back to article Yale Weds: Just some system maintenance, nothing to worry about. Yale Thurs: Nobody's smart alarm app works

Yale Security UK says it is repairing its online systems after some unplanned maintenance turned into a total outage – and prevented folks from controlling their Yale smart home alarms via its smartphone app. The locksmith said it was working through the night into Friday morning to address the gremlins that had left its users …

  1. Phil Kingston Silver badge

    lock escalation?

    1. A Non e-mouse Silver badge

      Lock contention?

      1. doublelayer Silver badge

        Deadlock?

        1. Muscleguy Silver badge

          Dreadlock?

  2. tfewster Silver badge
    Facepalm

    "I’m an engineer, I work in IT..." - and PJMorgan never considered what would happen if he lost his phone/signal/cloudy app? Personally, I'd be keeping very quiet if I'd allowed that to happen to me.

    1. Phil Kingston Silver badge

      I also wonder why he didn't just enter the property, trigger the alarm, and then simply silence the alarm with PIN/fob/whatever.

    2. A Non e-mouse Silver badge
      Joke

      I think he's suffering from priority inversion...

    3. DougS Silver badge

      Beat me to it. If I had a resume from this guy and googled him and found that tweet his resume would go into the circular file. What a moron!

      What was his plan to "enter his property" if his phone was lost, stolen, broken or out of battery?

      1. SloppyJesse
        Facepalm

        > What was his plan to "enter his property" if his

        > phone was lost, stolen, broken or out of battery?

        Backup phone fully charged with the app installed underneath the dustbin, obviously. The guy's not a complete idiot...

    4. Anonymous Coward
      Anonymous Coward

      He must be very new at this IT work thing... Because it shouldn't take that long to notice how fragile a lot of that IT stuff is.

    5. rmason Silver badge

      @tfewster

      Came here to say that too.

      "I work in IT and decided ONLY having access to my property via an app was a good idea"

      What an absolute sponge.

    6. Down not across Silver badge

      Re: "I’m an engineer, I work in IT..."

      I would expect an engineer working in IT to understand the difference between unplanned and planned maintenance.

      1. iron Silver badge

        Re: "I’m an engineer, I work in IT..."

        "I can’t enter my property I only have the App!"

        ROFL What a muppet and to compound it he told the world what a muppet he is!

        1. YetAnotherLocksmith

          Re: "I’m an engineer, I work in IT..."

          Indeed, it's only the alarm, it isn't like he fit a £400 Yale door lock that works via the same system.

          Wait, what's that? They sell exactly that?

          Fail.

          1. defiler Silver badge

            Re: "I’m an engineer, I work in IT..."

            Came here fully expecting this legitimate tirade.

            I looked at the Yale smart alarms when I was alarm shopping. Then I realised that it offered me almost precisely nothing I cared about and introduced 1000 things that could go wrong and which I was in no control of.

            At least one of those should have flagged itself in the mind of an 'IT' 'engineer'. Unless, of course, he's a civil engineer who unjams printers because nobody's pouring concrete just now.

    7. BOFHfollower

      PJ Morgan Rollback

      Surely he had a rollback plan!

      1. Captain Scarlet Silver badge

        Re: PJ Morgan Rollback

        Well my rollback plan would be to have locksmith on my phone, have a key with a member of the family.

        Anything to stay away from an iot crappy lock.

        1. vtcodger Silver badge

          Re: PJ Morgan Rollback

          "have a key ..."

          A key? How 20th century. How about a 18th century solution -- a brick or cobble through the window?

          1. Captain Scarlet Silver badge

            Re: PJ Morgan Rollback

            Since none of your neighbours know or care who you are, the moment you do this the old bill will turn up and nick you (As they are all nosey neighbours).

    8. Craig 2

      "I’m an engineer, I work in IT..."

      Who signed off on him not carrying alternative options? What was his rollback plan? Calls himself an IT engineer....

  3. malle-herbert Silver badge
    Trollface

    "I can’t enter my property I only have the App!"...

    Use a brick (or your phone) to smash in a window...

    1. Doctor Syntax Silver badge

      Re: "I can’t enter my property I only have the App!"...

      "Use a brick (or your phone)"

      Not a lot of difference if the app's not working.

      1. Anonymous Coward
        Anonymous Coward

        Re: "I can’t enter my property I only have the App!"...

        In my experience on the Hell Desk, the phrases "I'm an engineer" or "I work in IT" usually means the grand sum of the caller's technical experience is that they once upgraded the video card in a computer that they purchased from a retail store.

