Hundreds Of Smart Locks Get Bricked By A Buggy Firmware Update (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Hundreds Of Smart Locks Get Bricked By A Buggy Firmware Update (bleepingcomputer.com)

Posted by EditorDavid on Sunday August 13, 2017 @04:24AM from the world's-smartest-bricks dept.

An anonymous reader quotes BleepingComputer: On Tuesday, August 8, smart locks manufacturer LockState botched an over-the-air firmware update for its WiFi enabled [RemoteLock 6i] smart locks, causing the devices to lose connectivity to the vendor's servers and the ability to open doors for its users... The device costs $469 and is sold mainly to Airbnb hosts via an official partnership LockState has signed with the company. Hosts use the smart locks to configure custom access codes for each Airbnb renter without needing to give out a physical key to each one. The botched firmware bricked the device's smart code access mode. Physical keys continued to work. The botched firmware was a nuisance for private home owners, but it was a disaster for Airbnb hosts, who had to scramble to get customers physical keys so they could enter their rents.
The post includes tweets from angry lock owners, one complaining about a two-week wait for a replacement. The company is also offering to fix the defective units within "5-7 days," promising that "Every employee and resource at LockState is focused on resolving this for you as quickly as possible."

119 comments

Min score:

Reason:

Sort:

Inside Job... by js290 · 2017-08-13 04:27 · Score: 5, Insightful

Yet another data point demonstrating outages are better caused by admins than by hackers.

--
"Tempers are wearing thin. Let's just hope some robot doesn't kill everybody." --Bender
1. Re:Inside Job... by Anonymous Coward · 2017-08-13 04:37 · Score: 0
  
  "Hackers" usually means "it wasn't us!" (like that Shaggy song) or "we're too stupid!" (to be left alone with computers) or something to that tune.
  Don't ever use "hackers" in a security context if you want to be taken seriously.
2. Re: Inside Job... by Anonymous Coward · 2017-08-13 05:36 · Score: 1, Interesting
  
  Mark another in the "win" column for the DevOps model: traditional development release cycles could never have bricked so many devices so quickly.
3. Re:Inside Job... by Anonymous Coward · 2017-08-13 14:39 · Score: 0
  
  It was the firmware, the device bricked on reboot no longer connecting to its c2 servers. Many reasons this happened, virtually none with the people who actually pushed the update or are otherwise involved with the fw update process. They did not test well enough, plain and simple. Perhaps only a subset running an earlier hardware might be affected and they didn't test those or who knows what else.
  Anyhow blaming the admin ops people is like blaming white people for something muslims do.
4. Re:Inside Job... by Anonymous Coward · 2017-08-14 03:03 · Score: 0
  
  I bet it's that goddamned Jitterbug gang.
Cloud equivalent by CaptainOfSpray · 2017-08-13 04:33 · Score: 5, Interesting

Yet another data point to underpin the motto "Never allow any data or access or service that you value to be controlled by Somebody Else's Computer"

--
"Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
1. Re:Cloud equivalent by Anonymous Coward · 2017-08-13 04:47 · Score: -1
  
  your a doosh
2. Re:Cloud equivalent by Kergan · 2017-08-13 04:49 · Score: 3, Interesting
  
  However big a QA screwup this is, at least give this company credit for actually trying to upgrade their firmware.
3. Re:Cloud equivalent by arth1 · 2017-08-13 05:08 · Score: 4, Insightful
  
  However big a QA screwup this is, at least give this company credit for actually trying to upgrade their firmware.
  Um, no. Allowing a firmware change mechanism is the flaw here, and should not be commended.
  The time to harden a lock isn't after it's sold.
4. Re:Cloud equivalent by TWX · 2017-08-13 05:09 · Score: 1
  
  Why? They did more harm than if they'd left the firmware well enough alone. The aphorism, "the road the hell is paved with good intentions," comes to mind. The results dwarf any intentions.
  
  --
  Do not look into laser with remaining eye.
5. Re:Cloud equivalent by phantomfive · 2017-08-13 05:31 · Score: 1
  
  No. If you're making something like locks, you need to make a huge effort to write solid code in the first place. People are depending on your code to keep things secure, and you need to follow either formal logic design, or the DJB school of programming. You don't release things and fix them later, your lock needs to have pretty close to zero bugs.
  
  This is just a sign that they have lousy procedures, and the code is just as bad.
  
  --
  "First they came for the slanderers and i said nothing."
6. Re:Cloud equivalent by msauve · 2017-08-13 05:37 · Score: 1
  
  Allowing unapproved updates is the issue - if owners simply got a notice asking them to approve an update when they signed onto the website (along with an accurate changelog, so they could determine its importance), it wouldn't have spread as quickly, and would have given the vendor more time to withdraw it before it spread so widely.
  
  Also, beta testing.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
7. Re:Cloud equivalent by Anonymous Coward · 2017-08-13 06:22 · Score: 0
  
  Code today is written with libraries that each could have an unknown flaw. Unless you plan on spending the same amount of money we spent on the space program, your lock will cut some corners and have some unknowns that cant be accounted for in a cost effective way.
  Like all other situations, the firm does a cost benefit analysis that says, sometimes lawsuits are cheaper then fixing the product.
8. Re:Cloud equivalent by ssufficool · 2017-08-13 06:30 · Score: 1
  
  "The time to harden a lock isn't after it's sold."
  A physical key is still allowed. At that point, you can't harden the lock through firmware updates. A physical key will always be a vulnerability.
9. Re:Cloud equivalent by Hylandr · 2017-08-13 06:41 · Score: 2
  
  Can't wait for car manufacturers to start updating firmware / car computers over night or while I am at the store and bricking my car.
  
  --
  ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
10. Re:Cloud equivalent by phantomfive · 2017-08-13 06:49 · Score: 1
  
  Do you know what a bug is? It's a mistake. What do you do when you find a mistake? You find some way to avoid it in the future.
  
