Consultants with cyber security provider F-Secure have discovered an exploitable design flaw with a smart lock that attackers can use to easily pick the device. The lock’s inability to receive firmware updates means the flaw cannot be fully fixed, highlighting the difficulties faced by manufacturers and consumers with securing the new internet-connected devices hitting the market.
KeyWe Smart Lock, a remote-controlled entry device primarily used in private dwellings, allows users to open and close doors with an app on their mobile phone. F-Secure Consulting found that they were able to exploit improperly designed communication protocols and intercept the secret passphrase that controls the lock while it’s exchanged between the physical device and the mobile app.
“The lock has several protection mechanisms. Unfortunately, the lock’s design makes bypassing these mechanisms to eavesdrop on messages exchanged by the lock and app fairly easy for attackers – leaving it open to a relatively simple attack. There’s no way to mitigate this, so accessing homes protected by the lock is a safe bet for burglars able to replicate the hack,” says F-Secure Consulting’s Krzysztof Marciniak, a cyber security consultant that helped develop the hack. “All attackers need is a little know-how, a device to help them capture traffic – which can be purchased from many consumer electronic stores for as little as 10 dollars – and a bit of time to find the lock owners.”
The attack is yet another demonstration of the security challenges facing manufacturers and consumers as internet of things devices (IoT) flood the market. One recent estimate suggests that there will be 125 billion devices connected to the internet by 2025.* But as these IoT devices spread, so will the security issues they bring.
The lock has several useful security features, including data encryption intended to prevent unauthorized parties from accessing system-critical information, such as the secret passphrase.
However, F-Secure Consulting found relatively easy ways to circumvent the system’s security measures. And since the device cannot receive firmware updates, the flaw exploited by the attack cannot be fixed, meaning lock owners will need to replace the lock or live with the risk.
Marciniak points out that security is only effective when properly implemented, which is a subtlety that IoT device vendors need to understand.
“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” explains Marciniak.
Marciniak recommends individuals consider the security implications of internet-connectivity before replacing their offline devices with online versions, and recommends device vendors perform security assessments on their products as part of their design.
F-Secure Consulting operates on four continents from 11 different countries. It provides cyber security services tailored to fit the needs of banking, financial services, aviation, shipping, retail, insurance, and other organizations working in highly targeted sectors.
Due to the ease of the attack and the lack of effective mitigations available to end users, F-Secure Consulting has chosen to withhold crucial parts of the technical details needed to execute the attack. However, an advisory and a blog post with more information have been published on F-Secure Labs. Additional support and services for device vendors are available from F-Secure Consulting.