        1. Orv Silver badge

          Re: "I can’t enter my property I only have the App!"...

          I've worked in IT for almost half my life at this point, and I never use it to pull rank with helpdesk staff. For one thing it doesn't actually help.

          I will say that this Yale screwup offends my sense of professionalism, though. It's painful watching someone do something you're good at badly.

        2. Ken Moorhouse Silver badge

          Re: "I'm an engineer"

          Reminds me of an incident in a London Transport ticket office many year's ago where a bloke dumped a pile of shrapnel (1p's and 2p's) in the cash bowl to buy a tube ticket. The booking office clerk said "Sorry, I'm afraid that's not legal tender." The bloke then went into meltdown about how he was a lawyer and how he was going to sue London Transport. He even got his cheque book out to prove he had LLB after his name.

        3. stiine Bronze badge
          Thumb Down

          Re: "I can’t enter my property I only have the App!"...

          re AC "In my experience on the Hell Desk, the phrases "I'm an engineer" or "I work in IT" usually means the grand sum of the caller's technical experience is that they once upgraded the video card in a computer that they purchased from a retail store."

          You must work for Comcast or AT&T.

          The last time I called AT&T to report a problem with their equipment, I had to remove my commercial firewall and connect the link directly to my pc because they said my commercial firewall (which had only recently been relocated from an office network to my home network) was not compatible with their service (that was the same at both the office, and my house).

        4. Fonant

          Re: "I can’t enter my property I only have the App!"...

          See also: opinions that start with "I'm a cyclist..."

  4. Anonymous Coward
    Anonymous Coward

    Maybe it's down because they are installing a back door.

  5. Anonymous Coward
    Anonymous Coward

    Ultimate security: it won't even let the owner in.

    1. monty75

      This is IoT we're talking about. It probably lets in everyone *except* the owner.

      1. Muscleguy Silver badge

        Well you have to allow your groceries and all your Amazon deliveries to get inside the door while you are at work. So that is likely. The solution? order something for immediate delivery and follow the delivery inside.

  6. Giovani Tapini

    I still have an old-school rule to follow

    Never trust an electronic lock.

    Also note - lock makers are better at engineering than software and have made the most basic errors more than defeating all but the illusion of security. This may change one day, but I will not be holding my breath.

    Either way, their server has locked up, their PR team has locked down communication, and people are locked out of the homes. All I need is a lock in at my pub to finish the day...

    1. Steve the Cynic Silver badge

      Re: I still have an old-school rule to follow

      Never trust an electronic lock.

      It's not a good idea to put blind trust in a *mechanical* lock either. Mechanical locks have two advantages, though:

      * They continue to be locked, and unlockable, when the power is off.

      * Someone trying to open them has to be physically present at the lock while doing it.

    2. Anonymous Coward
      Anonymous Coward

      Re: I still have an old-school rule to follow

      I think this was affecting their alarms, rather than the Yale smart locks. Nobody who had the system properly set up should have been prevented from entering their home - it was only the app that didn't work so the keypad/fobs were still functioning (they work completely independently of the "smart" side of it). And the alarm system continues to function without internet or power, it just can't send alerts.

      1. YetAnotherLocksmith

        Re: I still have an old-school rule to follow

        You can buy an add on module for the Keyfree electronic lock so that you can use the App for locking and unlocking, iirc.

    3. imanidiot Silver badge

      Re: I still have an old-school rule to follow

      Given the trackrecord of the likes of MasterLock I wouldn't trust the engineering side of em all that much either.

  7. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      >> people aren't going to stop using them because of one small issue like this

      True, but that's because they are idiots.

    2. Inventor of the Marmite Laser Silver badge
    3. m0rt Silver badge

      "To be fair, they are at least doing maintenance and attempting to improve the system and security that they are providing the public"

      So....doing a shit job is ok because at least the job is getting done, right?

      Cool.

    4. Down not across Silver badge

      To be fair, they are at least doing maintenance and attempting to improve the system and security that they are providing the public...

      Given it was unplanned maintenance it sound more like something went wrong and they were trying to fix it rather than improving anything. Looks like they may have broken something else while trying to fix the original issue.

    5. EveryTime Silver badge

      > "To be fair, they are at least doing maintenance and attempting to improve the system ..."

      No. "Unplanned maintenance" is a PR phrase for "the system crashed, probably corrupting all of the data. We don't have a backup system, and the recovery plan was stored only on the system that crashed."

