Preventing a Relay Attack

This story has been another unfortunate illustration of Bluetooth security vulnerabilities and lock vendors who may lack the expertise in cybersecurity to secure your property properly when using digital keys. In this case, the attack strategy used is known as a relay attack.

How we prevent relay attacks

Relay attacks are well known. The only excuse we can understand for making it possible is “we didn’t know better”. Security experts should. We prevent relay attacks with the following process.

  1. Every lock has its own digital certificate signed by the Teleporte Digital Signing Authority (DSA).
  2. Every Teleporte Mobile App downloads the digital certificate and authenticates the lock’s digital certificate with the Teleporte DSA.
  3. The mobile device only communicates with locks that are verified authentic through steps 1 and 2. Mobile devices use the lock’s public key to encrypt information, knowing the only endpoint capable of decryption is the lock itself.
  4. We change the encryption for every new connection between the lock and the mobile device.

Step number 4 is the key (no pun intended) to preventing a relay attack. While a sniffer might be able to see and repeat the byte sequence that unlocked the lock moments ago, the lock enforces a new method of encryption for each connection. Repeated old data is useless in future connections.
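The property described in step 4, as an added example that is not Sera4's code or protocol: a frame recorded in one connection is rejected when repeated in a later one. HMAC under a per-connection derived key stands in for the page's unspecified per-connection encryption, and `PAIRING_SECRET`, `Lock`, `phone_unlock_frame` and the frame layout are assumptions; the certificate checks of steps 1 to 3 are not modelled.

```python
import hashlib
import hmac
import secrets

# Assumption: PAIRING_SECRET stands in for key material the phone and lock
# already share after the certificate checks in steps 1-3 (not modelled here).
PAIRING_SECRET = b"constructed-demo-secret-not-a-real-key"


def session_key(secret: bytes, lock_nonce: bytes, phone_nonce: bytes) -> bytes:
    """Derive a key bound to this connection's two fresh nonces."""
    return hmac.new(secret, b"session" + lock_nonce + phone_nonce, hashlib.sha256).digest()


class Lock:
    """Hypothetical lock: one fresh nonce per connection, one command per nonce."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._nonce = None

    def open_connection(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # new for every connection
        return self._nonce

    def handle(self, frame: bytes) -> bool:
        """frame = phone_nonce(16) || command || tag(32). True means unlocked."""
        if self._nonce is None or len(frame) < 48:
            return False
        phone_nonce, command, tag = frame[:16], frame[16:-32], frame[-32:]
        key = session_key(self._secret, self._nonce, phone_nonce)
        expected = hmac.new(key, command, hashlib.sha256).digest()
        self._nonce = None  # a nonce is never accepted twice
        return hmac.compare_digest(tag, expected) and command == b"UNLOCK"


def phone_unlock_frame(secret: bytes, lock_nonce: bytes) -> bytes:
    """Build the phone's unlock frame for the connection identified by lock_nonce."""
    phone_nonce = secrets.token_bytes(16)
    key = session_key(secret, lock_nonce, phone_nonce)
    tag = hmac.new(key, b"UNLOCK", hashlib.sha256).digest()
    return phone_nonce + b"UNLOCK" + tag


def demo() -> dict:
    lock = Lock(PAIRING_SECRET)
    # Connection 1: legitimate unlock; an observer records the frame bytes.
    nonce1 = lock.open_connection()
    captured = phone_unlock_frame(PAIRING_SECRET, nonce1)
    first = lock.handle(captured)
    # Same connection, same bytes again: the nonce is already consumed.
    same_conn = lock.handle(captured)
    # Connection 2: the recorded bytes arrive again under a new lock nonce.
    lock.open_connection()
    replayed = lock.handle(captured)
    # Connection 3: a legitimate phone still unlocks with a fresh frame.
    nonce3 = lock.open_connection()
    fresh = lock.handle(phone_unlock_frame(PAIRING_SECRET, nonce3))
    return {"first": first, "same_conn_repeat": same_conn, "replayed": replayed, "fresh": fresh}


if __name__ == "__main__":
    print(demo())
```

The example covers the case the paragraph describes, bytes recorded from one connection and repeated later; it does not model traffic forwarded live within a single connection.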

We like our competitive advantage in digital security. We’d like it even more if people could trust keyless access solutions in general.

New Icons in the Teleporte Mobile App

We’ve always considered the padlock icon in our app to be generic. It can represent all types of lock, and is meant to show the open/closed or locked/unlocked status visually.

With Teleporte Mobile App 6.2 and above, we are introducing new icons that match certain types of known lock. Our own AP3 armored padlock is the first of the new icons that customers are likely to notice. The old generic padlock icons will continue to represent unidentified lock types.

This is a cosmetic update that we hope can bring moments of charm to our users’ experience.

Certified Ethical Hacker (CEH)

Sera4 is, first and foremost, an information security company. Earlier this year, we achieved ISO 27001 certification to demonstrate our commitment to cybersecurity. That project involved adapting all our company processes to match cyber-secure best practices. But we didn’t stop there.

We’ve also recognized the need for cyber-certified personnel to ensure we have the necessary expertise on staff. We’re proud to announce that we now have a Certified Ethical Hacker (CEH) on our team at Sera4.

What does CEH mean and do for our organization?

Ethical hackers (or white-hats) focus heavily on the hacker’s perspective. In the cyber world, we have primarily those who hack people (called the red team) and those who defend and fortify against them (called the blue team). The blue team learns both the toolsets and the perspectives of hackers, and constantly applies blue team logic to red team activities. Ethical hackers are blue team. They spend time actively doing reconnaissance activities, learning about new ways to break into a system, and then putting up barriers to defend against them.

Ethical hacker certifications are another way that Sera4 continues to raise the bar on security and defence. When combined with penetration testing, this approach provides the best overall end-to-end security. We’re actively staying ahead of the pervasive threats that are becoming more common every day.

To learn more about CEH and understand why it should be a requirement for any connected service today, contact us.

Download with Confidence

We write all our own software at Sera4.

We choose to do it because we believe this is the best way to ensure both the security of the platform and the best possible user experience. Not all keyless access control providers insource their app development or software engineering resources. We believe that the risks are too high to save money like that.

There are some things you can look at before downloading an app that can give you some clues to how well-designed and maintained it is.

  • How recent was the latest update? Operating systems constantly change and security threats evolve. Apps need to be constantly updated to keep pace. We suggest that an app that hasn’t been updated within the last 4 months has been suffering for lack of attention.
  • How many downloads does it have? This can give a good sense of how much real-world use this mobile app has seen. Apps with recent Release Dates or few downloads may still have some bugs to work out.
  • How big is it? Bigger downloads are often a result of the inclusion of cross-platform libraries, media or extra code. All this extra code can present added attack surface. Besides, who wants to run out of phone memory faster?

Teleporte on Google Play — captured on April 11, 2022.

And, of course, take a look at the ratings and reviews in the app store, and decide for yourself.

If you’d like to learn more about how we design the app, our embedded code, our cloud servers for security from the ground up, contact us.

PS. Of course, we code our embedded firmware and cloud servers 100% in-house at Sera4 as well, and our apps are coded natively and independently for Android and for iOS.

Keyless Network and Server Cabinets Made Easy

Most critical infrastructure environments contain some form of network and/or server cabinets. No matter where these cabinets may be — in IT/telecom closets, wall mounted above factory floors, in remote hallways and parkades, at remote shelters, or even in data centers — the consensus is clear: access control at the network or server cabinet is a common challenge.

Keyless access makes sense in these applications. When each cabinet should be controlled independently, that’s a lot of keys to get to people and a lot of fumbling through a keyring to find the right key for that specific rack. With keyless access, there are no keys to forget at home, leave in the car, or to lose!

Go Keyless

Teleporte makes it easy to go keyless from a cabinet with a traditional key system. A retrofit can often be done in less than 30 minutes. Pop the old one off and put an electric one in. Pair it with a Sera4 Lock Controller and optional AccessPad, and you’re done! No wiring to the door. No mess. No IT integration required.

Take out the old handle, add a new e-handle with a Sera4 Lock Controller and you’re done.

Then, as with all our access points, you get to know who is in your specific network or server cabinet, for how long, and you can grant or revoke digital keys from anywhere, instantly. There is no limit to the number of users, keys or access events to the solution. And there is no network required to operate the management platform.

Whether you start with 1 cabinet or 1000, the experience is the same and there is no capacity limit.

Contact us and we’ll share the full details of this process and help you through the steps.

New Dashboard for Teleporte Admins

Although there have been many new features introduced and many behind-the-scenes improvements, the overall look and feel of the Teleporte Admin Dashboard has remained largely the same since 2017.

With the launch of our server 3.14 (released today, on pi day) we are previewing our new Dashboard design, built on the latest technology. After 5 years and a lot of customer use, it was time for a major upgrade. Any customers who want to try out the new interface can do so easily, as follows:

  1. Log in to Teleporte.
  2. Click on your user name in the top right corner of the interface.
  3. Select the option “Teleporte Dashboard (Beta)”.

And that’s it: you’re in. You’ll notice an interface that should feel familiar and brand new all at the same time.

Some Highlights of the New Dashboard

The new menu

We designed this update to be intuitive and have very little re-orientation time for our existing users. For example, the Menu has been redesigned as you see to the left. This design is just more intuitive and useful than the old straight list.


New Notification Format

One of the first changes you’ll likely notice is that the Notifications look different. You can see much more information and add comments. For photo notes, you can now see the associated pictures. You can dismiss notifications by clicking the checkmark. A new Filter function is useful for selecting the types of Notifications that you are interested in seeing.


Real-time updates

Perhaps the most compelling feature of our new dashboard is that it updates data in real time. The original dashboard will display information that is current when it is loaded, but requires reloads to refresh the data. Real-time updates without user interaction make this Dashboard even more ready to deploy to a NOC out of the box.


There are many other updates to discover. Some are subtle improvements to be discovered in time. Others are obvious. Our goal in designing this was that by the time you have logged 30 minutes, you never want to go back to the old one.

The new Teleporte Dashboard will remain in preview for a couple of months while we encourage all our users to try it and share their candid feedback to [email protected]. After the Beta period ends and you’ve had the chance to test it in your environment, we plan to migrate everyone to the new Teleporte Dashboard as the only available view. This will mean the retirement of an interface that many of us have grown very familiar with, but we are confident that the new one is worth the switch.

If you aren’t a Teleporte user yet, contact us and we’ll be happy to show you the new dashboard in a demo.

Log4j: We remain secure

A few days ago, the online world became aware of a security vulnerability in the Java log4j module, which is commonly used in web services around the world. Details about this security flaw are found across the internet on sites like this.

At Sera4, we took action immediately with a complete security audit of our systems. This notice is meant to help our customers who are doing a security audit. We assure you that Teleporte and Sera4 remain secure and unaffected.

Sera4 does not natively use Java in our technology stack, which is the primary way services are compromised. We identified one internal tool which uses Java and log4j. However, that internal tool is not vulnerable (due to the log4j configuration) and a scan confirms that security is maintained.

To our customers, Sera4 confirms:

  1. None of our applications or our cloud environment have been affected by this exploit.
  2. We use one internal tool which relies on log4j; it was not affected by this exploit. The tool has since been upgraded to 2.17.0 to ensure that future configuration changes do not render the application vulnerable.

To anyone new to Sera4 and Teleporte, talk to us about how to get started with a keyless access control that is as digitally secure as it is easy-to-use.

Is Your Critical Infrastructure Security “Abysmal”?

A recent report published by Sparsh Kulshrestha, Senior Security Analyst at CloudSEK, describes the current state of critical infrastructure security as “abysmal”. And with good reason. Kulshrestha points out that, due to increases in remote work, most security efforts have been focused on IT assets, while critical infrastructure assets have largely been neglected.

“While most industrial control systems (ICS) have some level of cybersecurity measures in place, human error is one of the leading reasons due to which threat actors are still able to compromise them time and again,” says Kulshrestha. 

In the report, the CloudSEK team identifies some of the most common weaknesses in Operational Technology (OT) which can be exploited by bad actors, including weak or default credentials, outdated software, and infrastructure vulnerabilities. The report references recent cyberattacks on critical infrastructure, including water supply management, gas transport, the Colonial oil pipeline, and the port of Houston. 

The scope of potential damage resulting from these cyberattacks ranged from exposure of sensitive data, to the manipulation of the chemical composition of the public water supply. While the former is embarrassing and bad for business, the latter could be disastrous. 

Part of CloudSEK’s research included scanning the web, and the team discovered “hundreds” of vulnerable ICSs. 

While this research was focused primarily on vulnerabilities in the software used to manage and control critical infrastructure assets, it highlighted that the physical security of the assets must be just as, if not more, abysmal. While organizations have been investing in some degree of cybersecurity to protect ICSs, much of our critical infrastructure—“the backbone of governments and large businesses”, according to CloudSEK—is woefully undersecured, with rudimentary technology, such as traditional locks and keys, or three-digit combinations known by many individuals (including current and former employees and contractors).

That’s why we’re trying to do something different at Sera4. We believe that critical infrastructure and assets need to be secured to the same, or greater, degree as IT assets, and we’re leveraging best-in-class software design to do it. 

Our access control platform, Teleporte, provides bank-grade security to physical assets. Through Teleporte-enabled access control hardware, including padlocks and unlock controllers, we’re able to eliminate many of the challenges identified in the CloudSEK report, including weak or default credentials, outdated software, and architecture vulnerabilities. 

Teleporte delivers reliable keyless access control and identity management to the critical services and infrastructure we rely on most: telecom, power, utilities, oil and gas, and traffic signals. The cloud-based platform means that it’s continually kept up to date in response to security threats and changing standards, and the fact that it doesn’t rely on existing network infrastructure makes our solution suitable for remote areas, and reduces the risk of network exposure and exploitation. 

We think it’s time to move past the Dark Ages. Literally. With all of our advancements in technology, we’re functionally still using the same technology—mechanical locks and keys—as we did in the 10th century. We can do better,  and we want you to do better. We’re all relying on the critical infrastructure that powers our lives. Let’s work harder to secure it.  

 
To learn more about Teleporte, visit sera4.com

Mechanical Keys: An Anachronism in 2021?

In 2021, your mobile device is likely the hardest-working item you own. If you left your house with only your mobile device in your pocket, would that stop you from having a productive day? Need to check your bank balance? Use the banking app. Buying a latte? Your mobile wallet can take care of that. Have to show your proof of vaccination? Your proof of insurance? Trade stocks? Turn up the heat in your house? Check to see who’s at your front door? You can do all that, from your phone.  
 
We have placed so much trust in the devices we carry around in our pockets, and the cloud software that secures them. We often don’t think twice about adding a password to Apple Keychain, or storing the most personal details of our lives on our phones. But for some reason, many are reluctant to place that kind of trust in their mobile device when it comes to keyless access control. 

Traditional keys are an anachronism in today’s digital world. An artifact from the past, we find some kind of comfort in having a metal key in our possession, to protect what’s important to us. As long as we have “the key”, no one else does, and we derive a great amount of security from that knowledge. 

Ring with many keys before keyless access control

In our homes, this might make sense. Most of us can say, with a high degree of confidence, that we know exactly how many keys to our front door exist, and who has them. However, most organizations are experiencing key sprawl, and they don’t even know how widespread it might be. It’s impossible to know how many times keys have been copied, who has them, who’s using them, and why. Organizations traditionally deal with a misplaced key by rekeying locks, at significant expense and inconvenience. It’s easier, people think, to give a key to anyone who needs it, and deal with the consequences of a key getting into the wrong hands, than it is to design an access control system with digital keys and identity management in mind from the beginning. 

Organizations are sacrificing security for convenience every day, with both cyber/information assets, and critical infrastructure. While a lot of effort is put into creating the illusion of compliance protocols, not enough is being put into actually securing assets. We believe that it’s not enough to lock up an asset; organizations must understand who is accessing what, when, and why.  

Access control is about more than securing assets; it’s also about implementing a defensible solution to assure regulatory compliance. Cloud-enabled access control solutions allow organizations to proactively improve operations, generate reliable audit trails, enforce safety protocols, control regulated materials, and defend litigation.  

Before you issue another mechanical key, or rekey a set of locks after an asset has been compromised, stop and think about the real value of that piece of metal. We’re confident that it’s not as valuable as the security and insights to be gained from a robust keyless access control solution. To learn more about our cloud-enabled access control platform, Teleporte, and the supporting locks and controllers, visit us here or connect with us. We’d be happy to explore these ideas with you. 

Modern Cloud Solutions Make On-Premise Deployments Obsolete

In the old days, computer programs ran on a computer. This made perfect sense in an era when the computer was a standalone machine. The first server applications were the same: they ran on a specific server – a computer in a server room somewhere that was a single point of failure. If there was a power outage, a network outage, a cyber-attack or a fire where that one server was, it was a major crisis. On-premise deployments follow this outdated paradigm.

Modern cloud services are different. Let’s take Teleporte Cloud as an example. We take advantage of the ubiquity of the Internet. We split all the small computing tasks that build the whole service into what are called microservices.

Microservices

Microservices don’t live in just one place. They are distributed and self-healing and adapt to disruptions in network infrastructure. They also exist fairly independent of place: microservices are hosted across the globe and any one of a multitude of identical stateless microservices on the Teleporte network can service a request. It’s not just a routine running on one physical computer anymore. As a Canadian company we serve our clients in Tierra Del Fuego and Malawi with exactly the same high reliability we serve clients in New York. Technically speaking, we operate to a 2N+1 redundancy standard.

Modern network infrastructure also isn’t like it was a decade ago. There isn’t one point of failure or one cable that someone might haphazardly cut with a backhoe. Of course network damage happens from time to time, but with a distributed microservice architecture our users don’t notice as the system adapts around it.

Service Reliability

Proper cloud services design and network monitoring are critical components of a high-reliability solution. At Sera4 we do all the coding and quality assurance for Teleporte Cloud in-house. More importantly, we build our own monitoring tools that ensure network health and service availability. We monitor service availability with this tool, globally and 24/7. 

Part of Sera4’s internal live network health monitoring dashboard

Of course, a network administrator will need a general connection to the internet to work. Fortunately, these are often redundant with wired, wifi and cellular options to reach the internet. Like any good modern web interface today, we design our admin consoles to work on monitors found in network operations centers and equally on the small screens of our mobile phones. 

Reminder: Teleporte keys work and log activity as usual in case of a network outage.

Perhaps the last major concern is cybersecurity. Modern cloud solutions are definitely more secure (and certainly more carefree) than an on-premise solution. As new threats emerge, our systems update automatically to minimize risk. We keep everything updated to work with new phone models as well. From DDoS avoidance to load-balancing, we design the solution to be fully resilient.

Of course, we’d love to show off how this can work for you and why you don’t have to worry about racking another server in order to get the best of keyless access control. Request a demo with us to take the next step.