BIAS against Bluetooth

Another vulnerability of the Bluetooth security stack has been revealed this week: Bluetooth Impersonation AttackS (BIAS).

Unfortunately, this highlights another concern with the Bluetooth stack and is, in-part, due to the wide range of devices and configurations that Bluetooth has to support. The suggested remedy is for “the Bluetooth SIG [to update] the Bluetooth Core Specification”. (Source: bluetooth.com)

All this implies it will be up to chipset vendors to find and work around the problem in the interim.

Credit: The Hacker News tells us more …

The biggest risk is likely to be against mobile devices (mobile phones and laptops). Previously-paired devices can no longer be trusted. i.e. you could be communicating with a bad actor (impersonator).

As a word of caution: other Bluetooth-enabled smart locks and mobile software solutions may incorporate this same flaw. This would allow you to pass the digital keys to the wrong device: A “man-in-the-middle” attack.

Rest assured: Teleporte relies on digitally signed certificates to ensure that communications are encrypted. Only true Sera4 locks or lock controllers have the decryption key. All this happens without using the Bluetooth security stack — so access to your Teleporte locks remains secure and unaffected by BIAS.

Don’t Call Us, We’ll Call You (Webhooks Are Here)

With every security component added into a critical infrastructure, comes the inherent need for information, automation and control. As the number of critical components in your infrastructure grow, so does complexity and the necessity to stream information as it happens. Integrators and clients are now looking to being on the receiving end of data in real time in order to provide critical dashboard updates. We’ve listened and we’ve delivered.

With Teleporte Cloud server 3.5, we have added a critical component to our API capabilities: the concept of webhooks. In a “don’t call us, we’ll call you” manner, Teleporte Cloud is now capable of calling your secure endpoint with real-time data concerning events that are happening inside your system. Webhooks are to APIs as fuel is to a fire; they can ignite your integrations and get your organization on the receiving end of updates as they happen. Remember, polling APIs is so 1990’s, go real-time by enabling webhooks.

To better understand what the difference between an API and Webhooks are, consider this simple analogy:

APIs are request based. They are useful for pulling data on demand.
Webhooks are event-based. They are useful for receiving critical events when they happen.

API + Webhooks = Complete Automation Capabilities

Teleporte Cloud now supports webhooks that can be configured for updates to important events (such as the creation or deletion of digital keys), access requests to locks and even the creation, deletion or update of system users. As an example, if you’re looking to know that ‘administrator X with email [email protected] created a digital key to lock 21, on site B that is valid from Tuesday at 9am to Tuesday at 5pm’ as it happens, then webhooks are your holy grail! Get on top of and react quicker to events happening in your infrastructure by enabling webhooks.

Feel free to ask us about our Slack integration. Our webhooks support Slack out of the box and can have your team seeing the benefits of webhooks within seconds.

Get more details about webhooks at https://apidocs.sera4.com or contact us to discuss how you can get webhooks working for you.

High-Security Keyless

In protecting your assets, there is always a tradeoff between convenience and security. For example, when you go into your office every day, you want to get in through the main doors without any delay.  But when the asset requires the highest security,  added rigour such as additional security checks are necessary.

The vault application is a good example of how keyless solutions are catching up with old standards for addressing high-security requirements.

  • Vaults often include locks whereby 2 keys are required and placed more than 6 feet apart. Two individuals, each of whom have their own unique key, must open the lock at the same time for the door to open. This approach prevents a single rogue actor from opening a door when they do not have authorized access
  • Another high-security standard opens a door after several minutes of unlock delay. This delay, connected with alarms, is a strong deterrent for criminals. They know that law enforcement will be coming while they are waiting for the door to open.

Bringing these features to Keyless

Sera4 has released Teleporte Cloud server 3.5 and Teleporte Mobile application 5.2. All Teleporte Enterprise customers now have access to high-security protocols to match the use cases above. 

  • The new Multi-Authentication Unlock feature requires two or more users to unlock a lock. Each user has their own key for that one lock and each user must issue the unlock command to the same lock. The lock only opens after all required users try to open the lock on their own account.
  • The new Delayed Open feature can be enabled on a lock-by-lock basis. The administrator can configure the delay. When someone unlocks a Sera4 lock in the Teleporte Mobile application, it will open only after the specified delay.