      1. 9Rune5

        and the recovery plan was stored only on the system that crashed

        I thought they stored the plan on an airgapped server safely tucked away in a small room secured with one of those fancy Yale locks (the ones that require an app to open).

  8. Lee D Silver badge

    "I’m an engineer, I work in IT, this is not acceptable. Who signed this work off? What was the rollback plan ? Call yourselves a security company ? Shameful. @BBCBreaking @Channel4News @BBCRadio4 @CNN @Reuters here is a story for you! I can’t enter my property I only have the App!"

    Gosh. You'd think a guy who worked in IT would understand the importance of a way to enter when the app went down, really wouldn't you? I mean, backups and resiliency, and all that. I wonder if he even has two Internet connections at home in case one fails and he can't get back in?

    People like this annoy me greatly - I work in IT and though Yale might be damn shoddy, for sure I wouldn't be embarrassing myself saying "I have no other way to get into my property except a smartphone app dependent on a third-party". For a start, I'd have a manual key lock or a bypass code on a secondary lock that overrode it, even if I never really needed to use it.

    1. Anonymous Coward
      Anonymous Coward

      I've got a Yale smart alarm, and have a keypad inside that can be used to arm/disarm. If this guy has chosen not to install one of those (and I'm not sure why - they're included when you buy the thing) that's bloody stupid. You can also get key fobs and tags, so there's really no excuse.

      I really wouldn't want to rely on the Yale software at the best of times, it's quite buggy.

      1. Anonymous Coward
        Anonymous Coward

        If this guy has chosen not to install one of those ...

        Maybe he's not the owner, but only a tenant?

        1. Anonymous Coward Silver badge
          Paris Hilton

          Re: If this guy has chosen not to install one of those ...

          Maybe he's not even a tenant, but a squatter.

          Or just an idiot who has no concept of redundant systems.

        2. Lee D Silver badge

          Re: If this guy has chosen not to install one of those ...

          Then he probably wouldn't say "my property" and would probably be yelling at his landlord, instead of Yale.

          1. fajensen Silver badge

            Re: If this guy has chosen not to install one of those ...

            Then he probably wouldn't say "my property" and would probably be yelling at his landlord, instead of Yale

            The average Daily Mail reader would absolutely say "my property" about their rented room in a shared flat a good 40 minutes walk from the tube!

  9. DropBear Silver badge
    Trollface

    They fuxxored up the live system then "restored" that over the backups instead of the other way around, didn't they...,

  10. Will Godfrey Silver badge
    FAIL

    Not Surprised

    Just depend on an actual secure system.

    P.S.

    Having a dog is a good start :)

    1. hokum

      Re: Not Surprised

      Well, you can see when your door is opened and set up temporary access for visitors remotely. There are a number of scenarios where someone may find that sort of thing useful.

      Though as someone who is otherwise all in on the internet of s**t, I don't trust smart locks just yet.

      1. DougS Silver badge

        Re: Not Surprised

        I don't trust smart locks just yet

        Just yet? You mean you foresee a day when you will? What's the possible advantage of a smart lock over a mechanical lock, other than not having to carry a key?

        Companies like Google, Apple and Microsoft, who have unlimited resources and employ some of the smartest people around don't get security right all the time. Does anyone really believe that a company like Yale with a fraction of their resources and probably none of the smartest people around should be trusted with the security of their home, or their business from which they make their livelihood?

        Mechanical locks aren't perfect, but the risks are known and can be mitigated such that it would be easier for a thief to enter via another method than the door. With an electronic lock you have the ever-present risk that a remotely exploitable 0 day could be found against it.

        Its conceivable someone could hack Yale's system and set every electronic lock of theirs to permanently open, or permanently locked, so that having your lock replaced would be the only fix!

        1. Lee D Silver badge

          Re: Not Surprised

          Smart locks are dumb ideas.

          But non-mechanical locks are fine. E.g. magnetic strikes, mag-locks, etc. People - and businesses - use them the world over.

          The advantages are many: Auditability of access. Alerts on access. Ability to rescind access (try taking a key back from a tenant - you'll end up just changing the locks).

          And if you don't "cloud" every-fecking-thing, then it works great. To get in my workplace, you have to force entry. It's that simple. Even if the power goes out, the Internet goes down, etc. then you have to force entry. Except... if you are an authorised user. When you just tag and in you go. The only complicated scenario is a seriously extended power-outage which exhausts ALL the batteries. In which case there is a single method of entry in "fail-open" instead of "fail-secure", which is protected by a physical key. Thus entry can be made only by the genuine people even in absolute power-failure for weeks on end.

