Thursday, May 24, 2012

(W) House Key in your Smartphone Yikes !!!!

Ever wish your smartphone could open the door to your house? I just watched Shark Tank and this was one of the products: a lock for your home that uses Bluetooth so that, when your phone is in close proximity, the door unlocks when you press a button on the door lock.

We all love gadgets and using your iPhone, Droid or Crackberry to open your house seems like a cool idea.... Or is it?

First question... How many of you have your home address in your phone for a contact card to be used with Bump for example on the iPhone?

Second question... If I steal your phone will you be worried I can unlock your house?

Know this first before you answer... By looking at the lock on your front door, I know you have this type of lock because it has two buttons to lock and unlock the door.

Afraid yet?

Smart Phones, Dumb Apps, as Dan Cornell says in one of his many entertaining InfoSec presentations. This application must send a command sequence via Bluetooth to your door lock in a secure manner... What if the developers don't consider that we security researchers know how to sniff BT traffic? What if they use just a PIN or code to open the lock? Or send it in the clear instead of encrypting it, since encryption adds $$$ to the lock and needs a processor and battery in the lock to decrypt it all? What if they forget to do this?

Afraid yet?

I reviewed a solution similar to this years ago for a large customer service entity looking to add features to their service to break into the home market. The solution is now available by Schlage at Home Depot. What I found with the first gen of this solution was that each code sent to each home over the service, in this case the Internet, was the same code for each house, so I was able to turn on and off the lights that were in the pilot users' homes... They were not happy this could be done and killed the project... Let's hope Schlage corrected the issues I found...
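To make the two concerns above concrete (a fixed PIN sent over the link, and the same code for every house), here is an added example, not code from UniKey, Schlage or this blog. It contrasts a static-code lock with one common fix, a per-lock key and a single-use challenge authenticated with HMAC-SHA256; all class names, lock ids and values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def make_tag(key: bytes, lock_id: bytes, nonce: bytes, command: bytes) -> bytes:
    # Length-prefix the lock id so field boundaries are unambiguous.
    msg = bytes([len(lock_id)]) + lock_id + nonce + command
    return hmac.new(key, msg, hashlib.sha256).digest()

class StaticCodeLock:
    """Weak design: one fixed code, identical on every lock, sent as-is."""
    def __init__(self, code: bytes):
        self.code = code
    def handle(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)

class ChallengeLock:
    """Hardened design: per-lock key plus a fresh nonce for every attempt."""
    def __init__(self, lock_id: bytes, key: bytes):
        self.lock_id, self._key, self._nonce = lock_id, key, None
    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce
    def handle(self, command: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # a nonce is valid only once
        if nonce is None:
            return False
        expected = make_tag(self._key, self.lock_id, nonce, command)
        return hmac.compare_digest(expected, tag)

def demo() -> dict:
    results = {}
    shared = b"1234"  # constructed sample code, the same in both houses
    house_a, house_b = StaticCodeLock(shared), StaticCodeLock(shared)
    captured = shared  # what any listener on the link would observe
    results["static_replay"] = house_a.handle(captured)
    results["static_other_house"] = house_b.handle(captured)

    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    lock_a = ChallengeLock(b"house-a", key_a)
    lock_b = ChallengeLock(b"house-b", key_b)
    nonce = lock_a.challenge()
    tag = make_tag(key_a, b"house-a", nonce, b"UNLOCK")  # phone's response
    results["cr_legit"] = lock_a.handle(b"UNLOCK", tag)
    lock_a.challenge()  # next attempt gets a new nonce
    results["cr_replay"] = lock_a.handle(b"UNLOCK", tag)
    lock_b.challenge()
    results["cr_other_house"] = lock_b.handle(b"UNLOCK", tag)
    results["cr_no_challenge"] = lock_a.handle(b"UNLOCK", tag)
    return results
```

This only covers what is observable on the link; a stolen phone still holds the key, which is the separate risk discussed below.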

Now would you use UniKey?

The potential of what could go wrong with this solution is scary, VERY scary!

The reason keyless entry for cars works is that the ring of keys doesn't carry the license plate and location of the car if you were to find or steal the keys. Your smartphone has your home address in most cases, so whoever has it knows exactly what the key belongs to and where the key fits or works.

Knowing that all I would need to gain entry into your home is to steal your phone, or reverse engineer the solution, as we did with the Key Card exploit, there is not much you could do. Worse... people often leave their phones in their cars to run into a store, go to a movie, the hospital and various other businesses, or in situations like the beach, volleyball, softball, etc., where we leave our phones in our cars so we don't lose them.

And what about kids? How many have lost their phones?

I will be contacting them to share my thoughts and warn the sharks about their investment risk...

Stay tuned.

UniKey website


Thursday, May 3, 2012

BSidesAustin is over, but BSidesDFW coming Nov 2012

Well, BSidesAustin 2012 is over and it was GREAT! We had 2 days of talks, presentations, discussions and panels. Lots was learned and even a gr33nh0rn elevated to beginner by winning the CTF Badge challenge.

As we collect speaker preso's, pictures and video we will post them on the BSidesTexas website so watch for them.

It was a blast and we look forward to 2013! Watch for announcements in the next few months!!!!

BSidesTexas website