Kwikset Halo smart-lock security flaw fixed — here's what you need to do
Vulnerability allowed total takeover of home door lock
The Kwikset Halo smart lock had a flaw in its Android companion app that could let another app on the phone capture login credentials to Kwikset's servers, then use that information to gain control of the smart lock.
This flaw was found by researchers at Bitdefender, who notified Kwikset of it on Nov. 9, 2021. Kwikset fixed the flaw with an Android app update on Dec. 16, 2021.
If you're a Kwikset Halo smart-lock owner or user, make sure your Android app is updated to version 1.2.11. Kwikset's iOS app did not seem to be vulnerable to this flaw, Bitdefender researchers told Tom's Guide.
Reaching into the cloud
The flaw had to do with accessing Kwikset's cloud servers on Amazon Web Services, a Bitdefender report released today (April 6) explained. The credentials to access the servers could be read by other apps installed on the same Android device, the Bitdefender researchers found by using the Drozer app-security-checking tool.
The process wasn't that easy. The malicious app would have to create pointer links that tricked the Kwikset app into exported the AWS credentials from a protected file into an unprotected file, where the malicious app could then read them.
Of course, the malicious app would have to be installed by the user on the phone in the first place, but that is not so difficult when hundreds of harmless-seeming but actually malicious Android apps are found in the Google Play app store every year.
The good news is that the Kwikset Halo Android app was otherwise pretty sound. The lock itself — which is on our list of the best smart locks — had no security flaws that the Bitdefender team could find, and neither did the communications between the lock and the paired smartphone.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
The Bitdefender team was not able to use a "man in the middle" attack on the lock, were not able to crack the lock's encryption, were not able to tamper with firmware updates, and were not able to steal the Kwikset-account user password, thanks to two-factor authentication being enabled by default.
"The connection can't be intercepted with a man-in-the-middle attack, as the smart lock verifies the validity of the server certificate," Bitdefender researchers said in their paper. "An attacker can't impersonate the camera to the server as they lack knowledge of the client certificate stored on the device's memory."
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.