Well....
The Mk1 could be opened with a screwdriver and a bit of work
The Mk2 can be opened with a magnet
Will the Mk3 need just a hard scare?
Most locks would be more secure with each new version, this seems to be getting weaker?
The manufacturer that claimed its Bluetooth-connected fingerprint-reading smart lock was “unbreakable,” only to find it being opened in seconds by someone armed with nothing more than a mount and a screwdriver, has been slapped down by a US watchdog. Tapplock “did not take reasonable measures to secure its locks, or take …
Maybe our dependence on "hands off" technology leads us to so overcomplicate our solution that we forget how uncomplicated the problem can be, as illustrated in this fine vintage example of an obligatory xkcd
Another one relevant to overcomplicating things - xkcd: I'm An Idiot
The real problem is that security is actually very hard indeed. It is even harder than safety critical systems, since a secure system has to defend against an intelligent, resourceful attacker who can try time and time again, whilst a safety critical one only has to defend against bad luck or an idiot.
Unless you put a lot of time, effort and experience into design and testing then the result will generally be disappointing. Having said that, the majority of padlocks on the market are only nominally secure, because they are mostly only used to deter opportunist thieves, and this one is no different. YouTube is full of videos of people easily defeating padlocks - either by force or by circumventing the locking mechanism. e.g. this, this and this
If you need to spend $100 on a lock for it, then you don't want a padlock.
I remember being told about a branch of a bank in Scotland. They did not need to bother with security during the day.
As the few mile long road into and out of the area meant you knew of anyone trying to raid you, and if they tried to escape, it would take a tad bit longer than the cops showing up at the only exit would!
The real problem is that security is actually very hard indeed. It is even harder than safety critical systems, since a secure system has to defend against an intelligent, resourceful attacker who can try time and time again, whilst a safety critical one only has to defend against bad luck or an idiot.
One company who a previous employer used for one of their software progs had a very lax password rule. It could be just one character if you wanted but not blank. This was for access to company proprietary information that would have been invaluable to competitors. Another security hole was that your password was used to access the program. Then once in you could access any of the databases in the correct folder. So you could purloin a database from a rival company and access it from your copy of the program. I pointed this out and was told it would be hard to replicate in the real world. I was told about the security on the entry to the room and how difficult it was to enter.
Then they pointed out that even if you got into the room the racks and the drives were secured by good locks. I said you didn't need to breach any of that and anyway it just prevented physical damage. To get hold of the seriously valuable data you just copied the databases from the server to your desktop. From there you just burned them onto a CD-R. Doing it that way as opposed to directly off the server helped avoid detection. Again I was told the risk was low which worried me.
Conversely the code to authenticate and license the damn thing was about twenty characters. It required reading your multi character code down the phone to the lady at head office. She'd input that into her machine and give you another code to input (this was at the dawn of the internet). All this had to be done quite quickly as your machine would generate a new code every minute or two. If that happened you had to start again. Painful wasn't the word for it.
"a bit like buying Alaskan air conditioners"
Almost mandatory, then?
My brother made quite a decent living selling and maintaining refrigeration and HVAC systems in Fairbanks. When weather is as extreme as they get there, maintaining nicely conditioned indoor air isn't quite as easy as it is in a more Mediterranean climate.
.. it's an open and shut case then, but the shutting didn't work so well :).
Lock security is hard. First of all it's never an absolute, it's about delaying someone long enough for them to give up or be caught so you have to decide right there on a cost/benefit point, keeping in mind that you still have to keep the price low enough that someone will actually buy it (although this has "hipster" written all over it). Next, the world is full of people who will be at least as clever as you so you're fighting an uphill battle anyway.
I feel sorry for them. I liked the idea, but yeah, you have to involve some people who break things for a living IMHO, and I'm not even sure that is enough.
I put an expensive heavy duty padlock and clasp on my elderly father's garage for him. It looked very secure. However, when he died a few years later I found myself without a key to get into said garage. I found an old pick (the ground digging type) and within around 30 seconds and some brute force and leverage managed to break the lock gaining entry.
