
Kwikset Halo Smart Lock Is Secure, but the Android App Controlling It Isn’t, Research Finds

Silviu STAHIE

April 06, 2022


Bitdefender security researchers have identified a vulnerability in the Android application controlling the Kwikset Halo Smart Lock. Still, the overall security of the lock proved to be pretty good.

One of the biggest issues in today's digital world is that people surround themselves with smart devices without really realizing it. The fact that many Internet of Things devices arrive on the market with laughable security and almost zero support complicates a situation that's already problematic.

Smart locks are the kind of device you forget is there. You expect them to work, and that's about it. But smart locks are part of the IoT world, which means they need proper vendor support, and users have to be aware that they might need to apply patches.

Bitdefender took a closer look at the Kwikset Halo Smart Lock and noted two important findings: the lock itself is well protected, but its companion app is not. On the hardware side, unlike many IoT devices, the connection can't be intercepted with a man-in-the-middle attack, the firmware is a GBL container file that is encrypted and signed, two-factor authentication is enabled by default, and the serial connection pins are not accessible to attackers.

The protection around the lock ticks almost all of the necessary boxes, but there's a problem with the Android application: it exposes a content provider that can be accessed by any other application installed on the phone.

"Because of a race condition, it can be used by a malicious application to read any file of the application, including the default_settings.xml file, which contains the authentication token, user info and the lock serial number," explained the security researchers.
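The weakness described above is a content provider that other apps on the device can reach. As an added illustration (not code from the Kwikset app, whose manifest and provider name are not published on this page), the AndroidManifest fragment below shows a hypothetical provider declared the exposed way next to the same provider locked down. The package name, authority and permission name are placeholders.

```xml
<!-- Hypothetical manifest fragment, not the vendor's. Package/authority/permission names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lockapp">
    <application>

        <!-- WEAK: exported="true" with no permission lets any installed app
             query this provider and, if its file handling is flawed, read the
             app's private files (settings, tokens, serial numbers). -->
        <provider
            android:name=".SettingsProvider"
            android:authorities="com.example.lockapp.settings"
            android:exported="true" />

        <!-- HARDENED: not exported at all. Only components inside this app
             can reach the provider, so a third-party app cannot use it. -->
        <provider
            android:name=".SettingsProvider"
            android:authorities="com.example.lockapp.settings"
            android:exported="false" />

        <!-- If another app genuinely needs access, keep it exported but gate
             it behind a signature-level permission so only apps signed with
             the same key can bind to it. -->
        <provider
            android:name=".SettingsProvider"
            android:authorities="com.example.lockapp.settings"
            android:exported="true"
            android:permission="com.example.lockapp.permission.SETTINGS_ACCESS" />
    </application>

    <permission
        android:name="com.example.lockapp.permission.SETTINGS_ACCESS"
        android:protectionLevel="signature" />
</manifest>
```

A quick check when auditing an APK is to decode its manifest and look at every `<provider>` element: any with `android:exported="true"` and no `android:permission` or `grantUriPermissions` restriction deserves scrutiny. Note that for apps targeting API 17 or later the default for a provider without an explicit `android:exported` attribute is already `false`, so an exposed provider is usually an explicit declaration rather than an oversight in the defaults.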

Fortunately, following an official notification from Bitdefender, the vendor released an update for the Android application and the vulnerability is gone.
