'Smart' Lock Vendor Locks Hundreds Out Of Their Home With Bungled Firmware Update

from the sorry-I-can't-do-that,-Dave dept

So we've talked repeatedly about how the real "smart" choice in the era of "smart" internet of things devices is often -- dumber technology. Whether it's your smart refrigerator or TV leaking your Gmail details or viewing data over unencrypted connections, your smart car opening the door to potentially fatal attack, or your smart doorbell creating new attack vectors into your WiFi network, more often than not you're quite frankly better off with the older, less sophisticated versions of these technologies if you want the smart path toward a more secure life.

The latest case in point: smart door lock vendor Lockstate managed to completely disable the smart door locks of an estimated 500 customers after a botched firmware update left customers unable to access their own properties:

A subset of smart locks made by Lockstate have been bricked after an update. The smart lock vendor is part of Airbnb’s Host Assist program, and integrates with the accommodation rental platform so, for instance, hosts can automatically generate and email one-time codes for their guests to use during check-in.... Two models of Lockstate smart lock are apparently affected, one of which currently retails for $469.

Airbnb offers property owners a $50 discount code if they use Lockstate products as part of the Host Assist program — where said products are heralded as “revolutionary” and capable of withstanding “high usage”. Because the botched update made it impossible for these locks to subsequently connect to the internet for a new fix, the vendor is informing owners that their only recourse is to wait anywhere from a week to eighteen days for a physical replacement, inundating them with neither smart nor revolutionary added costs:

In the mass mailer email, which begins “Dear Lockstate customer” and summarizes its contents as an “update” pertaining to LockState 6i/6000i, affected customers are asked to wait as long as 18 days for a full replacement. Or up to a week if they choose to remove and send the back portion of the lock to the company for repair.

Feel smarter yet? Of course this isn't the first problem of this type. Internet of things brand darling Nest has, at several different points, botched their own firmware updates for supposedly smart thermostats, resulting in users either being cooked or chilled until they were able to remedy the problem. This is the kind of stuff internet of things evangelists still don't spend much time talking about when they're busy hyping and pitching the latest and greatest internet-connected widgets, built by a rotating crop of companies with a fleeting interest in actual security, functionality and privacy.

Granted, bungled firmware updates are only one risk. A recent report took a look at sixteen different brands of Bluetooth-enabled smart locks, and found that at least twelve of the brands were notably susceptible to remote attacks. The flaws are fairly standard at this point, ranging from user data and passwords being transmitted in plain text to a bungled use of encryption to transmit user data, when encryption was used at all. Short version of the lesson: if you're trying to build a smart home, either do your homework and consult a hacker to find the best quality devices available, or save both time and money and revert to the best available dumb alternative.

Filed Under: internet of things, iot, smart lock
Companies: airbnb, lockstate

Reader Comments

  1. MrTroy, 20 Aug 2017 @ 7:30pm

    Re: Re:

    While I generally agree with this sentiment, it does butt up against another problem.

    Devices that are connected to the internet but don't update automatically... typically won't be updated, and so security flaws that are discovered over time don't get fixed over time, leading to IoT devices that are happy to participate in distributed attacks of some nature.

    The ability to create limited-time codes to access the property seems like a perfect fit for the AirBNB or similar model, so I'd say that this is far less of a pink elephant than most internet-connected devices. If it provides access audits per code, then homeowners could determine that the cleaners did or didn't access the property at times when they were supposed to, amongst other simple conveniences. This sounds to me like a genuinely useful device.

    Internet-facing security would of course have to be bullet-proof and upgradeable. Maybe the simple fix would have been for firmware upgrades to be pushed by the device owner rather than the device manufacturer, with escalating warnings over time from the manufacturer if devices are left without upgrade perhaps resulting in a loss of warranty (support? Warranty is probably a legal thing) if a device hasn't received an update flagged as security for more than (say) 3 months.

    At least if the owner is doing the upgrade, and it fails, they are aware of the failure *at that moment* and so can respond to it at the time. I fail to have much sympathy for owners for whom this approach would be too hard because they own too many properties.
