The Kwikset Halo smart lock had a flaw in its Android companion app that could let another app on the phone capture login credentials to Kwikset's servers, then use that information to gain control of the smart lock.
This flaw was found by researchers at Bitdefender, who notified Kwikset of it on Nov. 9, 2021. Kwikset fixed the flaw with an Android app update on Dec. 16, 2021.
If you're a Kwikset Halo smart-lock owner or user, make sure your Android app is updated to version 1.2.11 or later. Kwikset's iOS app did not appear to be vulnerable to this flaw, Bitdefender researchers told Tom's Guide.
Reaching into the cloud
The flaw had to do with how the app accessed Kwikset's cloud servers on Amazon Web Services, a Bitdefender report released today (April 6) explained. The credentials used to reach those servers could be read by other apps installed on the same Android device, the Bitdefender researchers found while probing the app with the Drozer app-security-testing tool.
The process wasn't that easy. The malicious app would have to plant file links (symbolic links) that tricked the Kwikset app into writing the AWS credentials from a protected file into an unprotected one, where the malicious app could then read them.
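The report, as summarized here, does not spell out the exact link trick, so the following is an added example (not the Bitdefender team's code and not anything from the Kwikset app) that models the general pattern in Python rather than the app's Android code: a victim that copies a protected file into a directory another app can write to, an attacker that pre-plants a symlink under the name the victim will use, and a hardened copy routine that refuses to follow it. The directory names, the credential strings and the export file name are all constructed for the demo.

```python
"""Symlink-planting credential export, modelled as an added example.

Layout (all constructed for the demo, created under a temp dir):
  app_private/aws_credentials  protected file, mode 0600, owner-only dir
  staging/                     dir the victim exports into and the attacker can write to
  attacker/captured.txt        file the attacker can read at leisure
"""
import os
import tempfile

# Constructed sample credential material; nothing from the real app.
SAMPLE_CREDS = "aws_access_key_id=AKIAEXAMPLE\naws_secret_access_key=EXAMPLESECRET\n"
EXPORT_NAME = "creds_export.txt"  # assumed file name the victim app writes


def make_layout(root):
    """Build the three directories and the protected credential file."""
    private = os.path.join(root, "app_private")
    staging = os.path.join(root, "staging")
    attacker = os.path.join(root, "attacker")
    os.mkdir(private, 0o700)
    os.mkdir(staging, 0o777)   # think external storage or a carelessly created 0777 dir
    os.mkdir(attacker, 0o755)
    creds = os.path.join(private, "aws_credentials")
    with open(creds, "w") as f:
        f.write(SAMPLE_CREDS)
    os.chmod(creds, 0o600)
    return private, staging, attacker, creds


def attacker_plants_link(staging, attacker):
    """The attacker cannot read app_private, but it can write to staging.
    It pre-creates the name the victim will write to as a symlink pointing
    at a file it owns; whatever the victim writes lands there."""
    captured = os.path.join(attacker, "captured.txt")
    open(captured, "w").close()
    os.symlink(captured, os.path.join(staging, EXPORT_NAME))
    return captured


def vulnerable_export(creds, staging):
    """Victim behaviour: a plain open(path, 'w') follows the planted symlink."""
    dest = os.path.join(staging, EXPORT_NAME)
    with open(creds) as src, open(dest, "w") as dst:
        dst.write(src.read())
    return dest


def hardened_export(creds, staging):
    """Create the destination atomically with O_CREAT|O_EXCL, which fails if
    anything (including a planted or dangling symlink) already has that name,
    add O_NOFOLLOW as belt-and-braces, and set mode 0600 at creation so there
    is no window in which the file is world-readable."""
    dest = os.path.join(staging, EXPORT_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)  # raises FileExistsError if the name is taken
    with open(creds) as src, os.fdopen(fd, "w") as dst:
        dst.write(src.read())
    return dest


def run_scenario(hardened):
    """Run one attack round and return what the attacker ends up reading
    from its own file ('' means nothing leaked)."""
    with tempfile.TemporaryDirectory() as root:
        _private, staging, attacker, creds = make_layout(root)
        captured = attacker_plants_link(staging, attacker)
        try:
            (hardened_export if hardened else vulnerable_export)(creds, staging)
        except FileExistsError:
            pass  # the hardened routine refuses the pre-planted name
        with open(captured) as f:
            return f.read()


if __name__ == "__main__":
    print("vulnerable export leaked:", repr(run_scenario(hardened=False)))
    print("hardened export leaked:  ", repr(run_scenario(hardened=True)))
```

Everything here runs as a single user, so the only thing standing between the attacker's file and the victim's data is the victim's own open() call, which is the point: on Android each app has its own UID, and the fix is for the app never to write secrets to a location another UID can create names in, and to open any export destination with O_EXCL so a pre-planted path makes the write fail loudly instead of silently redirecting.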
Of course, the malicious app would have to be installed by the user on the phone in the first place, but that is not so difficult when hundreds of harmless-seeming but actually malicious Android apps are found in the Google Play app store every year.
The good news is that the Kwikset Halo Android app was otherwise pretty sound. The lock itself — which is on our list of the best smart locks — had no security flaws that the Bitdefender team could find, and neither did the communications between the lock and the paired smartphone.
The Bitdefender team was not able to mount a "man in the middle" attack on the lock, crack the lock's encryption, tamper with firmware updates, or steal the Kwikset-account user password, thanks to two-factor authentication being enabled by default.
"The connection can't be intercepted with a man-in-the-middle attack, as the smart lock verifies the validity of the server certificate," Bitdefender researchers said in their paper. "An attacker can't impersonate the camera to the server as they lack knowledge of the client certificate stored on the device's memory."