  There are entire classes of mistakes that should never happen. SQL injection? Never. We know how to make this not happen. The extra time it takes to avoid SQL injections is minimal to none. You can be perfect at avoiding SQL injections. There are many other ways to avoid bugs, techniques that can be learned and used. Because this company is making security devices, ideally they should devote some real resources to QA, giving them a multi-layered bug avoidance system. They should keep their bug tracker empty, fixing all known bugs as soon as they are reported. How much do you want to bet they don't have QA?
  
  Keep your interfaces simple so you can reason about them. Test your code. Learn how to avoid bugs that can be easily avoided. Soon you will find that your code is solid, and bugs are rare (even without QA).
  
  --
  "First they came for the slanderers and i said nothing."
11. Re:Cloud equivalent by Anonymous Coward · 2017-08-13 07:00 · Score: 0
  
  * It could be a real upgrade ( adding more or better features) even if the product was already bug-free before
  * It could be an update of the wifi-chip firmware to fix vulnerabilities discovered recently ( https://googleprojectzero.blogspot.fr/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html )
  * It could be a fix for something that was impossible to discover during development , and only once it was installed in a more diverse / real-world environment ( like a workaround for buggy internet boxes that blacklist some network traffic needed for the product)
  I say this because I did work on connected devices (not for this company) and those are real case I encountered for a firmware upgrade.
  But yes, it could also be a fix for a real bug. Let's be honest, absolutely 0 consumer electronic product launches without bug -- or it would cost 10x more and never sell.
  And IoT (or anything) MUST be upgradable, or you get this: https://flic.io/first-batch-lesson-learnt-hardware-early-assumptions/ or Chinese IP camera host to worms and botnet that can never be fixed because their firmware is in ROM.
12. Re:Cloud equivalent by Calydor · 2017-08-13 07:15 · Score: 2
  
  A hammer and chisel, crowbar etc. will always be a vulnerability.
  Remember, no lock is stronger than the door in which it sits.
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
13. Re:Cloud equivalent by AmiMoJo · 2017-08-13 07:36 · Score: 5, Insightful
  
  Their mistake was trying to build an impossible product: an internet connected, secure lock that people can rely on.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
14. Re:Cloud equivalent by Anonymous Coward · 2017-08-13 07:56 · Score: 0
  
  Or the wall that it is installed in, if it's a wood frame house one can always cut a hole through the wall next to the door and reach in to unlock it from the other side. Then again it's usually simpler to just break a nearby window and climb in through there and unlock the door for your accomplices.
15. Re:Cloud equivalent by ctilsie242 · 2017-08-13 08:13 · Score: 5, Insightful
  
  A lock is a relatively simple device, where the states are obviously known. Devices like this should ship and not need firmware upgrades from the factory. There are many embedded subsystems that cannot or will not be upgraded, so the people who made them did it right the first time, and didn't follow the philosophy of "it builds, ship it."
  A lock isn't rocket science. It also is the last thing you need fetching OTA updates. Instead, updates should be delivered via some physical means, if only to ensure someone is on site to test and verify functionality.
  Making sure a device doesn't brick itself is not impossible. I have an older Nook tablet that, if it doesn't boot after eight times, it automatically reloads itself from its original firmware, just so the device is usable in some degree. With a deadbolt, you might want a more secure way of failing, so having multiple areas where ROMs are stored, so if it fails to boot, it goes back to a previous ROM. That way, it might grab some bad code and brick a few times, but once the failed update is off the servers, it would fetch a correct one and be fine.
  Lesson learned from this... find a lock maker that treats their offerings as a security item, and not some throwaway IoT device.
16. Re:Cloud equivalent by Darinbob · 2017-08-13 08:43 · Score: 2
  
  Yup, the lock is owned by the customers, the customers should be told that there's an upgrade and then they apply it themselves.
  Also, there must always be a rollback mechanism, or a reset to factory settings.
17. Re:Cloud equivalent by Shoten · 2017-08-13 09:05 · Score: 1
  
  Yet another data point to underpin the motto "Never allow any data or access or service that you value to be controlled by Somebody Else's Computer"
  The problem here isn't that the data or access or service was controlled by someone else's computer...that's true of all software updates. It's that the process behind the update was controlled by someone else's business model. IoT is much like SCADA, in that there are physical consequences to cyber actions. As such, it's very important to maintain control of your own systems. This played out with Nest thermostats that pulled down updates without notice or warning...some of which bricked them. You had pipes freezing in winter in some homes as a result.
  So...when buying something that is IoT, ask the vendor (or look through the documentation) to find out how and when updates are done. Bad news: no OTA update option. Worse news: OTA updates that you have no control over.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
18. Re:Cloud equivalent by LynnwoodRooster · 2017-08-13 10:28 · Score: 1
  
  Because they probably got the PWM code for the blue lock LED strobe just that much smoother and so a better user experience?
  
  --
  Browsing at +1 - no ACs, I ignore their posts. So refreshing!
19. Re:Cloud equivalent by arth1 · 2017-08-13 10:35 · Score: 1
  
  Their mistake was trying to build an impossible product: an internet connected, secure lock that people can rely on.
  I'm an atheist, but amen.
  I can't upmod you because I've posted, but if anyone here have points to spare, look one up.
20. Re:Cloud equivalent by Anonymous Coward · 2017-08-13 13:21 · Score: 0
  
  You can say amen whether or not you are religious. It means the same thing.
21. Re:Cloud equivalent by arth1 · 2017-08-13 16:11 · Score: 1
  
  * It could be a real upgrade ( adding more or better features) even if the product was already bug-free before
  That's a good reason to release a new product. Not to foist an upgrade on people who might not want the "more or better features".
22. Re:Cloud equivalent by pixelpusher220 · 2017-08-13 16:49 · Score: 1
  
  users don't patch without prodding. And that's just software. Firmware isnt something users have even heard of.
  
  --
  People in cars cause accidents....accidents in cars cause people :-D
23. Re:Cloud equivalent by pixelpusher220 · 2017-08-13 17:07 · Score: 2
  
  The issue here isn't security...it wasn't compromised by attackers. The issue is redundancy in firmware upgrades and no ability to roll back. I get that it's likely massively expensive but remotely upgrading something that can go wrong requires proven backup measures for when things do go wrong.
  
