KeyWe engaged in a very successful crowdfunding campaign for its eponymous smartlock last year. The Kickstarter project was described as originating the "smartest lock ever" and was fully funded within 3 hours, eventually raising over half a million USD. As well as selling its smart lock direct, KeyWe started to distribute its smart home security device on Amazon this summer, after finally shipping to the majority of the backers of the Kickstarter project. As you can see via the Amazon product page the KeyWe isn't cheap at US$155 and requires a compatible smart home hub. However, that's all fine for most people if this is a good product…
Earlier this week Finish security company F-Secure published a blog post on its Labs pages. It had decided to look at security of convenient smart devices and has focuses some attention onto the KeyWe smart lock. Unfortunately for KeyWe the product didn't stand up very well to security researcher scrutiny.
In brief, F-Secure's researchers found that potential hackers or house-breakers could intercept wireless traffic between the smart lock and mobile app. Sniffing and analysing this data can reveal "the keys to the kingdom," says the blog and mentions the hardware required to do such a task. However, it wasn't explicit with regard to exactly how to hack the smart lock, so as not to make its methods widely available and public.
Someone was lurking as you opened the smart lock
KeyWe has been in touch with F-Secure about its published findings and acknowledged the issue and claims to be working on fixing it. Unfortunately for owners of existing hardware it is noted that the KeyWe smart lock doesn't have upgradable firmware. New hardware will be introduced, says KeyWe, which will both include a firmware fix and offer firmware upgradability for any future similar problems.
Hopefully owners of existing hardware with the vulnerability will get some kind of replacement program or at least a discount to upgrade. F-Secure recommends that potential purchasers of smart and IoT devices look into device security features and updatability before replacing tried and trusted things with smart-connected versions. Meanwhile, vendors of the smart / IoT devices should steer away from developing or deriving in-house crypto as this was the main vector for the vulnerability discovered in the KeyWe smart lock.