Abusing the Internet of Things


[Figure 2-10. Sending electronic keys to external parties]


However, someone with a new iPhone that has never been programmed can just download the Kevo app and open the door, as long as that person is able to guess or obtain the password and sign into the app. Though the app implements security mechanisms to control the password, a case could be made that the lock could be made more secure by requiring the pairing of a new device to use the program button even when the password is known.

This brings us to the issue of physical access to the lock itself. Lock bumping using various methods is a known art and a technique that many individuals have perfected. In fact, when the Kevo lock itself was tested against bumping, individuals were able to bypass the physical key mechanism.

Physical bumping is a known issue affecting many locks, but in addition the mobile app feature implemented in Kevo can allow someone with an iPhone and temporary physical access to the lock to reprogram the lock within seconds to associate with a new device—in essence, virtually bumping the lock. This can easily be done by holding the reset button shown in Figure 2-12 for a few seconds and then following the steps in Figure 2-11 to associate the lock with a new device. Someone with temporary physical access to the lock can easily do this without having the skills to physically bump the lock, which requires additional training and tools.


CHAPTER 2: ELECTRONIC LOCK PICKING—ABUSING DOOR LOCKS TO COMPROMISE PHYSICAL SECURITY
