There's also the small problem of the app needing the IP address of the door it's trying to unlock. It's not clear whether that information is easily obtained, but the fact is that it has to be obtained, somehow. You can't just walk up to any door and hit a button; there needs to be some recon work to secure the IP addresses first. Still, it's a nice illustration of a weakness in this sort of security system, and the team is actually working with US-CERT (the U.S. Computer Emergency Readiness Team) to ensure that the loophole is patched.