Kwikset Halo Smart Lock Is Secure, but the Android App Controlling It Isn’t, Research Finds
Bitdefender security researchers have identified a vulnerability in the Android application controlling the Kwikset Halo Smart Lock. Still, the overall security of the lock proved to be pretty good.
One of the biggest issues in today’s digital world is that people surround themselves with smart devices and don’t really realize it. The fact that many Internet of Things devices arrive on the market with laughable security and almost zero support complicates a situation that’s already problematic.
Smart locks are the kind of device you forget is there. You expect them to work and that’s about it. But smart locks are part of the IoT world, and that means they need proper support and users have to be aware that they might need to apply patches.
Bitdefender took a closer look at the Kwikset Halo Smart Lock and noted two important findings. Unlike many IoT devices, the connection can’t be intercepted with a man-in-the-middle attack, the firmware is a GBL container file that is encrypted and signed, and two-factor authentication is enabled by default. Finally, the serial connection pins are not accessible to attackers.
The protection around the lock ticks almost all of the necessary boxes, but there’s a problem with the Android application because it exposes a content provider that can be accessed by any application on the phone.
“Because of a race condition, it can be used by a malicious application to read any file of the application including the default_settings.xml file which contains the authentication token, user info and the lock serial number,” explained the security researchers.
Fortunately, following an official notification from Bitdefender, the vendor released an update for the Android application and the vulnerability is gone.
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021
June 22, 2022
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data
May 24, 2022
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight
April 15, 2022
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users
April 14, 2022