File this one under "not everything needs a computer in it". Finnish security house F-Secure today revealed a vulnerability in the KeyWe Smart Lock that could let a sticky-fingered miscreant easily bypass it. To add insult to injury, the device's firmware cannot be upgraded either locally or remotely. This means the only way …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Wednesday 11th December 2019 16:38 GMT Pascal Monett

As usual, "smart" is anything but

Ok, fine, you'd need to know how to use Wireshark, which is probably not on the list of abilities of every thief in the area, but still, this is just one more thing to add to the ever-growing list of things IoT has promised and not kept in Real Life (TM).

A bog-standard lock may not be the right solution to protect a front door, but a good, 5-point security lock is.

And you don't need to worry about the state of the batteries.

33 1 Reply
1. Wednesday 11th December 2019 16:49 GMT PerlyKing
  
  Re: As usual, "smart" is anything but
  
  Not every thief needs to know how to use Wireshark, it just takes one enterprising one to package everything into an easy-to-use kit. If enough of these locks are ever fitted to make it worth their while.
  
  54 0 Reply
2. Wednesday 11th December 2019 17:25 GMT katrinab
  
  Re: As usual, "smart" is anything but
  
  It looks like the feature set is much the same as a car door lock, and they have mostly managed to guard against replay attacks.
  
  1 1 Reply
  1. Thursday 12th December 2019 18:07 GMT Michael Wojcik
    
    Re: As usual, "smart" is anything but
    
    they have mostly managed to guard against replay attacks
    
    For sufficiently small values of "mosttly", I suppose.
    
    There have been a number of published successful attacks against wireless car locking systems. The main reason there aren't more is that this area of research quickly became boring, as researchers realized that automotive security is a disaster, and there were far more interesting vulnerabilities in it.
    
    4 0 Reply
    1. Friday 13th December 2019 17:06 GMT katrinab
      
      Re: As usual, "smart" is anything but
      
      The article you link to describes a vulnerability in a then 10 year old vehicle, and does say that most cars don't have this vulnerability. So I don't think this example disproves "mostly".
      
      1 0 Reply
Wednesday 11th December 2019 16:50 GMT Tom 35

Lots of bog-standard locks are easy to bypass.

https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ

25 5 Reply
1. Wednesday 11th December 2019 18:03 GMT mittfh
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  Not to mention safes with electronic locks, but also equipped with the cheapest manual cylinder lock bypass the manufacturers could get their hands on (so it takes longer to remove the keyway cover than it does to pick the lock!)
  
  6 0 Reply
2. Wednesday 11th December 2019 18:57 GMT Cagey Bee
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  Love that guy's videos. Bought a cheap pick set. Now even our 6 year old can pick every lock in the house. Including the deadbolts. I'll never trust another lock.
  
  13 0 Reply
  1. Thursday 12th December 2019 00:27 GMT Martin-73
    
    Re: Lots of bog-standard locks are easy to bypass.
    
    LPL and BosnianBill are two of my favourite youtube channels... the silly mistakes manufacturers make, it's pretty much like 'security by obscurity'... which as any fule kno, doesn't work. Master lock? PAH
    
    11 0 Reply
    1. Thursday 12th December 2019 15:47 GMT GnuTzu
      
      Re: Lots of bog-standard locks are easy to bypass.
      
      Oh, and how they've been tearing a new one in most of the electronic locks they've been reviewing.
      
      And, I remember watching EEVblog profiling power terminals.
      
      1 0 Reply
    2. Friday 13th December 2019 17:25 GMT Anonymous Coward
      
      Re: Lots of bog-standard locks are easy to bypass.
      
      Security by obscurity-- well, that is all a crypto key is. Something very obscure...
      
      Better to describe by equivalent bit strength / resistance to attack.
      
      0 0 Reply
3. Wednesday 11th December 2019 19:51 GMT Scott 26
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  Love the LPL...!
  
  Can't believe you've got so many down votes!
  
  10 0 Reply
  1. Wednesday 11th December 2019 21:45 GMT Sgt_Oddball
    
    Re: Lots of bog-standard locks are easy to bypass.
    
    "that's a false set on five.. "
    
    7 0 Reply
    1. Thursday 12th December 2019 03:16 GMT MachDiamond
      
      Re: Lots of bog-standard locks are easy to bypass.
      
