Unpatchable KeyWe smart lock can be easily picked

A design flaw in the KeyWe smart lock (GKW-2000D), which is mostly used for remote-controlled entry to private residences, can be exploited by attackers to gain access to the dwellings, F-Secure researchers have found.

To add insult to injury, in this present incarnation the lock can’t receive firmware updates, meaning that the security hole can’t be easily plugged.

About KeyWe smart lock

KeyWe smart lock is developed by the Korean company KeyWe, which raised money for it on Kickstarter.

The lock can be opened via an application (Wi-Fi, Bluetooth), an armband (NFC), through a touchpad (numeric code), or mechanically (with a regular key).

It has additional options like generating one-time guest codes, unlocking the door based on proximity, etc.

About the vulnerability and the attack

F-Secure security consultants acquired the KeyWe Smart Lock by pledging on Kickstarter.

They analyzed its hardware and firmware, as well as the hardware and firmware of the accompanying KeyWe bridge (which is used to connect the lock to a wireless network) and the code of the associated Android app.

They discovered that, while the company did implement some security protections for the lock and app (not so much the bridge), a flaw in the in-house developed key exchange protocol can be exploited to, ultimately, get the secret key needed to unlock the lock.

“The hardware needed [to perform the attack] is a board able to sniff Bluetooth Low Energy traffic. It can be bought for ~10$ and used out-of-the-box,” Krzysztof Marciniak, cyber security consultant at F-Secure, told Help Net Security.

“In terms of software, this requires additional work from the attacker – in our case a Python script was developed, but pretty much any language can be used as long as it can interact with a Bluetooth controller. It should also be mentioned that the mobile application needs to be analyzed (one needs to retrieve the key generation algorithm) in order to execute this attack.”

The user doesn’t even have to lock/unlock the door with the application for the attacker to intercept the operator password – they just need to run/open the mobile application. Once the app is run, it connects to the lock to check its status, and the password can be intercepted.

The attacker (or just the intercepting device) must be within 10-15 meters from the victim for the traffic interception to work. The recording of the traffic can later be analyzed to extract the key value needed to generate the lock-opening key.

More technical information about their research and discovery can be found here and here, but since the lock can’t receive firmware updates, the researchers decided to not to share some crucial details.

Symptoms of a larger problem

The vendor has acknowledged the issue and is working on fixing it, the researchers noted, but since the lock has no firmware upgrade functionality, already deployed locks will remain vulnerable.

“The mobile application does use Bluetooth (Smart/Low Energy), so that option is not safe either. NFC could be used to counter this attack, but it is prone to other attacks (cloning the access key [armband], intercepting the traffic with proper equipment etc.),” Marciniak told us.

“The touchpad option, however, seems to be the right fallback here. That being said, the mobile application should still be paired with a mobile device – otherwise a malicious user can pair with it without any additional owner confirmation.”

Lock owners will need to replace the lock or live with the risk. The vendor told the researchers that new iterations of the app will contain a fix for this issue and, equally important, new locks will have the firmware upgrade functionality.

One cannot say that no attention has been given to security, the researchers noted, but rolling your own in-house cryptography is always a risky proposition, and so is doing no threat modeling before design and development.

“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” Marciniak pointed out.

He recommends consumers to consider the security implications of internet-connectivity before replacing their offline devices with online versions, and advises device vendors to perform security assessments on their products as part of their design.