This article is more than 3 years old

A fouled-up over-the-air firmware update rendered hundreds of a smart lock vendor’s products unopenable via custom access codes.

Fortunately, the screw up affected only one type of product: the LockState RemoteLock 6i (6000i). These smart locks feature heavily in a partnership between LockState and Airbnb.

With RemoteLock 6i models, Airbnb hosts create custom access codes for each of their guests without giving them the lock’s physical key. As such, they sleep easy at night knowing a former guest can’t burgle their rental property using a stolen key or discarded access code.

Those custom access codes are stored on LockState’s servers. Meaning? A RemoteLock 6i needs connectivity, or no one’s getting in with a code.

Well, that’s exactly what happened on 8 August with LockState’s remote update. Hundreds of smart locks lost connectivity, causing major inconveniences for Airbnb hosts and renters. As Bleeping Computer’s Catalin Cimpanu explains:

“The botched firmware bricked the device’s smart code access mode. Physical keys continued to work. The botched firmware was a nuisance for private home owners, but it was a disaster for Airbnb hosts, who had to scramble to get customers physical keys so they could enter their rents.”

Needless to say, people weren’t happy with the news.

@lockstate Your firmware update bricked at least 500 locks. Very costly. Replacement in 14-18 days? Email response over 12 hours? Not OK. — Coffee Review (@coffeereview) August 8, 2017

Are you a stranded @Airbnb guest? @LockState just BRICKED a bunch of 6i locks. But they won't tweet updates. Trying to hide their screw-up? — Juniper (@JuniperWyoming) August 7, 2017

LockState looked into what happened and determined the botched update had affected 500 customers. It subsequently sent out a letter to these customers with instructions on how to regain access to their smart locks.

Those affected can either return their product and have LockState replace its software or receive a replacement lock altogether. The first option will take at most a week, whereas the second could take as much as two and a half weeks. Either way, customers can let the vendor know their preference by emailing 6000i@lockstate.com.

LockState says it’s fixed approximately 60% of the affected locks as of this writing.

Over 60 percent of affected locks are back online, and appreciate the customers we are working with the get them back running. — RemoteLock (@LockState) August 11, 2017

As the vendor continues its recovery mode, it’s important that owners of products like the RemoteLock 6i take a moment to reflect on this incident. Wi-Fi connectivity isn’t a given; sometimes it goes out because of a power outage or other similarly mundane event.

Customers should therefore make sure they know where their physical key is and store it in a safe location. If they are Airbnb hosts, they should also develop policies around granting renters access to their physical key in the event their smart lock’s access code stops working all of a sudden.

For further discussion on this story, make sure to listen to this episode of the “Smashing Security” podcast:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.