          What you don't do is have this smartphone-connected junk or, if you're going to have that, you remote-access your secure internal systems via a proper method, not a junky smartphone app that relies on Yale. What you do is VPN into your own system and access it directly. If someone works out how to get into your VPN, it's already game over anyway, presumably. And you can do that from a smartphone really easily.

          It's a matter of "design", not the tools you use in that design. You have to consider what happens in every circumstance, not just "I'll assume this will always work".

          The other thing is - can this Yale lock, in theory, lock you in the house? Because that's a death-in-a-fire waiting to happen.

          1. YetAnotherLocksmith

            Re: Not Surprised

            No. The handle always lets you out from inside, as long as you have a functioning thumb as well as a free hand.

          2. SloppyJesse

            Re: Not Surprised

            @Lee D

            I agree. With most IOT devices it's the architectural decision to include a 3rd party server in the mix that makes me twitch. An app could be designed to contact the iot device directly, no need for the manufacturer to put their server in the middle. But then how would they slurp data on usage to improve their product sell more tat?

          3. fajensen Silver badge

            Re: Not Surprised

            To get in my workplace, you have to force entry. It's that simple.

            That's probably the most important point of having a lock. If the place is burgled, we want evidence of the burglary so that the insurance pays up.

            With the IOT-crap dropping its knickers on every occasion, and the police IT-skills being what they are for the foreseeable future, it might be hard to prove an illegal entry.

            1. Lee D Silver badge

              Re: Not Surprised

              It's the only reason that locks and British Standards clauses exist.

              Nothing is secure. Any front door can be taken down in under 60 seconds, as can any car. What matters is that you can't do *without damage*. Insurers want to see signs of forced entry, or no-payout.

              Nobody even tries to pretend that your car is secure. It's a mobile device like any other. That's why we put GPS trackers and stuff on them. But I don't have any involvement with Ford to open my car door. I press a button, or I put the key in the lock, it CANNOT talk home - it doesn't even have any method by which to do so.

              The difference is - I'm not relying on my car locks to secure my car from theft. They can't. They secure it from "opportunist" opening of my doors and nicking whatever is in the footwell/centre console. I also don't leave anything in my car overnight. What I do is, I take it out... and put it in the house. Because forcing entry to my house is a) harder, b) more obvious, c) much more likely to attract attention (not just mine, but mine's the only one that matters), d) can't be had as a quick getaway.

              But, certainly, my car and my house have something in common - you could easily get in if you really wanted to, but you would have to leave evidence of doing so... and that means my insurance pays out. If the Yale lock decides to just randomly open, or they get hacked and an "open all customer's doors" command is sent, I have precisely zero recourse to my insurers (seriously, read your policy... "forced entry"), though I might be able to sue Yale (though it's unlikely I'd get full compensation for anything that was taken even then... more likely Yale would go bankrupt first!).

        2. Adelio

          Re: Not Surprised

          Hang on, all this blowing off about "why are people using smart locks"

          If you have a relativly new car it probably has a button on the key fobto lock/unlock it.

          Yea! i would not want ahome lock but i do use the one for my car!

          1. keith_w

            Re: Not Surprised

            My 7 year old car has that, as did my previous 2 cars. They also had locks in the door(s) in case the fob battery died.

            1. DougS Silver badge

              Re: Not Surprised

              Yes, my car's fob has a real key too. Plus it connects directly with the car, it doesn't depend on the cloud.

              But if you care about your car's security, you best not look too closely into how easy it is to defeat such systems. At least when someone physically breaks into the car it leaves evidence making insurance claims a bit easier.

            2. KLane

              Re: Not Surprised

              ...and how many people realize there is a physical backup/valet key hidden inside in most of the keyfobs out there?

          2. LDS Silver badge

            "If you have a relativly new car it probably has a button"

            AFAIK, all of them have a mechanical backup, usually now hidden in the key fob, to open at least a door. And anyway the button commands the car directly, doesn't ask a remote server to open your car (for now, at least...)

        3. Muscleguy Silver badge

          Re: Not Surprised

          The problem with an electronic lock is what happens when the power goes out? If that causes the lock to fail open then it is inherently insecure, cut the power and enter. If it fails locked you are locked out, or in, without a physical backup. IF you must carry a physical backup then it defeats the object of the powered solution.

