Malwarebytes researchers are warning users not to buy into the hype, or the actual products, offered with Amazon's Key service, which combines smart locks and security cameras to enable in-home deliveries.
Researchers say that, as with most internet of things (IoT) devices, it is unclear what vulnerabilities the smart locks include and how often they will be updated, and that previous smart locks have proven insecure, according to an Oct. 26 blog post.
In addition, researchers called for more transparency surrounding the underlying technology used in the product, since neither Amazon's nor the manufacturer's technical specifications pages list the security protocols used within the locks.
Some of the questions raised were whether the locks' software would be updated and, if so, how frequently; what would happen in the event that a company ceased to offer support for the locks; and other liability issues. At least one of the locks uses Wi-Fi, which was noted as insecure, while others use Bluetooth Low Energy technology, which affords additional security but could still leave users vulnerable.
Last year, independent researchers Anthony Rose and Ben Ramsey demonstrated at the DEF CON conference how 12 of 16 Bluetooth smart locks could be hacked due to a lack of encryption and other vulnerabilities, which allowed them to change user passwords.
Researchers called for smart lock manufacturers to adopt independent industry-wide security standards in design, independent code auditing, conventional implementation of industry-standard encryption, and right to repair, and to avoid Wi-Fi, before smart locks could achieve the same purchase status as standard deadbolt locks.