  --
  People in cars cause accidents....accidents in cars cause people :-D
24. Re:Cloud equivalent by rtb61 · 2017-08-13 17:10 · Score: 1
  
  Does not matter. Imagine if that company was global with tens of millions of locks all shut down. A fuzted door lock used to mean just you and a lock smith, now they can shut down entire business and even countries. There need to be some regulations and penalties for widespread computer bugs going forward.
  
  --
  Chaos - everything, everywhere, everywhen
25. Re:Cloud equivalent by goose-incarnated · 2017-08-13 18:35 · Score: 1
  
  Their mistake was trying to build an impossible product: an internet connected, secure lock that people can rely on.
  Don't worry. They'll get it correct when they build a self-driving car that cannot be remotely hacked.
  
  --
  I'm a minority race. Save your vitriol for white people.
26. Re:Cloud equivalent by tlhIngan · 2017-08-13 18:45 · Score: 2
  
  Um, no. Allowing a firmware change mechanism is the flaw here, and should not be commended.
  The time to harden a lock isn't after it's sold.
  So tell me what internet-connected device, accessible from the internet, will be secure always?
  The reason this lock is there is because it can be accessed over the Internet. Presumably, the instant AirBnB, the owner and the customer agree, the lock will be auto-provisioned with a new access code, and the code activated for the duration of the stay. Once the stay is over, the code auto-deactivates and thus the visitors cannot re-enter the dwelling after their stay is over.
  Sure, you can do it old school and hand out keys, but those get annoying (and you can never be sure they haven't been duplicated). It's why most hotels use electronic door locks - when a guest checks in, the key cards are provisioned which also provisions the lock on their room. If you lose the card, they give out new cards and remove the old cards from the lock.
27. Re:Cloud equivalent by thegarbz · 2017-08-13 21:07 · Score: 0
  
  Yet another data point to underpin the motto "Never allow any data or access or service that you value to be controlled by Somebody Else's Computer"
  Unless they are better at controlling it by you. Quite frankly if history has proven anything it's that "your own computer" is by far the worst place for the data of the majority of people and even many major companies.
28. Re:Cloud equivalent by thegarbz · 2017-08-13 21:09 · Score: 2
  
  You're assuming security is black and white. Most locks aren't very secure and can easily be bypassed with a few seconds of lock picking. The goal is not to make something secure, but rather to make something secure enough.
  In a case where you need to hand over keys to strangers, an internet connection is by far not the biggest problem in the scenario.
  Now would I want an internet connected remotely unlockable safe for all my wealth? No.
29. Re:Cloud equivalent by thegarbz · 2017-08-13 21:13 · Score: 1
  
  A lock isn't rocket science.
  No but everything else on the device is computer science and bugs happen. A firmware update sounds preferable to having to send it back to vendor every time there's a problem. A firmware update sounds preferable to a major security flaw having been discovered.
  The problem is you're generalising. Maybe this firmware update was to change the LED to blink when unlocking. Maybe it was for something far more critical like an identified bug that makes it open by itself randomly that wasn't caught in testing.
30. Re:Cloud equivalent by Nocturna81 · 2017-08-13 23:32 · Score: 1
  
  * It could be a real upgrade ( adding more or better features) even if the product was already bug-free before
  That's a good reason to release a new product. Not to foist an upgrade on people who might not want the "more or better features".
  You're seriously arguing against adding more, free(!), value to an existing product you own? You'd rather buy a completely new device? I for one hate the planned obsolesce of consumer goods nowadays where I have to chuck out perfectly fine devices just because the manufacturer deemed it end of life without hope of an open sourcing of the software
31. Re:Cloud equivalent by Anonymous Coward · 2017-08-13 23:37 · Score: 0
  
  You sir, or madam, are a moron.
32. Re:Cloud equivalent by OolimPhon · 2017-08-14 03:00 · Score: 1
  
  You're seriously arguing against adding more, free(!), value to an existing product you own?
  Hooray! We found somebody who has never run Microsoft software! Office ribbon, anyone?
Ode for a key! by Anonymous Coward · 2017-08-13 04:33 · Score: 0

Is this not a solution trying to invent a problem and producing a miriad of new problems.
It's nice to have a Plan B by hyades1 · 2017-08-13 04:36 · Score: 1

Whenever you adopt this kind of new technology (or a novel application of older technology, for that matter), you have to be prepared for screw-ups. It goes with the territory. This was definitely a one of those, but if LockState is telling the truth, they're putting everything they have into fixing the problem. I would bet they'll also take steps to make sure this situation doesn't come up again.
I'm a lot less tolerant of situations where large, well-established software/hardware manufacturers cause major problems thanks to buggy updates, especially when the updates are jammed down the user's throat. How many horror stories have we heard about major security problems going unfixed for months after they were reported?

--
I've calculated my velocity with such exquisite precision that I have no idea where I am.
1. Re:It's nice to have a Plan B by arth1 · 2017-08-13 05:13 · Score: 2
  
  but if LockState is telling the truth, they're putting everything they have into fixing the problem
  Nothing less should be expected, but that does not in any way diminish what happened. It is also likely not out of a desire to do what's right, but to reduce the number of lawsuits.
2. Re:It's nice to have a Plan B by Darinbob · 2017-08-13 08:50 · Score: 2
  