      "For this lock I'll be using a standard hook in .559" BANG!
      
      4 0 Reply
4. Thursday 12th December 2019 02:03 GMT Blazde
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  Since it's arguably the biggest issue, worth mentioning bog-standard locks invariably can't be updated either.
  
  5 3 Reply
  1. Thursday 12th December 2019 05:03 GMT eldakka
    
    Re: Lots of bog-standard locks are easy to bypass.
    
    Depends on the type of lock.
    
    Any decent lock can have the cylinder replaced without replacing the entire lock mechanism.
    
    If you have a lock that can't do this, it's a cheap-arse lock.
    
    12 0 Reply
5. Thursday 12th December 2019 09:30 GMT Mongrel
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  I'd add this one as well, it's not just picking that makes a door insecure.
  
  https://www.youtube.com/watch?v=rnmcRTnTNC8
  
  Smart locks just add another point of failure to a door.
  
  (To be fair to locks the LPL is very good, he did a series where he picked locks from Bosnian Bill's 'Naughty Bucket', locks that BB couldn't open - and BB is good)
  
  6 0 Reply
6. Thursday 12th December 2019 11:08 GMT phuzz
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  Every lock can be bypassed, the important part is, how long will it take, and how much noise and commotion will a potential thief make doing so?
  
  12 0 Reply
  1. Thursday 12th December 2019 13:11 GMT Cuddles
    
    Re: Lots of bog-standard locks are easy to bypass.
    
    Indeed, this seems to be one of the bigger issues with "smart" locks. It's not that they're necessarily easier to get through than a regular lock, but that it's possible to do so essentially untraceably in a way that doesn't look in any way suspicious to bystanders. Someone poking around at your door with bits of metal will have the police called on them if anyone sees, and will almost certainly leave some evidence of the tampering. Someone faffing around on their phone on the pavement, then walking straight through an open door doesn't look like a thief, and if they lock it again afterwards there might be no evidence anything happened at all.
    
    8 0 Reply
  2. Thursday 12th December 2019 22:23 GMT J. Cook
    
    Re: Lots of bog-standard locks are easy to bypass.
    
    indeed- I have in my tool kit a device that will go through most doors and locks. The problem is that it makes a *LOT* of noise, and is about as subtle as dropping a 16 ton anvil off a 10 story building.
    
    2 0 Reply
7. Thursday 12th December 2019 18:07 GMT Michael Wojcik
  
  Re: Lots of bog-standard locks are easy to bypass.
  
  Yes, but most of them don't cost $155 and introduce additional, unnecessary failure modes.
  
  3 0 Reply
Wednesday 11th December 2019 17:15 GMT Anonymous Coward

Sounds a bit too obvious a design flaw, are we sure it's a bug and not a feature?

8 2 Reply
Wednesday 11th December 2019 17:23 GMT JohnFen

Hobbyist lockpicking

I enjoy lockpicking as a hobby, and I've played with a number of "smart locks". So far, every single one that I've played with was much, much easier to bypass than pin-and-tumbler locks. KeyWe is in good company.

My takeaway? I would never use a smart lock for my own things.

28 0 Reply
Wednesday 11th December 2019 17:54 GMT Anonymous Coward

Marketing probably said "Ship it" when still in alpha testing

I remember back in the late 1990s working at a company developing a network based lock. Zero encryption in use. Didn't even have a password as we were still at R&D stage.

And then we suddenly found the Sales team had been selling them. Not only sold them but got them into a Building Society's HQ!

The sales team aren't worried about little things like security. Just the profit.

24 0 Reply
1. Thursday 12th December 2019 08:09 GMT Aussie Doc
  
  Re: Marketing probably said "Ship it" when still in alpha testing
  
  "The sales team aren't worried about little things like security. Just the profit."
  
  You sound surprised.
  
  13 0 Reply
2. Thursday 12th December 2019 13:02 GMT Anonymous Coward
  
  Re: Marketing probably said "Ship it" when still in alpha testing
  
  It was funded on Kickstarter. I don't think I need to add anything further.
  
  https://www.kickstarter.com/projects/1067904566/keywe-the-smartest-lock-ever/faqs#project_faq_250736
  
  3 0 Reply
Wednesday 11th December 2019 18:16 GMT Anonymous Coward

Good News?

