What we found
Eufy Smart Lock: FSmart lock that sends your entry patterns to the cloud. Eufy already lied about local-only storage once.
Security researcher Paul Moore proved on November 23, 2022 that eufy devices uploaded facial recognition thumbnails to AWS cloud servers without consent. Unique facial IDs were shared across different user accounts, proving a cloud-side facial recognition database existed. Anker CEO admitted the breach in January 2023. New York AG investigation confirmed video streams were not always encrypted and were accessible without authentication. Eufy silently removed ten "privacy promises" from their website on December 8, 2022.
Assure Lock SL: FYale calls its smart lock "enterprise-grade protection." At DEF CON 2016, researchers hacked 75% of Bluetooth smart locks wirelessly, from outside the door.
At DEF CON 2016, researchers hacked 75% of Bluetooth smart locks wirelessly. A broader study found 14 of 18 commercial BLE locks remain vulnerable, affecting 20 million users. When researchers contacted vendors, response was "we know it's a problem but we're not gonna fix it."
Saflok Hotel Locks: FEvery Saflok hotel lock installed since 1988 could be opened with $50 of hardware and two blank cards.
In March 2024, researchers Lennert Wouters and Ian Carroll disclosed "Unsaflok" — a vulnerability affecting every Saflok lock deployed since 1988. Using $50 of off-the-shelf hardware (a MIFARE Classic card writer), they could create a master key for any Saflok lock in any hotel. 3 million locks across 13,000 properties in 131 countries were affected, including Marriott, Hyatt, IHG, and Wyndham hotels.
Master Lock Smart Padlock: FMaster Lock — the company synonymous with "lock" — made a smart padlock where: the API leaks the unlock code to guests, revoking access doesn't work, the ant...
USENIX WOOT 2025 researchers found the Master Lock smart padlock API leaks primary unlock codes to guest users — who retain access even after revocation. The mobile app is unobfuscated, API endpoints use hard-coded static credentials, the anti-theft PIN is stored in plaintext on the device, and malformed Bluetooth messages cause denial-of-service. Attackers can also forge audit events and suppress real ones.
Eufy Smart Lock C230: DFingerprint lock from the company that secretly uploaded your camera footage to AWS.
Eufy/Anker was caught secretly uploading camera biometric data (facial recognition) to AWS cloud despite identical "local-only" marketing claims. BIPA lawsuit allowed to proceed in Illinois (Jan 2024) after evidence showed facial recognition thumbnails uploaded to AWS even when cloud storage was disabled. Same company, same app (com.oceanwing.battery.cam), same marketing language — proven false for cameras, now applied to fingerprint data.
Wyze Lock: DThe company that let strangers watch your camera feed now wants your fingerprints and your front door.
Dec 2019: Elasticsearch database with 2.4M customers' records exposed on open internet for 23 days. Leaked: emails, camera device IDs, Wi-Fi SSIDs, body metrics from Wyze Scale, Alexa tokens. Found by Twelve Security, not Wyze. Class action: Schoolfield v. Wyze Labs (2020).