  Fundamental problems exist though, and they have fixes. First, allow the device to rollback to previous firmware, or allow a reset to original firmware/configuration. That's almost mandatory for serious companies selling to serious customers, but it's often treated as unnecessary by silly companies selling to the consumer market.
  Second, put the customer in charge of when upgrades happen. The device belongs to the customer unless you're merely leasing it. Again, this is mandatory for serious companies selling to serious customers (and sadly, Microsoft isn't in this category anymore)
  Finally, always test any change, no matter how innocuous, do not ever believe the developers when they say the last minute change is safe. If you're the CEO of a company you do not want to put your company's fate into the hands of an underpaid and overworked low level manager or developer. Sadly, serious companies for serious customers screw this up all the time, but they can recover from the disaster because of the first two guidelines.
3. Re:It's nice to have a Plan B by Shoten · 2017-08-13 09:07 · Score: 1
  
  but if LockState is telling the truth, they're putting everything they have into fixing the problem
  Nothing less should be expected, but that does not in any way diminish what happened. It is also likely not out of a desire to do what's right, but to reduce the number of lawsuits.
  Indeed. And they should have put everything they have into not causing the problem in the first place. Not only has this sullied their name, it's impacted AirBnB as well. I doubt that AirBnB (who selected them as an official choice to recommend) will ever forget this.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
Software Engineers for the Win! by Anonymous Coward · 2017-08-13 04:37 · Score: 5, Insightful

Way to Go Software "Engineers". I can't wait for the self driving cars to roll out.
We are sorry that your self driving car veered off the road and killed all its passengers. We have isolated the bug to the periphery scanning routine. Please accept 1 Mo of free self-driving car time, or 1 Mo of free Uber/Lyft service, and this complimentary condolence ham. Remember, our liability is limited to the price of the software, please accept this 1499.99 as full compensation for the death of your relatives.
Your insurance is fully liable for the remaining costs, re: the 4 pedestrians that were killed. Our liability ends here, have a great day!
1. Re:Software Engineers for the Win! by stabiesoft · 2017-08-13 05:16 · Score: 1
  
  Why is this marked as a troll. Does the mod actually believe self driving car software is simpler than lock software? Does the mod actually believe the lock company was any less careful than the self drive company?
2. Re:Software Engineers for the Win! by Megane · 2017-08-13 05:27 · Score: 5, Funny
  
  Way to Go Software "Engineers".
  But they were the finest Millennials that stock options could buy!
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
3. Re:Software Engineers for the Win! by Anonymous Coward · 2017-08-13 05:49 · Score: 0
  
  Does the mod actually believe self driving car software is simpler than lock software?
  No.
  
  Does the mod actually believe the lock company was any less careful than the self drive company?
  Probably.
  The real reason was that the mod is a software engineer that thinks like typical software engineers: tech is inherently good, flaws are no big deal in comparison, and software engineers are scions of humanity which are beyond reproach by mere plebeians.
4. Re:Software Engineers for the Win! by Anonymous Coward · 2017-08-13 06:23 · Score: 0
  
  You say that like its not true
5. Re:Software Engineers for the Win! by Anonymous Coward · 2017-08-13 07:39 · Score: 0
  
  I don't think it is legal to limit your liability by contract for the above mentioned incidents.
6. Re:Software Engineers for the Win! by Anonymous Coward · 2017-08-13 09:13 · Score: 0
  
  *Why is this marked as a troll*
  Because human drivers actually did kill a couple of people while you were reading the post about how autonomous cars are going to kill people, one day, real soon now, maybe.
7. Re:Software Engineers for the Win! by CanadianMacFan · 2017-08-13 09:26 · Score: 2
  
  Why does it have to be self driving cars? There is at least one car company, Tesla, doing over the air software updates now and it has the possibility to brick your car any time. Why you "buy" your car you agree for these to happen without your knowledge.
  Imagine the damage done to Tesla if they did an over the air update that did brick their cars. In a way I would like to see it, not because I hate Tesla, but it would bring attention to the masses. A door lock isn't going to do it. And it would be better for this to happen early on and hopefully allow us to gain some control back before the self driving cars arrive. Let me delay the updates for a day because I have an important meeting tomorrow. Most people have lost control of when their computer updates.
8. Re:Software Engineers for the Win! by cyberchondriac · 2017-08-13 12:52 · Score: 1
  
  It's not marked troll anymore, but here on /., self-driving car tech has practically founded it's own religion, and you don't want to anger the priests by saying anything negative or pessimistic about the insidiously complex logistics or ramifications of the technology.
  
  --
  
  Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
9. Re:Software Engineers for the Win! by jdossey · 2017-08-13 13:06 · Score: 1
  
  Maybe they were outsourced.
10. Re:Software Engineers for the Win! by Anonymous Coward · 2017-08-13 15:31 · Score: 0
  
  Deeper than that. There is no such thing as a "Software Engineer". The closest you'll get is a formally trained engineer, preferably electrical, and expose to 5-10 years of real-world software development. That's a person who has developed intuition and solid design skills based on lots of math, logic and physics training.
  No way do these Facebook-ey Javascript slinging code monkeys with the title of "Software Engineer" have any sense of what engineering really is. And it shows.
IOT-based "security" product by Anonymous Coward · 2017-08-13 04:42 · Score: 1

What could possibly go wrong?
1. Re:IOT-based "security" product by Anonymous Coward · 2017-08-13 06:01 · Score: 0
  
  This is another reason why I work in the industrial sector rather than residential/commericial anymore, because stuff has to work 24/7 stuff like OTA updates aren't done for reliability reasons so as to avoid nonsense like this.
2. Re:IOT-based "security" product by CanadianMacFan · 2017-08-13 09:28 · Score: 1
  
  What, it stayed locked and kept people out. Some people are never happy.
QA testing.... by Minupla · 2017-08-13 04:45 · Score: 5, Insightful

I've seen it increasingly over the last few years, shortcuts on testing in order to get an update/new product out the door. This is short sighted. In a year, noone is going to remember it took you a week longer to get it out the door. People WILL remember if you brick all your devices.

--
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
1. Re:QA testing.... by Maximum+Prophet · 2017-08-13 05:42 · Score: 4, Informative
  
  If you are late delivering the product, you *will* be fired. If you send the product prematurely, you *might* brick the device, and have to stay up late fixing it. You decide.
  
