Kwikset Halo Smart Lock Is Secure, but the Android App Controlling It Isn’t, Research Finds

Bitdefender security researchers have identified a vulnerability in the Android application controlling the Kwikset Halo Smart Lock. Still, the overall security of the lock proved to be pretty good.
One of the biggest issues in today’s digital world is that people surround themselves with smart devices and don’t really realize it. The fact that many Internet of Things devices arrive on the market with laughable security and almost zero support complicates a situation that’s already problematic.
Smart locks are the kind of device you forget is there. You expect them to work and that’s about it. But smart locks are part of the IoT world, and that means they need proper support and users have to be aware that they might need to apply patches.
Bitdefender took a closer look at the Kwikset Halo Smart Lock and noted two important findings. Unlike many IoT devices, the connection can’t be intercepted with a man-in-the-middle attack, the firmware is a GBL container file that is encrypted and signed, and two-factor authentication is enabled by default. Finally, the serial connection pins are not accessible to attackers.
The protection around the lock ticks almost all of the necessary boxes, but there’s a problem with the Android application because it exposes a content provider that can be accessed by any application on the phone.
“Because of a race condition, it can be used by a malicious application to read any file of the application including the default_settings.xml file which contains the authentication token, user info and the lock serial number,” explained the security researchers.
Fortunately, following an official notification from Bitdefender, the vendor released an update for the Android application and the vulnerability is gone.
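The exposure described above, a content provider reachable by any app on the phone, can be spotted in an app's decoded manifest. The following is an added example, not code from Bitdefender or Kwikset: it flags exported providers that lack a read or write permission. The manifest, package and provider names are constructed placeholders, and the sample is trimmed to the attributes the check reads.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (placeholder names, not the vendor's app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <provider android:name=".OpenFileProvider" android:exported="true"/>
    <provider android:name=".GuardedProvider" android:exported="true"
              android:permission="com.example.lockapp.ACCESS"/>
    <provider android:name=".ReadOnlyGuard" android:exported="true"
              android:readPermission="com.example.lockapp.READ"/>
    <provider android:name=".InternalProvider" android:exported="false"/>
    <provider android:name=".ImplicitProvider"/>
  </application>
</manifest>"""


def is_exported(provider, target_sdk):
    """Explicit android:exported wins; otherwise a provider defaults to
    exported only when targetSdkVersion is 16 or lower."""
    value = provider.get(ANDROID + "exported")
    if value is not None:
        return value.strip().lower() == "true"
    return target_sdk <= 16


def unprotected_providers(manifest_xml):
    """Return names of exported providers missing read or write permission."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    findings = []
    for p in root.iter("provider"):
        if not is_exported(p, target_sdk):
            continue
        general = p.get(ANDROID + "permission")
        read = p.get(ANDROID + "readPermission") or general
        write = p.get(ANDROID + "writePermission") or general
        if not (read and write):
            findings.append(p.get(ANDROID + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_providers(SAMPLE_MANIFEST):
        print("exported provider without full permission:", name)
```

A manifest check like this only finds the exposed entry point; it does not detect the race condition itself, and it ignores `<path-permission>` and `grantUriPermissions` settings.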