
KeyWe Smart Lock Has a Major Design Flaw

According to F-Secure, there is no way to fix the flaw, rendering the smart lock permanently vulnerable to attack.

By Matthew Humphries, Former Senior Editor


If a smart lock is on your Christmas list this year, it's best to give the KeyWe Smart Lock a miss due to a design flaw that it seems can't be fixed.

As The Register reports, cyber-security company F-Secure has discovered that the KeyWe Smart Lock, which currently sells for $155 on Amazon, can be circumvented due to "improperly designed communications protocols." Worse than that, though, this design flaw can't be fixed because the smart lock has no way of applying a security patch.

The KeyWe lock allows entry via a traditional key, a keypad, or through a KeyWe app on your phone. The AES encryption used to secure the communication link to your phone is 128-bit, but F-Secure determined that messages sent over the encrypted channel relied on only two factors for security: a common key to initiate the key exchange, and the app/lock key calculation process.

Overcoming both these factors is, according to F-Secure, "trivial." The common key is created "based on the device Bluetooth MAC address available globally," while the key calculation process "can be retrieved from the mobile application." F-Secure believes a malicious attacker could intercept and gain access to the lock from a range of up to 15 meters away.

There is no way of mitigating this design flaw right now, and it seems unlikely there will be if the KeyWe Smart Lock can't be patched. F-Secure's advice for anyone using the lock is to pair a mobile device with it and keep that mobile device "as far from the device as possible and use a physical key/touchpad only."
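The two factors described above share one weakness: neither is a secret. The following design-review sketch is an added example, not KeyWe's protocol or F-Secure's code. The hash-based derivation, the nonce exchange and every function name are assumptions made for illustration; it checks whether a party holding only public data ends up with the same AES-128 session key.

```python
import hashlib
import hmac
import secrets

def kdf(key, *parts):
    """HMAC-SHA256 over fixed-length parts, truncated to an AES-128 key."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def common_key_from_mac(mac):
    # Hypothetical stand-in for a "common key" computed from the advertised
    # Bluetooth MAC address; the real calculation is not given on this page.
    return hashlib.sha256(bytes.fromhex(mac.replace(":", ""))).digest()[:16]

def exchange(root_key):
    """One key exchange: returns (values visible on the air, session key)."""
    app_nonce = secrets.token_bytes(16)
    lock_nonce = secrets.token_bytes(16)
    transcript = {"app_nonce": app_nonce, "lock_nonce": lock_nonce}
    return transcript, kdf(root_key, app_nonce, lock_nonce)

def observer_recovers_key(mac, transcript, session_key):
    """True if public data alone (MAC, transcript, app logic) yields the key."""
    guess = kdf(common_key_from_mac(mac),
                transcript["app_nonce"], transcript["lock_nonce"])
    return hmac.compare_digest(guess, session_key)

def review(mac):
    """Compare a MAC-only root key with one that mixes in a pairing secret."""
    # Design A: every input to the root key is public.
    transcript, key = exchange(common_key_from_mac(mac))
    mac_only = observer_recovers_key(mac, transcript, key)

    # Design B: a random secret is installed on both sides at pairing time
    # and never transmitted, so the root key has a non-public input.
    pairing_secret = secrets.token_bytes(32)
    root = kdf(pairing_secret, common_key_from_mac(mac))
    transcript, key = exchange(root)
    with_secret = observer_recovers_key(mac, transcript, key)

    return {"mac_only": mac_only, "with_pairing_secret": with_secret}

if __name__ == "__main__":
    # Constructed sample MAC address, not a real device.
    print(review("AA:BB:CC:DD:EE:FF"))
```

The strength of AES-128 is irrelevant in the first design, because the key itself can be recomputed from information that is broadcast or shipped inside the app.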
