'Smart' Lock Vendor Locks Hundreds Out Of Their Home With Bungled Firmware Update

from the sorry-I-can't-do-that,-Dave dept

So we've talked repeatedly about how the real "smart" choice in the era of "smart" internet of things devices is often -- dumber technology. Whether it's your smart refrigerator or TV leaking your Gmail details or viewing data over unencrypted connections, your smart car opening the door to potentially fatal attack, or your smart doorbell creating new attack vectors into your WiFi network, more often than not you're quite frankly better off with the older, less sophisticated versions of these technologies if you want the smart path toward a more secure life.

The latest case in point: smart door lock vendor Lockstate managed to completely disable the smart door locks of an estimated 500 customers after a botched firmware update left customers unable to access their own properties:

A subset of smart locks made by Lockstate have been bricked after an update. The smart lock vendor is part of Airbnb’s Host Assist program, and integrates with the accommodation rental platform so, for instance, hosts can automatically generate and email one-time codes for their guests to use during check-in.... Two models of Lockstate smart lock are apparently affected, one of which currently retails for $469.

Airbnb offers property owners a $50 discount code if they use Lockstate products as part of the Host Assist program — where said products are heralded as “revolutionary” and capable of withstanding “high usage”. Because the botched update made it impossible for these locks to subsequently connect to the internet for a new fix, the vendor is informing owners that their only recourse is to wait anywhere from a week to eighteen days for a physical replacement, inundating them with neither smart nor revolutionary added costs:

In the mass mailer email, which begins “Dear Lockstate customer” and summarizes its contents as an “update” pertaining to LockState 6i/6000i, affected customers are asked to wait as long as 18 days for a full replacement. Or up to a week if they choose to remove and send the back portion of the lock to the company for repair.

Feel smarter yet? Of course this isn't the first problem of this type. Internet of things brand darling Nest has, at several different points, botched their own firmware updates for supposedly smart thermostats, resulting in users either being cooked or chilled until they were able to remedy the problem. This is the kind of stuff internet of things evangelists still don't spend much time talking about when they're busy hyping and pitching the latest and greatest internet-connected widgets, built by a rotating crop of companies with a fleeting interest in actual security, functionality and privacy.

Granted, bungled firmware updates are only one risk. A recent report took a look at sixteen different brands of Bluetooth-enabled smart locks, and found that at least twelve of the brands were notably susceptible to remote attacks. The flaws are fairly standard at this point, ranging from user data and passwords being transmitted in plain text to a bungled use of encryption to transmit user data, when encryption was used at all. Short version of the lesson: if you're trying to build a smart home, either do your homework and consult a hacker to find the best quality devices available, or save both time and money and revert to the best available dumb alternative.

Filed Under: internet of things, iot, smart lock
Companies: airbnb, lockstate


Reader Comments


  1. Anonymous Coward, 18 Aug 2017 @ 4:05am

    At what point do consumers think, gee maybe I don't need this time bomb masquerading as an item of convenience?

  2. Anonymous Coward, 18 Aug 2017 @ 4:16am

    Re:

    That's when consumers are educated enough to avoid these technological failures. Techdirt is playing a role in this education and more and more mainstream media outlets are catching up.

  3. Stephen T. Stone, 18 Aug 2017 @ 4:31am

    At some point, we are all going to end up with Jigsaw-style traps for home security. That said: I would rather take on the Reverse Bear Trap instead of the Internet of Things.

  4. Toom1275, 18 Aug 2017 @ 5:50am

    I think it was a pushed update for the version 7 lock that was, for whatever reason, taken in by version 6 locks. Being different hardware and stuff, the new firmware was nonfunctional.

  5. TheResidentSkeptic, 18 Aug 2017 @ 6:34am

    New Advertising Campaign from LockSmiths Union

    When you get "Bricked Out", we get you Back In! And we can replace your locks on the spot!

  6. streetlight, 18 Aug 2017 @ 6:52am

    Re: Re:

    What fraction of folks buying into smart home stuff read Techdirt or subscribe to newspapers or other media explaining this paradigm? Not many I'd guess.

  7. Anonymous Coward, 18 Aug 2017 @ 6:55am

    Re:

    Traps are actually prohibited by most fire codes due to the hazards they pose to first responders (IFC 316.3, NFPA 1 4.1.3.1.2.2) and in immediate egress situations (NFPA 101 7.1.10.1).

    The better bet is to get a solid wood or metal door and actually put a decent lock on it (say a Mul-T-Lock or an Abloy disc detainer, not your typical home cheapo garbage). There is 0 need to introduce the Internet of Trash into your home security system.

  8. Anonymous Coward, 18 Aug 2017 @ 6:55am

    20 Minutes into the Future...

    A man was shot and killed by his own security drone when he went outside to have a cigarette, Surgeon general posts new warning, blipvert upcoming.

  9. Ninja, 18 Aug 2017 @ 7:09am

    Smart locks? SMART locks? Ahem.

    I'm very wary of over the air firmware updates. I'm not sure if it's just paranoia or if I'm rightly worried.

