Who..?
... would use a wireless lock on their front door?
A pair of security researchers probing the Z-Wave home-automation standard managed to unlock doors and disable sensors controlled by the technology. Behrang Fouladi and Sahand Ghanoun took a long hard look at Z-Wave for their presentation at last week's Black Hat hacking conference in Las Vegas. The wireless standard dominates …
Wouldn't they just lose the RFID tag/key too? Unless you are planning to chip your parents like cattle...
No need to secure the keys to a person.
If you lose a regular key, you assume it's no longer secure and you change your locks.
It's the same for RFID, but "changing the locks" instead involves a mere few keystrokes decomissioning the single RFID key that was lost. Faster and cheaper than replacing your locks.
@AC 09:46 GMT
As others have asked already I also wonder how they are not going to lose the RFID tag.
No need to be aging though to get oneself locked out. Happened to me quite recently (or maybe I'm showing some age, too?!) and cost me a few hundred quid to open/replace the lock. I'm probably going to biometrics soon since it's rather difficult to forget ones hand inside the house when leaving. I'm fully aware of the possible problems with biometrics but for me that's just the right solution.
Hah, I was 11 when I was induced into climbing through a lavvy window to let in the responsible adult who'd locked us out. After I'd asked if he'd got the key.
No whining from me tho. A simple bribe to not tell my mother :) not sure how well this will fit into your child rearing toolbox
" I'm probably going to biometrics soon since it's rather difficult to forget ones hand inside the house when leaving. "
I had the great pleasure of experiencing state of the art consumer biometrics while visiting Universal Studios Islands of Adventure in Florida this year, where the lockers they provide are locked and released by fingerprint.
The biggest issue with the idea seemed to be the high levels of exhaustion exhibited by the people employed to unlock lockers that refused to open again, and the increasing levels of irritation of non-English speaking merry-makers who couldn't get their stuff and couldn't find the locker-opener-upperer. One French lady was reduced to tears by the swinish machine until I found someone to help her out.
I developed the theory it was down to changes in shape of peoples' fingers due to humidity and A/C since people would lock the lockers after standing outside in the heat and/or rain but unlock them after upwards of an hour in cool, dry air, though one of my lockers testily announced that it didn't like the cut of my jib, had quarantined my stuff and wouldn't even attempt reading my fingerprint until I had consulted a human. Presumably the computer was having a bad day and was tired of the names people were calling it.
I wish you well during the depths of a cold wet English winter as you struggle with your own front door. I suggest a backup keyed entry be installed and the neighbours alerted to the possibilities of strong invective.
"just get a key chain that attaches to a belt"
You know, it took me almost a year to figure out where the horizontal scratches on my new car were coming from. Seemed like every time I drove to the station I would return from work to find a new scratch.
Then I realized that fucktards with dogchains on their belts were dragging past my car while it was parked in the station carpark. I made a point of not parking next to SUVs or pickups after that and the problem was much mitigated.
Then there are those who proudly deploy the belt-mounted retractable key hawser. Why do morons think it is cool to carry a dozen keys and a bottle opener dangling off one hip?
"Why do morons think it is cool to carry a dozen keys and a bottle opener dangling off one hip?"
It isn't cool, but it *is* efficient. My keys are attached to an anodised bright red carabiner (with a torch in it!), all the time. In the house they are hung up in the same place. Out of the house they are on my belt (unless I'm dressed up, in which case in my computer bag or suit pocket). No-one else in my house does remotely the same thing - guess where the delays and panics come from when keys can't be found? I then get told off for being grumpy due to basic inefficiency.
I do take care not to scratch people's cars though - mainly by not squeezing through gaps between them!
To cut a long story short - you'll prize my keys from my cold, dead belt-loop!
Many businesses use such locks, this isn't just about homes.
As for why... the humble key was not originally chosen because it's the best possible way of securing a lock. It was chosen because at the time, it was the best solution afforded by modern technology. Assuming an old solution must be better than a new one is as bad as assuming a modern solution is better than a old one.
But the businesses don't use a wireless lock! The reader might be RFID, but it runs over a nice bit of cable inside the building to the main control box.
