by superuser2 4561 days ago
If you alter nothing when you replay the signal later, the door won't open because the "number used once" was used twice and/or the timestamp is wrong.

In order to arbitrarily generate a correct unlock signal, you would need to know the phone's key so as to encrypt and sign an unlock message containing the correct date. You can't do that unless you've broken the crypto.

Are you talking about moving the radio signal between the victim and the door live while he's out and about? That's clever, but the attack could be easily precluded by requiring his approval (on the phone) before sending an unlock message. Which he won't give unless he's at his front door.

I see the product includes Automatic Unlock as a feature, but as long as it's optional I see no problem. Unless your threat model includes Ocean's 11-style thieves and government agents, that's pretty freaking unlikely; anyone that sophisticated would probably have an easier time picking your $25 deadbolt, social engineering the landlord, breaking a window, etc. anyway.

If your threat model does include these things, what are you doing buying consumer security hardware anyway?


The threat model will eventually include these things if automatic unlock becomes the norm. Why be the first to experience theft at the hands of someone savvy enough to have an EMG mirror? It's not hard to make an EMG mirror for Bluetooth frequencies with two Arduinos or Raspberry Pis. It's literally a weekend project. I don't know why you're saying this attack requires Ocean's Eleven-style planning. It's more of an amateur hobby project than anything intellectually clever.

And you can buy one for less than $100: http://www.sena.com/products/industrial_bluetooth/sd1000.php

So let me see, EV of robbery equals: price of MacBook + TV + jewelry, etc., etc., etc. minus $100

Seems likely that you are gonna be robbed if anyone with mal-intention has any grain of understanding of how easy it is to mirror an auto unlock signal...

Kwikset is already the norm, but the burglars in my area almost exclusively hit open garages, break windows, or pry open doors.

Picking and bumping these locks requires cheap, dumb hardware and minimal skill. Your attack requires two operatives and some tradecraft - choose a target that uses August and has auto-unlock turned on, shadow him, get within Bluetooth range at an opportune time, etc. It requires planning, skill, and coordination. That's a bit harder than bumping a Kwikset or breaking a window.

Also, some possible electronic countermeasures (in software):

1) Confirm proximity to the door with a GPS fix before sending an unlock signal. Require confirmation if location is unavailable. Yes, civilian GPS can be spoofed, but that's a pretty sophisticated hack for a burglar. We're now at a difficulty level on par with defeating even the most expensive mechanical locks.

2) Always ping the user when an automatic unlock signal is sent. If your phone tells you it's just opened your door while you're at Starbucks, you know there is an intrusion in progress and you can call the police.
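As an added example that is not part of this thread (and not August's own protocol, which nobody here has described), the following Python sketch puts the two halves of the discussion together on the lock side: the nonce-plus-timestamp check from the first comment, which stops a recorded signal from working when it is replayed later, and the countermeasures from the last comment, where an automatic (unapproved) unlock is only honoured if the phone supplies a GPS fix within a short distance of the door, is otherwise turned into a confirmation request, and always leaves a notification event for the owner. The pairing key, the distance threshold, the 30-second window and the coordinates are all constructed for the demo; a symmetric HMAC key is assumed purely for simplicity. Note what the freshness checks do not do: a signal relayed live is fresh, which is exactly why the proximity and approval policy sits after them.

```python
import hashlib
import hmac
import json
import math
import secrets

# Constructed pairing key shared by the phone and the lock (assumption: a
# symmetric key provisioned at pairing time; the real product's scheme is
# not described in the thread).
PAIRING_KEY = b"constructed-pairing-key-for-demo"
TIMESTAMP_WINDOW_S = 30      # how stale an unlock message may be
MAX_AUTO_UNLOCK_DIST_M = 50  # GPS fix must be this close for an automatic unlock


def _canonical(body):
    # Deterministic serialisation so phone and lock sign exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_unlock_message(key, now, approved, fix=None, nonce=None):
    """Phone side: sign an unlock request carrying a fresh nonce and timestamp."""
    body = {
        "nonce": nonce or secrets.token_hex(16),  # "number used once"
        "ts": int(now),
        "approved": bool(approved),   # True only if the user tapped "unlock"
        "fix": fix,                   # (lat, lon) GPS fix, or None if unavailable
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def _distance_m(a, b):
    # Haversine great-circle distance between two (lat, lon) pairs in degrees.
    r = 6371000.0
    la1, lo1, la2, lo2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


class Lock:
    """Lock side: verifies signature, freshness and proximity; remembers nonces."""

    def __init__(self, key, location):
        self.key = key
        self.location = location   # (lat, lon) of the door, set at install time
        self.seen_nonces = set()   # in practice pruned once older than the window
        self.notifications = []    # events the owner's phone would be pinged with

    def handle(self, msg, now):
        body = msg.get("body", {})
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return "deny:bad-signature"          # forged or tampered message
        if abs(now - body["ts"]) > TIMESTAMP_WINDOW_S:
            return "deny:stale-timestamp"        # recorded long ago, played later
        if body["nonce"] in self.seen_nonces:
            return "deny:nonce-reused"           # byte-for-byte replay within window
        self.seen_nonces.add(body["nonce"])
        if not body["approved"]:
            # Automatic unlock: insist on a GPS fix near the door, otherwise
            # fall back to asking the user to confirm on the phone.
            if body["fix"] is None:
                return "deny:confirmation-required"
            if _distance_m(tuple(body["fix"]), self.location) > MAX_AUTO_UNLOCK_DIST_M:
                return "deny:too-far"
            # Always record a ping so the owner learns the door opened automatically.
            self.notifications.append(("auto-unlock", body["ts"]))
        return "open"


if __name__ == "__main__":
    door = (37.7749, -122.4194)   # constructed door location
    lock = Lock(PAIRING_KEY, door)
    t0 = 1_700_000_000
    msg = build_unlock_message(PAIRING_KEY, t0, approved=True)
    print(lock.handle(msg, t0))        # open
    print(lock.handle(msg, t0 + 5))    # deny:nonce-reused
```

The decision order matters: the signature is checked before anything else so that no unauthenticated field (including the timestamp or the GPS fix) influences the outcome, and the nonce is recorded before the policy checks so that a message denied for being too far away cannot be presented again later from a better position.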