According to The Register, a firmware update mistake has managed to brick hundreds of internet-connected door locks:
The upshot is you can't use the built-in keypad on the devices to unlock the door. Lockstate's smart locks are popular among Airbnb hosts as it allows them to give guests an entry code to get into properties without having to share physical keys. Lockstate is even a partner with Airbnb.
Earlier this week, though, new software was automatically sent out to folks' $469 Lockstate 6000i locks – one of the upstart's top residential smart locks – which left the keypad entirely useless. The crashed locks – which connect to your home Wi-Fi for remote control and monitoring as well as firmware updates – are now going to be out of action for at least a week.
[...] The physical key on the lock should still work, but that's going to be cold comfort for a lot of Airbnb users, who prefer to keep the physical keys to themselves and set an access code for each lodger that stops by.
(Score: 4, Interesting) by kaszz on Sunday August 13 2017, @03:36AM (3 children)
In other words, Lockstate and the buyer own it.
The question then becomes whether it's more secure to let Lockstate do the automatic update thing and risk their incompetence, or to block them from doing anything by ripping out the phone-home connection, but instead risking a lock that can be thwarted by some security leap you missed?
Another approach is to flash it with your own firmware.
At 2:09 [youtube.com] the interior design of the lock should be obvious. The square SMD chip (QFP-64?) in the upper left corner is likely the MCU. Find the JTAG points, flash it. Another approach is to make a replacement board that uses the connector to the right. That way you can do the lock thing correctly.
Overview of both sides [youtube.com]. In particular, the outside only has a keypad, and the inside has a keypad + battery box.
As the lock lacks any wired connection to anything, I'll assume it phones home via 802.11 and DHCP. Or does it use Bluetooth, or GSM/3G?
(Score: 0) by Anonymous Coward on Sunday August 13 2017, @03:42AM (2 children)
If it were the case that Lockstate AND the buyer (the intersection) owns it, then they'd both have to agree on how it's controlled.
What you are describing is Lockstate OR the buyer (the union) owns it.
This distinction is not splitting hairs; the lack of appreciation for this distinction is the root of all disputes.
(Score: 2) by kaszz on Sunday August 13 2017, @03:48AM (1 child)
AND - because both can tell the unit to contradict the order from the other "user".
So the user should verify code and lock the manufacturer out of the product.
(Score: 0) by Anonymous Coward on Sunday August 13 2017, @03:50AM
Now, we're back to what the Bitcoiners say. (XOR).