Bluetooth-enabled safe lock popped after attackers win PINs

Attackers can locate and pop safes protected with high-security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon. The SecuRam ProLogic B01 locks are badged as the industry's only Bluetooth-packing lock for safes that can be paired with smartphones. The researchers (@ …

  1. bleh_meh

    No need for any sniffing or surveillance to get in to other bluetooth locks

    https://www.youtube.com/watch?v=PqeWupKN2W0

    Bosnian Bill reviews the Noke and then shows a foolproof method to pick it without a smartphone or computer.

    1. Bronek Kozicki

      Re: No need for any sniffing or surveillance to get in to other bluetooth locks

      You mean, rather large angle grinder? That does not scale to well-made safes.

  2. RIBrsiq
    FAIL

    Bluetooth-enabled safe...?

    And this seemed like a good idea to someone... why, exactly?

    1. Anonymous Blowhard

      "And this seemed like a good idea to someone... why, exactly?"

      Because, um, ...Shiny!

    2. Voland's right hand Silver badge

      The idea is sound, the implementation is horrible

      The phone as a key has promise. No limit on the number of keys + secure storage/high end crypto.

      You can (in theory) generate strong crypto keys on the phone crypto module which cannot be retrieved on most high end phones without 3-letter class equipment to dissect the phone and physically extract the contents of the TPM.

      From there on, it is trivial to implement a lock-key application. The lock runs a mini-CA, you submit your new key, the CA signs it and gives it back to you. If you can secure _THIS_ part, the cat is in the bag - the lock unlocks purely based on strong crypto, not hackable unless you are in the NSA league. You can run a small CA capable of holding a few thousands of keys on Pi Zero class Arm SoC. In fact, even on smaller ones. So technically there is no issue. The mere act of establishing successfully a secure channel by using BOTH server and client keys in the exchange guarantees the authentication. No need to do anything else. Works over Bluetooth, WiFi or even RFC1149 carrier pigeons.

      The problem is that instead of using well known, secure bomb-proof tech (TPM + RSA >2048bit) you have either web developers (hello Tesla) who stick oAuth and an oAuth server where it does not belong or even worse (as in this case) IoT developers and embedded developers which proudly ROLL THEIR OWN CRYPTO. Rather unsurprisingly you get the full range of attack via man in the middle, replay, token and pin hijack. It comes with the territory - does not matter which brain rotting disease is at play. Is it "web2.0itis" or "realtime embedditis" the effect is all the same - security which can be hijacked any time you like.
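An added example, not part of the comment above or of any vendor's code: a stdlib-only Python model of a lock that authenticates phones by challenge/response with per-phone keys, showing why a captured exchange cannot be replayed while a fixed PIN can. It substitutes a per-phone HMAC secret for the CA-signed public keys the comment describes (an assumption, to avoid third-party crypto libraries); `Lock`, `respond`, `demo`, the 30-second lifetime and the sample PIN are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


def respond(key, phone_id, nonce):
    """Phone side: MAC over the lock's fresh nonce, bound to the phone identity."""
    msg = b"unlock|" + phone_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Lock:
    CHALLENGE_TTL = 30.0  # seconds a challenge stays valid (assumed value)

    def __init__(self, clock=time.monotonic):
        self._keys = {}      # phone_id -> 32-byte secret, one per phone
        self._pending = {}   # nonce -> (phone_id, expiry)
        self._clock = clock

    def enroll(self, phone_id):
        """Pairing step; must happen over a channel an eavesdropper cannot see."""
        key = secrets.token_bytes(32)
        self._keys[phone_id] = key
        return key

    def revoke(self, phone_id):
        """Drop one phone without touching anyone else's key."""
        self._keys.pop(phone_id, None)

    def challenge(self, phone_id):
        # Issued even for unknown phones so the reply does not leak enrolment.
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (phone_id, self._clock() + self.CHALLENGE_TTL)
        return nonce

    def unlock(self, phone_id, nonce, response):
        issued = self._pending.pop(nonce, None)  # single use: gone after one try
        if issued is None:
            return False
        owner, expiry = issued
        key = self._keys.get(phone_id)
        if owner != phone_id or key is None or self._clock() > expiry:
            return False
        return hmac.compare_digest(respond(key, phone_id, nonce), response)


def demo():
    now = [0.0]                                  # fake clock for the expiry case
    lock = Lock(clock=lambda: now[0])
    key = lock.enroll("alice-phone")
    out = {}

    n1 = lock.challenge("alice-phone")
    r1 = respond(key, "alice-phone", n1)         # what a sniffer would capture
    out["legit"] = lock.unlock("alice-phone", n1, r1)
    out["replay_same_nonce"] = lock.unlock("alice-phone", n1, r1)
    n2 = lock.challenge("alice-phone")
    out["replay_old_response"] = lock.unlock("alice-phone", n2, r1)

    n3 = lock.challenge("alice-phone")
    now[0] += Lock.CHALLENGE_TTL + 1
    out["expired"] = lock.unlock("alice-phone", n3,
                                 respond(key, "alice-phone", n3))

    lock.revoke("alice-phone")
    n4 = lock.challenge("alice-phone")
    out["revoked"] = lock.unlock("alice-phone", n4,
                                 respond(key, "alice-phone", n4))

    # Contrast: a fixed code sent on every unlock (constructed sample PIN).
    pin = b"482915"
    captured = pin                               # sniffed once, valid forever
    out["static_pin_replay"] = hmac.compare_digest(pin, captured)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'opens' if ok else 'refused'}")
```

The model covers replay and revocation only; it does nothing about a man in the middle during enrolment, which is the part the comment says has to be secured.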

      1. Vic

        Re: The idea is sound, the implementation is horrible

        The phone as a key has promise. No limit on the number of keys + secure storage/high end crypto.

        basket.add(eggs);

        You can (in theory) generate strong crypto keys on the phone crypto module which cannot be retrieved on most high end phones without 3-letter class equipment to dissect the phone and physically extract the contents of the TPM.

        Betcha it can

        Vic.

    3. Dwarf

      Bluetooth-enabled safe...?

      And this seemed like a good idea to someone... why, exactly?

      The same people who are probably working on making them IoT enabled at the moment.

      1. AndrueC Silver badge
        Joke

        Maybe you can 'like' the robbery?

    4. allthecoolshortnamesweretaken

      "Bluetooth-enabled safe...? And this seemed like a good idea to someone... why, exactly?"

      Well, to quote from the article: "Researcher Anthony Rose said the smart locks "appear to be made by dumb people" were flawed thanks to the design bias of "convenience over security" and a lack of patching."

    5. Trigonoceps occipitalis

      Look, I often want to open my safe from afar. For instance, if I buy some jewellery on my way through Dubai airport, I open my safe and it is ready when I get home. It gives the bad guys only a minute or two to mug me between my front door and the safe.

  3. steamrunner

    One would assume that the reasons for opening a safe include putting things in it or taking things out, both of which require physical presence at the safe door. This doesn't make it hard to actually unlock it by hand as you're already right next to it. Being able to do so from a phone handset at a distance of a few feet seems a bit redundant. Then again, I control my hifi via Bluetooth so what do I know...

    1. Lee D Silver badge

      Remote unlocking for car doors.

      Remote controls for auto-starting your engine.

      Someone please explain why you need to press a button when your VERY NEXT ACTION is to touch the door you wanted open / start the car you wanted started.

      (Remote-locking? Slightly different as you're walking AWAY).

      1. imanidiot Silver badge

        Because pressing the button on the key is still simpler than having to stick the metal bit into a small receptacle on the vehicle and twist it to unlock? And to prevent someone from opening your vehicle when you are close but not next to the car?

        1. Loud Speaker

          Because anyone can cut a replacement/duplicate mechanical key if they have the original - it costs a couple of pounds.

          However with an electronic one, despite it being a simple case of data transfer, the CAR MANUFACTURER can bilk you for hundreds of pounds.

          It's not about convenience, it is about extortion.

          1. d3vy

            @Loud speaker

            "Because anyone can cut a replacement/duplicate mechanical key if they have the original - it costs a couple of pounds."

            The interesting bit there: *ANYONE* can cut a replacement.. I used to be able to use my Megane key to open my mum's Clio... Of course being a law abiding citizen I never tried it on other cars but I am CERTAIN that it would open other Renaults too :)

            Are you proposing that we go back to that for the sake of saving a few ££ *IF* you lose your key?

      2. phuzz Silver badge
        Facepalm

        My car has a remote unlock, I never used it.

        Until recently that is, when some scrote attempted to break into the car* and destroyed the key way on the drivers side. So now I press the remote control button rather than walking all the way round the car to unlock it.

        I can't really see the point otherwise though.

        * By sticking a large screwdriver into the keyhole and hitting it with a hammer. This, of course, did not work. Clearly the would-be thieves did not know that they could have been in within minutes just by bending the top of the door back and pulling the lock up, which has the side benefit of being easy for me to fix.

        1. Voland's right hand Silver badge

          * By sticking a large screwdriver into the keyhole and hitting it with a hammer.

          Works a treat on all old Renaults, some old Toyota stock and a few others. Everything where the lock looks like a metal bump on the door and is not an integral part of the door handle. Example - Renault 5 or Renault Clio Mk 1. There are also various cabinet locks which follow the same design.

          The lock is held in place by two "ears" made of its sheet metal skirt - basically a big "washer" around it.

          Once the screwdriver is firmly embedded in the lock you can twist the lock out of place and push it in (or force it to turn with the whole lock body, not just the internal bits). The result is that you unlock the door. Job done.

          My wife's old rustheap had some k1dd10ts break into it this way so I had to remove the locks completely and seal the door. It was remote locking only from outside (as long as inside locks work it is street legal) and getting in through the tailgate if the battery dies.

      3. d3vy

        @LeeD

        "Remote unlocking for car doors.

        Remote controls for auto-starting your engine.

        Someone please explain why you need to press a button when your VERY NEXT ACTION is to touch the door you wanted open / start the car you wanted started.

        (Remote-locking? Slightly different as you're walking AWAY)."

        Remote unlocking - Phone call to wife: "I've locked my keys in the car, can you open it for me?" - though I agree that this is a bit daft.

        Remote Start - Sitting in the house eating my breakfast waiting for the car to de-ice and warm up the passenger compartment during winter (With the doors locked and the keys not in it)

        Remote Locking - Sitting in the house at night thinking "Did I lock the car?"

        I can think of use cases for

        1. Lee D Silver badge

          Pre-warming your car is actually illegal.

          A car being unattended while the engine is running falls foul of an obscure law, no matter the driver's intention, or whether a nuisance is caused.

          Your wife locking your keys in the car is solved by the simple solution of a new wife.

          1. Voland's right hand Silver badge

            A car being unattended while the engine is running falls foul of an obscure law,

            Actually, it does not. There is no law against that.

            The law which applies is "not having valid insurance". Check your T&Cs - ALL UK insurance policies have a clause which invalidates them if you leave the keys in the vehicle (regardless is the engine running or not) and the vehicle is unattended.

            1. Anonymous Coward

              "Actually, it does not. There is no law against that."

              From the Highway Code - the reference "Law CUR regs 98 & 107" suggests there is a law? However it may be the one about Third Party Insurance - if insurance companies exclude it for unmanned vehicles.

              "123

              You MUST NOT leave a parked vehicle unattended with the engine running or leave a vehicle engine running unnecessarily while that vehicle is stationary on a public road. Generally, if the vehicle is stationary and is likely to remain so for more than a couple of minutes, you should apply the parking brake and switch off the engine to reduce emissions and noise pollution. However it is permissible to leave the engine running if the vehicle is stationary in traffic or for diagnosing faults.

              Law CUR regs 98 & 107"

              http://www.highwaycodeuk.co.uk/general-rules-techniques-and-advice-for-all-drivers-and-riders---control-of-the-vehicle-117-to-126.html

              1. Anonymous Coward
                Anonymous Coward

                "Actually, it does not. There is no law against that."

                "Stationary idling is an offence under section 42 of the Road Traffic Act 1988," says Jeanette Miller, a managing director of Geoffrey Miller Solicitors.

                The Act enforces rule 123 of the Highway Code which states: "You must not leave a vehicle engine running unnecessarily while that vehicle is stationary on a public road."

                And doing this can incur a £20 fixed-penalty fine under the Road Traffic (Vehicle Emissions) Regulations 2002. This goes up to £40 if unpaid within a given timeframe.

                https://www.confused.com/on-the-road/driving-law/stopped-parked-engine-running-idling-breaking-law-police-fine

              2. d3vy

                @Annon

                "You MUST NOT leave a parked vehicle unattended with the engine running or leave a vehicle engine running unnecessarily while that vehicle is stationary on a public road."

                Ok, but we are talking about warming the cabin of the car and de-icing it outside my house, on my drive, nothing that you posted applies to what we are discussing.

            2. Vic

              Actually, it does not.

              Yes it does.

              There is no law against that.

              There so is.

              Section 107 of The Road Vehicles (Construction and Use) Regulations 1986 makes it unlawful to leave a vehicle idling and unattended except in a couple of specific circumstances which won't normally apply.

              This would usually be prosecuted under Section 42 of the Road Traffic Act 1988, which makes it an offence to operate a vehicle in contravention of Construction and Use regulations.

              The law which applies is "not having valid insurance". Check your T&Cs - ALL UK insurance policies have a clause which invalidates them if you leave the keys in the vehicle (regardless is the engine running or not) and the vehicle is unattended.

              Absolutely not. The requirement is to have third-party insurance, and insurance companies are prohibited from repudiating the third-party element of a policy for such transgressions. They will, of course, repudiate any claims in excess of third-party cover, and they might even counter-sue to recover the costs of any third-party claim they do pay, but the driver would not be guilty of the offence of driving without insurance.

              Vic.

              1. d3vy

                @VIC

                You have done the same as the annon poster earlier, that might apply to cars on the road. We are talking about my car, on my drive attached to my house engine running, Doors locked, Keys in the kitchen with me.

                We are not talking about the car being on a public road which is what is covered in your post.

          2. d3vy

            @Lee

            "Your wife locking your keys in the car is solved by the simple solution of a new wife."

            I know you were joking but let's look at that option for a moment... I'd replace the wife, I'd lose half of my company, need a new house and only see the kids once or twice a month... or remote unlocking.

            Seems a no-brainer to me.

        2. usbac Silver badge

          @d3vy

          I agree to all of the above. Especially the remote start.

          With remote start, I don't have to tromp through a foot of snow to get to the car, start it, turn on all of the defrost settings, and then leave the car running in the driveway with the keys in it. I also don't track all of that snow back into the house on my return. On my SUV the remote start is smart enough to read the outside temperature, and then decide to turn on max AC or max heat/defrost.

          At first I thought remote start was just a gimmick, but now I love it!

        3. Lennart Sorensen

          Any modern efficient vehicle will not warm up while just idling. So remote start would only be helpful if you have a crappy car that is inefficient.

          And yes fortunately it is also illegal to have your car idling in many places.

          The insurance terms are interesting, since remote start does not involve the keys being left in the car, so you can't take the car out of park (remote start is for automatics only of course).

          1. d3vy

            "Any modern efficient vehicle will not warm up while just idling. So remote start would only be helpful if you have a crappy car that is inefficient."

            A few counter points :

            1. I have a modern efficient car, however the laws of physics still exist and the combustion of fuel still produces heat inside the engine.

            2. My car's heaters are independent of the engine running but if it's cold enough for me to want to pre-heat the cabin I probably want the engine warm before I make it do any work so I normally run both.

            "The insurance terms are interesting, since remote start does not involve the keys being left in the car"

            My old Renault had a key card, you could get in, start the car, take the card out and lock the doors and leave it unattended with the doors locked.. not remote but same effect.

            The insurance terms are interesting, since remote start does not involve the keys being left in the car, so you can't take the car out of park (remote start is for automatics only of course).

            "remote start is for automatics only of course"

            Is it balls, you know cars are not dumb instruments any more, the ECU on a car if capable of remote start is also capable of determining based on certain parameters if it's safe to start the engine.

            So it's quite possible to start a manual if it's been left in neutral and has the handbrake applied (both bits of data that the car itself can figure out - bonus points if it can rectify these (every car I have had for the last 10 years has been capable of switching the handbrake on and off itself))

      4. Alan Brown Silver badge

        "Someone please explain why you need to press a button when your VERY NEXT ACTION is to touch the door you wanted open / start the car you wanted started."

        Cold climate, mostly. Locks freeze (literally) and remote start means you can get the interior warmed up before leaving the house.

        1. Anonymous Coward

          "Cold climate, mostly. Locks freeze (literally) and remote start means you can get the interior warmed up before leaving the house."

          IIRC in Sweden in the 1970s they had independent heaters to warm the car interior on winter's mornings while the owner had breakfast. They also had electric heaters in the engine block to warm up the oil - even on outdoor parking places.

    2. Stoneshop
      Holmes

      Physical keys

      One would assume that the reasons for opening a safe include putting things in it or taking things out, both of which require physical presence at the safe door.

      The (perceived) downside of physical keys is that they each add a certain weight and volume to your keychain, where an implementation using an item you're already carrying anyway (smartphone) doesn't. Of course, as you're already at the safe door, the better solution would be a keypad, a display and a challenge/response system if some random fixed long unlock code stored in your phone's vault is too boring, but hey. Wireless! Smart (err, not)! Shiny!

  4. A K Stiles

    Bluetooth lock reasons...

    Ummm... Err.....

    About the only thing that comes to mind is to have a box you can open remotely to allow people (e.g. delivery people) to put stuff in - but then you need to be nearby anyway for the bluetooth to reach, or at least have a bluetooth transmitter nearby on the other end of a network connection.

    All of which could be achieved more simply with a standard hasp lock which you leave unlocked so the delivery person can open it, put stuff in and then lock it.

    But then why do I need remote central locking on my car? At least that doesn't transmit the same code each time (I hope!)

    1. Kanhef

      Re: Bluetooth lock reasons...

      It's the same reason many companies have switched to electronic door locks. When properly implemented, each person has a unique access code. Hard to duplicate, usage can be tracked, access can be revoked without affecting anyone else. Of course, when it's not properly implemented – as in this case – it ends up weakening security.

    2. Stoneshop
      Boffin

      Re: Bluetooth lock reasons...

      All of which could be achieved more simply with a standard hasp lock which you leave unlocked so the delivery person can open it, put stuff in and then lock it.

      Bit of a bother if you expect to have more than one delivery the same day, or when some joker either locks the box before any delivery is made or nicks the lock.

      A remotely controlled latch wired to a Pi or something would be what I'd start with.

    3. Doctor_Wibble
      Headmaster

      Re: Bluetooth lock reasons...

      > delivery person can open it, put stuff in and then lock it.

      Alternatively we can partly copy the design of an existing type of delivery-item receptacle opening that has been deployed in numerous locations, and normally incorporates a one-way security feature to prevent delivered items from being taken by unauthorised personnel from the outside.

      The effectiveness of this 'one way valve' is of course dependent on implementation, as well as e.g. presence of ravenous carnivores and those brush type draught excluders that prevent anything other than sheet steel being pushed through and leave deep gouges on your hands when all you were trying to do was drop in a simple note from your mum to one of her neighbours.

      Or try one of those bank 'night safe' type drawers - do they still use those?

      1. Anonymous Coward

        @Doctor_Wibble

        I hope that you are not referring to our feline overlords as "ravenous carnivores"

      2. Stoneshop

        Re: Bluetooth lock reasons...

        Or try one of those bank 'night safe' type drawers - do they still use those?

        Insofar as there are still banks with a physical presence: yes. The same kind of mechanism is often used on underground rubbish containers, so that people can insert one (1) Standard Bin Bag of Rubbish into a cylinder through a slot, which then rotates and drops the bag into a much larger bin when you close the lid. This is so that you can't put random Very Large Stuff in, and they can even be equipped with a reader for an access token, so that only Authorised Neighbourhood Waste Dumpers can put their waste in.

    4. Down not across

      Re: Bluetooth lock reasons...

      But then why do I need remote central locking on my car? At least that doesn't transmit the same code each time (I hope!)

      It's fairly useful to be able to unlock without a key in colder climates where there is a good chance the barrel has frozen solid.

      1. Anonymous Coward

        Re: Bluetooth lock reasons...

        "It's fairly useful to be able to unlock without a key in colder climates where there is a good chance the barrel has frozen solid."

        Remember to apply silicone grease to the rubber door seals. At that sort of temperature when you open the door - the seals are liable to come with it.

    5. allthecoolshortnamesweretaken

      Re: Bluetooth lock reasons... for cars

      Makes the repo guy's life a lot easier.

  5. Anonymous Coward

    This kind of thing only happens....

    Because shallow marketing suits are in charge... Can't wait until it's announced that these have already been installed in a 1000 hotels... Because, well because the 'new shiny' etc....

  6. imanidiot Silver badge
    Facepalm

    Why??

    Who in their right mind thinks bluetooth on a safe is in any way conducive to security?? And who in their right mind would even BUY such a thing?

    1. A Non e-mouse Silver badge

      Re: Why??

      And who in their right mind would even BUY such a thing?

      A fool and their money are soon parted.

      1. frank ly

        Re: Why??

        Especially if the fool keeps it in a Bluetooth-enabled safe.

    2. Stoneshop
      Facepalm

      Re: Why??

      Bluetooth as a communication channel to run some proper crypto over is not a particularly bad idea. Same with WiFi, NFC or other forms of wireless. But in implementations like this one it's the 'proper' that's sorely lacking, with predictable results.

    3. Lotaresco
      WTF?

      Re: Why??

      "Who in their right mind thinks bluetooth on a safe is in any way conducive to security?? And who in their right mind would even BUY such a thing?"

      Why would any company make such a thing?

      In the places where a high security commercial lock is needed phones are usually banned. Why? Because phones have cameras and an easy way to subvert security is to use a phone to record safe combination lock settings. So if a manufacturer's representative rocks up and starts to talk to me about any form of lock that requires or permits the use of a phone then that rep will be shown the door because their designers obviously don't understand the basic requirements for a security lock or the environment in which those locks are deployed.

      Proper high security digital locks tend to be two-factor authentication, work without batteries and have lock-out after a number of unsuccessful attempts. This lock, as described, sounds like the sort of thing that gets fitted to a hotel room safe (i.e. useless).

      As Anthony Rose is quoted as saying in the article:

      the smart locks "appear to be made by dumb people”

  7. Anonymous Coward

    What happens when the lock loses its power supply - non-volatile memory? Can any battery be changed with the safe closed?

    1. DMcDonnell

      Battery is eventually going to leak and really gum up the works.

  8. Anonymous South African Coward Bronze badge

    Now all we have to do is to wait for $Big_Bank to have a bluetooth-enabled vault in which they store all their customers' valuables, like gold ingots, diamonds and other valuables... Should be a real hoot to do a Die Hard 3 in real life.

  9. NBCanuck

    @AC

    "What happens when the lock loses its power supply - non-volatile memory? Can any battery be changed with the safe closed?"

    Well, based on their current convenience over security model I'm sure it comes with another nifty feature:

    Upon battery failure the door will automatically open to allow access to the battery compartment while flashing a bright "look at me" light to get their (and everyone else's) attention.

    1. Jeffrey Nonken

      Re: @AC

      Yeah, that "feature" of the vault always bothered me in Die Hard.

  10. Tikimon
    Devil

    Newspeak Term O' The Decade

    Labeling anything "Smart" is a useful warning these days. In fact, it's likely to be stupid on multiple levels - design, security, UI, etc.. Stapling the word "smart" on a product is a marketing ploy that's only devalued the word.

    Wait, I just remembered the alternate meaning of "smart" as in "to cause pain." That might be more applicable in most cases.
