A Brief History of Everything Wireless Blog: Unexpected side effects of modernizing old things

Unexpected side effects of modernizing old things

2018-09-20 [Petri]

Locks are age-old technology: you create a clever mechanical system and a matching key, and depending on the quality of the lock, breaking in by brute force is often more successful than trying to pick the lock. Some such solutions from 100+ years back are still going strong.

With the advent of ultra-cheap wireless technologies, there has been a trend to bring the good old mechanical locks to the 21st century: sometimes this stemmed from real desire to improve usefulness, like opening the garage door from inside the car, but this trend has now spread to many cases where the actual additional usefulness is not so imminent.

We are all used to opening our car doors with remote wireless keys, but this traffic can be intercepted easily, and in cases where the locking protocol is flawed, the code is copied and re-transmitted, making it possible to steal the car without leaving any traces of a forced entry.

Even the most advanced car makers have been hit: the keyless entry used by Tesla, made by Pektron, was recently hacked by a team from a Belgian university, allowing them to unlock a Tesla and drive away as if they were the owner. But as Tesla's software is fully upgradeable remotely, this security hole was promptly plugged, and a further PIN code requirement was added to the unlocking procedure.

The same unsafe system from Pektron, however, is in use by many other car manufacturers, the systems of which are not upgradeable, so Tesla clearly has added flexibility to fight new problems like this.

Of course, the fact that you can upgrade Tesla remotely is another potential vector for car hacking, so the jury is still out, as nothing is perfect: a recent Tesla upgrade inadvertently disabled the autopilot function.

Another recently failed example is the good old padlock:

A new secure lock project by Tapplock originally got over 300,000 dollars via IndieGoGo campaign. The product is a traditional-looking padlock, but you can open it via fingerprint, Bluetooth, or even by tapping Morse Code as a backup: due to this last feature, this lock is probably the first product in the last 50 years that relies on this oldest encoding format in the world.

But for the price of 100 dollars, what do you actually get?

Just from a physical point of view, the specs are impressive on paper: it is also IP66 water resistant and made of professional-looking metal alloy, although based on recent tests, the looks appear to have been more important than durability and unbreakability.

But it is the fancier, modern side of security that has been proven to fail even more miserably.

The way the lock ID was generated was predictable, traffic was unencrypted and the lock could be opened by just replaying the recorded messages. What was worse, it was possible to deduct enough information of the lock protocol to make an app that opens EVERY Tapplock.

An in-depth list of issues can be found here.

The company has promised to address these issues, of course: they basically have no choice. But the problems stated above are very trivial and should be well known by anyone who has ever spent even the slightest amount of time thinking about secure connectivity. It is just astonishing how a product that promises all these new security features over the century-old physical ones can ignore even the basic guidelines of wireless security.

Maybe the design team just subcontracted the most crucial job from the lowest bidder...

Permalink: https://bhoew.com/blog/en/39

Show latest Earlier entries