smart home

Unpatchable KeyWe smart lock can be easily picked

A design flaw in the KeyWe smart lock (GKW-2000D), which is mostly used for remote-controlled entry to private residences, can be exploited by attackers to gain access to the dwellings, F-Secure researchers have found.

KeyWe smart lock

To add insult to injury, in this present incarnation the lock can’t receive firmware updates, meaning that the security hole can’t be easily plugged.

About KeyWe smart lock

KeyWe smart lock is developed by the Korean company KeyWe, which raised money for it on Kickstarter.

The lock can be opened via an application (Wi-Fi, Bluetooth), an armband (NFC), through a touchpad (numeric code), or mechanically (with a regular key).

It has additional options like generating one-time guest codes, unlocking the door based on proximity, etc.

About the vulnerability and the attack

F-Secure security consultants acquired the KeyWe Smart Lock by pledging on Kickstarter.

They analyzed its hardware and firmware, as well as the hardware and firmware of the accompanying KeyWe bridge (which is used to connect the lock to a wireless network) and the code of the associated Android app.

They discovered that, while the company did implement some security protections for the lock and app (not so much the bridge), a flaw in the in-house developed key exchange protocol can be exploited to, ultimately, get the secret key needed to unlock the lock.

“The hardware needed [to perform the attack] is a board able to sniff Bluetooth Low Energy traffic. It can be bought for ~10$ and used out-of-the-box,” Krzysztof Marciniak, cyber security consultant at F-Secure, told Help Net Security.

“In terms of software, this requires additional work from the attacker – in our case a Python script was developed, but pretty much any language can be used as long as it can interact with a Bluetooth controller. It should also be mentioned that the mobile application needs to be analyzed (one needs to retrieve the key generation algorithm) in order to execute this attack.”

The user doesn’t even have to lock/unlock the door with the application for the attacker to intercept the operator password – they just need to run/open the mobile application. Once the app is run, it connects to the lock to check its status, and the password can be intercepted.

The attacker (or just the intercepting device) must be within 10-15 meters from the victim for the traffic interception to work. The recording of the traffic can later be analyzed to extract the key value needed to generate the lock-opening key.

More technical information about their research and discovery can be found here and here, but since the lock can’t receive firmware updates, the researchers decided to not to share some crucial details.

Symptoms of a larger problem

The vendor has acknowledged the issue and is working on fixing it, the researchers noted, but since the lock has no firmware upgrade functionality, already deployed locks will remain vulnerable.

“The mobile application does use Bluetooth (Smart/Low Energy), so that option is not safe either. NFC could be used to counter this attack, but it is prone to other attacks (cloning the access key [armband], intercepting the traffic with proper equipment etc.),” Marciniak told us.

“The touchpad option, however, seems to be the right fallback here. That being said, the mobile application should still be paired with a mobile device – otherwise a malicious user can pair with it without any additional owner confirmation.”

Lock owners will need to replace the lock or live with the risk. The vendor told the researchers that new iterations of the app will contain a fix for this issue and, equally important, new locks will have the firmware upgrade functionality.

One cannot say that no attention has been given to security, the researchers noted, but rolling your own in-house cryptography is always a risky proposition, and so is doing no threat modeling before design and development.

“Security isn’t one size fits all. It needs to be tailored to account for the user, environment, threat model, and more. Doing this isn’t easy, but if IoT device vendors are going to ship products that can’t receive updates, it’s important to build these devices to be secure from the ground up,” Marciniak pointed out.

He recommends consumers to consider the security implications of internet-connectivity before replacing their offline devices with online versions, and advises device vendors to perform security assessments on their products as part of their design.

Guidemaster: The best tech that will make your home an even better place

irobot roomba 980

iRobot

We could all use a little more help around our home, and luckily now there’s a lot of tech that can lend a hand. There are a plethora of smart home devices that can do everything from lock your doors, vacuum your carpets, or keep a watchful eye over your possessions while you’re away.

Wading through the ocean of smart home tech isn’t easy—and, admittedly, much of the smart home space is not worth your time or your money. However, we’ve tried (and personally purchased) many home tech devices that actually do deliver on what they promise. These items make keeping your home how you like it much easier.

Not all of the home tech we recommend falls into the large and nebulous category of “the Internet of Things,” either—some are kitchen appliances, home speakers, gaming accessories, and other devices that most people primarily use in the home in order to make that space feel more like our own. Some after a lot of lived-in testing time, here’s all of the home tech that we think would make great gifts this holiday season.

Note: Ars Technica may earn compensation for sales from links on this post through affiliate programs.

Philips Hue lights

Philips Hue color smart light bulbs.

Enlarge / Philips Hue color smart light bulbs.
Philips

One of the easiest ways to start making your home smarter is with smart light bulbs and Philips’ Hue line are a good option. First, you can get white or color bulbs—while most will be happy with plain, ol’ white, color bulbs can be fun if you want to add personality to a room with color-changing light scenes.

Second, all Hue bulbs connect to a bridge that comes with most Hue starter packs. The bridge helps the lights communicate with each other and with your home Wi-Fi, which is how you control them. Using the Hue mobile app, you can turn on and off individual lights or entire rooms lights, dim them to your liking, and set schedules. You can have all the lights in your home come on before you arrive home from work, so you’re not walking into a dark house.

Third, Hue light bulbs connect to a bunch of other smart home systems like Works with Alexa, IFTTT, Apple HomeKit, the Google Assistant, and more. That means you can control your lights using voice commands or other smart commands that you customize. Not only are Hue lights an easy and affordable way to get into smart home tech, but they also make the lights in your home even more convenient to control on a regular basis.

Philips Hue White and Color starter set product image

Philips Hue White and Color starter set

(Ars Technica may earn compensation for sales from links on this post through affiliate programs.)

Zojirushi rice cooker

Zojirushi rice cooker.

Enlarge / Zojirushi rice cooker.
Zojirushi

I make a lot of rice and I’ve gone through at least two rice cookers in the process. After my last $25 rice cooker broke on me, I decided to invest in the Zojirushi NS-TSC10 Micom rice cooker and—this is not hyperbole—it’s changed my cooking life. Gone are the days of burnt or undercooked rice as Zojirushi’s magical machine has propelled me into a world where all kinds of rice are cooked to perfection every single time.

I attribute this to actually reading the directions that come with the rice cooker. If you do this and follow the instructions, washing the rice before cooking and using the proper settings on the cooker itself, everything made in this machine will be tasty. In addition to rice, Zojirushi’s machine comes with a steaming basket for steaming vegetables and other foods, and it even has a cake setting.

But the machine truly shines make rice. You don’t have to guess how much water to include as the interior pot has indicators for that, and you don’t have to guess cooking times either. The machine senses how much rice and water you put into the pot and automatically sets the cooking time. All you have to do is wait for it to play a cute little jingle as soon as your rice is done and then experience rice heaven. I’ll never go back to a cheap rice cooker again, and I implore anyone who eats a lot of rice to consider a Zojirushi machine.

Zojirushi NS-TSC10 rice cooker product image

Zojirushi NS-TSC10 rice cooker

(Ars Technica may earn compensation for sales from links on this post through affiliate programs.)