“In terms of software, this requires additional work from the attacker – in our case a Python script was developed, but pretty much any language can be used as long as it can interact with a Bluetooth controller. It can be bought for ~10$ and used out-of-the-box,” Krzysztof Marciniak, cyber security consultant at F-Secure, told Help Net Security.
![keywe lost bluetooth pairing keywe lost bluetooth pairing](https://icdn3.digitaltrends.com/image/digitaltrends/skullcandy-sesh-evo-00009-1200x9999.jpg)
“The hardware needed is a board able to sniff Bluetooth Low Energy traffic. They discovered that, while the company did implement some security protections for the lock and app (not so much the bridge), a flaw in the in-house developed key exchange protocol can be exploited to, ultimately, get the secret key needed to unlock the lock.
#KEYWE LOST BLUETOOTH PAIRING ANDROID#
They analyzed its hardware and firmware, as well as the hardware and firmware of the accompanying KeyWe bridge (which is used to connect the lock to a wireless network) and the code of the associated Android app. About the vulnerability and the attackį-Secure security consultants acquired the KeyWe Smart Lock by pledging on Kickstarter. It has additional options like generating one-time guest codes, unlocking the door based on proximity, etc. The lock can be opened via an application (Wi-Fi, Bluetooth), an armband (NFC), through a touchpad (numeric code), or mechanically (with a regular key). KeyWe smart lock is developed by the Korean company KeyWe, which raised money for it on Kickstarter.
![keywe lost bluetooth pairing keywe lost bluetooth pairing](https://www.mojopromotions.co.uk/images/products/bluetooth_keyfinder/image/2/large_product.jpg)
To add insult to injury, in this present incarnation the lock can’t receive firmware updates, meaning that the security hole can’t be easily plugged. A design flaw in the KeyWe smart lock (GKW-2000D), which is mostly used for remote-controlled entry to private residences, can be exploited by attackers to gain access to the dwellings, F-Secure researchers have found.