The good news is that those of us who have been banging on at this stuff being a really bad idea are being proven right yet again. If you’re going to make a tech product, have it reviewed by a security researcher before you release it.

26 0 Reply
1. Thursday 12th December 2019 19:40 GMT Michael Wojcik
  
  Re: Good News?
  
  Indeed. Another bit of good news is that those of us wise enough to stay away from this sort of overpriced rubbish have yet another reason to feel superior.
  
  Ah, that's some good smug.
  
  5 0 Reply
Wednesday 11th December 2019 18:29 GMT oiseau

Alexa?

... unlock their doors through a traditional metal key, via a mobile app, or with Amazon Alexa.

Amazon Alexa?

It's a joke, right?

Really now ...

The stupid things people do these days.

O.

22 0 Reply
1. Wednesday 11th December 2019 20:08 GMT Jason Bloomberg
  
  Re: Alexa?
  
  So perhaps no hacking needed. Just shouting through the letter box could get the door unlocked.
  
  23 0 Reply
  1. Thursday 12th December 2019 18:57 GMT Robert Helpmann??
    
    Re: Alexa?
    
    Just shouting through the letter box could get the door unlocked.
    
    Speak, friend, and enter?
    
    3 0 Reply
2. Wednesday 11th December 2019 21:35 GMT Anonymous Coward
  
  Re: Alexa?
  
  Open the ~~pod bay~~ front door, Halexa.
  
  31 0 Reply
  1. Thursday 12th December 2019 09:43 GMT Anonymous Coward
    
    Re: Alexa?
    
    I'm sorry, owner. I'm afraid I can't stop the outsider from open the door.
    
    5 0 Reply
Thursday 12th December 2019 00:22 GMT jason 7

So did this happen...

...due to it being the baby of some late 20 something that won't allow their 'great concept' to be pros & conned because they would get upset if some 40/50 something said "yeah...hang on...but..."

7 0 Reply
1. Friday 13th December 2019 18:00 GMT fidodogbreath
  
  Re: So did this happen...
  
  OK, boomer.
  
  2 0 Reply
  1. Sunday 15th December 2019 17:16 GMT jason 7
    
    Re: So did this happen...
    
    GenX'er actually. I'm the gen that despairs of both that came before and after.
    
    1 0 Reply
Thursday 12th December 2019 01:34 GMT Venerable and Fragrant Wind of Change

Insewerants

For what it's worth ...

When I moved house in August, I was interested in installing a keyless lock. Not one I could operate from an app (I'm not that dumb), but one where I could key in a combination to open it from the outside. Keyless was because keys in the pockets are annoying, and it would be great to be able to dispense with them (and with phones too) when going out "light". I've lived with a combi lock on the door to the communal hall of an apartment building in the past, and that was good - though sadly my own front door still had a regular key.

But my bottom line was that the lock had to be British Standards compliant, and have the kitemark recognised by insurers. Turns out there's none available. So any combi lock could only have been secondary, which rather defeats the purpose.

14 0 Reply
Thursday 12th December 2019 03:28 GMT MachDiamond

Nothing's perfect

No lock is going to keep 100% of miscreants out of your house. It makes no sense to install the most fiendishly difficult to pick lock at £400 as a burglar is just going to heave a rock through the back window instead. That said, it's running in a rearwards direction to install a lock that easier to defeat then what's standard now and to be able to defeat it from the other side of the planet too.

While Wireshark may (or may not) be difficult to use, somebody will write up a nice how-to tutorial or post a video from a hacker con showing how easy it is to bypass these sorts of locks just like LPL and Bosnian bill do all of the time. I binged watched a good portion of Lock Picking Lawyers videos when I was out with strep. I bought myself a crappy set of lockpicks (getting better ones soon) and have been building a set of clever little tools as well. I've made a moderate bit of dosh decoding those boxes estate agents use to keep keys. They are always losing the combos of the ones at the office and I pick them while sat in front of the telly for a fiver each (min 10 at a time). £50 for very few minutes of work during the commercials is good money of an evening.

4 0 Reply
Thursday 12th December 2019 08:12 GMT Aussie Doc

Oops.

"...or with Amazon Alexa."

For some reason I had visions of the miscreant yelling through the door "Oi, Alexa, open the %$#@ing door, init."