Since then I regard all padlocks as more of a visible deterrent than a real one. They may deter a casual opportunist thief such as your average druggy, but certainly not someone "going equipped" as the police call it.
Building a securely locked vault starts with a securely built vault.
I remember the story of a physical intrusion testing team going into a company, with the target being their secure records room. They made it to the door of the room - steel door, keypad access. Very nice. Mounted in a plasterboard wall...
The team member simply punched a hole in the wall, opened the door by turning the inside handle, and put generic safety-awareness stickers over the holes.
They made it to the door of the room - steel door, keypad access. Very nice. Mounted in a plasterboard wall...
Depressingly common. See also building secure rooms on top of suspended floors. Lift floor tile(s) outside using a pair of screwdrivers, pop up inside room. This method was eventually defeated in one popular UK shared datacentre due to the amount of cable underfloor creating a barrier to entry. Rumors of net eng's playing tunnel rat whilst bored can neither be confirmed nor denied.
I know of a company that moved some of its operations into a very nice, state of the art, custom designed building (they were involved in all aspects of the design).
My friend's department needed to store some valuable equipment, and they were given access to some cages on one of the corridors in the basement, near their office. My friend queried the lack of CCTV, and was told that it wasn't needed, as all doors to that corridor had swipe card access, and the cages were secure anyway.
The problem was that hundreds of staff members had access to that corridor, most didn't need it, but had it anyway due to a misconfiguration of the door access system. Even without that, it was entirely possible for a staff member to give their swipe card to a friend as there was no ID checking beyond the swipe card.
So, one day, my friend came in to find that someone had broken into a couple of the cages, stealing > 10 thousand pounds worth of equipment. It turns out they'd actually (stupidly) used their own ID card, and a decent pair of bolt cutters to get into the cages.
In that case, the police did actually catch and charge the person, but criticised the company heavily for having no CCTV in the area. The new cameras are now stored in a very heavily secured room, with heavily restricted access, and CCTV everywhere.
Q1: how tough is the metal loop on the lock? Related q: how tough is whatever the lock is used to lock? A good bolt-cutter or a heavy hammer would work wonders.
Q2: how good is the fingerprint reader? Fingerprint readers on cell phones can be fooled, with a bit of effort. How does it deal with extreme heat or cold? Some of these locks would be outside, exposed to the elements. They're gonna get hot, they're gonna get cold, how do they react? What happens when your finger touches the fingerprint reader that's been outside when the temp hits 100F, which it has around here in summer? What happens when your finger touches the fingerprint reader that's been outside when the temp hits -30F, which doesn't happen here, thank Christ, but which does happen in the Wilds of Northern Minnesota, where my insane sister lives. (It gets hotter than Florida and temps of lower than -40F (or C, same thing) have been recorded. Why anyone lives there is beyond me. It could be worse. It could be Canukistan. I have an insane cousin in Alberta.)
Q3: in these, Ye Years of Ye Plague, how resistant is it to cleaning agents, ranging from plain water to isopropyl alcohol to bleach? You are, after all, _supposed_ to touch it with your bare hand... A lot of electronics doesn't take kindly to liquids...
Q4: it uses Bluetooth. Apparently at least one BT hack has already been found, and an incredibly stupid one: they used the BT MAC to generate the key. One wonders what other BT vulnerabilities lurk.
Shirley you mean Montréal? Isn't that one of those benighted places that thinks the French should still be in charge? It's a nice place to visit[0], but there is no way I'd want to live there. For one, you only have two seasons, winter and mosquito ... I need at least four. (Here in Northern California we have four: summer, fire, mudslide and earthquake. Sometimes all on the same day.)
Ah, well. Vive la différence? This round's on me.
[0] Especially if the Sharks are playing the Canadiens and I have tickets ... In my experience the locals are very tolerant of out-of-town sports fans, even us left-coasties, once they discover some of us actually know something about hockey.
"Q1: how tough is the metal loop on the lock? Related q: how tough is whatever the lock is used to lock? A good bolt-cutter or a heavy hammer would work wonders."
The linked article discusses the shortcomings of the metal used for the lock.
https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/