  10. Anonymous Coward, 18 Aug 2017 @ 7:09am

    I think this is the first Internet of things device I heard of that sounds like it could actually be useful, for a small group of people. For people other than Airbnb Hosts it sounds like an Internet connected lock is almost useless and is able to fail in many horrifying ways.

  11. DannyB, 18 Aug 2017 @ 7:10am

    Re:

    Smart locks are what everyone needs. Just like we need government approved encryption. To keep us safe.

    The government is not trying to weaken encryption so it can read your messages.

    The government would never try to weaken smart locks so it can get into your home.

  12. DannyB, 18 Aug 2017 @ 7:15am

    Can Smart Locks ever be a good idea?

    Smart Locks (just like most IoT or "smart" devices) are a bad idea unless you can fully control them just as you control their non-smart counterparts.

    My smart lock, for example, should be under MY control as equally as a dumb lock is under my control. It does not and cannot obey some internet cloud connected mother ship.

    Similarly for all other modern devices that get embedded microcontrollers. If the owner purchaser consumer cannot fully control them, then they are a bad idea.

    Now what does this say about modern PCs which you cannot fully control? With back doors literally baked into the microprocessor.

  13. Spaceman Spiff, 18 Aug 2017 @ 7:31am

    Smart devices?

    I think there is only one really smart device, and it resides between our ears! As a software and electrical engineer with 35 years of experience, I can only say DO NOT TRUST THESE DEVICES!

  14. JoeCool, 18 Aug 2017 @ 7:34am

    Re:

    Yeah, FIRMWARE updates should always require a physical media, be it optical disc or USB stick. It should also require a password.

  15. Anonymous Coward, 18 Aug 2017 @ 7:40am

    Re: Re: Re:

    Oh, you're right - Hmmmm what should TD do?
    I know, they should just give up because ... wait, why should they do that?

  16. Anonymous Coward, 18 Aug 2017 @ 7:41am

    Re: Re:

    All Your Locks Are Belong To Us

  17. Anonymous Coward, 18 Aug 2017 @ 7:42am

    Re: Re:

    IoT == Internet Of Trash
    I like it

  18. Roger Strong, 18 Aug 2017 @ 7:56am

    Re: Re:

    Given the mistakes already made, that advice should come with a note mentioning that the USB port should be on the INSIDE-facing part of the lock.

  19. Anonymous Coward, 18 Aug 2017 @ 8:01am

    Re:

    If the update is automatic over WiFi, and the signing key leaks, then somebody with a WiFi device can reprogram things at will. Will the bad guys who have a way of opening smart locks call their program 'open sesame'?

  20. Anonymous Coward, 18 Aug 2017 @ 8:35am

    Terrible response

    The company said it would take 5-7 days to ship the lock for repair and get it back, or 14-18 days to have a new lock shipped. Why is the second amount so much larger? Are they just trying to avoid paying for new locks, or do they really have no stock?

    The proper response would be to send new locks right away with 24-hour shipping, and a prepaid box to return the old one. If they run out of locks, they should be sending their employees to hardware stores to buy more, or even paying for the broken locks so they can reflash and send them out.

    This quote was bullshit too: "Owners were not stranded with a non-working lock. This keypad lock comes with an emergency set of keys that can be used in case of emergency." That's great if the owner is the one trying to use the lock, and the owner has the keys on them at the time (i.e., not in a box inside the locked house). If it's the owner's kid who's locked out, or their Airbnb guests, those people are still screwed.

  21. Anonymous Coward, 18 Aug 2017 @ 8:45am

    Re: Re:

    The better bet is to get a solid wood or metal door and actually put a decent lock on it[...] There is 0 need to introduce the Internet of Trash into your home security system.

    People running short-term rentals (like Airbnb) from out of town really do need something other than a key they carry. They could use a lock-box with combination instead, but anyone who's stayed there would know the combination (until the owner could physically go there and change it), and there's always a risk someone would copy the key or not return it.

    The proper solution, of course, is to stop being cheap and hire a local person to manage it and give out and replace keys, or change combinations, as needed (and clean and inspect before guests arrive).

    People not renting out to strangers can simply buy some non-internet-connected combination lock or lockbox, if they or their family don't want to carry keys. (Except that pushbutton door locks, whether "smart" or not, have pretty terrible security records.)

  22. Anonymous Coward, 18 Aug 2017 @ 8:56am

    I do like the idea of a smart house but don't like it when you put it on the internet. There are definitely features I like but I will try to keep my smart system on a separate VLAN that doesn't have access to the internet. Preferably PoE and not even wireless if possible.

  23. Mononymous Tim, 18 Aug 2017 @ 9:25am

    Unfortunately "smart" has become overrated, just like common sense.

  24. Anonymous Coward, 18 Aug 2017 @ 9:36am

    Re: Re:

    The government would never try to weaken smart locks so they can get into your home. They will however promote and push for smart locks having a code for emergency responders to unlock your door in the event you need to call 911 to your home for something.