The wireless locks are for the lazy / cheapskate customers who want something swanky, but don't want the cost involved in doing it properly by laying cables around the house and redecorating afterwards.
"security through obscurity has, yet again, arguably proved to be worse than no security at all."
This is not true, there is a lock on the door and it will repel most potential burglars. The exploit shows that security through obscurity must always be considered as potentially flawed, but in the real world it still works most of the time.
Arguably my ass. That qualifier doesn't save yours this time :).
A thief (or a so-called locksmith in much of Europe) does not piss around picking a lock when it can be drilled or, more often, a window smashed.
Note that there are countermeasures to both attacks I describe above. The point is they will not waste their time trying not to fuck up your lock.
"A thief (or a so-called locksmith in much of Europe) does not piss around picking a lock when it can be drilled"
This is noisy, it attracts attention (especially if the barrel is hardened against drilling). As for snapping, an anti-snap lock will leave the thief holding a useless shard of metal with the lock still firmly in the door. Bumping? Well helloooooo anti-bump locks. Yes, if you buy a £10 piece of crap then your points hold. If, however, you throw some actual wedge at an actual lock you improve your chances. And one good lock at that, not six shitty ones weakening the door and frame
When we moved house we changed the locks after a few lock-picking classes. Eye-opener. Bumping is a piece of piss on a cheap lock. If you are reading this, own property and you haven't been to lock-picking classes, go.
The goal is not to be impenetrable - the goal is to be too much bother so bastards move on.
> And yet camouflage is still used even on armoured vehicles.
Nice try, and I did chuckle.
"Security by obscurity" is more like painting your armoured vehicle luminescent yellow and then getting all upset when people can see it. And, if you were the MPAA/RIAA/BPI demanding a law be passed to make it illegal for people to look at your luminescent yellow armoured vehicle rather than fix the actual issue.
Security is a myth. Look, a lock on a door only keeps honest people out.
And if the security on a house is "That" good that it can't be cracked, the next avenue of attack is a crowbar. Not on the locks themselves, but menacingly waved at the owner of the house.
Of course, if you don't wish to go down the direct physical route, there is always social engineering, and good old blackmail and extortion.
With any security, humans are the weakest link. And, well, you know the rest....
A burglar would have trouble getting into my home with a brick. I think they would struggle to throw it through the second storey windows and even if one did break it would require a very long set of ladders and draw a lot of attention from my neighbours.
Even more difficult would have been when I lived on the 20th floor.
So a burglar can't always get in using a brick, no matter how determined they are.
If you lived in an apartment that had fire code compliant doors they are designed to break open fairly easily. Even doors with steel doors with steel frames have weakness designed into the area on both sides of the knob and deadlock cylinders.
Unless you put your own security doors in then a cinder block will open almost any door. The thing the police carry is massive overkill.
and i was quite taken with this solution so i don't have to struggle to use keys to unlock the door when my hands a full of shopping or large boxes: http://www.kwikset.com/Kevo/Default.aspx
Kwikset? They can bolt on all the electronic bits and bobs they want, but when the SmartKey barrel itself can be picked or destroyed within 15-30 seconds it's all a bit moot.
http://www.wired.com/threatlevel/2013/08/kwikset-smarkey-lock-vulns/
This post has been deleted by its author
... can work.
A business near me was getting repeated break-ins without triggering the alarm, so had the alarm upgraded... same thing happened.
It only stopped when they installed some plain boxes with flashing LEDs. The burglars were familiar with the standard alarm systems and knew how to get around them, but the blinking light on a no-name box they were unsure of :)
Anonymous for obvious reasons.
Once again, Yale lock for when everyone is home in the daytime, plus mortise locks and bolts for the evening. Double glazing should stop all but the most determined bastard coming in through the window (but I've witnessed a fireman, who must have thought no one else was looking, deal with one of those with ease, during a fire emergency).
If the "key" was challenged by the "lock" replay wouldn't work.
Key says, "Hi I'm Mr Smith"
Lock says "Hi Mr Smith 15821547", which is a random number.
