Firmware update blunder bricks hundreds of home 'smart' locks

Hardware biz Lockstate has managed to brick hundreds of internet-connected so-called smart locks on people's front doors with a bad firmware update. The upshot is you can't use the builtin keypad on the devices to unlock the door. Lockstate's smart locks are popular among Airbnb hosts as it allows them to give guests an entry …

  1. the Jim bloke

    IoT - where the S really is for Security

    I don't recall who or where (apart from being a thread here) this was posted originally, but it's worth repeating

    1. vir

      Re: IoT - where the S really is for Security

      Well, it looks like no one can use the lock now, so I guess it's even more secure than a normal keyed lockset?

      A physical button to revert the lock to a "safe mode" where remote/bluetooth functionality is disabled, but keypad access is still allowed would seem to be a prudent guard against this type of thing. But switches are expensive; some places have the nerve to charge you as much as $0.50.

      1. Anonymous Coward

        Re: IoT - where the S really is for Security

        A physical button to revert the lock to a "safe mode" where remote/bluetooth functionality is disabled, but keypad access is still allowed would seem to be a prudent guard against this type of thing. But switches are expensive; some places have the nerve to charge you as much as $0.50.

        Where would this button be placed and how would it work?

        It can't be on the inside because the problem is the keypad doesn't work and the Airbnb tenant doesn't have a physical key.

        It could be on the outside but then anyone can walk up, press the button and the property owner is prevented from gaining remote access.

        1. T. F. M. Reader

          Re: IoT - where the S really is for Security

          @2+2=5: It can't be on the inside because the problem is the keypad doesn't work and the Airbnb tenant doesn't have a physical key.

          I assume the tenants would call the owner who does have a physical key to get inside. Or even to partially dismantle the lock with a set of physical tools to get to the reset switch.

          Have you ever watched a hotel employee opening a room safe left locked by a previous guest?

          1. Anonymous Coward

            Re: IoT - where the S really is for Security

            @ T. F. M. Reader

            If the owner has to turn up with the key then the 'reset button' might just as well be taking the batteries out for a couple of minutes. I inferred from the article that a consequence of the bug is that an affected property owner has to be physically present to fix things. The button suggestion from 'vir' doesn't solve this problem.

            1. Anonymous Coward

              Re: property owner has to be physically present t

              "an affected property owner has to be physically present to fix things. "

              The property owners surely still have the option of doing what absentee landlords in the holiday let business have done for decades, at least until AirBnB and the IoT in general "disrupted" things: pay someone local to the property to look after the property in the absence of the owners.

              Anyone see a big problem with that?

        2. Anonymous Coward

          Re: IoT - where the S really is for Security

          It would also allow any entrant to disable the electronic lock for everyone else by giving it a reset. Not so good either.

          That said, it's not the kind of lock I'd ever want on my premises - I'm not even sure you can get insurance if your locks are basically controlled by an untrusted 3rd party (the lock supplier who holds the central account). I can see why some may like it but my needs lie a bit higher, to the point where I had to choose between Assa Abloy disc based locks or EVVA Triple K - at which point I found a Youtube video about someone picking the EVVA one. Grr.

          1. Stoneshop

            Re: IoT - where the S really is for Security

            if your locks are basically controlled by an untrusted 3rd party (the lock supplier who holds the central account)

            "The crashed locks – which connect to your home Wi-Fi for remote control and monitoring as well as firmware updates – are now going to be out of action for at least a week."

            Doesn't read as 'a third party controlling the lock', unless pushing (b0rked) firmware updates counts as such too.

        3. vir

          Re: IoT - where the S really is for Security

          I suppose you could have it on the inside; as you said, if you're on the outside and the lock installs a bad update, you're out of luck. If the lock is anything like the August one I used to use (don't shoot!), it updates via a user command on the app, not over WiFi and not automatically. In this scenario, the app could tell you to make sure you're inside before initiating the install. Just a thought; I don't design smart locks so you're safe for the time being.

        4. Fatman

          Re: IoT - where the S really is for Security

          "Where would this button be placed and how would it work?"

          It could be incorporated into the key lock mechanism actuated by the use of a 'special key' which is longer and reaches deeper into the lock cylinder to activate the switch. A 'standard key' being shorter, does not trip the switch.

    2. Doctor Syntax Silver badge

      Re: IoT - where the S really is for Security

      And the H stands for Hubris.

  2. Anonymous Coward

    "firmware for its more advanced 7i model had mistakenly been sent to some 6000i customers"

    FFS! if you haven't even mastered version numbering and checksums then why on Earth should anyone trust that you got hard stuff like crypto right?

    1. Pascal Monett Silver badge

      A mistake was made.

      Instead of faffing around with the usual "only a small number of customers was affected", the company responsibly owned up to the blunder, contacted the affected users (meaning the company knows who was affected), offered two means of repair/replacement and foots the bill in either case.

      That points to a seriously well-organized company that is probably intent on keeping its customers and showing how professional it can be in handling issues.

      From where I stand, although I have no use for their product, I do appreciate how they are dealing with the situation and wish that more examples of that behavior were available.

      1. h4rm0ny

        Yep. Compare their behaviour with a company like TalkTalk. Whilst it's a cock-up, and undoubtedly a PITA to the affected customers, the company's response seems professional and pro-active. They responded quickly, reached out to customers proactively, set up a dedicated email address for customers to contact them with and arranged compensation.

        The company is also a supporter of Net Neutrality. In all, they seem a good company.

      2. Doctor Syntax Silver badge

        "That points to a seriously well-organized company that is probably intent on keeping its customers and showing how professional it can be in handling issues."

        No. If it really cared it wouldn't leave the lock unusable for days or even weeks. It would have paid for a local locksmith to provide a same-day service to replace each customer's lock with some temporary arrangement and then replace that in due course with the official replacement - if the customer still wanted the official replacement.

        Owning up to the mistake is not customer service. Even fixing it in the way they have is not customer service. Customer service is ensuring that the inconvenience to the customer is minimised.

        1. Stoneshop

          Local locksmith

          No. If it really cared it wouldn't leave the lock unusable for days or even weeks. It would have paid for a local locksmith to provide a same-day service to replace each customer's lock with some temporary arrangement and then replace that in due course with the official replacement - if the customer still wanted the official replacement.

          I doubt a local locksmith would have a unit similar to the ones knackered by the update, and a temporary replacement would therefore likely be just some common conventional lock. The lock is still functioning as a conventional lock anyway, and given that the company is willing to send out a replacement first, you're not gaining anything by having a locksmith putting a temporary lock in. With only a short window where you have your AirBNB guests holding a physical key (the replacement lock will have a different one), I don't see that as a huge problem, and if you, as an AirBNB host, see that differently, then by all means arrange for that yourself.

          1. Doctor Syntax Silver badge

            Re: Local locksmith

            "a temporary replacement would therefore likely be just some common conventional lock. The lock is still functioning as a conventional lock anyway"

            One of the issues cited was giving the physical key to the AirBNB customer. If a conventional lock is fitted once the repaired original is in place the conventional lock can be removed and the physical key for that ceases to be of concern to the owner.

            "With only a short window"

            That's 5 to 7 working days. Add in up to 4 calendar days to cover weekends, i.e. up to 11 days elapsed time. If you think that's short then you have a point but maybe their customers wouldn't agree with you.

            1. Stoneshop

              Re: Local locksmith

              If a conventional lock is fitted once the repaired original is in place the conventional lock can be removed and the physical key for that ceases to be of concern to the owner.

              You get a new one sent out to you, with a different key. Once that one is fitted, the keys for the original lock, and any copies thereof, cease to be of concern to the owner.

              I haven't used AirBNB myself, but someone who has told me they did receive a physical key (of a type that you'd need an owner certificate for to show a locksmith if you wanted a copy made, so at least a bit of a hurdle regarding copying) that would open the front door and their apartment, with a deposit as collateral. I don't see why that wouldn't work for those two weeks until you received the replacement.

              Not watertight, but then neither would an IoT lock.

            2. Anonymous Coward

              Re: Local locksmith

              ..... "If you think that's short then you have a point but maybe their customers wouldn't agree with you."

              To me this is vastly simpler and easier than having to go back and forth with the manufacturer getting them to source a locksmith in the location the lock is fitted, then arranging a mutually convenient time for the locksmith to attend. This is going to take time as the locksmith will probably want paying in advance as the job is being done for a third party. After that I have to be at the property for him to arrive to fit a replacement which hopefully doesn't need too many new holes drilling in the door! And then after that another site visit is required to swap out the temporary replacement.

              To avoid that degree of hassle I, and I suspect many of their customers, would find an 11 day turn around time quite acceptable and probably much quicker than getting a locksmith involved.

        2. JimC

          Well, by Internet company standards of service

          It's not too bad, but let's face it, that's not a high bar, is it. ISPs, phone companies, software companies, none of them are exemplars of great service when things go pear shaped are they?

          1. REMOTIZER

            Re: Well, by Internet company standards of service

            All smart locks are supposed to be about convenience, not security as burglars always search out the weakest point of entry. However, once the front door's deadbolt of any residence is placed on the WWW, it instantly becomes a hacker magnet waiting to happen. Just google "DEF CON 2016" and read just how easily these hackers hacked smart locks and smart homes.

        3. Anonymous Coward

          "..... to replace each customer's lock with some temporary arrangement ...."

          ..... like a physical lock with a key? So why is a locksmith needed as this is exactly what the smart lock became after it was bricked by the bad firmware?

          1. Doctor Syntax Silver badge

            "So why is a locksmith needed as this is exactly what the smart lock became after it was bricked by the bad firmware?"

            The whole selling point of this (apart from being a cool IoT cloud thingy) is that the property owners don't want to give out the physical key. Unless a temporary lock is fitted, for which the key can be considered disposable when the original is refitted, then this is just what they have to do. If the repaired lock doesn't also have a change of physical key, their $469 has been wasted.

      3. John Brown (no body) Silver badge

        "That points to a seriously well-organized company that is probably intent on keeping its customers and showing how professional it can be in handling issues."

        Commendable though that may be, does it not strike anyone as odd that shipping the affected lock back, getting it reprogrammed then shipping back to the customer will take 5-7 days but shipping a new replacement in advance of returning the failed lock takes over three weeks?

        I wonder what happens when the customer ships the faulty lock back for reprogramming? Is there a module they send back, leaving the manual part of the lock in place or do they need to fit a standard lock in the meantime?

        1. Anonymous Coward

          Re: over three weeks

          "shipping a new replacement in advance of returning the failed lock takes over three weeks?"

          How long does it take for a containerload of Chinese tat to be ordered, manufactured, shipped to customer warehouse, clear customs at the destination, be rebranded with brand-specific badges and reconfigured to an end-user-ready state, and be delivered ready to use?

          Three weeks sound about right? Maybe a little longer?

          1. Anonymous Coward

            Re: over three weeks

            Possibly, in the UK it would be 6-8 weeks

        2. CrazyOldCatMan Silver badge

          getting it reprogrammed then shipping back to the customer will take 5-7 days but shipping a new replacement in advance of returning the failed lock takes over three weeks

          Not really - in the first case, they don't have to replace the unit, just reprogramme it. In the second case, they have to manufacture a new unit (because I very much doubt that they have enough in stock to replace all the borked units) and then ship it out.

          And (in general) making new stuff takes longer than reprogramming old stuff.

      4. This post has been deleted by its author

    2. Anonymous Coward

      Re: "firmware for its more advanced 7i model had mistakenly been sent to some 6000i customers"

      Agreed. It's not hard to have the firmware file(s) identify what models the update is valid for & have the existing firmware not run the update unless the intended model matches the physical model. All IoT crap should do such checks from the get go.

  3. Mark 85

    And everyone I know not in IT wonders why I'm not a fan of IoT....

  4. Haku

    The Internet of Turmoil strikes again.

    1. Anonymous Coward

      Lovely

      knocks my "Idiots or Twonks" into a cocked hat.

      Seriously, this should be essential reading (and comprehension) for anyone thinking of buying this sort of crap.

      I know that soon everything is supposed to be 'connected' but why?

      I'd expect the Home and Contents insurers to start loading premiums for people who secure their homes with this stuff.

      Then there are the Adverts for Alexa that tell it to use Hive to do something.

      How secure will that be if all it takes is for someone to shout through the letterbox, "Alexa open the front door for me please"

      Madness (welcome to the house of fun) and it won't end well.

      At least my home won't have any of this crap for the foreseeable future.

      1. Mark 85

        Re: Lovely

        I can see it being connected within the house but for crap sakes why does it need to talk to the Internet? Oh.. updates... yeah...

        1. Anonymous Coward

          Re: Lovely

          I recently bought a Linksys EA7500 WiFi access point/router. The only easy way to set up this device is to subscribe to the Linksys "cloud" so that ALL CONFIGURATION is done via the Linksys cloud account.

          *

          This is so that "you can manage your router using your smart phone from anywhere on the planet".

          *

          So your home LAN is open to hacking from "anywhere on the planet"......REALLY?

          *

          It took a day and a lot of research to find out how to configure the device in the old fashioned way -- using a laptop and a CAT5 cable (and NO INTERNET ACCESS).

          *

          In the future it may be impossible to manage a computer-based device without "the cloud" -- if idiots like Linksys have their way.

          *

          Yup.......lovely!!!!

          1. John Brown (no body) Silver badge

            Re: Lovely

            "The only easy way to set up this device is to subscribe to the Linksys "cloud" so that ALL CONFIGURATION is done via the Linksys cloud account."

            To be fair, this sort of thing started because of NAT and the difficulty of creating universal and easy set-up for IT illiterate users. Then the marketing people realised the potential for user lock-in and subscription services so even with universal adoption of IPv6, we'll never get back to the direct connect methods now. "$x as a Service" is here to stay. After all, it's risky enough that the company providing the service and "cloud" server might go bust, but there is also the risk Google might buy them up and shut them down anyway.

            1. Doctor Syntax Silver badge

              Re: Lovely

              "it's risky enough that the company providing the service and "cloud" server might go bust"

              Or even just TITSUP* for a while.

              *Total Inability To Secure Users' Premises

          2. Hans 1

            Re: Lovely

            Linksys EA7500

            OpenWRT supports the EA8500, I think ... well, this page seems to infer that, at work, no time to read it all ...

            https://wiki.openwrt.org/toh/linksys/linksys_ea8500

            Punters, next time you buy a router/wifi access point, check out OpenWRT support -> All major router purveyors have had security blunders like root/root accounts, telnet access via "magical link" etc ... don't trust them, trust yourself, get OpenWRT!

      2. John Smith 19 Gold badge

        "should be essential reading anyone thinking of buying this sort of crap."

        $469 is not a price for "crap." That's pretty good phone, or cheap laptop territory.

        It just acts like it.

        1. PNGuinn

          $469 is not a price for "crap."

          That's what you USED to think, John?

          1. John Smith 19 Gold badge

            Re: $469 is not a price for "crap." That's what you USED to think, John?

            Not at all.

            I think this thing (it's a front door lock) is obscenely over priced for what it does, simply for the novelty of how it does it.

            Crap can always be over priced for what it does (Google JML products for a company that sells nothing but such items).

            For that kind of money I'm pretty sure you can get a very heavy door, with piano hinges and a high security multi bolt lock to go with it.

            1. Anonymous Coward

              Re: $469 is not a price for "crap." That's what you USED to think, John?

              "Google JML products for a company that sells nothing but such items"

              Don't you dare be so rude about one of Tony Blair's biggest financial backers:

              http://www.telegraph.co.uk/finance/newsbysector/retailandconsumer/10310722/Rich-private-school-Oxford.-Meet-John-Mills-Labours-biggest-donor.html

              where you can read this familiar sounding excuse:

              "If you sell 50m units of something or other you just can't avoid some mistakes," he says. "There's no defence. In that particular incident, the products we were supplying hadn't been finished properly and we had no way of knowing."

              Sadly for Mr Mills, Trading Standards found a way of knowing.

              Sadly for the rest of us, Trading Standards didn't put him out of business. They rarely have the power (or funds) to do anything about people like that.

            2. Stoneshop

              Re: $469 is not a price for "crap." That's what you USED to think, John?

              For that kind of money I'm pretty sure you can get a very heavy door, with piano hinges and a high security multi bolt lock to go with it.

              A few days ago I was in a hardware store in Germany, and one of the things they had on sale was a burglary/vandalism resistant front door (including hinges, frame and five-point lock), for roughly double that price.

      3. John Brown (no body) Silver badge

        Re: Lovely

        "I'd expect the Home and Contents insurers to start loading premiums for people who secure their homes with this stuff."

        I'd expect the opposite. To the insurers, IoT = electronic = security = better so anyone NOT using this type of kit will see their premiums increased. As was predicted here by many, the insurers' "black box" for young drivers to monitor their quality of driving to reduce premiums is now being advertised as a benefit to all drivers. Before long they will be standard and drivers without them will pay much more for choosing not to be tracked and watched by big brother.

    2. John Smith 19 Gold badge

      " The Internet of Turmoil strikes again."

      Nice.

      That's exactly what this causes.

  5. ma1010

    Hey, EVERYBODY!

    Internet connected tat is NOT GOOD, m'kay?

    When large corporations (who supposedly have staff who specialize in keeping bad actors out of their systems) seem to get hacked regularly, putting one's door lock on the Internet seems a bit, well, stupid.

    Do not connect anything to the Internet that doesn't really need to be connected to the Internet. And if you do connect it, expect it to get p0wned - in this case by the manufacturer.

  6. pdh

    Why an update?

    It's a lock, fer the cryin out loud. I wonder why a door lock would need a software upgrade in the first place -- how complicated can the software be?

    It would be interesting to see the list of bug fixes that the firmware upgrade was intended to address. Maybe the CPU in the lock is mining bitcoins for the company in its spare time, and they had to introduce new logic to deal with the recent bitcoin forking?

    1. DNTP

      Re: Why an update?

      I'm like 95% sure the actual answer is "implementing usage data collection for an affiliate" but maybe I am being a little cynical about the way IoT generally seems to be run.

      1. PNGuinn

        "but maybe I am being a little cynical" @DNTP

        Er ... No.

    2. Version 1.0 Silver badge

      Re: Why an update?

      Perhaps it's to fix a bug, like entering 99999999999999999999999999 causes a buffer overflow and the door opens?

      Nobody codes for reliability these days, nobody checks the code, just scribble a few lines, pretty print it and go down the pub for lunch and a beer or five. After lunch you return to the office and push the update out.

      1. Anonymous Coward

        Re: Why an update?

        This is an interesting read that perhaps sheds light on why. It's not laziness, but more that most people's brains aren't wired to spot failures.

        http://lesswrong.com/lw/iw/positive_bias_look_into_the_dark/

    3. picturethis

      Re: Why an update?

      Companies are damned if they don't update their devices, now ones that do are being criticized?

      Yes, they messed up during an update, but at least they were updating

      Yes, I would never trust an IOT access to my residence, but they seem to be doing the correct thing towards fixing the problem

      Who knows what they were fixing with the update - TLS v1.2 support, or as others have said - maybe issues with buffer overflows, etc.

      This sort of stuff is just really the beginning (of the tip of the iceberg) in terms of breaches that will occur due to IOT security.

      I, myself (which I am usually quick to criticize) am not ready to jump on them quite yet except for the fact that yes the entire issue was caused by updating the wrong device - that does indicate some sort of inexperience where there should have been none.

      1. Doctor Syntax Silver badge

        Re: Why an update?

        "Yes, they messed up during an update, but at least they were updating"

        The purpose of an update is to improve that which is being updated. If the attempt leaves it in a worse condition there's at least a basis for arguing that it wasn't really an update.

    4. dajames

      Re: Why an update?

      how complicated can the software be?

      In this case, not complicated enough to check to see whether it's about to overwrite itself with software for an incompatible device, apparently.

  7. Sureo

    "smart home devices"

    Don't seem that smart, do they?

    1. Teiwaz

      Re: "smart home devices"

      The 'Smart' bit is getting people to buy the crap in the first place.

      It's all one big 'Snake Oil' peddling exercise. There's probably a secret society behind it that awards seats in a new sales 'magic circle' if you manage to convince enough people to buy your crap that you turn a profit.

      1. h4rm0ny

        Re: "smart home devices"

        It's pretty useful to be able to assign temporary pass codes to people for the lock and also see remotely if it's been used, if it's closed and locked or left open. These products are very popular with AirBnB hosts. Even as just an every day obsessive compulsive who always wonders if she's left the door unlocked when she goes away, a product like this has appeal.

        1. The Man Who Fell To Earth Silver badge

          Re: "smart home devices"

          All true, but as others have pointed out, none of that should have been too hard to write & debug correctly in the first place. It's only a lock with a few remote logging features & simple remote control features. So the need for updates likely is to (1) make fixes for poor initial coding and (2) add "features" that probably add data collection stuff of little benefit to the owner. It's just a lock. And as others have pointed out, the firmware updating process should include model info in the new firmware to be checked by the old firmware for a match before proceeding with the update.
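Added example (the editor's, not Lockstate's code and not anything a commenter posted): the check that this post and the earlier Anonymous Coward reply ("have the firmware file(s) identify what models the update is valid for") both describe, written as a small C firmware-image validator that the running firmware would call before touching flash. The 20-byte little-endian header, the magic value and the numeric model IDs for the 6000i and 7i are assumptions made for the example; the payload is a constructed string, not real lock firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed image format. Magic, header layout and model IDs are all
 * assumptions for this example; the article says nothing about the real one. */
#define FW_MAGIC     0x4C4B4657u  /* arbitrary constant, "LKFW" */
#define FW_HDR_LEN   20u          /* magic, model, version, payload_len, crc32 */
#define MODEL_6000I  6000u        /* assumed numeric ID for the 6000i */
#define MODEL_7I     7u           /* assumed numeric ID for the 7i */

enum fw_status {
    FW_OK = 0,
    FW_TOO_SHORT,    /* shorter than the header, or payload_len overruns the image */
    FW_BAD_MAGIC,    /* not one of our images at all */
    FW_WRONG_MODEL,  /* built for another device: the 7i-image-on-a-6000i case */
    FW_DOWNGRADE,    /* older than what is already running */
    FW_BAD_CRC       /* payload corrupted or truncated in transit */
};

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). */
static uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Device side: everything to verify before a single byte goes to flash.
 * device_model and running_version are facts the firmware knows about itself. */
enum fw_status fw_validate(const uint8_t *img, size_t img_len,
                           uint32_t device_model, uint32_t running_version)
{
    if (img_len < FW_HDR_LEN)
        return FW_TOO_SHORT;
    uint32_t magic   = get_le32(img + 0);
    uint32_t model   = get_le32(img + 4);
    uint32_t version = get_le32(img + 8);
    uint32_t plen    = get_le32(img + 12);
    uint32_t crc     = get_le32(img + 16);

    if (magic != FW_MAGIC)           return FW_BAD_MAGIC;
    if (model != device_model)       return FW_WRONG_MODEL;  /* the missing check */
    if (version < running_version)   return FW_DOWNGRADE;
    if (plen > img_len - FW_HDR_LEN) return FW_TOO_SHORT;   /* length field lies */
    if (crc32_ieee(img + FW_HDR_LEN, plen) != crc) return FW_BAD_CRC;
    return FW_OK;
}

/* Build side: header + payload into buf. Returns total length, 0 if buf is too small. */
size_t fw_build_image(uint8_t *buf, size_t cap, uint32_t model, uint32_t version,
                      const uint8_t *payload, size_t plen)
{
    if (plen > UINT32_MAX || cap < FW_HDR_LEN + plen)
        return 0;
    put_le32(buf + 0, FW_MAGIC);
    put_le32(buf + 4, model);
    put_le32(buf + 8, version);
    put_le32(buf + 12, (uint32_t)plen);
    put_le32(buf + 16, crc32_ieee(payload, plen));
    memcpy(buf + FW_HDR_LEN, payload, plen);
    return FW_HDR_LEN + plen;
}

/* Demo driver: build a constructed image for image_model/image_version and
 * validate it on a device_model unit running running_version. If tamper is
 * set, one payload byte is flipped after the CRC was computed. */
enum fw_status fw_demo(uint32_t image_model, uint32_t image_version,
                       uint32_t device_model, uint32_t running_version, int tamper)
{
    static const uint8_t payload[] = "constructed payload, not real lock firmware";
    uint8_t img[128];
    size_t n = fw_build_image(img, sizeof img, image_model, image_version,
                              payload, sizeof payload);
    if (tamper)
        img[FW_HDR_LEN] ^= 0x01;
    return fw_validate(img, n, device_model, running_version);
}

int main(void)
{
    printf("6000i image on a 6000i: %d (FW_OK=%d)\n",
           fw_demo(MODEL_6000I, 2, MODEL_6000I, 1, 0), FW_OK);
    printf("7i image on a 6000i:    %d (FW_WRONG_MODEL=%d)\n",
           fw_demo(MODEL_7I, 2, MODEL_6000I, 1, 0), FW_WRONG_MODEL);
    printf("corrupted 6000i image:  %d (FW_BAD_CRC=%d)\n",
           fw_demo(MODEL_6000I, 2, MODEL_6000I, 1, 1), FW_BAD_CRC);
    printf("older 6000i image:      %d (FW_DOWNGRADE=%d)\n",
           fw_demo(MODEL_6000I, 1, MODEL_6000I, 3, 0), FW_DOWNGRADE);
    return 0;
}
```

Compile with `cc -std=c99 fw_check.c && ./a.out`; each line prints the status beside the value it should match. The model field is the one-line check that would have turned the 7i-to-6000i push into a rejected update rather than a bricked lock. Note the limits: a CRC only catches accidental damage (the wrong file served, a truncated download). A deliberately forged image passes it, and the defence there is a signature over header and payload verified against a key the bootloader already holds. The article does not say which, if any, of these checks Lockstate's lock performed.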

          1. Peter Gathercole Silver badge

            Re: "smart home devices" @The Man...

            But one of the problems is that even if the actual lock code is quite simple, the required code to keep it safe from hacking, MitM attacks etc. is not.

            Let's assume they were originally using SSL or TLS 1.0 as the encryption management. In order to keep the device safe, that would need to be changed, and some of the ciphers and cryptography would have to be retired as a result of discovered vulnerabilities in the older, previously held secure, connection code.

            The patches for the underlying technologies may be freely available. Packaging and deploying them to your IoT device is not. This is why cheap IoT tat is such a flawed idea at the moment.

  8. frank ly

    Quality

    "It'd be a real shame of AirBnB'ers weren't able to illegally stay in my building this week."

    Does that even make sense if you replace 'of' with 'if'?

    1. Jamie Jones Silver badge

      Re: Quality

      My guess is that other official tenants in his building complex are renting out their properties via airBnB, against their contract conditions.

      I'm assuming he doesn't like all these uncouth people in his building.

      Not sure what's illegal though, unless they are a bunch of people who climbed over Trump's wall.

      Do I win a prize?

      1. Stoneshop

        Re: Quality

        Not sure what's illegal though,

        If the rental agreement has clauses against subletting it would definitely be.

        There have been several cases of people getting kicked out of their rented housing because they rented out rooms, or even their entire apartment, via AirBNB.

        1. Jamie Jones Silver badge

          Re: Quality

          I wouldn't have thought breach of contract would be illegal, but I suppose there are legal requirements if you effectively run a hotel. Is that it?

          1. Stoneshop

            Re: Quality

            I wouldn't have thought breach of contract would be illegal,

            How about that particular phrase causing 'sufficient grounds for terminating the contract'?

  9. Jamie Jones Silver badge

    *facepalm*

    Earlier this week, though, new software was automatically sent out to folks' $469 Lockstate 6000i locks

    A lock, upgradeable over the internet? What could go wrong?!

  10. Your alien overlord - fear me

    Which is why my front door is a manual number lock. Doesn't even need power. And no, it's not open for AirBnB'ers. Why did I use a number lock? Ever shut the front door and realised the keys were in your other jacket. Doh !!!!!!

    1. Doctor Syntax Silver badge

      "Ever shut the front door and realised the keys were in your other jacket."

      Not a problem. My front door has a lever lock that requires me to turn a key to lock it.

      1. h4rm0ny

        >>Not a problem. My front door has a lever lock that requires me to turn a key to lock it.

        Ever gone away and not been sure if you remembered to lock it?

        1. Roland6 Silver badge

          >Ever gone away and not been sure if you remembered to lock it?

          A colleague once came back from a week long conference to find his front door wedged closed with a piece of paper. He subsequently discovered that his neighbours seeing the front door open and him obviously out, kindly latched the Yale lock just in case he had left his keys inside, then wedged the door closed with paper.

          So unless your door has an auto closer, having a Yale lock etc. isn't a guarantee your door has actually locked as you pull it behind you in your rush to catch that taxi...

          Personally, having had mortice locks for a few decades, I've got into the habit of checking the door has locked behind me.

          Interestingly, the IoT potentially will create more stress: there you are in some far flung place that happens to have Internet and you take a look at your home and discover the front door is showing a status of not closed... Currently, I have a nice holiday and only have to worry about the front door when I get home and discover it unlocked.

          1. h4rm0ny

            >>"there you are in some far flung place that happens to have Internet and you take a look at your home and discover the front door is showing a status of not closed... Currently, I have a nice holiday and only have to worry about the front door when I get home and discover it unlocked."

            The far more likely scenario is that I worry about something I don't and being able to check that it's locked is what enables me to relax. In the unlikely eventuality that I have left it unlocked, I can call a friend and ask them to pop round and lock it for me. It's not like I am helpless to do anything about it just because I am away!

        2. Doctor Syntax Silver badge

          "Ever gone away and not been sure if you remembered to lock it?"

          1. What Roland6 said.

          2. The door has a glass panel on either side. Therefore with a cylinder lock (AKA Yale* lock) latch it can never be locked at all. If the back of the door is accessible from outside then it can't be locked without a key or combination on the inside as well as the outside. A glass panel in or beside the door combined with a cylinder lock is a gift to B&E merchants.

          Some of the comments in this thread reveal a worrying naivety about keys. Does nobody change the door lock when they move into new premises? A few years ago my daughter moved into a new house having received "all" the keys from the previous owner. As she was moving in a neighbour rolled up with another front door key that she'd had for some time that the previous owner had forgotten about. I'd have changed her lock anyway but it moved things on a bit.

          * Yale don't just make cylinder locks. In fact my mortice lock was made by Yale.

        3. Baldrickk

          >Ever gone away and not been sure if you remembered to lock it?

          No.

          You very quickly get into the routine of locking it when you close the door to leave -

          unless you are going in and out regularly (i.e. getting shopping from the car) when you leave the door unlocked, you generally leave the door locked at all times.

          If you do happen to leave your keys inside, you simply open the door again and get them.

    2. Anonymous Coward
      Anonymous Coward

      The security of a manual push button lock is often poor as the order in which the buttons are pressed does not matter and each of the digits in the code needs to be unique. For a 10 button lock with a 4 digit code rather than the intuitive 10,000 permutations it provides only C(10,4) or 210 unique combinations. Pretty easy to brute force.

      Going up to a 5 digit code doesn't help much as that only gives 252 combinations. Of course if an attacker doesn't know if it's a 4 or a 5 digit code it will be harder for them as they need to try for both, and if they have no clue at all how many digits (1 to 10) are in the code then there are 1065 possibilities which is going to be slow to brute force, but still an order of magnitude down on the intuitive 10,000 possibilities.
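The keyspace comparison in the comment above, worked through as an added example (not part of the original comment): it counts codes for an ordered keypad PIN against a mechanical push-button lock where each button is used at most once and press order is ignored, and generalises to any button count, any code length, and the "length unknown" case. The function names are this example's own.

```python
from math import comb
from typing import Optional


def ordered_pin_space(buttons: int, length: int) -> int:
    """Keypad PIN: order matters and digits may repeat (the intuitive 10^4)."""
    return buttons ** length


def pushbutton_space(buttons: int, length: int) -> int:
    """Mechanical push-button lock: each button at most once, order ignored.

    Every code is just a subset of the buttons, so the count is C(buttons, length).
    """
    if length > buttons:
        return 0
    return comb(buttons, length)


def pushbutton_space_unknown_length(buttons: int, min_len: int = 1,
                                    max_len: Optional[int] = None) -> int:
    """Total codes when the code length is not known, summed over all lengths.

    With min_len=1 and max_len=buttons this is every non-empty subset, 2^buttons - 1.
    """
    if max_len is None:
        max_len = buttons
    return sum(comb(buttons, k) for k in range(min_len, max_len + 1))


def keyspace_shrink_factor(buttons: int, length: int) -> float:
    """How many times smaller the push-button keyspace is than the ordered PIN keyspace."""
    return ordered_pin_space(buttons, length) / pushbutton_space(buttons, length)


if __name__ == "__main__":
    for length in (4, 5):
        print(f"{length}-digit code on 10 buttons: ordered PIN {ordered_pin_space(10, length)}, "
              f"push-button {pushbutton_space(10, length)} "
              f"({keyspace_shrink_factor(10, length):.1f}x smaller)")
    print("unknown length (1..10):", pushbutton_space_unknown_length(10))
```

The unknown-length total is every non-empty subset of the buttons, so it never exceeds 2^buttons - 1 regardless of how long the code might be, which is the quantity to compare against the ordered keypad's keyspace when judging brute-force exposure.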

    3. DropBear

      "Which is why my front door is a manual number lock"

      Depending on how mortified you are or are not in the mood to become, do or never do check out a few Youtube videos demonstrating how easily and quickly a typical* "number lock" gets pwned by anyone who also watched the same videos, using nothing but a thin "feeler" pick shoved in next to the dials...

      *there are things that can be done to prevent a lot of this, but it just doesn't seem to be present in the vast majority of these locks - "we don't give a shit" is not exclusive to IoT...

  11. John Smith 19 Gold badge
    WTF?

    Attention Internet of Turmoil suppliers. You are not in the lock/clock/thermostat/fridge business

    You're now in the software development (and support) business.

    Either accept this (and set up processes accordingly) or get flushed down the pan of history.

    A lock used to allow 3rd party access to living accommodation whose entry code can be re-written remotely you say?

    How weak is the crypto? I fancy a holiday.

  12. David Roberts
    Facepalm

    The use case seems sensible

    Despite the negative comments, remote control of physical access devices is what IT is all about. Saving time and effort. Allowing one person in a remote office to manage distributed real estate instead of sending someone out in a van to do it by hand.

    The implementation, however, sucks.

    Lessons like this are needed for each new technology to teach people to do it right. Shouldn't be, but it seems to be the only way people will learn.

    Anyone with a Smart Meter in the UK should be taking note, of course. Just in case a remote update bricks the meter and also uses the "disconnect" feature for the mains supply.

    1. Anonymous Coward
      Anonymous Coward

      Save more time to do what?

      Save more time to do what? Put more people out of work? Inflate the profits of tax-avoiding billionaires? Put even more power into the hands of people who should have zero power and would serve us better by being locked away in a safe place...with a proper lock and key not one of these IoT things?

      1. David Roberts

        Re: Save more time to do what?

        Can I perhaps offer an example?

        Remote management of servers and routers instead of staffing all the data centres with identical skill sets?

        Luddites may not like this but remote management of software and hardware (in a secure manner) is generally taken for granted.

  13. Wolfclaw

    One of the main problems of IOT remote management, they make a change that screws up and you're left in the lurch. Surely a device like this should have an update USB port for emergency resets using the appropriate physical key and passcode as authentication ?

    1. Ken Hagan Gold badge

      Given the price tag, definitely.

    2. TonyHoyle

      Given the price I'm at a loss why it didn't have backup firmware and switch to that when the update failed. The kind of thing that has been standard in consumer upgradable devices for years.

      But that would have cost them 10p, and required them to give a shit.

      1. Anonymous Coward
        Anonymous Coward

        Re: "But that would have cost them 10p,"

        Given the quantities allegedly involved (hundreds of locks affected?) and the cost of software development, I suspect the extra cost per unit might have been a bit more than 10p. Correction welcome.

        On the other hand if company directors routinely got sued for realistic customer costs (plus a bit of punitive and exemplary damages) and regularly lost, that might cost enough to get the company management a bit more interested.

  14. Anonymous Coward
    Trollface

    Fact

    What most Airbnb hosts really want is a lock that can tell if it's a renter-of-color and stay locked.

    1. Commswonk

      Re: Fact

      Any statement accompanied by the word "Fact" usually isn't.

      Obviously there is an exception in this case...

  15. jMcPhee

    Can hardly wait for internet enabled insulin dispensers

    1. Ken Hagan Gold badge

      Google is your friend. There have certainly been cases of hackable medical implants and I'd be surprised if no-one has yet added telemetry.

    2. John Smith 19 Gold badge
      Unhappy

      " Can hardly wait for internet enabled insulin dispensers"

      You're a bit behind the times. Infusion pumps (they do other stuff apart from insulin) had serial ports in the late 90's.

      I'm pretty sure at least one model has a BlueTooth interface or some other species of exploitable connectivity.

      IRL what has happened is every such pump has fail safed on the same day.

      There's a delightful YT from a doctor who studies how (and why) large complex systems fail.

      1. Anonymous Coward
        Anonymous Coward

        Re: " Can hardly wait for internet enabled insulin dispensers"

        P Versus NP is the main problem... unsolvable too! Just as a hint to all you IOT startups thinking you can break the "accepted current industry", when that industry *is* Maths, you better be good!

      2. Anonymous Coward
        Anonymous Coward

        Re: " Can hardly wait for internet enabled insulin dispensers"

        My wife is fitted with an Intrathecal Baclofen Pump. It releases minute doses of Baclofen (an anti-spasmodic) into the spinal fluid.

        From what I have seen, the interface is proprietary - not WiFi or Bluetooth so I suspect the manufacturers are using security by obscurity as a design parameter.

        I would *hope* that said pump has been programmed with some sanity checks, and will be able to reject obviously incorrect settings (such as "increase dose by 10000%"). However there's no way of knowing.

        So what ARE the international standards (cf ISO27001) for medical implant software ? There must be some ...

  16. d3vy

    "Lockstate Connect, which is a subscription-based service that allows full remote control of all compatible smart home devices."

    Subscription based service.... Three words that mean I won't ever own a product.

    At some point this company is going to decide to stop supporting these locks, they will shut down the servers and you're back to having a dumb lock, a $600 dumb lock (With the added bonus that it's probably also hackable) - I'll stick to physical keys thanks.

  17. Will Godfrey Silver badge
    Meh

    They shouldn't have bothered.

    I don't need any more reasons to avoid IoT like the plague.

  18. Anonymous Coward
    Devil

    Bwahahhahaaaa!

    See above.

    1. h4rm0ny
      Paris Hilton

      Re: Bwahahhahaaaa!

      Why so hateful?

  19. Whiskers

    The key's indoors ...

    I wonder if any users have left their only physical keys inside the house whose lock is now bricked? This could get a bit messy and expensive. I know, as I've managed to lock myself out more than once (purely by my own actions, no internet required). Doors and windows aren't cheap.

    If their only computer is also inside the inaccessible house, will they even have got the email?

    1. Anonymous Coward
      Anonymous Coward

      Re: The key's indoors ...

      Top tip - Leave a key with a neighbour in a sealed envelope. It works because they can show they haven't used it. I trust them anyway and it complies with insurance requirements.

  20. ecofeco Silver badge

    So how's the cloud and IdioT working for ya, people?

    I never get tired of saying this.

  21. Black Betty

    This is what you get when every App is an OS patch.

    Who the hell needs a light switch (or lock) with more processing power than one of Seymour's early babies?

  22. kvasnic

    I am one of the impacted customers.

    I am an airbnb host and my guest was impacted - unable to enter the home half way through their vacation.

    I have sent 5 emails to LockState over the past week - not a single response from LockState.

    Abysmal customer service.

    1. Anonymous Coward
      Anonymous Coward

      Any company that requires and only accepts emails is not offering customer service. Though I have had great service over email, they need more points of contact.

      1. Anonymous Coward
        Anonymous Coward

        email support

        the converse is the *increasing* number of companies that only offer phone support.

        Quite aside from the fact that the paradigm of email support is completely different to phone support is the annoyance that not being able to use a computer to interact restricts people with disabilities.

        I have had quite a few companies send me a letter after I sent them an email complaining that they were unable to contact me by phone. Clearly missing my opening paragraph where I state I cannot use a voiceline. Of course, if they can't get *that* right, what else can't they manage competently ????

        1. TonyHoyle

          I lost count of the number of companies that would publish an email support address that would just autorespond with a phone number. I don't get the mentality.. To badly misquote yoda.. have an email or don't, there is no middle ground.

          1. JimmyPage Silver badge
            Thumb Up

            Back in the early days of the internet ...

            a lot of marketeers' idea for the corporate website was a page with a phone number ...

            What was it Henry Ford said ?

            If I had asked my customers what they wanted, they would have said "faster horses"

  23. harmjschoonhoven
    WTF?

    Hm,

    Having seen how easy it is to pick a lock, there is hardly a problem.

  24. Mage Silver badge

    IoT stupidity

    Why would any sane person have an Electronic lock that's connected to the Internet 24x7?

    Apart from this fiasco, it makes the lock vulnerable to hacking.

    Better that users are emailed with updates and that locks are updated by USB stick, with socket under a plate locked by key on inside of door.

    This design is inherently insecure. It's not like a TV setbox where a botched OTA upgrade is only inconvenient.

    Yet cars and other things have this stupid design concept.

  25. DerekCurrie
    Facepalm

    So, IoT Security Can't Catch A Break

    This past year, one of the thoroughly justified rants about a lot of IoT devices has been that their firmware can't be automatically updated. Even HP printers have been implicated in this blunder. Users have to go and fetch firmware updates themselves, if they're available, if the device will even accept an update.

    But here we are with a laudable IoT device that is, thank you, automatically updated.

    Except the update is deadly.

    Little baby steps. IoT is juvenile technology. We're still stuck in The Dark Age of Computing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Juvenile Technology

      Nope. It's juvenile developers.

      1. Anonymous Coward
        Anonymous Coward

        Re: Juvenile Technology

        "It's juvenile developers."

        With greatest respect, that's bollocks.

        It's incompetent, ignorant, and naive management AS WELL as juvenile developers.

        The juvenile developers should have known that it was sensible, maybe even essential, to be able to identify that any firmware update was fit for use on the device it was being applied to. Maybe that wasn't in the spec, maybe they said it would cost $$$ to implement and thus it got rejected, maybe something else.

        The incompetent, ignorant, and naive management should have realised that any update needs to be tested on a realistic sample of the market before being forced onto the whole userbase. If that can't be done, the process design is as broken as the company management.
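The two safeguards raised in this thread, checking that an update is fit for the device it lands on (this comment) and keeping a backup firmware bank to fall back to when an update fails (TonyHoyle's comment above), as an added example that is not LockState's code and not part of any comment. The image layout (magic, model id, monotonic version, SHA-256 of the payload) and the class and function names are this example's own assumptions; a real device would verify a signature over the header and payload rather than a bare digest, which is left out here for brevity.

```python
import hashlib
import struct
from typing import List, Optional, Tuple

# Constructed, hypothetical image layout (not any vendor's real format):
#   4s  magic
#   H   target model id
#   I   firmware version (must increase monotonically)
#   32s SHA-256 of the payload that follows the header
HEADER = struct.Struct(">4sHI32s")
MAGIC = b"FWIM"


def build_image(model: int, version: int, payload: bytes) -> bytes:
    """Assemble a firmware image in the constructed layout above."""
    return HEADER.pack(MAGIC, model, version, hashlib.sha256(payload).digest()) + payload


def validate_image(image: bytes, device_model: int, current_version: int) -> Tuple[bool, str]:
    """Reject an image that is truncated, for another model, not newer, or corrupted."""
    if len(image) < HEADER.size:
        return False, "truncated header"
    magic, model, version, digest = HEADER.unpack_from(image)
    payload = image[HEADER.size:]
    if magic != MAGIC:
        return False, "bad magic"
    if model != device_model:
        return False, "wrong model: image targets %d, device is %d" % (model, device_model)
    if version <= current_version:
        return False, "version %d is not newer than installed %d" % (version, current_version)
    if hashlib.sha256(payload).digest() != digest:
        return False, "payload hash mismatch"
    return True, "ok"


class DualBankDevice:
    """Simulated device with two firmware banks; only one is active at a time."""

    def __init__(self, model: int, factory_image: bytes):
        self.model = model
        self.banks: List[Optional[bytes]] = [factory_image, None]
        self.active = 0

    def version(self) -> int:
        return HEADER.unpack_from(self.banks[self.active])[2]

    def apply_update(self, image: bytes) -> Tuple[bool, str]:
        """Write to the inactive bank and switch only after the written copy re-validates."""
        ok, reason = validate_image(image, self.model, self.version())
        if not ok:
            return False, reason
        inactive = 1 - self.active
        self.banks[inactive] = image
        # Simulated flash read-back: never point the boot selector at unverified data.
        ok, reason = validate_image(self.banks[inactive], self.model, self.version())
        if not ok:
            self.banks[inactive] = None
            return False, "read-back failed: " + reason
        self.active = inactive
        return True, "ok"

    def boot(self) -> int:
        """Boot the active bank if it still validates, otherwise fall back to the other one."""
        for idx in (self.active, 1 - self.active):
            img = self.banks[idx]
            # current_version=-1 disables the newer-than check; only integrity matters at boot
            if img is not None and validate_image(img, self.model, -1)[0]:
                self.active = idx
                return self.version()
        raise RuntimeError("no bootable firmware bank")


if __name__ == "__main__":
    dev = DualBankDevice(model=1, factory_image=build_image(1, 1, b"constructed payload v1"))
    print(dev.apply_update(build_image(2, 2, b"for another model")))   # rejected
    print(dev.apply_update(build_image(1, 2, b"constructed payload v2")))  # accepted
    print("running version", dev.boot())
```

The boot path is what turns a bad update into an inconvenience instead of a locked-out guest: a corrupted active bank simply fails validation and the previous bank runs, while the model and version checks stop an image meant for a different product from ever being written.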

        1. Anonymous Coward
          Anonymous Coward

          Re: Juvenile Technology

          I bet they were using Agile. Just remember burglars are more agile than developers.

          1. Doctor Syntax Silver badge

            Re: Juvenile Technology

            "Just remember burglars are more agile than developers."

            Not always. A few have got stuck in the windows they were trying to climb through (splendid recent example http://www.independent.co.uk/news/uk/home-news/burglar-jailed-after-getting-stuck-in-bathroom-window-a7562221.html ) and a few have fallen through roofs or roof-lights.

  26. Anonymous Coward
    Anonymous Coward

    A short step

    From IoT to IdioT.

  27. heyrick Silver badge

    One simple job

    A physical key, plus one or more numeric codes with some method allowing them to be assigned and expired. Why does this thing even need firmware updates?

    Oh yes, maybe it is because the WiFi module is vulnerable because "being connected" is so much more important than "being secure"...

    1. Anonymous Coward
      Anonymous Coward

      Re: "being connected" is so much more important than "being secure"...

      "Being fashionable" (for supplier and customer) is so much more important than "being fit for purpose". Even after media coverage like this.

      Dumb people buy smart gear (exceptions apply).

      FTFY, etc.

  28. Anonymous South African Coward Bronze badge

    And this is one of the reasons you have to have n+1 devices, the last device is used to test any updates before rolling the update(s) out to the rest of the tat bazaar.

  29. Arachnoid

    Remote security risks?

    So the lock owner is reliant on the lock producer having a secure enough server, that's up to snuff at preventing a rogue compromised update that allows ne'er-do-wells access to properties protected by said locks.

  30. Anonymous Coward
    Anonymous Coward

    Consequential loss (more UK perspective)

    It will be interesting when cases like this start hitting the news - and courts - on a regular basis. Certainly from a UK perspective where the concept of consequential loss is *very* narrow.

    I wonder how many AirBnB "businesses" (quotes *not* ironic) will be able to recover their lost "profits" ????

  31. MrKrotos

    Just use a magnet, I am told by a locksmith friend that that is all you need to open these locks.

    1. samzeman

      That's a good point I hadn't thought of.

      What's to stop you forcefully wiping someone's lock, if not to get in then to lock them out? If you wanted to be a jerk.

    2. Baldrickk

      Just use a magnet

      It's all you need to fire an ID-locked gun...

    3. TonyHoyle

      They're probably hardened against that, being $800 locks.

      It's like being able to open padlocks with bits of beercan or pick locks in about 10 seconds flat (I've seen an electric lockpick in action.. 10 seconds is an outlier - it's probably quicker than using the key..). A *lot* of locks are just security theatre, but most burglars don't know that, and of those that do, they'll go after the easy ones rather than the hard ones, so all you have to do is make sure you don't get your lock from the bargain bin like your neighbour did and you're probably safe

  32. SophieFry

    Okay, I understand when in the smart house system there are video cameras, light and smoke sensors, a gate-opening system. But a smart lock on the front door? I do not know about you, but I can not trust such a device. I'm not saying that it's much safer to lock with a key, thieves do not usually stop at it, but I somehow can not bring myself to believe that a smart lock is safer than a regular lock. Although the idea itself is quite interesting, I recently came across an interesting video where the guys themselves assembled such a smart lock)

  33. IsabellaH

    Usually all the smart locks do have a mechanical button, also they have a way to be reset to factory settings which means firmware reset too.
