New York Attorney General settles with Bluetooth lock maker over insecurity claims

Computer-controlled locks are some of the more popular Internet of Things devices making it into the home, and in the first settlement of its kind, the New York Attorney General has reached an agreement with a manufacturer to make them more secure against hackers. At last year's DEF CON hacking conference, two researchers …

  1. Anonymous Coward

    "I'm as frustrated with Chinese knockoffs as anyone," Hyde said. "I believe that other attributes such as memory and data logging for localised security systems in locks is where I see the future."

    Mr Hyde, please just hold your hands up and say you created a rubbish lock and didn't give a second thought to security.

    The clue is in the name "lock", they are supposed to be secure. I won't be using any of your "future" locks.

  2. Anonymous Coward

    But but but.

    Your whining is worse than my 11yo.

    Your shit got hacked. You're a dick. Your stuff is shit.

  3. Anonymous Coward

    IoT getting spanked? More please US Prosecutors:

    ....."Today's settlement with SafeTech marks the first time an Attorneys General's Office has taken legal action against a wireless security company for failing to protect their customers' personal and private information," said Attorney General Eric Schneiderman."....

  4. beast666

    Get real.

    "When working inside dangerous machinery, it's normal for the staff inside to take the keys to turn the device with them, to avoid it being inadvertently turned on with them inside. The SafeTech keys are built to do this without needing to have multiple locks and keys hanging off a worker's belt."

    Like you'd get inside dangerous machinery prevented from being turned on by a bluetooth key!

    1. Anonymous Coward

      Re: Get real.

      The bluetooth key can't turn on the machinery. There is a physical lock in place preventing that from happening. The bluetooth function allows you to unlock the lock - it would still need to be physically removed.

      1. Lee D Silver badge

        Re: Get real.

        Then just use a stick.

        The point of taking the key is that others CAN'T DO IT EVEN IF THEY WANT TO.

        1. Anonymous Coward

          The Just Use A Stick

          So for Tagout/Lockout what would be easier in this situation:

          1) Getting a copy of the key or combination to a regular lock, given that they are probably all over the place anyway.

          2) Obtain the necessary equipment to capture the bluetooth signal, etc, etc.

          I think situation #1 is the one you need to worry about.

          Another commenter's remark about using his own lock and key is on the mark.

          1. defiler

            Re: The Just Use A Stick

            "I think situation #1 is the one you need to worry about."

            That's a problem that's been solved, solved well, and solved in a pretty foolproof fashion. Google/Bing/DuckDuckGo/Altavista for "multi lock hasp".

            Then you put *your own* lock on, and others can lock it too if several people are working in that area. I'd much rather have one of these than a Bluetooth anything protecting my safety.

  5. Donn Bly

    Equipment Lockout != Security

    It comes down to fitness for purpose. Standard equipment lockout locks are not generally all that secure, are easily defeated, and often don't even have unique keys. Lockout locks are even less secure than TSA locks! It sounds like these Bluetooth locks are actually MORE secure than the existing standard mechanical locks that they are replacing.

    The reality is that anybody that says that they won't be using the locks based on this report would most certainly never have been using these locks anyway, thus their boycott or threat of one is empty and meaningless.

    That said, there is no additive production cost for encryption. If they are using wireless communication such as Bluetooth then it should have been baked into the design from the beginning. Even though it sounds like the software they generally provide is a "reference design" not intended for production use, we all know just how often those reference designs get implemented with little more than a branding change.

    1. Peter2 Silver badge

      Re: Equipment Lockout != Security

      This is a lockout.

      http://www.shardasafety.com/wp-content/uploads/2015/05/Ball_Valve_Lockout_Safety_Products_Locks_Safety_Locks.jpg

      Bring your own padlock(s) if you don't trust the ones provided. Now I don't work in factory environments but I am passing familiar with industrial safety measures and like most IT Pro's who have seen things go badly wrong I'm somewhat paranoid.

      Would I trust my life to a physical warning sign warning I'm working on equipment backed up with a couple of padlocks physically preventing somebody from throwing the power switch short of deliberately cutting the locks off with an angle grinder? Probably yes.

      Would I trust my life to a Bluetooth fob...? Hell no. The list of problems with that idea is so long I hardly know where to begin. What if the signal gets blocked and the machine coding decides that I have left the area as has happened with deaths covered by el reg previously. No way am I trusting my life to a piece of computer code written by somebody in a hurry to meet a deadline that probably didn't have any QA testing "cos that's expensive and the programmer can do it". No, just no.

      I'm going with a big physical lock on the breaker for the equipment. Seems far safer to me from my life experience.

      1. Anonymous Coward

        Re: Equipment Lockout != Security

        "Would I trust my life to a Bluetooth fob...?"

        It is a padlock. The key is bluetooth. You would have to physically remove the lock just as with any other lock.

  6. Olivier2553

    Is IoT things developed by non IT people?

    I am seriously wondering if the problem with security in IoT is because they are conceived by non IT people.

    Like a company building locks suddenly considering how they could use a smartphone instead of a key. I have a thing, how can I apply a computer to it?

    While the IT approach would rather be: I have a computer, how can I use it to drive a thing? And it is called an embedded computer.

    The difference being that in the first case, the computer part is handled by someone that has very limited knowledge of computers, while in the second case, we can hope security is part of their very nature.

    1. Stoneshop
      Pirate

      Re: Is IoT things developed by non IT people?

      while in the second case, we can hope security is part of their very nature.

      Maybe you still have that hope; I don't.

    2. ChrisB 2

      Re: Is IoT things developed by non IT people?

      Well, you might be right but remember - it was IT people that did the coding. Not all IT people are good at what they do.

  7. Anonymous Coward

    Penny Blossoms

    Because everything is better with Bluetooth

  8. Flywheel
    FAIL

    "we leave the communications open for them to develop their own security"

    Yeah, pull the other one!

    1. Anonymous Coward

      No doubt 90% of those commercial customers are just duplicating the sample code and creating systems that are equally insecure.

  9. EnviableOne
    Coat

    Interesting name

    You think he was Dr. Jekyll before his locks got hacked?

    Mine's the one with the bluetooth sniffer in the pocket .....

  10. Tigra 07

    Encryption?

    Theresa May will want a backdoor built into your front door...