Key applies algorithm and says "Mr Smith 75452458"
Lock compares this to its own calculated answer and voila, the door unlocks.
This is so simple and so fundamental to security that not to implement it, is tantamount to assisting in a crime.
I've mentioned this technique before on The Reg, but it's worthy of mention again and again and again, until the muppets who sell "security" get it.
Er... did you read the article? The replay attack was on a wireless sensor not a door lock.
"Our attacker just identifies a lock on the network and sends it a new network key from his own network controller; the fickle door lock happily forgets its previous attachment and stands ready to respond to new commands, suitably encrypted using the new key, such as "open the door, please"."
The network key is part of the "algorithm" you mentioned.
That would help with the sensor example, but not the lock in this article. The security flaw here is that the lock was re-paired to a new controller, which then told it to open. The authentication was done correctly, and the door opened as commanded - only it was told to do so by the intruder's controller, not the house's correct one.
Are you serious?! You trust your house security to a £20 tin box from Wilkos?
Locating it out of sight means the person who opens it with a tin opener won't be observed in the 30 seconds it takes them to do this.
Give your spare key to a trusted neighbour, and use the £20 to buy them some wine/chocolates.
I suggest that Anonymous replier to my message looks at the particular key safes from Wilkos before making comments. The key safe that I bought is made of hardened steel. In fact, very similar ones are provided by some Social Services departments to older people.
I use Lightwave RF (a similar standard to Z-Wave) at home, and had considered using a wireless-controlled relay to open and close my electric garage door. Then I thought about the protocols, looked into it's security, and found almost half a dozen ways of triggering the relay from outside; in some cases no prior knowledge of or access to the network was needed. Truly scary!
In the case of LWRF it's not a case of flawed implementation, but simply no security in the design whatsoever.
All of these manufacturers need to either take security seriously, or make it clear in big writing on their packaging that it shouldn't be used for anything security or safety related. I can cope if some criminal wants to turn my fountain on and off, or even flash my house lights - but wouldn't use any of these technologies anywhere near a security or safety device unless they make massive improvements in security.
As far as I know, ALL security relies on some form of obscurity. Most times it's something we know that we don't have, like a password, the secret key etc. Security through obscurity is the norm in the computer industry. As we all know, having a transparent process that everyone can see is not a guarentee of security either. We have lots of open source software where we continue to find security flaws, even years after the code is released.
We find exploits in the wild for open software before those that have code for the process know that there's a hole. I agree that having a flawed security stack and obscuring it is not a guarentee that the flaws won't be found out. It's also true that by obscuring the stack, it took the researchers a bit more effort to break into the system than it would have if they'd had all the specs and code in front of them to begin with.
The combination on those keysafes is not that impressive - both the cheapie and expensive ones use the same system. Pick 1 to 9 numbers as the combination. However, the order is irrelevant 1234=2341=4231 etc reduces the possibilities quite a bit, They are tough buggers when properly fitted to a wall though.
Wireless is really stupid for alarm sensors. Alarms by default go off if they detect jamming. So you repeatedly "jam" the frequency/band without attempting entry. Then when the alarm doesn't go off, you break a window at the rear. You park the white van in front or even the driveway. During the day! Carry everything out by the front door (Mains angle grinder at bolts if a deadlock).
Locks and wired alarms are a deterrent. Wireless alarms are an illusion for Cheapskates that don't want 4 core alarm wiring.
To get those who have the items to subscribe to a service that has a (unreasonable) monthly fee. No more, no less.
If they were "open" then they couldn't count on the subscription fee (where the $$$ is) and couldn't sell the items. I see ads for these things (nice wireless front door goodies) and they tout nice iPhone apps. The problem is that they use MY internet connection to do all the dirty work, and charge me a monthly fee. Sorry, that doesn't work for me.
I'll stick with locks and keys for now.
As for 'alarms': I built up a little box that had a couple of batteries in it and just blinked a nice LED. It had a nice looking keyswitch, and an antenna. It cost about $5 total to make (the box was a big factor). I used it on a storage locker, but the blinking light drove one of the other tenants crazy and I needed to remove it. After that, the storage locker was broken into. I will fight better next time.