LockState accidentally bricks hundreds of locks through a failed firmware update
When those invisible updates aren't so invisibleBy Cal Jeffrey 9 comments
The Internet of Things (IoT) has been growing at a rapid rate. It seems that every day there is a new connected product that is designed to make our lives easier. Some have connections that are obvious; smart speakers and televisions are good examples. Other products are connected in an unobtrusive way and simply download updates without you even knowing.
LockState's RemoteLock LS-6i is just such a device. The LS-6i is a lock designed to be used on home or business doors. It is very popular for Airbnb businesses because the knob has a programmable keypad, which is excellent for generating guest codes. The lock is equipped with wifi, which allows for remote control, as well as for keeping the firmware updated quietly in the background.
Last week owners of the 6i began finding themselves locked out of their residences and businesses. Customers started flooding Twitter with complaints.
@lockstate Update your Twitter feed on massive 6i/6000i lock failure. 14-18 days for a replacement? All #Airbnb Guests locked out #lockstate--- Paul Falworth (@pfalworth) August 8, 2017
@LockState #nosupport #techsupport nonexistent. Upgrade has knocked out my #6ilock. #theydontcare. #buyersbeware #jacklegs--- paul robert (@PRobert406) August 8, 2017
LockState CEO Nolan Mondrow sent out an email to impacted customers explaining that the lock failures were due to a "fatal error" caused by a bad firmware update. Worse yet, the error prevented the components from connecting to the company's servers. Therefore, remotely fixing the software was impossible.
"We realize the impact that this issue may have on you and your business, and we are deeply sorry," Mondrow apologized. "Every employee and resource at LockState are focused on resolving this for you as quickly as possible. We hope that you will give us a chance to regain your trust."
At least 500 LS-6i customers had been affected including as many as 200 Airbnb businesses. According to Kaspersky-run blog Threatpost, the update also bricked 10 other LockState products. Most of the customers voicing complaints on Twitter are unimpressed at the time it is taking for the company to handle the situation.
@lockstate Your firmware update bricked at least 500 locks. Very costly. Replacement in 14-18 days? Email response over 12 hours? Not OK.--- Coffee Review (@coffeereview) August 8, 2017
I sent an email. You are on the clock. Still unsatisfactory with how @LockState has handled this. #someoneshouldbefired--- paul robert (@PRobert406) August 8, 2017
To fix the problem, bricked devices have to be sent back to LockState for a manual reset, which takes five to seven days. Customers may also opt to receive a replacement lock and send back the faulty unit. Inexplicably this process takes much longer - two to three weeks. The company claims that it has fixed 60 percent of the failed devices. At that rate, it looks like the remainder of the locks should be taken care of by the end of this week.
In addition to paying all shipping costs, the firm is including one year of its premium LockState Connect Portal free to impacted customers.