    Naturally access to such a code would be carefully controlled. It would never be stolen or misused. However just in case of the unlikely event that happened, all uses of the code would of course be logged by the locks. Plus since they're building in some logging ability anyways, the locks would log all usage of the door so the homeowner had the option of knowing people's comings and goings. For the homeowner's convenience, those logs would of course be stored "in the cloud".

  25. That Anonymous Coward, 18 Aug 2017 @ 10:43am

    You paid us nearly 500 and we care about you as a customer, so much that when we disable the device we'll send a fix in the next few weeks. Until then have your AirBnB customers sleep in the rental car.

  26. bob, 18 Aug 2017 @ 10:58am

    Re:

    When the device functions properly it usually is revolutionary and cool. The problem is customers don't know about the potential downtime. And unfortunately when these things go down it results in spectacular failures.

  27. bob, 18 Aug 2017 @ 11:32am

    Re: Re: Re:

    And this is a perfect example of why technology will never fully replace humans and why hotels still have the ability to compete with airB&B.

  28. McGyver, 18 Aug 2017 @ 12:01pm

    No matter how much manufacturers can improve "smart" products, anything that needs to be connected to the Internet, receive constant updates or has the potential to become "bricked" is a product that has just one more way to fail.
    So previously you have ordinary wear and tear, the possibility of a manufacturer defect and now let's add "smart fail".
    Some things are just better off dumb... no matter how cool it seems to be able to turn on your electric toothbrush or check your coffeemaker's emotional status from halfway across the planet, you are just adding more vectors for failure and frustration.

  29. Anonymous Coward, 18 Aug 2017 @ 1:56pm

    Re: Smart devices?

    Yeah and it's currently on version 20.1.7

    A really oversensitive version that's prone to violent breaks with reality.

  30. Anonymous Coward, 18 Aug 2017 @ 2:11pm

    Re:

    anything that needs to ... receive constant updates or has the potential to become "bricked" is a product that has just one more way to fail.

    But writing secure and robust software before releasing a product is hard!

    I'd love to see firmware for stuff like this come with an algorithmic proof of correctness, but startup culture isn't going to give us that.

  31. Anonymous Coward, 18 Aug 2017 @ 2:15pm

    Re: Re: Re:

    All nicely wrapped up in a compact package for pick up by any of the three letter acronyms or their hacker buddies.

  32. Anonymous Coward, 18 Aug 2017 @ 2:16pm

    Re: Re:

    Really - and for a device no one really needs.

  33. Toom1275, 18 Aug 2017 @ 3:34pm

    Re: Terrible response

    "Are they just trying to avoid paying for new locks, or do they really have no stock?"

    Or... perhaps they also bricked their entire factory stock at the same time?

    Also, the bricked locks were the previous generation of lock, so since they've moved on to a new model, that would mean less of the old one.

  34. Cowardly Lion, 18 Aug 2017 @ 5:29pm

    Re: Re: Re:

    Quite possibly a fair portion. Have you seen Techdirt's page rankings on the internet?

    I'm guessing it's why they are a thorn in several prominent sides.

  35. Cowardly Lion, 18 Aug 2017 @ 5:43pm

    Re: Re:

    Downtime? Possibly you meant downside...?

    I'm struggling to think why a door lock should ever need downtime because that seems to me highly dangerous and a recipe for disaster. It's sod's law that you'll need your lock to open (FIRE!) just when it's having some me time.

  36. Anonymous Coward, 19 Aug 2017 @ 12:18am

    Testing, Testing, One, Two, Three

    Or even testing it on all their product range, both new and old.

    Looks like the old school way of doing things came about due to that annoying thing called experience.

  37. MrTroy, 20 Aug 2017 @ 7:30pm

    Re: Re:

    While I generally agree with this sentiment, it does butt up against another problem.

    Devices that are connected to the internet but don't update automatically... typically won't be updated, and so security flaws that are discovered over time don't get fixed over time, leading to IoT devices that are happy to participate in distributed attacks of some nature.

    The ability to create limited-time codes to access the property seems like a perfect fit for the AirBNB or similar model, so I'd say that this is far less of a pink elephant than most internet-connected devices. If it provides access audits per code, then homeowners could determine that the cleaners did or didn't access the property at times when they were supposed to, amongst other simple conveniences. This sounds to me like a genuinely useful device.

    Internet-facing security would of course have to be bullet-proof and upgradeable. Maybe the simple fix would have been for firmware upgrades to be pushed by the device owner rather than the device manufacturer, with escalating warnings over time from the manufacturer if devices are left without upgrade perhaps resulting in a loss of warranty (support? Warranty is probably a legal thing) if a device hasn't received an update flagged as security for more than (say) 3 months.

    At least if the owner is doing the upgrade, and it fails, they are aware of the failure *at that moment* and so can respond to it at the time. I fail to have much sympathy for owners for whom this approach would be too hard because they own too many properties.

  38. Idiot Buy, 9 Aug 2019 @ 12:04am

    FipiLock Smart Fingerprint Padlock