          This is the fundamental reason why I am not in any way sold on IoT. Pace the epic tale of the guy trying to get his internet enabled kettle to boil who ended up eating dinner in the dark because his smart lights were updating.

          1. DougS Silver badge

            Re: Not Surprised

            I'm sure the reply will be "there are batteries in them, duh" but batteries go flat eventually. I wonder if the software is able to detect that so you will know to replace the battery before you find out the hard way trying to get into your house during a power outage?

            I'll bet most of them recommend replacing the battery on a schedule to avoid that, as if everyone will remember. The only way most people remember to replace batteries in smoke detectors is in the US every time daylight savings time changes the news will remind people they should change the batteries in their smoke detectors. Six months is a little quick, but better too often than not often enough. I wonder if the people who want to eliminate daylight savings time have included the potential deaths from people with flat batteries in their smoke detectors as a cost of that?

    2. monty75

      Re: Not Surprised

      Having a dog is a good start :)

      There are few problems in life which can't be solved, or at least ameliorated, by having a dog.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not Surprised

        There are few problems in life which can't be solved, or at least ameliorated, by having a dog.

        Arguably Yale's IoT system is a dog.

        I'm not sure it has solved any problems, other than the corporate one of "the IoT is coming, what shit can we sell to idiots?"

    3. bombastic bob Silver badge
      FAIL

      "The Cloud" is overrated

      and that, too.

  11. J J Carter Silver badge
    Boffin

    Yep

    On the plus side, at least it failed safe rather than releasing every lock!

  12. MrXavia

    This is why I always ask the question will this still work without internet, and usually the answer is No and I don't buy!

    A Security system that fails to work without the Internet is no security system

  13. Pascal Monett Silver badge

    What a moron

    He works in IT, he's a fucking engineer, and still he buys into this IoT "smart" lock shit ?

    I think his education is now being perfected. Never too late I guess.

  14. SVV Silver badge

    We apologise for any inconvenience

    At least he didn't say "Users should not be alarmed by this problem".

  15. MJI Silver badge

    Just use an old debit/credit card.

    It is THAT Yale isn't it?

    I keep an old debit card in my pocket as it is easier to get in the house using that than hunt for the key.

    I keep saying, top lock is rubbish use the bottom lock (deadlock).

    So if any other family member uses the Yale I use my old debit card, then mention so can thieves.

    1. DryBones

      Re: Just use an old debit/credit card.

      Or... get a Kwikset instead?

  16. Anonymous South African Coward Silver badge

    Ha ha ha ha ha ha ha ha

    Another score for flaky IoT stuff.

    I may be old-fashioned, but I prefer a mechanical lock (or two) and a couple of four-legged friends instead of an electronical thing...

  17. Scroticus Canis Silver badge
    Facepalm

    Unplanned maintenance... like backing out the Windows 10 update maybe?

    Just a thought.

  18. Paul Hovnanian Silver badge

    I think I saw ...

    ... that commercial.

  19. joeldillon

    That's going to be a very spicy RCA for some people in a week or two...

  20. Ken Moorhouse Silver badge

    Smart

    to feel shame or remorse or to suffer in punishment or in return for something.

  21. Simon B-52

    Particularly for those of us unenamoured of "smart"phones.......

    Particularly for those of us unenamoured of "smart"phones and their (cr)apps: the perfect schadenfreude moment, like a cold beer on a hot day......nice!

  22. Nano nano

    But you're ...

    Only supposed to blow the bloody doors off !

  23. Anonymous Coward
    Anonymous Coward

    Think Yale need to give F5 a call...

    Load balancers aren't just a nice concept, they also help you avoid just this sort of outage.

  24. Anonymous Coward
    Anonymous Coward

    Old school

    Granpa sitting on the porch with a shotgun seems to work well.

    Not very agile, but it works.

  25. Muscleguy Silver badge

    When I locked myself out*, old door, can't with the new one, I rang several numbers of local locksmiths I found with my phone. They were all the same guy who refused to come out.

    So I was forced to break into my own home. Fortunately my garage workshop was open so I armed myself with a chisel and some card scrapers (stiff metal cards) and some hitting implements. I moved the protecting strip of wood out of the way with the chisel then used the card scrapers being hit to get the Yale lock to move. I then used the hitting implements to put the wood back. None of the neighbours batted an eyelid.

    New door, all steel frame into all steel frame, multipoint locking needs a key to lock it.

    *A case of the wrong trousers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019