Smart tech is the smart choice so long as it’s well-engineered

A few weeks ago, we learned about Amazon’s ambitious plans for Amazon Key. Amazon Key is a solution that allows Amazon delivery people to leave packages inside the home rather than outside the door. They do this by converting traditional door locks to smartlocks, which can be accessed by Amazon when needed. A camera is included to monitor the drop-offs. I expect that Amazon has done their market research: they know that some consumers will prefer the risk of giving Amazon access to their home over the risk that packages could go missing. Additionally, the service avoids the inconvenience of having to wait at home for deliveries. This is the same tradeoff between operational efficiency and security that Sera4 solves for industrial infrastructure.

Smartlock security was put to the test at last year’s DEFCON conference, where hackers try to break security. Twelve out of sixteen tested smartlocks were hacked within 15 minutes using simple digital equipment. I had hoped that this would send a message to our industry to take security more seriously. Unfortunately, Amazon’s newly-released smartlock system has already been hacked. Although the current vulnerabilities don’t show how to unlock someone’s house without authorization, the security holes destroy trust in the video surveillance that is a core component of the Amazon Key system. I wouldn’t feel confident putting this on my front door. I doubt anyone wants a lock on their house that lets hackers walk in, no matter how “smart” the feature list appears.

Designing secure smartlocks is not easy. It requires both physical security and logical security. People have been designing for physical security for centuries. We’ve largely figured out how to do that. Designing for secure wireless control is a new area, where many designers are still just learning. It’s not surprising that they overlook things. Security is Sera4’s specialty. Since we don’t aim to get our products in residential front doors, I hope that someone else brings secure residential smartlocks to market soon. If not, adoption is going to be very slow, or we’re going to have a lot of unexpected burglaries in the near future.

Why Businesses Need to Retire the Master Key

At Sera4, we make physical assets easily accessible to people who need to get to them, while keeping them safeguarded from others. Many of the companies we help are working to solve a problem with theft and vandalism. I was surprised when I learned that in almost all cases, the majority of theft was from people who were entrusted with a key.

The companies we work with want to protect sensitive points in a network or service. To do this, they build physical walls around these sensitive points and put locks on the doors. Access is given out to the people who help maintain, facilitate, and run these points. This could be a large employee base, or a contractor force.

From here, companies have faced a choice. They can either maintain their security by limiting the number of keys that are distributed, which becomes inefficient because physical keys have to be passed around, or they can make multiple copies of a key. Most companies opt for speed and efficiency over maximum security. They elect to trust the employees and contractors who have signed contracts, and issue them all keys. In extreme cases, all the locks are keyed to the same cylinder or all combination locks are set to the same sequence. Thus, the Master Key. While it is a simple and easy solution for access control, the employees and contractors are now aware that their colleagues also have the same keys they do.

A desperate contractor or employee finds courage behind the curtain of anonymity. They reason that they can steal with low risk because they know that when the company discovers a problem, they will hide in a sea of others who are all holding the key that opened the door. And usually, they are right. Add to this that putting something behind lock and key adds to its perceived value, and maybe there is more theft with the locks on than with no locks at all.

With smartphone-based access control, anonymity is removed. Anyone who opens a lock is reliably identified by their phone. This removal of anonymity has been proven to dramatically reduce the occurrence of theft. Since the black market value of the things that are stolen is just pennies on the dollar, I think there is an opportunity here for everyone involved to come out ahead.