Kwikset Halo smart-lock security flaw fixed — here's what you need to do
Vulnerability allowed total takeover of home door lock
The Kwikset Halo smart lock had a flaw in its Android companion app that could let another app on the phone capture login credentials to Kwikset's servers, then use that information to gain control of the smart lock.
This flaw was found by researchers at Bitdefender, who notified Kwikset of it on Nov. 9, 2021. Kwikset fixed the flaw with an Android app update on Dec. 16, 2021.
If you're a Kwikset Halo smart-lock owner or user, make sure your Android app is updated to version 1.2.11 or later. Kwikset's iOS app did not appear to be vulnerable to this flaw, Bitdefender researchers told Tom's Guide.
Reaching into the cloud
The flaw had to do with how the app accessed Kwikset's cloud servers on Amazon Web Services, a Bitdefender report released today (April 6) explained. Using the Drozer Android app-assessment tool, the Bitdefender researchers found that the credentials used to reach those servers could be read by other apps installed on the same Android device.
The process wasn't that easy. The malicious app would have to plant pointer links (symbolic links) that tricked the Kwikset app into writing the AWS credentials from a protected file into an unprotected file, where the malicious app could then read them.
Of course, the malicious app would have to be installed on the phone by the user in the first place, but that is not so difficult when hundreds of harmless-seeming but actually malicious Android apps are found in the Google Play app store every year.
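The file-handling mistake described above, modelled in Python as an added example (not Kwikset's or Bitdefender's code): the article's "pointer links" are read here as symbolic links. The victim routine, directory layout and credential string are constructed for illustration, and the Kwikset app's actual file handling is not detailed on the page. The naive export follows whatever is already at the destination path, so a link pre-planted by another process redirects the copy into a location that process can read; the hardened version refuses to follow a link or reuse an existing file and creates the export owner-only from the start.

```python
import os
import tempfile

# Constructed placeholder, not a real credential.
SECRET = "AKIA-EXAMPLE-NOT-REAL:example-secret"


def naive_export(private_path, export_path):
    """The flaw: open(..., "w") follows a symlink sitting at export_path,
    so the copy of the secret lands wherever the attacker pointed the link."""
    with open(private_path) as src, open(export_path, "w") as dst:
        dst.write(src.read())


def safe_export(private_path, export_path):
    """Hardened export.
    O_NOFOLLOW: fail if the final path component is a symlink.
    O_EXCL:     fail if anything (file or dangling link) already exists there.
    mode 0o600: the new file is owner-only from creation, never briefly readable.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(export_path, flags, 0o600)
    with open(private_path) as src, os.fdopen(fd, "w") as dst:
        dst.write(src.read())


def run_scenario(export_fn):
    """Plants an attacker-controlled symlink at the export path, runs the
    victim's export routine, and returns what the attacker can read afterwards.
    Returns None when the export was refused or nothing reached the attacker."""
    with tempfile.TemporaryDirectory() as root:
        private_dir = os.path.join(root, "app_private")   # victim's protected dir
        shared_dir = os.path.join(root, "shared")         # dir both parties can write to
        attacker_dir = os.path.join(root, "attacker")     # attacker's own dir
        for d in (private_dir, shared_dir, attacker_dir):
            os.mkdir(d)

        private_path = os.path.join(private_dir, "creds")
        with open(private_path, "w") as f:
            f.write(SECRET)
        os.chmod(private_path, 0o600)  # protected file: other apps cannot read it directly

        # Attacker pre-plants a symlink where the victim will write its export.
        attacker_file = os.path.join(attacker_dir, "stolen")
        export_path = os.path.join(shared_dir, "export.txt")
        os.symlink(attacker_file, export_path)

        try:
            export_fn(private_path, export_path)
        except OSError:
            return None  # hardened export refused the planted link
        if not os.path.exists(attacker_file):
            return None
        with open(attacker_file) as f:
            return f.read() or None


if __name__ == "__main__":
    print("naive export leaks:", run_scenario(naive_export) == SECRET)
    print("safe export leaks: ", run_scenario(safe_export) is not None)
```

The same pattern is what an assessment tool such as Drozer helps surface on a device: look for files the app writes outside its private storage, or writes through paths another app can influence, and check whether the write path trusts what is already there.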
The good news is that the Kwikset Halo Android app was otherwise pretty sound. The lock itself — which is on our list of the best smart locks — had no security flaws that the Bitdefender team could find, and neither did the communications between the lock and the paired smartphone.
The Bitdefender team was not able to mount a "man in the middle" attack on the lock, crack the lock's encryption, tamper with firmware updates, or steal the Kwikset-account user password, thanks to two-factor authentication being enabled by default.
"The connection can't be intercepted with a man-in-the-middle attack, as the smart lock verifies the validity of the server certificate," Bitdefender researchers said in their paper. "An attacker can't impersonate the camera to the server as they lack knowledge of the client certificate stored on the device's memory."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