At Sera4, we envision a fully keyless world. With these innovations, we bring keyless benefits to the highest-security applications, such as vaults. We expect that there will be many applications for these new features that we haven’t even imagined yet.

For more information on the available features on the Teleporte Cloud server, click here. Or simply and contact us to arrange for a demo. We’re excited to show off our latest innovations.

Questioning Smart Lock Security

The benefits of installing a keyless smart lock to replace the physical key and cylinder include:

  • Identity: the removal of anonymity from each person that unlocks the assets you protect
  • Security: keyless smart locks do not have an external locking mechanism — fewer ways to defeat the lock
  • Data: the records of “who”, “when” and “where” and even “why” the smart lock was opened

While it is easy to understand these benefits, it can be challenging to understand the complexity of keyless smart lock security.

Ars Technica, The Register, and threatpost all highlight the problems that can occur when basic security measures in the domains of physical, transport, embedded, and cloud security are not addressed.

As an Enterprise Security focused company, Sera4 strives to educate everyone about the benefits of smart locks and keyless access control. We want you to understand the differences between a locking mechanism that can be opened with a phone and a complete cyber-secure platform that provides a set of tools to help secure and protect your assets.

The Four Domains of Keyless Smart Lock Security

When investigating a keyless access control solution, we encourage you to identify the following concerns and ask the right questions.

  1. Physical Security: the aspects that prevent theft or vandalism due to the hardware’s shape, size, and installation
    • Concern: Keyless smart lock hardware is perceived to be expensive and can disappear as fast as it is installed. Securing the theft of keyless smart lock hardware itself may be critical to your security program.
    • Example: Company XYZ installs a keyless smart lock. One week later after arriving on site, a user finds the door open, and the lock is missing entirely. The user can’t even secure the site before he leaves.
    • Question: Does your keyless smart lock provide options to install securely to the structure, preventing theft of the keyless smart lock itself?
  2. Embedded Security: the software that ensures data security and integrity within the keyless smart lock and the mobile device
    • Concern: Keyless smart locks need to track the time and date to allow and disallow users access within the desired time frame.
    • Example: User arrives on site, a day after his digital key expired. The user turns off his mobile radios, changes the date on his phone, and attempts to open the lock using his digital key from yesterday.
    • Question: How do you ensure timely access that isn’t dependent on the mobile device for date/time?
  3. Transport Security: the protocols and algorithms that ensure identity, digital keys and access logs are safely and securely transferred between lock, mobile device and the Cloud
    • Concern: Even using secure transport protocols, mobile devices transfer and store digital keys – exposing them to modification.
    • Example: User downloads digital keys onto his phone. User can root his mobile device, change the details of a digital key, e.g. user and time of access. User still has the code to get in, but the logs record a different user, and at a different time.
    • Questions:
      • Does a digital key incorporate the user, time, and permission to access the keyless smart lock?
      • Can the integrity of all three be assured and verified by the keyless smart lock before access is permitted?
  4. Cloud Security: the hardware and software components that allow the ubiquitous access of users, and prevent hackers from getting in to steal data or to provide unauthorized access
    • Concern: Compliance with global privacy laws imply responsibility to protect people’s information.
    • Example: Users access their account information at: https://(somewebsite.com)/user/1234. User manipulates the web address to: https://(somewebsite.com)/user/4567 and views the information of another user.
    • Questions:
      • How do you protect user information from others?
      • Do you understand and implement the concepts of Security by Design, Privacy by Design and RBAC (Role based access control)?
      • Are you compliant with country specific privacy laws (e.g. GDPR, LGPD, PIPEDA, CCPA)?
More Information

Learn more about how Sera4 addresses these questions and concerns:

AP3 Fact Sheet
Sera4 Embedded Security Fact Sheet

As always, feel free to Contact Us to ask any other questions you might have!

A peek inside the Teleporte Cloud from Rancher

Here is a link to a blog from our friends at Rancher. It provides a sneak peek inside how we do cloud. Our own Jeff Klink discusses the advantages of the current Teleporte Cloud architecture. Read it and see how we deliver the security, reliability and scalability that Teleporte is known for.

Rancher is a container orchestration software company. We use their services to help us manage the Teleporte network.