  --
  All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
2. Re:QA testing.... by Anonymous Coward · 2017-08-13 06:13 · Score: 0
  
  But, But, But.... It's AGILE!!!
3. Re:QA testing.... by Anonymous Coward · 2017-08-13 06:28 · Score: 0
  
  People will remember for *some* time. Maybe for a month. Some of them maybe for a year. Only a few will remember for a whole life-time. People WILL defintely forget.
4. Re:QA testing.... by AmiMoJo · 2017-08-13 07:43 · Score: 1
  
  Even under the best of circumstances a firmware update will brick some percentage of devices. Some will have bad flash memory, some will have failed hardware (oscillators, RAM, peripherals, voltage regulators, capacitors etc.) such that the failure only becomes apparent when the update is applied.
  Thus you mus accept that every time you push out firmware remotely, you will get some customers who need urgent support to replace their safety and business critical hardware.
  Software vendors are so bad at this that companies have to employ IT staff to help recover from bad updates. All that is really new here is that people don't think of locks as IT that needs IT support, spares on hand and has a terrible failure rate.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
5. Re: QA testing.... by Anonymous Coward · 2017-08-13 07:58 · Score: 0
  
  And 'because CI/CD' ... awesome!
  More seriously, some form of on device, automatic blue/green would make sense. Like the display adapter asks 'can you read this screen? Reverting in 15, 14, 13... `in this case, some monitor to ensure that the device can revert to a prior policy and/or release...
6. Re:QA testing.... by Minupla · 2017-08-13 08:47 · Score: 4, Interesting
  
  In most companies I've worked in, *you* don't decide. You raise the risk to your risk management team, who breaks the bad news to the people who get paid to make the 'hot seat' decisions.
  So failure analysis suggests one of the following happened, all of which fall under the "QA" side of the business processes::
  1) QA was not thorough enough to detect that this firmware update would have enough of a worse failure rate to raise business risks to an unacceptable level.
  2) Risk management wasn't doing their job
  or
  3) Management made a poor business call on letting this go out, and didn't plan for the risk coming to pass (e.g. with pre-staged replacement devices, prepared messaging, etc)
  
  --
  On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
7. Re:QA testing.... by antdude · 2017-08-13 11:46 · Score: 1
  
  Ha. Or worse, no QA like MS. It is quite frustrating! :(
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
8. Re:QA testing.... by phantomfive · 2017-08-13 15:51 · Score: 1
  
  If you are late delivering the product, you *will* be fired.
  I've seen many late products (in one case, an entire year late), but I've never seen anyone fired because of it.
  
  --
  "First they came for the slanderers and i said nothing."
9. Re:QA testing.... by Anonymous Coward · 2017-08-13 19:23 · Score: 0
  
  I believe this is called "Agile."
10. Re:QA testing.... by thegarbz · 2017-08-13 21:15 · Score: 1
  
  You raise the risk to your risk management team
  Which one of the 3 people in my IoT startup is that?
11. Re:QA testing.... by Anonymous Coward · 2017-08-13 23:45 · Score: 0
  
  You.
12. Re:QA testing.... by Minupla · 2017-08-15 02:53 · Score: 1
  
  I realize that was probably a rhetorical question, but I'm gonna be that guy and answer it seriously anyways.
  In a way, that's the tough one. You NEED someone to be the 'risk champion' just like someone in the 3 of you needs to ensure the bills get paid. And maybe Mr AC is right and it should be you as you've at least shown the interest to get involved in my conversation. In a small company, your ability to recover from a risk event is very limited, but your chief asset is the ability to take risks, so you need to carefully decide which bets you're going to take. Also, one of the key dangers in a small group like yours is echo-chambering. Having someone whose job it is to look at risk in a structured manner is one of the best defenses against group-think in my opinion.
  They tend to be the folks who raise their hand and point out that doing a major project release on the day most of your customers are doing their end of month, when you're a key piece of that process is likely not worth the benefit of releasing a week earlier. (I literally once saw a release control meting go from all yes with one no to all nos in exactly that scenario).
  
  --
  On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
13. Re:QA testing.... by thegarbz · 2017-08-15 11:36 · Score: 1
  
  Yeah it was rhetorical and while you're right what you have is a lot of this thing that a lot of companies lack called "experience".
  This is just one very small part that is missing from the groups of people who think they can change the world for the better. It's one of the reasons so many small businesses fail, they underestimate just how complicated running a business can be. If lack of risk management doesn't kill them, then lack of policy, procedures, consistency, or any of that other boring non-agile stuff that's written down like those slow moving non-innovative multinationals who know nothing will.
  Risk management and business continuity are two subjects that even large experienced companies get very wrong. The only time you'll find some small IoT based company doing this is if their director(s) have had a previous failed company.
Young developer problems by Anonymous Coward · 2017-08-13 04:52 · Score: -1, Flamebait

This is exactly the type of shit that happens when you have millennial dipshits writing your code. Experience matters, a lot. Something the borderline millennial dipshits that run these companies don't understand.
Quite possibly the worst, stupidest, generation in the history of mankind.
1. Re:Young developer problems by Anonymous Coward · 2017-08-13 05:06 · Score: 0
  
  I wonder if they saved all those participation trophies.
2. Re:Young developer problems by arth1 · 2017-08-13 05:19 · Score: 2, Insightful
  
  This is exactly the type of shit that happens when you have millennial dipshits writing your code. Experience matters, a lot. Something the borderline millennial dipshits that run these companies don't understand.
  No. Some code should not be written.
  Find a different way.
3. Re:Young developer problems by The+Grim+Reefer · 2017-08-13 06:18 · Score: 1
  
  Quite possibly the worst, stupidest, generation in the history of mankind.
  Until the the next generation comes of age. My generation was the laziest, dumbest, etc. until the next one, then the one after that,and so on. Hell, this has been going on since Socrates, at least. Granted, I do find things millennials do and say baffling quite often, but I'm still not too old to remember hearing the same thing about my generation when we were up and coming too.
4. Re:Young developer problems by geantvert · 2017-08-13 06:20 · Score: 1
  
