A fouled-up over-the-air firmware update rendered hundreds of a smart lock vendor’s products unopenable via custom access codes.
Fortunately, the screw-up affected only one type of product: the LockState RemoteLock 6i (6000i). These smart locks feature heavily in a partnership between LockState and Airbnb.
With RemoteLock 6i models, Airbnb hosts create custom access codes for each of their guests without giving them the lock’s physical key. As such, they sleep easy at night knowing a former guest can’t burgle their rental property using a stolen key or discarded access code.
Those custom access codes are stored on LockState’s servers. Meaning? A RemoteLock 6i needs connectivity, or no one’s getting in with a code.
Well, that’s exactly what happened on 8 August with LockState’s remote update. Hundreds of smart locks lost connectivity, causing major inconveniences for Airbnb hosts and renters. As Bleeping Computer’s Catalin Cimpanu explains:
“The botched firmware bricked the device’s smart code access mode. Physical keys continued to work. The botched firmware was a nuisance for private home owners, but it was a disaster for Airbnb hosts, who had to scramble to get customers physical keys so they could enter their rents.”
Needless to say, people weren’t happy with the news.
@lockstate Your firmware update bricked at least 500 locks. Very costly. Replacement in 14-18 days? Email response over 12 hours? Not OK.
— Coffee Review (@coffeereview) August 8, 2017
Are you a stranded @Airbnb guest? @LockState just BRICKED a bunch of 6i locks. But they won't tweet updates. Trying to hide their screw-up?
— proprietresswy (@JuniperWyoming) August 7, 2017
LockState looked into what happened and determined the botched update had affected 500 customers. It subsequently sent out a letter to these customers with instructions on how to regain access to their smart locks.
Those affected can either return their product and have LockState replace its software or receive a replacement lock altogether. The first option will take at most a week, whereas the second could take as much as two and a half weeks. Either way, customers can let the vendor know their preference by emailing [email protected].
LockState says it’s fixed approximately 60% of the affected locks as of this writing.
Over 60 percent of affected locks are back online, and appreciate the customers we are working with to get them back running.
— RemoteLock (@LockState) August 11, 2017
As the vendor continues its recovery efforts, it’s important that owners of products like the RemoteLock 6i take a moment to reflect on this incident. Wi-Fi connectivity isn’t a given; sometimes it goes out because of a power outage or other similarly mundane event.
Customers should therefore make sure they know where their physical key is and store it in a safe location. If they are Airbnb hosts, they should also develop policies around granting renters access to their physical key in the event their smart lock’s access code stops working all of a sudden.
For further discussion on this story, make sure to listen to this episode of the “Smashing Security” podcast:
Smashing Security #038: 'Gents! Stop airdropping your pics!'
LockState should be made to pay AirBnB, so that they can compensate their 500 customers.
Not to put too fine a point on it, what good is an electronic lock that incorporates a mechanical lock to open it? Have the manufacturer and the users of these devices never heard of lockpicks? These locks provide the same false sense of security that electronic locks on cars have provided to their owners. While it's very nice that no physical keys have to be given out to guests, so that a former guest can't let himself back in, anyone thinking he or she is safe from intrusion because the electronic lock will keep people out of the room is obviously not reckoning with the skills of professional burglars.
These locks aren't meant to solve the problem of a professional burglar gaining entry. They're made so that the owner of the house can provision temporary access to many guests while maintaining persistent access for themselves.
Nobody (I hope) thinks this lock is a solution to burglary – and I don't think it's presented that way. Really, it's a security convenience feature.
Yes, by all means, have ANOTHER lockbox on site, a mechanical one, to allow access to a physical key. But, as more of these connected devices enter the market, I look forward to hearing about more of these types of incidents. Smart Homes??? Beware!
Placing anything that uses electricity on the world wide web can be a hacker magnet waiting to happen, as the daily news of somebody being hacked is old hat. I don't read much online about garage door openers or automotive key fobs being hacked, although I know it's possible. However, automotive key fobs and garage door openers have worked successfully for decades. Technology should be about Return on Investment, and it seems most remote control deadbolts on the market today are simply too expensive and too hackable. Just google DEF CON 2016 and watch/learn about a convention for hackers that demonstrates just how easy it is to hack any smart lock with an IP address.