FWIW, there seems to have been another attempt (about a year later) to bring these issues to the company's attention, also without success:
> 1st September 2023 - Initial contact - Multiple points of contact within eLinkSmart e-mailed with a high-level description of the issues and proof-of-concept code.
> 19th September 2023 - Follow-up after no response from vendor.
> 11th October 2023 - Follow-up after no response from vendor. Intention to publicise findings communicated.
> 8th December 2023 - Public presentation of findings at BSides London.
> 6th February 2024 - Blog post publication.
https://labs.withsecure.com/publications/elinksmart---unlock...
Here are some lessons from this:
1) One of the most important aspects of software is support. No support means an insecure device.
2) Devices should state when they will stop receiving security updates. People should stop using devices once they stop receiving updates.
3) Do not buy from manufacturers who do not state how long they support a product or do not tell you when they stop supporting a product. Note that putting a notice on a page buried in a website is not good enough. The product itself should tell people when it is no longer receiving security updates.
Good idea in general, but kinda missing the mark here.
All of the problems seem to stem from the bad server-side implementation. The company could have fixed all of them with just a server-side upgrade, worst case with a mobile app upgrade. The lock itself or its firmware does not need to be modified.
Also, those locks are still being sold, so the after-purchase support does not matter - the locks come broken at the time of purchase.
(yes, the BLE protocol is vulnerable to sniffers and the built-in password persists even after a full reset. But I think those are pretty insignificant problems given the glaring other problems, and might not be deal-breakers in a lot of cases)