votes!

      1. Sgt_Oddball Silver badge

        Re: Lots of bog-standard locks are easy to bypass.

        "that's a false set on five.. "

        1. MachDiamond Silver badge

          Re: Lots of bog-standard locks are easy to bypass.

          "For this lock I'll be using a standard hook in .559" BANG!

    4. Blazde

      Re: Lots of bog-standard locks are easy to bypass.

      Since it's arguably the biggest issue, worth mentioning bog-standard locks invariably can't be updated either.

      1. eldakka Silver badge

        Re: Lots of bog-standard locks are easy to bypass.

        Depends on the type of lock.

        Any decent lock can have the cylinder replaced without replacing the entire lock mechanism.

        If you have a lock that can't do this, it's a cheap-arse lock.

    5. Mongrel

      Re: Lots of bog-standard locks are easy to bypass.

      I'd add this one as well, it's not just picking that makes a door insecure.

      https://www.youtube.com/watch?v=rnmcRTnTNC8

      Smart locks just add another point of failure to a door.

      (To be fair to locks the LPL is very good, he did a series where he picked locks from Bosnian Bill's 'Naughty Bucket', locks that BB couldn't open - and BB is good)

    6. phuzz Silver badge

      Re: Lots of bog-standard locks are easy to bypass.

      Every lock can be bypassed, the important part is, how long will it take, and how much noise and commotion will a potential thief make doing so?

      1. Cuddles Silver badge

        Re: Lots of bog-standard locks are easy to bypass.

        Indeed, this seems to be one of the bigger issues with "smart" locks. It's not that they're necessarily easier to get through than a regular lock, but that it's possible to do so essentially untraceably in a way that doesn't look in any way suspicious to bystanders. Someone poking around at your door with bits of metal will have the police called on them if anyone sees, and will almost certainly leave some evidence of the tampering. Someone faffing around on their phone on the pavement, then walking straight through an open door doesn't look like a thief, and if they lock it again afterwards there might be no evidence anything happened at all.

      2. J. Cook Silver badge

        Re: Lots of bog-standard locks are easy to bypass.

        Indeed - I have in my tool kit a device that will go through most doors and locks. The problem is that it makes a *LOT* of noise, and is about as subtle as dropping a 16 ton anvil off a 10 story building.

    7. Michael Wojcik Silver badge

      Re: Lots of bog-standard locks are easy to bypass.

      Yes, but most of them don't cost $155 and introduce additional, unnecessary failure modes.

  3. Anonymous Coward

    Sounds a bit too obvious a design flaw, are we sure it's a bug and not a feature?

  4. JohnFen Silver badge

    Hobbyist lockpicking

    I enjoy lockpicking as a hobby, and I've played with a number of "smart locks". So far, every single one that I've played with was much, much easier to bypass than pin-and-tumbler locks. KeyWe is in good company.

    My takeaway? I would never use a smart lock for my own things.

  5. Anonymous Coward

    Marketing probably said "Ship it" when still in alpha testing

    I remember back in the late 1990s working at a company developing a network based lock. Zero encryption in use. Didn't even have a password as we were still at R&D stage.

    And then we suddenly found the Sales team had been selling them. Not only sold them but got them into a Building Society's HQ!

    The sales team aren't worried about little things like security. Just the profit.

    1. Aussie Doc

      Re: Marketing probably said "Ship it" when still in alpha testing

      "The sales team aren't worried about little things like security. Just the profit."

      You sound surprised.

    2. d-m

      Re: Marketing probably said "Ship it" when still in alpha testing

      It was funded on Kickstarter. I don't think I need to add anything further.

      https://www.kickstarter.com/projects/1067904566/keywe-the-smartest-lock-ever/faqs#project_faq_250736

  6. Anonymous Coward

    Good News?

    The good news is that those of us who have been banging on at this stuff being a really bad idea are being proven right yet again. If you’re going to make a tech product, have it reviewed by a security researcher before you release it.

    1. Michael Wojcik Silver badge

      Re: Good News?

      Indeed. Another bit of good news is that those of us wise enough to stay away from this sort of overpriced rubbish have yet another reason to feel superior.

      Ah, that's some good smug.

  7. oiseau Silver badge

    Alexa?

    ... unlock their doors through a traditional metal key, via a mobile app, or with Amazon Alexa.

    Amazon Alexa?

    It's a joke, right?

    Really now ...

    The stupid things people do these days.

    O.

    1. Jason Bloomberg Silver badge

      Re: Alexa?

      So perhaps no hacking needed. Just shouting through the letter box could get the door unlocked.

      1. Robert Helpmann?? Silver badge

        Re: Alexa?

        Just shouting through the letter box could get the door unlocked.

        Speak, friend, and enter?

    2. Thoguht Silver badge

      Re: Alexa?

      Open the pod bay front door, Halexa.

      1. Anonymous Coward

        Re: Alexa?

        I'm sorry, owner. I'm afraid I can't stop the outsider from opening the door.

  8. jason 7 Silver badge

    So did this happen...

    ...due to it being the baby of some late 20 something that won't allow their 'great concept' to be pros & conned because they would get upset if some 40/50 something said "yeah...hang on...but..."

    1. fidodogbreath Silver badge

      Re: So did this happen...

      OK, boomer.

      1. jason 7 Silver badge

        Re: So did this happen...

        GenX'er actually. I'm the gen that despairs of both that came before and after.