  I think that you put too much faith in the old generations. As far as I can remember, most companies have been releasing products containing shit codes. Most managers do not understand technical issues and that has nothing to do with millennials.
5. Re:Young developer problems by Anonymous Coward · 2017-08-13 11:24 · Score: 0
  
  The simple fact is, millennials have learned optimization. Like robots. If their parents continue to provide substantial resources, even when they are capable of supplying these resources themselves, then why not take advantage? This is a cruel, inconsiderate generation that has no problem stepping on and destroying their very own providers. An evil generation.
  Generation X was childish an immature but they never wanted to depend on and deliberately suck out resources from people they care about. These next generations are very different. These generations destroy lives and they don't even know it.
  I'm not exaggerating at all. Lets take one example: My daughter and her boyfriend make $100k per year in the US. They both still live at home, putting a drain on us as parents and despite many attempts to talk to them, they give NOTHING, literally nothing back. if it weren't for my grandkids, the innocents, then I would kick my kids to the curb but as it is I just can't do it. I hate this generation, they are literally sucking the life out of people that care about them and they have no personal responsibility at all. I love my kids and support them but at the same time I hate them and wish they would grow up!
6. Re: Young developer problems by Anonymous Coward · 2017-08-13 13:28 · Score: 0
  
  Sounds like your daughters generation has terrible parents.
THE BRICK! by Templer421 · 2017-08-13 05:11 · Score: 3, Insightful

Is the backup unlocking device.
Bricked the house by Anonymous Coward · 2017-08-13 05:14 · Score: 0

36, 24, 36, oh what a winning hand
'Cause it's a bricked-- house
It's mighty-mighty, just lettin' it all hang out
It's a bricked-- house
Ow, that lock is stacked and that's a fact
Ain't holding nothing back
Didn't they test the update on real locks? by Anonymous Coward · 2017-08-13 05:26 · Score: 0

Before pushing out the update one would assume the "engineers" tested the software for all versions of the locks and discovered the problem. Maybe it was tested and somehow become corrupted over the Internet, but then if it were tested by sending the update to the company's locks using the Internet the problem could have been discovered.
1. Re:Didn't they test the update on real locks? by Anonymous Coward · 2017-08-13 06:50 · Score: 0
  
  Yeah.."pushing out" an update. I pushed out an update today after my coffee. It was about the same quality as those updates "pushed out" by MSFT and most software "Engineers".
  I'd like to be able to be in control over which "pushed'" updates I get, thank you very much.
  Now excuse me, I have to stream out some content.
2. Re:Didn't they test the update on real locks? by Anonymous Coward · 2017-08-13 08:10 · Score: 0
  
  YOU would assume. Anyone with half a brain wouldn't.
Quote from LockState employee: by Kaenneth · 2017-08-13 05:46 · Score: 3, Funny

"Oh fuck, oh fuck, we're fucking fucked!"
1. Re:Quote from LockState employee: by Tablizer · 2017-08-13 05:54 · Score: 2
  
  More like, "Oh shit! Now only Microsoft will hire me."
  
  --
  Table-ized A.I.
World equivalent by Anonymous Coward · 2017-08-13 05:56 · Score: 0

Yet another data point to underpin the motto "Why do you need that high tech POS in the first place? You got what you deserved."
1. Re:World equivalent by Anonymous Coward · 2017-08-13 10:07 · Score: 0
  
  Because this device is aimed at absentee landlords (absentee hoteliers, actually) who don't want to actually have to visit their property to allow the clucks who rented it into the premises.
The PHB does not want to pay for QA! by Joe_Dragon · 2017-08-13 06:04 · Score: 1

The PHB does not want to pay for QA!
Wait, wait, wait... WHAT? by Opportunist · 2017-08-13 06:06 · Score: 4, Informative

Can I hear that again?

[...]causing the devices to lose connectivity to the vendor's servers[...]
So, lemme get this straight: These things, that lock my home doors, have a connection to their vendor, reacting to this vendor's command to unlock or lock my home. Did I get that right?
What sane person would WANT that in the first place???

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re: Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 06:37 · Score: 1
  
  *All* locks can be opened by the vendor, always. This was true in ancient Egypt, and has never changed.
2. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 06:39 · Score: 0
  
  What sane person would WANT that in the first place???
  Go and ask the people who bought into it. Pretty sure they're at least not certified insane, since able to buy locks for their houses.
  It is an interesting question which possibly might lead to insights as to why people buy into patently stupid things, like, oh, this one, or so many others in tech. Are they teachable? Can we reach out and tell them that it's a stupid thing and why this is so?
  Captcha: losers, which we'll all be if we refuse to learn. So we can't just say "oh they're losers", but we have to make them become less of a loser, with regard to nifty shiny tech like this at least.
3. Re:Wait, wait, wait... WHAT? by MMC+Monster · 2017-08-13 07:24 · Score: 1
  
  My wife wants me to look into this sort of thing for a door from the garage into the house. Take pictures when someone enters the house from that entrance and send a text to us if it's entered during work hours.
  Reason: My daughter is old enough to be coming home from the bus and enter the house on her own. My wife wants to make sure she isn't coerced into opening the house for a burglar/home invasion.
  Yeah. I think it's ridiculous (which explains my procrastination), but happy wife = happy life.
  
