Hundreds of IoT smart locks bricked by bad update, leaving customers stranded

A botched wireless update for certain LockState locks has left them unable to be locked or unlocked without the physical backup key, highlighting the dangers associated with IoT.

A flawed wireless update for certain LockState smart locks caused a "fatal error," leaving many customers without a working lock and without an easy way to fix it. After some customers took to Twitter to voice their concerns, LockState CEO Nolan Mondrow issued a formal statement, and the company's response, in an email.

The issue impacted users of the 6000i smart lock systems. Due to some error, an update intended for LockState's 7000i model locks was sent to the 6000i locks instead, rendering them inoperable, according to a report from Threatpost.

The problem was compounded by the fact that no remote fix could be performed. In his email, Mondrow noted that, after the update took place, "it failed to reconnect to our web service, making a remote fix impossible."

The particular locks that were affected by the issue were also a part of LockState's Airbnb Host Assist marketing partnership. As such, around 200 Airbnb customers were affected by the botched update, the Threatpost article reported.

So, what are users to do? According to LockState, there are two possible remedies.

The first option is to remove the back of the bad lock and send it to LockState so the company can fix the software and send it back. However, this will take a total of 5-7 days, the email said.

Alternatively, users can ask LockState to ship a replacement interior lock, to be installed by the user. Customers would then need to ship the bad lock back to LockState. But, according to the email, this option is quoted with an even longer fix time of 14-18 days.

Either way, users have to email their choice to 6000i@lockstate.com to start the process, and LockState has agreed to pay the shipping both ways and provide a year of free service for the LockState Connect Portal for these locks, the email said.

Until the customer gets their fix of choice, it's back to physical keys to get in and out of the doors.

The LockState update fiasco highlights a growing concern over the security and operability of Internet of Things (IoT) devices. As more and more of the world becomes connected, threats begin to emerge over what can be done with those connections, whether it's hacking cars or spying on personal webcams.

Businesses, especially, should be cautious in their use of IoT. IT leaders should study what data is collected by the device, and try to take into account any known vulnerabilities before proceeding.

The 3 big takeaways for TechRepublic readers

  1. A botched wireless update for LockState 6000i locks has left them inoperable, and customers without an immediate fix.
  2. Users have two options to remedy the problem, but both require mailing lock parts back to LockState and could take between 5 and 18 days.
  3. Businesses should be wary of IoT device risks and proceed with caution before deploying any connected systems.

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