  9. Venerable and Fragrant Wind of Change

    Insewerants

    For what it's worth ...

    When I moved house in August, I was interested in installing a keyless lock. Not one I could operate from an app (I'm not that dumb), but one where I could key in a combination to open it from the outside. Keyless was because keys in the pockets are annoying, and it would be great to be able to dispense with them (and with phones too) when going out "light". I've lived with a combi lock on the door to the communal hall of an apartment building in the past, and that was good - though sadly my own front door still had a regular key.

    But my bottom line was that the lock had to be British Standards compliant, and have the kitemark recognised by insurers. Turns out there's none available. So any combi lock could only have been secondary, which rather defeats the purpose.

  10. MachDiamond Silver badge

    Nothing's perfect

    No lock is going to keep 100% of miscreants out of your house. It makes no sense to install the most fiendishly difficult to pick lock at £400 as a burglar is just going to heave a rock through the back window instead. That said, it's running in a rearwards direction to install a lock that's easier to defeat than what's standard now and to be able to defeat it from the other side of the planet too.

    While Wireshark may (or may not) be difficult to use, somebody will write up a nice how-to tutorial or post a video from a hacker con showing how easy it is to bypass these sorts of locks just like LPL and Bosnian Bill do all of the time. I binge-watched a good portion of Lock Picking Lawyer's videos when I was out with strep. I bought myself a crappy set of lockpicks (getting better ones soon) and have been building a set of clever little tools as well. I've made a moderate bit of dosh decoding those boxes estate agents use to keep keys. They are always losing the combos of the ones at the office and I pick them while sat in front of the telly for a fiver each (min 10 at a time). £50 for very few minutes of work during the commercials is good money of an evening.

  11. Aussie Doc

    Oops.

    "...or with Amazon Alexa."

    For some reason I had visions of the miscreant yelling through the door "Oi, Alexa, open the %$#@ing door, init."

  12. Anonymous Coward

    Smart locks a rip off

    Who picks a bloody lock anyway? (And why would you give someone access remotely when you're not in? We seemed to cope perfectly fine for a number of centuries.) When my mate's house got broken into they crowbarred the entire rear double door's handle. He put an immobilizing lock on the replaced handles after that. The second time the scumbag smashed the entire window with a hammer and crawled in. We know it was a hammer as mate and scumbag walked into the living room at the same time still holding said hammer. (Fortunately scumbag was a coward scumbag and legged it). I suppose the lessons are they'll get in if they want to and ... don't park your expensive car in the driveway I guess. But I think I digress.

    1. JohnFen Silver badge

      Re: Smart locks a rip off

      "Who picks a bloody lock anyway"

      A million times this. Every so often, someone will get their hackles up that I not only pick locks for fun, but I have no problem teaching anyone else to do it as well. The objection is "you could be teaching thieves how to break in".

      But I counter with the reality -- if someone wants to break into your home, they aren't going to be picking the lock. There are far too many, much easier, ways of gaining access. There's bump keys, there's using shims to pop the latch, and there's always the old standby of just breaking a window or crowbarring something open.

      On the other hand, it has happened that I've locked myself out of my house and regained entry without breaking anything by picking my own lock, so it is an occasionally useful skill.

  13. Mike 137 Bronze badge

    The real biggest issue

    "Arguably, the biggest issue here isn't that the KeyWe had a glaring design flaw, but rather that it's impossible to remediate."

    The biggest issue is really why the hell you'd want to use a mobile phone or Alexa to open your front door. The lock accepts a physical key, so use it.

    The insane enthusiasm for "digital" everything is no different in principle from the insane enthusiasm for radioactive patent medications at the start of the 20th century - uninformed, dangerous and pointless. The latter got to the point of manufacturing a radium jockstrap insert. I suppose supplying a front door lock that facilitates burglary is not quite in the same league, but it's getting there.

    1. Phil O'Sophical Silver badge

      Re: The real biggest issue

      At least a radium jockstrap insert has the likely advantage of overall gene pool improvement, since the purchaser won't be able to pass on their 'stupid' gene.

      1. Anonymous Coward

        Re: The real biggest issue

        "the purchaser won't be able to pass on their 'stupid' gene."

        Getting bitten by a radioactive sperm would create a seriously weird super hero...

  14. headrush

    Just repeating the "no lock is secure" point.

    We have relatively expensive plastic windows with multipoint locking systems. As we found out recently, it's all marketing crap. A crowbar applied between window and frame near the opening side simply breaks the latching mechanism.

    Nothing designed to be opened easily is ever going to be secure.

  15. HellDeskJockey

    As a long time user of keypad smart locks, there are a couple of advantages. When you have housemates that lose keys on a regular basis, just give them a combination. Most can easily be changed if needed. Also, if you have cleaners or health care providers coming to the house, give them a separate combination and they can easily come in. Not totally secure, but since a thief could easily break the window and enter, it's good enough.

    No radio locks, though; the advantage you get is not worth the risk.

  16. VTAMguy

    Manufacturer claims on Amazon that the problem is "resolved"

    Someone posted a question to the Amazon listing for this product that asked when it would be taken off the market as being insecure, and the manufacturer (or facsimile thereof) answered that the issue "has since resolved this with the updates done through the mobile app". Well, someone's lying here. Interesting also that Amazon has blocked any reviews of this thing except if you have already purchased it. They don't want the bad news spreading, obviously.


Biting the hand that feeds IT © 1998–2020