  --
  Help! I'm a slashdot refugee.
4. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 07:30 · Score: -1
  
  > These things, that lock my home doors, have a connection to their vendor...
  Yep.
  > ...reacting to this vendor's command to unlock or lock my home. Did I get that right?
  Almost certainly not. Let me reformat that sentence for you:
  On Tuesday, August 8, smart locks manufacturer LockState botched an over-the-air firmware update for its WiFi enabled [RemoteLock 6i] smart locks, causing the devices to lose
  * connectivity to the vendor's servers
  * the ability to open doors for its users
  Does that clarify things for you?
  Check their very-poorly-formatted FAQ page. It'll become obvious that WiFi is only needed for provisioning and updating the codes stored in the lock: http://lockstate.elevio.help/en/categories/10-faqs
5. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 07:35 · Score: 1
  
  you don't need a "smart lock" for that to get a text and a picture or video when someone opens a particular door. procrastinate a little more and do some actual research instead of latching on to the first and seemingly 'easiest' thing.
6. Re: Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 09:08 · Score: 1
  
  *All* locks can be opened by the vendor, always. This was true in ancient Egypt, and has never changed.
  This is mindbogglingly untrue. How did this get a modpoint? Go talk to any locksmith.
  That statement was true long ago for a couple thousand years. All locks within a city were made by the same locksmith-apprenticeship line and behaved the same. Skeleton keys did truly exist that were locksmith specific and would unlock anything they made.
  Today the only lock manufacturers (they don't "vend" their products like software companies) that can unlock what people install are ones that keep records of locks with serial numbers and those locks must not have been rekeyed at any time. Those situations are intentional and incredibly rare. No traditional residential lock has a serial number and the ones that do are typically professonally installed, rekeyed, and you would have to contact the locksmith, not the manufacturer on the other side of the planet.
  In any case, no lock manufacturer at any time could unlock someone's door remotely until the Idiots with Things revolution.
7. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 09:16 · Score: 1
  
  Procrastination is not a sign of happiness with the situation. She could always do it herself.
  
  happy wife = happy life.
  Giving up your say for someone else, putting their happiness above yours when they do not do the same, is your life really happy? Do you really have a fair say in your own life? /cynicism mode
8. Re: Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 09:47 · Score: 0
  
  Even if that was true it was never the case that the lock-maker could simply dial up a lock on the other side of the state/country/planet and tell it to unlock, or unintentionally do same with a poorly aimed "replace roller 2" command. At minimum they would require physical access by a human with an appropriate set of keys and/or tools, plus time to somehow read off the appropriate serial/ID/model numbers (assuming they are visible externally, which, shall we say, stretches credulity).
9. Re:Wait, wait, wait... WHAT? by CanadianMacFan · 2017-08-13 09:50 · Score: 1
  
  Connecting to the vendor's server is the whole point of the lock. That's how I can send you a virtual key that you can put on your phone. When you get near the lock you transfer it to the lock via BlueTooth. The lock needs to know about the key so there are two options. Either the lock can ask the vendor to validate the key or the vendor has sent a list of keys along with a set of restrictions (times, dates, days of week, etc) to the lock.
  Yes you could do it yourself but then you would need to have your own server or to go and be physically present to make the changes. For the average person it's not a hassle to be present the article is about Airbnb hosts and it's inconvenient if they have more than one property or they want to make changes while there guests are there (say they lost their phone).
  The other thing that the lock companies say is an advantage is that you can unlock the door if needed and you are away from home. For example a friend could drop by some stuff when it was convenient for them, give you a call to say they had arrived, and you could unlock the door for them, and lock it again when they had finished.
  I don't have one of the locks myself. Personally I would like one without the connectivity because I don't trust these companies to keep from being hacked. Or if they close down your lock is useless, except for possibly the current configuration (depending on how things work).
10. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 09:55 · Score: 1
  
  Procrastination is not a sign of happiness with the situation. She could always do it herself.
  
  happy wife = happy life.
  Giving up your say for someone else, putting their happiness above yours when they do not do the same, is your life really happy? Do you really have a fair say in your own life? /cynicism mode
  Beat me to it. I lived by that motto for my first marriage. Hint: it's bullshit. All it does is signal to the other person that you're a pushover. It kills respect and leads to escalating demands and ever more childish tantrums if you dare to even suggest that the latest "request" (read: demand, with cutesy act thrown in) might not be a good idea.
  Long term you're much better off treating your wife as an equal, not a child to be pampered and spoiled. If you disagree say so and make your point like you would with anyone else. Sure you won't always get your way, and sometimes you'll get the cold shoulder, but that's what adults do, and believe me when I say it beats the alternative.
11. Re:Wait, wait, wait... WHAT? by Carewolf · 2017-08-13 10:03 · Score: 2, Insightful
  
  Can I hear that again?
  
  [...]causing the devices to lose connectivity to the vendor's servers[...]
  So, lemme get this straight: These things, that lock my home doors, have a connection to their vendor, reacting to this vendor's command to unlock or lock my home. Did I get that right?
  What sane person would WANT that in the first place???
  Apparently people running illegal hotel services, and need a hotel key system for their "non-hotel" on airbnb.
12. Re:Wait, wait, wait... WHAT? by Rockoon · 2017-08-13 11:31 · Score: 1
  
  Check their very-poorly-formatted FAQ page. It'll become obvious that WiFi is only needed for provisioning and updating the codes stored in the lock
  The device is OTA programmable. Full stop, ignorant fuck.
  
  --
  "His name was James Damore."
13. Re: Wait, wait, wait... WHAT? by Overzeetop · 2017-08-13 11:42 · Score: 1
  
  Oh, I don't know. The last time I got locked out I called a local representative who sells locks and he came and unlocked it in a few seconds. No serial number, just a set of picks. These are residential locks, not some vault at a high security location which has been designed to be uncircumventable.
  
  --
  Is it just my observation, or are there way too many stupid people in the world?
14. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 18:22 · Score: 1
  
  Fortunately, the vendors are always the good guys, right?
15. Re:Wait, wait, wait... WHAT? by Anonymous Coward · 2017-08-13 19:54 · Score: 0
  
  The only reason why the lock would need any remote connectivity would be to revoke keys and to spy on whoever uses it.
  As long as you can live without that a lock could work with just key files cryptographically signed by the owner. No need to inform the lock about valid keys. Just store the appropriate public key inside the lock and create the key files later.
16. Re:Wait, wait, wait... WHAT? by goose-incarnated · 2017-08-13 21:06 · Score: 2
  
  procrastination), but happy wife = happy life.
  My observation is that all the men who say that are exceptionally unhappy.
  
