No need for any sniffing or surveillance to get into other Bluetooth locks
https://www.youtube.com/watch?v=PqeWupKN2W0
Bosnian Bill reviews the Noke and then shows a foolproof method to pick it without a smartphone or computer.
Attackers can locate and pop safes protected with high security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon. The SecuRam ProLogic B01 locks are badged as the industry's only Bluetooth-packing lock for safes that can be paired with smartphones. The researchers (@ …
The phone as a key has promise. No limit on the number of keys + secure storage/high end crypto.
You can (in theory) generate strong crypto keys on the phone crypto module which cannot be retrieved on most high end phones without 3-letter class equipment to dissect the phone and physically extract the contents of the TPM.
From there on, it is trivial to implement a lock-key application. The lock runs a mini-CA, you submit your new key, the CA signs it and gives it back to you. If you can secure _THIS_ part, the cat is in the bag - the lock unlocks purely based on strong crypto, not hackable unless you are in the NSA league. You can run a small CA capable of holding a few thousands of keys on Pi Zero class Arm SoC. In fact, even on smaller ones. So technically there is no issue. The mere act of establishing successfully a secure channel by using BOTH server and client keys in the exchange guarantees the authentication. No need to do anything else. Works over Bluetooth, WiFi or even RFC1149 carrier pigeons.
The problem is that instead of using well known, secure bomb-proof tech (TPM + RSA >2048bit) you have either web developers (hello Tesla) who stick oAuth and an oAuth server where it does not belong or even worse (as in this case) IoT developers and embedded developers which proudly ROLL THEIR OWN CRYPTO. Rather unsurprisingly you get the full range of attack via man in the middle, replay, token and pin hijack. It comes with the territory - does not matter which brain rotting disease is at play. Is it "web2.0itis" or "realtime embedditis" the effect is all the same - security which can be hijacked any time you like.
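The enrolment and unlock flow this comment describes, reduced to its core as an added example (not code from the thread or from any lock vendor): the lock's mini-CA signs a phone key once, and every unlock is a signed answer to a one-time nonce, so a captured exchange cannot be replayed. Assumptions: Ed25519 from Go's standard library is swapped in for the RSA the comment names, the secure-channel handshake is reduced to a challenge-response, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Lock struct {
	ca      ed25519.PrivateKey // mini-CA signing key; it never leaves the lock
	pending map[string]bool    // challenges issued and not yet answered
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewLock() *Lock {
	_, priv := NewKey()
	return &Lock{ca: priv, pending: map[string]bool{}}
}

// Enroll is the step the comment says must be secured: the CA signs a new phone key.
func (l *Lock) Enroll(pub ed25519.PublicKey) []byte { return ed25519.Sign(l.ca, pub) }

// Challenge issues a fresh random nonce that is good for one unlock attempt.
func (l *Lock) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	l.pending[string(n)] = true
	return n
}

// Respond is the phone's side; priv stands in for a key kept in its secure hardware.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

// Unlock accepts only a CA-signed key answering a nonce that has not been used before.
func (l *Lock) Unlock(pub ed25519.PublicKey, cert, nonce, sig []byte) bool {
	fresh := l.pending[string(nonce)]
	delete(l.pending, string(nonce)) // burn the nonce so a replayed exchange fails
	caPub := l.ca.Public().(ed25519.PublicKey)
	return fresh && len(pub) == ed25519.PublicKeySize &&
		ed25519.Verify(caPub, pub, cert) && ed25519.Verify(pub, nonce, sig)
}

func main() {
	lock := NewLock()
	pub, priv := NewKey()
	cert, n := lock.Enroll(pub), lock.Challenge()
	sig := Respond(priv, n)
	fmt.Println(lock.Unlock(pub, cert, n, sig), lock.Unlock(pub, cert, n, sig)) // true false
}
```

The sketch has no revocation list and no protection on `Enroll` itself, which is the part the comment singles out as the one that has to be secured.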
The phone as a key has promise. No limit on the number of keys + secure storage/high end crypto.
basket.add(eggs);
You can (in theory) generate strong crypto keys on the phone crypto module which cannot be retrieved on most high end phones without 3-letter class equipment to dissect the phone and physically extract the contents of the TPM.
Vic.
"Bluetooth-enabled safe...? And this seemed like a good idea to someone... why, exactly?"
Well, to quote from the article: "Researcher Anthony Rose said the smart locks "appear to be made by dumb people" were flawed thanks to the design bias of "convenience over security" and a lack of patching."
One would assume that the reasons for opening a safe include putting things in it or taking things out, both of which require physical presence at the safe door. This doesn't make it hard to actually unlock it by hand as you're already right next to it. Being able to do so from a phone handset at a distance of a few feet seems a bit redundant. Then again, I control my hifi via Bluetooth so what do I know...
Remote unlocking for car doors.
Remote controls for auto-starting your engine.
Someone please explain why you need to press a button when your VERY NEXT ACTION is to touch the door you wanted open / start the car you wanted started.
(Remote-locking? Slightly different as you're walking AWAY).
Because anyone can cut a replacement/duplicate mechanical key if they have the original - it costs a couple of pounds.
However with an electronic one, despite it being a simple case of data transfer, the CAR MANUFACTURER can bilk you for hundreds of pounds.
It's not about convenience, it is about extortion.
@Loud speaker
"Because anyone can cut a replacement/duplicate mechanical key if they have the original - it costs a couple of pounds."
The interesting bit there: *ANYONE* can cut a replacement... I used to be able to use my Megane key to open my mum's Clio... Of course being a law abiding citizen I never tried it on other cars but I am CERTAIN that it would open other Renaults too :)
Are you proposing that we go back to that for the sake of saving a few ££ *IF* you lose your key?
My car has a remote unlock, I never used it.
Until recently that is, when some scrote attempted to break into the car* and destroyed the keyway on the driver's side. So now I press the remote control button rather than walking all the way round the car to unlock it.
I can't really see the point otherwise though.
* By sticking a large screwdriver into the keyhole and hitting it with a hammer. This, of course, did not work. Clearly the would-be thieves did not know that they could have been in within minutes just by bending the top of the door back and pulling the lock up, which has the side benefit of being easy for me to fix.
* By sticking a large screwdriver into the keyhole and hitting it with a hammer.
Works a treat on all old Renaults, some old Toyota stock and a few others. Everything where the lock looks like a metal bump on the door and is not an integral part of the door handle. Example - Renault 5 or Renault Clio Mk 1. There are also various cabinet locks which follow the same design.
The lock is held in place by two "ears" made of its sheet metal skirt - basically a big "washer" around it.
Once the screwdriver is firmly embedded in the lock you can twist the lock out of place and push it in (or force it to turn with the whole lock body, not just the internal bits). The result is that you unlock the door. Job done.
My wife's old rustheap had some k1dd10ts break into it this way so I had to remove the locks completely and seal the door. It was remote locking only from outside (as long as inside locks work it is street legal) and getting in through the tailgate if the battery dies.
@LeeD
"Remote unlocking for car doors.
Remote controls for auto-starting your engine.
Someone please explain why you need to press a button when your VERY NEXT ACTION is to touch the door you wanted open / start the car you wanted started.
(Remote-locking? Slightly different as you're walking AWAY)."
Remote unlocking - Phone call to wife: "I've locked my keys in the car, can you open it for me?" - though I agree that this is a bit daft.
Remote Start - Sitting in the house eating my breakfast waiting for the car to de-ice and warm up the passenger compartment during winter (With the doors locked and the keys not in it)
Remote Locking - Sitting in the house at night thinking "Did I lock the car?"
I can think of use cases for
A car being unattended while the engine is running falls foul of an obscure law,
Actually, it does not. There is no law against that.
The law which applies is "not having valid insurance". Check your T&Cs - ALL UK insurance policies have a clause which invalidates them if you leave the keys in the vehicle (regardless of whether the engine is running or not) and the vehicle is unattended.
"Actually, it does not. There is no law against that."
From the Highway Code - the reference "Law CUR regs 98 & 107" suggests there is a law? However it may be the one about Third Party Insurance - if insurance companies exclude it for unmanned vehicles.
"123
You MUST NOT leave a parked vehicle unattended with the engine running or leave a vehicle engine running unnecessarily while that vehicle is stationary on a public road. Generally, if the vehicle is stationary and is likely to remain so for more than a couple of minutes, you should apply the parking brake and switch off the engine to reduce emissions and noise pollution. However it is permissible to leave the engine running if the vehicle is stationary in traffic or for diagnosing faults.
Law CUR regs 98 & 107"
http://www.highwaycodeuk.co.uk/general-rules-techniques-and-advice-for-all-drivers-and-riders---control-of-the-vehicle-117-to-126.html
"Actually, it does not. There is no law against that."
"Stationary idling is an offence under section 42 of the Road Traffic Act 1988," says Jeanette Miller, a managing director of Geoffrey Miller Solicitors.
The Act enforces rule 123 of the Highway Code which states: "You must not leave a vehicle engine running unnecessarily while that vehicle is stationary on a public road."
And doing this can incur a £20 fixed-penalty fine under the Road Traffic (Vehicle Emissions) Regulations 2002. This goes up to £40 if unpaid within a given timeframe.
https://www.confused.com/on-the-road/driving-law/stopped-parked-engine-running-idling-breaking-law-police-fine
@Annon
"You MUST NOT leave a parked vehicle unattended with the engine running or leave a vehicle engine running unnecessarily while that vehicle is stationary on a public road."
Ok, but we are talking about warming the cabin of the car and de-icing it outside my house, on my drive, nothing that you posted applies to what we are discussing.
Actually, it does not.
Yes it does.
There is no law against that.
There so is.
Section 107 of The Road Vehicles (Construction and Use) Regulations 1986 makes it unlawful to leave a vehicle idling and unattended except in a couple of specific circumstances which won't normally apply.
This would usually be prosecuted under Section 42 of the Road Traffic Act 1988, which makes it an offence to operate a vehicle in contravention of Construction and Use regulations.
The law which applies is "not having valid insurance". Check your T&Cs - ALL UK insurance policies have a clause which invalidates them if you leave the keys in the vehicle (regardless of whether the engine is running or not) and the vehicle is unattended.
Absolutely not. The requirement is to have third-party insurance, and insurance companies are prohibited from repudiating the third-party element of a policy for such transgressions. They will, of course, repudiate any claims in excess of third-party cover, and they might even counter-sue to recover the costs of any third-party claim they do pay, but the driver would not be guilty of the offence of driving without insurance.
Vic.
@VIC
You have done the same as the annon poster earlier, that might apply to cars on the road. We are talking about my car, on my drive attached to my house engine running, Doors locked, Keys in the kitchen with me.
We are not talking about the car being on a public road which is what is covered in your post.
@Lee
"Your wife locking your keys in the car is solved by the simple solution of a new wife."
I know you were joking but let's look at that option for a moment... I'd replace the wife, I'd lose half of my company, need a new house and only see the kids once or twice a month... or remote unlocking.
Seems a no-brainer to me.
@d3vy
I agree to all of the above. Especially the remote start.
With remote start, I don't have to tromp through a foot of snow to get to the car, start it, turn on all of the defrost settings, and then leave the car running in the driveway with the keys in it. I also don't track all of that snow back into the house on my return. On my SUV the remote start is smart enough to read the outside temperature, and then decide to turn on max AC or max heat/defrost.
At first I thought remote start was just a gimmick, but now I love it!
Any modern efficient vehicle will not warm up while just idling. So remote start would only be helpful if you have a crappy car that is inefficient.
And yes fortunately it is also illegal to have your car idling in many places.
The insurance terms are interesting, since remote start does not involve the keys being left in the car, so you can't take the car out of park (remote start is for automatics only of course).
"Any modern efficient vehicle will not warm up while just idling. So remote start would only be helpful if you have a crappy car that is inefficient."
A few counter points :
1. I have a modern efficient car, however the laws of physics still exist and the combustion of fuel still produces heat inside the engine.
2. My car's heaters are independent of the engine running but if it's cold enough for me to want to pre-heat the cabin I probably want the engine warm before I make it do any work so I normally run both.
"The insurance terms are interesting, since remote start does not involve the keys being left in the car"
My old Renault had a key card, you could get in, start the car, take the card out and lock the doors and leave it unattended with the doors locked... not remote but same effect.
The insurance terms are interesting, since remote start does not involve the keys being left in the car, so you can't take the car out of park (remote start is for automatics only of course).
"remote start is for automatics only of course"
Is it balls, you know cars are not dumb instruments any more, the ECU on a car if capable of remote start is also capable of determining based on certain parameters if it's safe to start the engine.
So it's quite possible to start a manual if it's been left in neutral and has the handbrake applied (both bits of data that the car itself can figure out - bonus points if it can rectify these (every car I have had for the last 10 years has been capable of switching the handbrake on and off itself)).
"Cold climate, mostly. Locks freeze (literally) and remote start means you can get the interior warmed up before leaving the house."
IIRC in Sweden in the 1970s they had independent heaters to warm the car interior on winter's mornings while the owner had breakfast. They also had electric heaters in the engine block to warm up the oil - even on outdoor parking places.
One would assume that the reasons for opening a safe include putting things in it or taking things out, both of which require physical presence at the safe door.
The (perceived) downside of physical keys is that they each add a certain weight and volume to your keychain, where an implementation using an item you're already carrying anyway (smartphone) doesn't. Of course, as you're already at the safe door, the better solution would be a keypad, a display and a challenge/response system if some random fixed long unlock code stored in your phone's vault is too boring, but hey. Wireless! Smart (err, not)! Shiny!
Ummm... Err.....
About the only thing that comes to mind is to have a box you can open remotely to allow people (e.g. delivery people) to put stuff in - but then you need to be nearby anyway for the bluetooth to reach, or at least have a bluetooth transmitter nearby on the other end of a network connection.
All of which could be achieved more simply with a standard hasp lock which you leave unlocked so the delivery person can open it, put stuff in and then lock it.
But then why do I need remote central locking on my car? At least that doesn't transmit the same code each time (I hope!)
It's the same reason many companies have switched to electronic door locks. When properly implemented, each person has a unique access code. Hard to duplicate, usage can be tracked, access can be revoked without affecting anyone else. Of course, when it's not properly implemented – as in this case – it ends up weakening security.
All of which could be achieved more simply with a standard hasp lock which you leave unlocked so the delivery person can open it, put stuff in and then lock it.
Bit of a bother if you expect to have more than one delivery the same day, or when some joker either locks the box before any delivery is made or nicks the lock.
A remotely controlled latch wired to a Pi or something would be what I'd start with.
> delivery person can open it, put stuff in and then lock it.
Alternatively we can partly copy the design of an existing type of delivery-item receptacle opening that has been deployed in numerous locations, and normally incorporates a one-way security feature to prevent delivered items from being taken by unauthorised personnel from the outside.
The effectiveness of this 'one way valve' is of course dependent on implementation, as well as e.g. presence of ravenous carnivores and those brush type draught excluders that prevent anything other than sheet steel being pushed through and leave deep gouges on your hands when all you were trying to do was drop in a simple note from your mum to one of her neighbours.
Or try one of those bank 'night safe' type drawers - do they still use those?
Or try one of those bank 'night safe' type drawers - do they still use those?
Insofar as there are still banks with a physical presence: yes. The same kind of mechanism is often used on underground rubbish containers, so that people can insert one (1) Standard Bin Bag of Rubbish into a cylinder through a slot, which then rotates and drops the bag into a much larger bin when you close the lid. This is so that you can't put random Very Large Stuff in, and they can even be equipped with a reader for an access token, so that only Authorised Neighbourhood Waste Dumpers can put their waste in.
"It's fairly useful to be able to unlock without a key in colder climates where there is a good chance the barrel has frozen solid."
Remember to apply silicone grease to the rubber door seals. At that sort of temperature when you open the door - the seals are liable to come with it.
"Who in their right mind thinks bluetooth on a safe is in any way conducive to security?? And who in their right mind would even BUY such a thing?"
Why would any company make such a thing?
In the places where a high security commercial lock is needed phones are usually banned. Why? Because phones have cameras and an easy way to subvert security is to use a phone to record safe combination lock settings. So if a manufacturer's representative rocks up and starts to talk to me about any form of lock that requires or permits the use of a phone then that rep will be shown the door because their designers obviously don't understand the basic requirements for a security lock or the environment in which those locks are deployed.
Proper high security digital locks tend to be two-factor authentication, work without batteries and have lock-out after a number of unsuccessful attempts. This lock, as described, sounds like the sort of thing that gets fitted to a hotel room safe (i.e. useless).
As Anthony Rose is quoted as saying in the article:
the smart locks "appear to be made by dumb people"
"What happens when the lock loses its power supply - non-volatile memory? Can any battery be changed with the safe closed?"
Well, based on their current convenience over security model I'm sure it comes with another nifty feature:
Upon battery failure the door will automatically open to allow access to the battery compartment while flashing a bright "look at me" light to get their (and everyone else's) attention.
Labeling anything "Smart" is a useful warning these days. In fact, it's likely to be stupid on multiple levels - design, security, UI, etc. Stapling the word "smart" on a product is a marketing ploy that's only devalued the word.
Wait, I just remembered the alternate meaning of "smart" as in "to cause pain." That might be more applicable in most cases.