At the USENIX WOOT 2025 conference, researchers from the University of California San Diego exposed multiple vulnerabilities in Master Lock’s D1000 Smart Padlock and its Vault Enterprise app ecosystem. Their paper “No Key, No Problem” detailed how attackers could exploit design flaws to reopen locks, bypass revocation, and tamper with audit logs.
The investigation revealed a fundamental truth: smart-lock ecosystems remain poorly integrated with enterprise identity governance. Encryption alone doesn’t ensure control if the access lifecycle is not linked to a trusted identity source.
The team uncovered five critical weaknesses now broadly recognized across the smart-lock industry:
Expired-Key Persistence – Locks continued accepting credentials even after user revocation.
Session Replay – Reusing BLE traffic allowed unauthorized access.
Audit-Log Manipulation – Logs could be deleted or falsified.
Clock Tampering – Adjusting local time extended authorization windows.
Malformed Messages / Firmware Flaws – Weak message validation and memory safety.
For operators of critical infrastructure — energy networks, transport assets, utilities — these are more than software issues. They directly violate the CER and NIS2 principles of continuous control, traceability, and auditability.
When digital identity and physical access are managed in separate systems, revocation delay and shadow credentials become inevitable. An employee removed from Entra ID may still retain a working digital key in a lock vendor’s cloud.
This gap undermines both security and compliance, exactly what the WOOT 2025 research demonstrated in practice.
Key2XS was created to remove that governance gap. The platform connects enterprise identity management with vendor-specific locking systems, enforcing a unified and policy-driven access model across IT and OT domains.
Supported integrations include:
IAM platforms: Microsoft Entra ID, SailPoint, Okta, One Identity, OpenText
Locking systems: ASSA ABLOY eCLIQ/PROTEC², iLOQ S5/10/50, DOM Tapkey, SimonsVoss
Key2XS has filed two patents that directly address the vulnerabilities highlighted at WOOT 2025:
Patent #1 – Identity-Linked Physical Access Provisioning
Defines a mechanism that binds key or cylinder authorization directly to IAM entitlements.
When a user is disabled, access to any associated lock or cylinder is revoked automatically, closing the “exceeding access” loophole identified in the Master Lock study.
Patent #2 – AI-Based Key Plan Automation and Anomaly Detection
Introduces an AI engine that generates, validates, and continuously audits key-to-identity mappings.
It detects discrepancies, stale credentials, and misuse patterns, ensuring audit integrity and early risk detection across thousands of field assets.
Together, these patents establish a vendor-neutral access control framework that ensures every lock event can be traced back to a single, governed digital identity.
During migrations, for example, from SailPoint to Entra ID or vv, or from CLIQ to iLOQ or vv, the risk of overlapping or inconsistent authorizations peaks. Key2XS’s patented synchronization layer enables parallel operation of old and new systems while maintaining continuous policy enforcement and complete audit logging.
This eliminates the downtime and uncontrolled access typically seen in large-scale transitions.
Under CER and NIS2, operators must demonstrate that physical and logical access rights are:
centrally governed,
instantly revocable, and
fully auditable.
Key2XS enforces these requirements automatically and provides tamper-evident logs suitable for both internal audit and regulator inspection.
The WOOT 2025 research serves as a wake-up call for the entire access-control industry. Smart locks have evolved faster than their governance models and that imbalance is now a security risk.
With its patented technologies, Key2XS delivers the missing integration layer between identity and infrastructure. It prevents the replay, persistence, and audit-tampering flaws observed in uncontrolled ecosystems and guarantees continuity even during IAM or lock vendor migration.
Key2XS: bridging digital identity and physical access, securely and provably.
Because in critical operations, no key should ever mean no control.