  --
  I'm a minority race. Save your vitriol for white people.
17. Re:Wait, wait, wait... WHAT? by thegarbz · 2017-08-13 21:25 · Score: 3, Informative
  
  What sane person would WANT that in the first place???
  You think the only application for locks is one where you are in complete control. That isn't remotely true. Who would want this? Anyone who's main course of business relies on handing a stranger a key. The ability to control temporary locks digitally is far more security than a fixed easily copyable mechanism that can't be easily changed and is given to random strangers.
  Based on airbnb's stats alone I see 50 million applications.
18. Re: Wait, wait, wait... WHAT? by Opportunist · 2017-08-13 23:49 · Score: 1
  
  Even if that is true, the average maker of old fashion locks does not know which of his locks is used in what door. This vendor very obviously must know just that.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
19. Re: Wait, wait, wait... WHAT? by Opportunist · 2017-08-13 23:50 · Score: 1
  
  That says more about the quality of the lock than the honesty of the vendor.
  Depending on the lock, I can open it in a few seconds, too, with a set of picks. And no, I am not a vendor of locks. I'm just someone who picks them for fun.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
20. Re:Wait, wait, wait... WHAT? by Opportunist · 2017-08-13 23:51 · Score: 1
  
  Intelligently Designed Internet Of Things Systems, made for their acronym.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
21. Re:Wait, wait, wait... WHAT? by Opportunist · 2017-08-13 23:58 · Score: 1
  
  Make a counter offer. Offer to hire some bum off the street that neither you nor she knows but who claims you can trust him to act as your butler. You and your wife would surrender all keys to him, and he'd sit all day by the door and only open it if someone knows the secret knock. He'll also sit there all night and open the door for anyone who knows the secret knock. Of course only you and your wife, and kids, would know the secret knock, unless someone clever comes along and somehow finds out how to fake the secret knock. Or maybe the butler isn't that honest and has "friends" that he'll let in regardless.
  And if (or more likely, when) she asks if you're insane, ask her why she wants to buy a system that does just that.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Only apps can app apps! by Anonymous Coward · 2017-08-13 06:14 · Score: 0

This is just an Appernet of Apps app apping apps while apping other apps! Only LUDDITES hate apps!
Apps!
1. Re:Only apps can app apps! by Anonymous Coward · 2017-08-13 06:17 · Score: 0
  
  I think I love you....
Obvious by Anonymous Coward · 2017-08-13 06:33 · Score: 1

As it said in the article; people that put their homes up for rent on AirBnB.
1. Re:Obvious by Carewolf · 2017-08-13 10:04 · Score: 1
  
  As it said in the article; people that put their homes up for rent on AirBnB.
  They won't need this it if it was there home. And you can't have more than one home. If they are renting out multiple apartments they are landlords or hotel managers, and if they are doing it on airbnb, illegal ones at that.
This is why by Anonymous Coward · 2017-08-13 06:48 · Score: 0

This is why only dolts install supposedly smart devices.
two copies by sjames · 2017-08-13 07:14 · Score: 2

And the real lesson is that if you're going to do firmware updates like that, you need to ALSO have a backup in ROM that is at least good enough to get connected and re-flash the primary firmware, and a mechanism to boot into it.
Other useful precautions include only doing upgrades when explicitly permitted (so, not just before the owner takes his dream vacation when a screw up would ruin his week). Perhaps best of all, get it right the first time or at least try hard enough that you feel comfortable making updates a very rare manually initiated end-user procedure.
Does anyone even know what the update was supposed to actually fix? It seems the users weren't complaining before the update went out.
You think wrong. by Anonymous Coward · 2017-08-13 09:20 · Score: 0

And that's all thanks to Congress passing a law to make arbitration mandatory without also making it illegal for an arbitrator to be partial or providing a route for redress when an arbitrator gets the law wrong.
SCOTUS just plain got it wrong when they failed to rule that it is unconstitutional for the Legislative branch to delete the Judicial branch with a law.
1. Re:You think wrong. by Anonymous Coward · 2017-08-13 20:03 · Score: 0
  
  uhm, ok.(I am the AC talking about impossibility of limiting your liability). I wasn't talking about the US law specifically. I didn't know those things about forced arbitrationin USA.
  At least in my country the right to "ask help/protection from the courts" is written in the constitution. So unless they amend the constitution they can't pass a law forcing you to arbitration and not being able to go to the courts if you don't agree with the outcome.
Convenience and remote access trumps freedom? by jbn-o · 2017-08-13 11:27 · Score: 1
Corporate and proprietary software sycophants will no doubt claim to want that. Posters like you find right here on /.. But this is another situation where software freedom and fully-free software driven hardware could have saved people from experiencing the problems described. Users could be notified of an update, download the complete corresponding source code to that update (and the software already installed in their locks) and then do due diligence for their own locks: inspecting the complete corresponding source code and finding bugs, altering that software, and sharing their improved code with others (a job opportunity). Non-technical users (who, I imagine, make up the largest percentage of computer users and owners of these locks) could have hired people they trust to do this same inspection and improvement work on their behalf.
Instead users apparently get updates from the very organization they can't trust to render their locks inoperative ("bricked" locks) and angry customers await lock replacements.
I ask the same question you asked about many computer-driven things posters here claim to want:
- voice-controlled systems that always listen for the users to give the command word (TV remote controls, phones, stationary devices intended to sit in one's bedroom, kitchen, or living room),
- mic/camera devices that are not detachable from the computer (such as those built into most laptops and tablet computers) driven with proprietary software drivers and often attached to computers running proprietary software,
- computers featuring Intel's AMT or any workalike (a cryptographically-signed computer system separate from the main computer but connected to the system's bus thus granting AMT access to USB, sound, storage, and network and AMT works across any OS installed on the main computer). All of this backdooring is pitched to sysadmins as a management advantage which would be true if AMT were free software which the computer owner could sign with their key and remove any keys they don't want to keep.
On /. you'll find posters claiming to think highly of them all chiefly driven by either paid shills or convenience-seeking sycophants who don't foresee the obvious security and privacy implications of these horrible designs.
--
Digital Citizen