5 0 Reply
Thursday 12th December 2019 08:40 GMT Anonymous Coward

Smart locks a rip off

Who picks a bloody lock anyway (And why would you give someone access remotely when you're not in we seemed to cope perfectly fine for a number of centuries). When my mate's house got broken into they crowbared the entire rear double door's handle. He put immobilizing lock on the replaced handles after that. The second time the scumbag smashed the entire window with a hammer and crawled in. We know it was a hammer as mate and scumbag walked into the living room at the same time still holding said hammer. (Fortunately scumbag was a coward scumbag and legged it). I suppose the lessons are they'll get in if they want to and ..don't park your expensive car in the drive way I guess. But I think I digress.

5 0 Reply
1. Thursday 12th December 2019 22:34 GMT JohnFen
  
  Re: Smart locks a rip off
  
  "Who picks a bloody lock anyway"
  
  A million times this. Every so often, someone will get their hackles up that I not only pick locks for fun, but I have no problem teaching anyone else to do it as well. The objection is "you could be teaching thieves how to break in".
  
  But I counter with the reality -- if someone wants to break into your home, they aren't going to be picking the lock. There are far too many, much easier, ways of gaining access. There's bump keys, there's using shims to pop the latch, and there's always the old standby of just breaking a window or crowbarring something open.
  
  On the other hand, it has happened that I've locked myself out of my house and regained entry without breaking anything by picking my own lock, so it is an occasionally useful skill.
  
  7 0 Reply
Thursday 12th December 2019 09:48 GMT Mike 137

The real biggest issue

"Arguably, the biggest issue here isn't that the KeyWe had a glaring design flaw, but rather that it's impossible to remediate."

The biggest issue is really why the hell you'd want to use a mobile phone or Alexa to open your front door. The lock accepts a physical key, so use it.

The insane enthusiasm for "digital" everything is no different in principle from the insane enthusiasm for radioactive patent medications at the start of the 20th century - uninformed, dangerous and pointless. The latter got to the point of manufacturing a radium jockstrap insert. I suppose supplying a front door lock that facilitates burglary is not quite in the same league, but it's getting there.

7 0 Reply
1. Thursday 12th December 2019 10:42 GMT Phil O'Sophical
  
  Re: The real biggest issue
  
  At least a radium jockstrap insert has the likely advantage of overall gene pool improvement, since the purchaser won't be able to pass on their 'stupid' gene.
  
  11 0 Reply
  1. Friday 13th December 2019 10:49 GMT Anonymous Coward
    
    Re: The real biggest issue
    
    "the purchaser won't be able to pass on their 'stupid' gene."
    
    Getting bitten by a radioactive sperm would create a seriously weird super hero...
    
    3 0 Reply
Friday 13th December 2019 12:31 GMT headrush

Just repeating the "no lock is secure" point.

We have relatively expensive plastic windows with multipoint locking systems. As we found out recently, it's all marketing crap. A crowbar applied between window and frame near the opening side simply breaks the latching mechanism.

Nothing designed to be opened easily is ever going to be secure.

1 0 Reply
Friday 13th December 2019 17:23 GMT HellDeskJockey

As a long time user of keypad smart locks there are a couple of advantages. When you have housemates that loose keys on a regular basis just give them a combination. Most can easily be changed if needed. Also if you have cleaners or health care providers coming to the house give them a separate combination they can easily come in. Not totally secure but since a thief could easily break the window and enter it's good enough.

No radio locks though the advantage you get is not worth the risk.

0 0 Reply
Monday 16th December 2019 17:26 GMT VTAMguy

Manufacturer claims on Amazon that the problem is "resolved"

Someone posted a question to the Amazon listing for this product that asked when it would be taken off the market as being insecure, and the manufacturer (or facsimile thereof) answered that the issue "has since resolved this with the updates done through the mobile app". Well, someone's lying here. Interesting also that Amazon has blocked any reviews of this thing except if you have already purchased it. They don't want the bad news spreading, obviously.

0 0 Reply
Tuesday 4th February 2020 23:40 GMT Randy_David

Be wise and stay secured - Choose LOCKLY

I wouldn't argue why Keywe didn't escape from the hands of burglars, it is a not so smart lock if I may say.

But I thank Lockly creators for introducing this smart lock to the market. I have several attempts from my not so friendly neighborhood trying to decode but my lock simply turned to Safe Mode that disables itself from being accessed except when prompted with the right combination

0 0 Reply