Master Lock Smart Padlock

Grade: F (Fail)
Master Lock · 🇺🇸 United States · WiFi + Bluetooth
Technical details
App: Master Lock Vault eLocks
Manufacturer: Master Lock

⚠️ The bottom line

Master Lock, the company synonymous with "lock", shipped a smart padlock whose API hands the primary unlock code to guest users, whose revocation does not actually cut a guest off, whose anti-theft PIN sits in plaintext on the device, and whose audit log an attacker can forge or suppress. The digital lock ends up less secure than a $5 combination padlock from 1970. The findings were presented at USENIX WOOT 2025 by researchers who could not believe what they found.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Spying: 0/4 N/A (Is someone spying on me?)
Data Sharing: 0/4 N/A (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 0/4 N/A (Can I trust what they say?)
CONFIGURE: high-risk areas that can be partially mitigated with settings changes.
Contradictions: 1 · Critical: 1 · High: 0 · Medium: 0 · Sources: 2
Findings by concern
Security: 3/4 HIGH (1 finding)
⚠️ Critical: marketing vs. third-party research

What they claim: Master Lock markets its smart padlocks as convenient, secure access control.

What we found: researchers presenting at USENIX WOOT 2025 found that the Master Lock smart padlock API leaks the primary unlock code to guest users, who keep access even after their share is revoked. The mobile app is unobfuscated, API endpoints use hard-coded static credentials, the anti-theft PIN is stored in plaintext on the device, and malformed Bluetooth messages cause a denial of service. Attackers can also forge audit events and suppress real ones.
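To make the first finding concrete, here is an added illustrative model of the failure class (leaking the primary code to a guest, so server-side revocation has nothing to revoke) next to a capability-token design that does not have the problem. This is example code written for this page; it is not Master Lock's API, the app, or the WOOT 2025 researchers' code, and every name in it (LeakyPadlock, CapabilityPadlock, the sample code "4827") is invented for the example.

```python
"""Illustrative model of the "leaked primary code" failure class.

Added example, not Master Lock's API or the WOOT 2025 paper's code.
All class, method and value names are hypothetical.
"""
import hashlib
import hmac
import secrets


class LeakyPadlock:
    """Flawed design: sharing returns the owner's primary unlock code.

    Revocation only deletes the guest record on the server. The lock
    itself has no notion of guests, so anyone who ever saw the primary
    code keeps opening it after revocation.
    """

    def __init__(self, primary_code: str) -> None:
        self.primary_code = primary_code
        self.guests: set[str] = set()

    def share(self, guest: str) -> dict:
        self.guests.add(guest)
        # The API response hands the primary code to the guest.
        return {"guest": guest, "unlock_code": self.primary_code}

    def revoke(self, guest: str) -> None:
        self.guests.discard(guest)  # server-side only; the lock never learns

    def unlock(self, code: str) -> bool:
        return hmac.compare_digest(code.encode(), self.primary_code.encode())


class CapabilityPadlock:
    """Hardened design: guests get a per-guest, expiring capability.

    The capability is an HMAC over (guest, expiry) under a secret that lives
    in the lock. The primary code is never transmitted, and the lock itself
    enforces expiry and a revocation list (in a real device the list is
    synced on the next app contact; the short TTL bounds the offline window).
    """

    def __init__(self, primary_code: str) -> None:
        self.primary_code = primary_code
        self._lock_secret = secrets.token_bytes(32)  # never leaves the lock
        self.revoked: set[str] = set()

    def _tag(self, guest: str, expiry: int) -> str:
        msg = f"{guest}|{expiry}".encode()
        return hmac.new(self._lock_secret, msg, hashlib.sha256).hexdigest()

    def share(self, guest: str, ttl_s: int, now: float) -> dict:
        expiry = int(now) + ttl_s
        return {"guest": guest, "expiry": expiry, "token": self._tag(guest, expiry)}

    def revoke(self, guest: str) -> None:
        self.revoked.add(guest)  # enforced by the lock, not just the cloud

    def unlock_with_token(self, cred: dict, now: float) -> bool:
        if cred["guest"] in self.revoked or now > cred["expiry"]:
            return False
        expected = self._tag(cred["guest"], cred["expiry"])
        return hmac.compare_digest(cred["token"], expected)

    def unlock_with_primary(self, code: str) -> bool:
        return hmac.compare_digest(code.encode(), self.primary_code.encode())


def demo() -> dict:
    """Runs both designs through share -> revoke -> attempt and reports results."""
    leaky = LeakyPadlock("4827")  # constructed sample code
    cred = leaky.share("guest1")
    leaky.revoke("guest1")
    leaky_after_revoke = leaky.unlock(cred["unlock_code"])  # still opens

    hard = CapabilityPadlock("4827")
    t0 = 1_700_000_000.0  # constructed timestamp
    cap = hard.share("guest1", ttl_s=3600, now=t0)
    ok_before = hard.unlock_with_token(cap, now=t0 + 60)
    tampered = dict(cap, expiry=cap["expiry"] + 86400)  # guest edits expiry
    ok_tampered = hard.unlock_with_token(tampered, now=t0 + 60)
    ok_expired = hard.unlock_with_token(cap, now=t0 + 7200)
    hard.revoke("guest1")
    ok_after = hard.unlock_with_token(cap, now=t0 + 120)

    return {
        "leaky_after_revoke": leaky_after_revoke,
        "hard_leaks_primary": "unlock_code" in cap,
        "hard_before": ok_before,
        "hard_tampered": ok_tampered,
        "hard_expired": ok_expired,
        "hard_after_revoke": ok_after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is where revocation is enforced: in the flawed model the only secret the guest needs is the primary code, so no server-side bookkeeping can take it back, whereas a capability bound to the guest and an expiry can be refused by the lock itself, and a forged or extended token fails the HMAC check.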
