Four times smart locks went wrong

There's a lot to like in the idea of smart locks but there's been no shortage of recent incidents that might give you pause about buying in just yet.


Tapplock

What happened?

Tapplock recently came under scrutiny when security researcher Vangelis Stykas found that anyone could obtain sensitive information to locate and open a lock, simply by pulling the information directly from the company’s leaky API server.

The researcher demonstrated how to retrieve the lock’s last known postal address, and enough data to create an unlock code, which could be used to locate and open any smart lock.

In a statement made by Tapplock, the company confirmed it had pulled the API, which the app relies on to wirelessly open the lock using Bluetooth, given the risk of a data breach.

“This patch addresses several security issues and upgrades Tapplock’s communication and authentication security protocols. We will continue to monitor the latest security trends and provide updates from time to time,” the company said.

However, the lock also features other detrimental flaws. Aside from the poor-quality aluminium alloy that the lock is built out of, YouTube user JerryRigEverything also found that you can potentially unscrew the back of the lock, rendering it useless.


LockState

What happened?

In 2017, a botched wireless update for a remotely accessible smart lock system by LockState inadvertently bricked hundreds of the locks.

The locks suffered a “fatal error”, according to the company, rendering them unable to be locked. Customers have been asked to either return the impacted locks for repair, or request a replacement.

The company mistakenly sent out an over-the-air firmware update to its 6000i systems that was intended for its 7000i model locks. The update caused first-generation models of the 6000i locks to malfunction, rendering them unable to be locked and no longer able to receive over-the-air updates.

More than 500 customers using model 6000i RemoteLocks were impacted, and approximately 200 of these customers were Airbnb hosts.

A remote fix to this problem was deemed impossible by the company, meaning users had to physically replace the affected locks.

Amazon Key

What happened?

Amazon’s Amazon Key service is a smart lock and security camera pairing designed to let delivery people into the user’s house to drop off packages, with full video footage for accountability.

However, a vulnerability in the system was discovered by Ben Caudill of Rhino Security Labs late last year. He found that a delivery person could walk into a user’s home, drop off a package and leave. Then, instead of locking the door with their app, they can issue commands to the camera via a laptop or other device, causing it to freeze footage on a single frame.

While the camera is frozen, they can re-enter the home, move out of the camera’s view, and restart it. While it will appear as though they have stepped outside and taken a few seconds to initiate a lock, they are actually now in the user’s home, free to do as they please and leave through another exit.

Amazon said that it alerts users if their camera’s feed is frozen for an extended period, and that it has issued an update to help protect people against the vulnerability.


August

What happened?

In 2016, a software engineer and white-hat hacker known as Jmaxxz uncovered one area of vulnerability in August smart locks relating to guest access.

August’s locks allow users to grant someone ongoing, recurring or temporary access to their home via a digital key. Jmaxxz discovered a vulnerability with August’s guest access that allowed a guest to hack August’s software and enroll a new key. Once a guest enrolled a new key, they could control an August smart lock even after the homeowner removed them as a guest.

Thankfully, there have been no reports of break-ins due to this vulnerability, and Jmaxxz noted that August, unlike the other companies whose locks were hacked, has been responsive and at least some of the issues have been fixed.

“I don’t think the current fixes are sufficient,” said Jmaxxz.

“However, August has deployed a number of important patches over the last couple of weeks, and I am hopeful they will be deploying the needed firmware updates soon.”
