Cloud Security is Not the Culprit in Recent Cyberattacks

Last week, Silicon Valley-based Internet of Things (IoT) security and surveillance provider Verkada announced a major cyberattack, which allowed hackers to gain access to live feeds and archive video associated with 150,000 cloud-connected devices. Most organizations affected by the attack found out about it when their surveillance images, including footage from inside prisons, hospitals, and software providers, started circulating online. The attackers were able to gain access to the command-and-control systems of these cameras, which gave them unfettered access to cameras in organizations across the world.


Whenever there is a cyberattack of this nature, it leads people to question the security of cloud solutions. However, this shouldn’t cause general fear, uncertainty, or doubt around using systems that have a cloud architecture. A well-designed cloud system is perfectly secure. 

While the details of the compromise are not yet available to the public, there are several hints as to the vulnerabilities of this specific hack, and some key actions enterprise IoT users can take to protect themselves against similar attacks. 

“The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras.” 

A note from CEO Filip Kaliszan, Verkada 

The system was compromised by accessing a vulnerable support server. The fact that a support server has either direct access to the command-and-control of cameras themselves, or the fact that it could be used to penetrate another system with access, suggests vulnerabilities in the vendor’s overall design. Simply, their network infrastructure is not configured with a model of zero trust. Founded by former Forrester Vice-President and Principal Analyst John Kindervag, zero trust is a security framework that reduces the potential for data breaches by removing default trust/access to systems, even those within the firewall. 

“…we have no evidence at this time that this access was used maliciously against our customers’ networks.” 

Filip Kaliszan 

If the IoT device is installed within a corporate network, it’s easy to set up the network so devices don’t have access to anything within the network. VLANs and Layer 2 switching make physical separation of networks easy, and can avoid security concerns. Most hacks are not due to the inherent security of the solution, but the mistakes made in securing it.
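An added example, not from the original article or from any vendor's tooling: a small audit of a first-match ACL that checks whether traffic from an IoT VLAN can still reach protected subnets, which is the kind of configuration mistake the paragraph above refers to. The rule format, subnets and names are constructed assumptions.

```python
"""Audit a first-match ACL for paths from an IoT VLAN into protected subnets."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any port


def _intersect(a: str, b: str) -> Optional[str]:
    """Overlap of two CIDR blocks. CIDRs either nest or are disjoint."""
    na, nb = ip_network(a), ip_network(b)
    if na.subnet_of(nb):
        return str(na)
    if nb.subnet_of(na):
        return str(nb)
    return None


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and outer.proto in ("any", inner.proto)
        and (outer.dport is None or outer.dport == inner.dport)
    )


def find_leaks(rules: List[Rule], iot_vlan: str,
               protected: List[str]) -> List[Tuple[int, Rule]]:
    """Return (rule index, exposed flow) for each permit rule that lets
    IoT-VLAN traffic reach a protected subnet and is not fully shadowed by a
    single earlier deny. Conservative: a permit that is only blocked by
    several partial denies combined is still reported for manual review."""
    leaks = []
    for i, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        src = _intersect(rule.src, iot_vlan)
        if src is None:
            continue
        for net in protected:
            dst = _intersect(rule.dst, net)
            if dst is None:
                continue
            exposed = Rule("permit", src, dst, rule.proto, rule.dport)
            shadowed = any(
                r.action == "deny" and _covers(r, exposed) for r in rules[:i]
            )
            if not shadowed:
                leaks.append((i, exposed))
    return leaks


# Constructed sample data (not taken from any real network).
IOT_VLAN = "10.20.0.0/24"                    # cameras, locks, sensors
PROTECTED = ["10.10.0.0/16", "10.30.5.0/24"]  # corporate LAN, server subnet

# Weak: a broad "internal is trusted" permit also matches the IoT VLAN.
WEAK_RULES = [
    Rule("permit", "10.20.0.0/24", "203.0.113.10/32", "tcp", 443),
    Rule("permit", "10.0.0.0/8", "10.0.0.0/8"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Hardened: the IoT VLAN is denied to all internal space before that permit.
HARDENED_RULES = [
    Rule("permit", "10.20.0.0/24", "203.0.113.10/32", "tcp", 443),
    Rule("deny", "10.20.0.0/24", "10.0.0.0/8"),
    Rule("permit", "10.0.0.0/8", "10.0.0.0/8"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        leaks = find_leaks(rules, IOT_VLAN, PROTECTED)
        print(f"{name}: {len(leaks)} exposed flow(s)")
        for idx, flow in leaks:
            print(f"  rule {idx}: {flow.src} -> {flow.dst} "
                  f"proto={flow.proto} dport={flow.dport}")
```
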
 
Enterprise IoT customers can also ensure that any connected device coming into the organization is updated from default passcodes or admin passwords. In an interview regarding the Verkada breach with CCTVBuyersGuide, Asaf Hecht, Cyber Research Team Leader from CyberArk commented, “The potential for breaching common IoT devices, like security cameras, is something we’ve been talking about for years. Cameras, much like other hardware devices, are often manufactured with built-in or hard coded passwords that are rarely, if ever, changed by the customer.” 

“While we can’t be sure that’s what happened in this case, recent breaches certainly have ‘scale’ in common, demonstrating attackers’ growing confidence and precision – and ability to efficiently extrapolate weaknesses for impact.” 

Is Sera4’s Teleporte cloud solution for keyless access control safe?
TL;DR YES! 

At Sera4, we easily argue that our Teleporte cloud architecture enhances your organization’s security. 

Cloud Security By Design 

Teleporte implements a network design that doesn’t have support servers connected to our private cloud. Teleporte implements its services in independently ISO 27001 managed data centers; there is no dependence or connectivity on support servers in our office. The office is a place to work, not a place we depend on to run our products.

Teleporte, when implemented in the cloud instead of an enterprise network, means our customers don’t have to worry about compromised systems affecting Teleporte services—and neither do we. Internal enterprise systems, and even your employees, don’t have direct access to the Teleporte servers. 

Finally, Teleporte locks and lock controllers don’t have IP addresses. They aren’t directly connected to the Internet, and as such can’t be opened en masse by an external hacker. Equally, they could never be taken over to compromise your enterprise network.

Cloud Security By Experts 

Ultimately, there are many examples of products that operate effectively from the cloud. The best cloud products were built by experts who approach products and solutions with a security-first mindset. The Sera4 team is comprised of network, mobile, and embedded experts, and a security-first approach is in our DNA. Our solutions were purpose-built to provide the most secure, scalable, and reliable keyless access control on the market. Book a demo of our Teleporte solution and you’ll find that the decision is easier to trust than the alternatives.
 

Why Reliability is Your Keyless Access Control Program’s Most Important KPI

Keyless access control systems are becoming more common, especially to safeguard critical infrastructure and remote sites. While there are a number of benefits to going keyless, there is always a risk of low adoption. In our experience, the reliability of a solution, whether actual or perceived, is the most significant factor in a successful implementation. 

In short: if the people using electronic keys aren’t able to successfully open what they need to open, it threatens the adoption of a chosen solution. And without widespread adoption, companies lose out on the benefits of implementing a keyless solution, like cost savings, identity control, scalability, and operational insights.  

So, what does reliability mean? 

Reliability means that locks open when a user tries to open them. It’s that simple. Or is it? 

All locking systems have a mechanical element to them, and all mechanical elements are prone to failures. Rust, wear and tear, freezing, and other extreme conditions can all lead to mechanical failure. Electronic elements are also prone to failure. Sometimes components get lost, sometimes devices break, sometimes batteries die. And when these elements fail, the lock is considered less reliable. 

How can reliability be achieved? 

There are two approaches to achieving reliability in opening a lock: 

  1. Precision manufacturing and design for high-reliability use in rough environments 

Locks need to be able to stand up to extreme conditions—environmental, or otherwise. Moisture, temperature, extreme weather, and other environmental conditions can all affect the performance of a lock over time. And people will try to break into whatever is being secured. Locks need to be designed and manufactured to stand up under almost any condition, over and over, without issue. 

  2. Reducing the number of points of failure 

This is where electronic key systems have traditionally had fundamental challenges. Electronic keys can fail. Batteries run out of juice, people drop them or otherwise damage them, or people lose them. Electronic key chargers can fail. Electronic key data relays and local servers can fail. The electronic lock itself, like a cylinder or padlock, can fail. The central management system can fail. And when they do (because they will), it’s frustrating and inconvenient for the person trying to open the lock.

That’s a lot of failure. Is there any hope? 

Yes! A good keyless system eliminates many of the electronic points of failure above, reducing opportunities for unsuccessful opens. Yes, electronic locks can fail. Yes, smartphones can fail. (Even though most people can’t even remember a time their smartphone spontaneously failed, a good keyless system includes a failsafe). Yes, the software can experience temporary outages. But these are all far less likely than the key itself causing a problem. 

When the electronic key is the weak point in an electronic access control system, it’s time to consider going keyless, because it means your system isn’t reliable.  
 
Reliability means that key management is always available. 

In order to deliver a truly reliable keyless access control system, providers must invest in modern, high-reliability, self-healing, self-monitoring cloud server architectures.  

When an access management service relies on one computer (whether it’s on-premises or cloud-based), this system does not deliver high reliability. Hardware faults inevitably happen to all hardware at one point or another. Reliability is all about having redundancy and monitoring to prevent a single failure from taking out a system. Reliability is all about enabling 9,999 successful accesses out of 10,000 attempts, and a >99.9% uptime on admin service (which are, coincidentally, Teleporte’s most recent stats).

The Consequences of Unreliable Systems

Key management system reliability is more important than it may sound at first pass. If it’s just a question of the admin dashboard at the NOC being unavailable on rare occasions for a time, this is easy to trivialize. But most access control systems are integrated into workflow automations. Having the access control automations stop can bring an entire operation to a halt. 

And don’t underestimate the impact that unreliable systems have on the people that use them. To realize the many benefits of keyless access control, the system must be used. People will not embrace a system that makes their jobs more difficult. Much in the same way that people resist corporate software that doesn’t meet their needs, and compensate with shadow IT, your employees will find a way around a system that they can’t count on. The best way to ensure adoption of a keyless access control solution is to provide a reliable system that helps people do their jobs, instead of hindering them.

We’ve worked with a number of organizations to help maximize adoption of reliable keyless solutions, and we’ve come up with a pretty great list of dos and don’ts. If you’d like to learn more about whether Teleporte is right for you, get in touch.

Keyless Access Control: Facts and Friction

Keyless access control is changing the way we protect and grant access to critical infrastructure and remote sites. While the technology isn’t new—key cards and touch pads have been around for a while—it has evolved to bring benefits far beyond not needing to carry keys.


Working with customers across industries and across the globe, we’ve identified the top benefits of implementing a keyless access control solution:

Cost savings

Keying and re-keying locks is expensive, and those costs can add up if re-keying takes place regularly due to numerous sites, high staff turnover, and/or lost keys. There’s also the resource cost and overhead of keeping track of physical keys. Most organizations have better things to do with their time and money, and should consider the savings they can realize with a keyless solution.

Identity control

Even with the best policies, procedures, and oversight, it’s hard to guarantee that your mechanical keys stay in the appropriate hands. Keyless access control solutions provide a link between access and identity, and it’s easy to grant and revoke access to specific individuals as needed.

Our solutions create an automated access log, so administrators can reliably identify who accessed which locks, and when.

Convenience

There’s no doubt that keyless access control solutions are more convenient than traditional mechanical keys. People who need to open doors, cabinets, gates, and other access points can do so without carrying around heavy key rings; and administrators can issue electronic keys, in real-time, to anyone who needs them, wherever they are.

Operational insights

Automated access logs allow you to gain key insights into processes and operations within your business. Through these logs, you can understand how long processes take, identify discrepancies between work completed and billing, and schedule and resource jobs and projects appropriately.

This all sounds great; where does the friction come in?

Despite the significant benefits of implementing keyless access control, not everyone will be on board right away. Moving from mechanical locks to keyless, electronic locks is a big shift, and will likely raise concerns and create friction with a few of the stakeholders in your access control strategy.

Your go-to locksmith

To your locksmith, implementing locks that don’t require keys and rekeying may be bad for business. Their business, not yours.

However, we’ve worked with a number of locksmiths who are eager to evolve with the times and round out their offering with a modern, keyless solution. Your local locksmith might be more of an ally than you think!

Your operations team (or whoever controls the keys)

As mentioned above, keeping track of mechanical keys requires a lot of oversight—and a lot of human resources. Introducing a keyless solution increases operational efficiencies, and sometimes those efficiencies are found by reducing staff and/or consolidating responsibilities. When discussing a keyless proposal with your operations team, carefully consider what this means for their roles and responsibilities, and identify areas where they can now refocus their energies and freed up time.

Your Manager/Director of Security

Introducing a keyless solution may create friction with your security team, especially if they’ve been around for a while and have gotten comfortable with traditional access control solutions. Inertia and the status quo can be a formidable opponent when considering a new solution. Even if the team is open to a keyless option, existing access points may require that they manage a hybrid solution, which isn’t ideal for either the security team or for the end users.

If your team members are agile in their thinking, they can see how they can be more effective and valuable in their job with a tool like Teleporte. If they have spent decades honing habits and processes that make them effective with lock and key infrastructure, then keyless solutions may be perceived as a threat. It’s understandable that someone might be concerned about being replaced with automation. However, it’s likely that businesses will continue to modernize and team members can either resist the change or embrace it as a new opportunity to future-proof their skills.

Technicians, site visitors, and end users

You may run into friction with people who object to installing an app on their own phones for work purposes. While this may not apply when people are given work phones or an expense credit for the phone bill, your end users will sometimes be hesitant to being tracked. However reasonable it is for companies to require reliable identification for access control, some people like their anonymity and don’t want to be identified, even if they are not doing anything wrong.

Thieves

As an example, millions of dollars’ worth of copper cables are stolen each year in Latin America, and someone is profiting. Whether it’s petty thieves selling scrap metal or looking to insulate their electricity supply against unreliable utilities, or organized crime, keyless access threatens the value that they have come to enjoy.

When it comes to keyless access control, the benefits and efficiencies gained far outweigh the potential friction with internal and external stakeholders. We’ve worked with a number of organizations to help maximize adoption of keyless solutions. If you’d like to learn more about whether Teleporte is right for you, get in touch.

Why Tower Companies and Mobile Network Operators Should Share Keyless Access Systems

A lot of value is unlocked (no pun intended!), for both the landlord (towerco) and tenant (MNO) when they share a system, not only from a security perspective, but from an operational efficiency perspective as well.

Keyless padlock on telecom MNO towerco gate

Shared Systems = Better Security

Imagine that every time you left the house, you put a lock on the refrigerator, but left the front door open. That wouldn’t make sense; someone could break the lock in the privacy of the house, or even steal the whole fridge, without much effort. But it’s analogous to what often happens when MNOs and towercos don’t share security systems or standards. MNOs put so much effort and stringency into the security of their networks, and often less so into the security of physical sites; especially sites that they don’t own or control. It’s critical for cybersecurity that MNOs have reliable control of who accesses network elements behind firewall protection. With physical keys, it’s hard to keep track of them, and therefore hard to ensure that bad actors can’t wreak havoc on the network. In markets where theft and vandalism are common, MNOs are at risk for major disruption if the security of the site is breached. In our opinion, MNOs should not accept a security standard from a towerco that is any less than their own asset security. The risk is too high. Our experience shows that, not only does sharing a keyless system on both the towerco and MNO assets eliminate the liability of physical keys and the potential for bad actors to get their hands on them, it also reduces petty theft and inside jobs on site. Identified people tend to behave themselves, and that’s what we’re really selling: identity. Sera4 provides a reliable mechanism for identifying which individuals are accessing which site, and when.

Work Better Together

In addition to reduced vandalism and theft, a shared wireless access control system improves operational efficiencies.

Reduce access control overhead
Sera4’s Teleporte platform allows administrators to automate key issuance based on work orders, whether from the towerco or the MNO. This automation reduces the overhead that comes with maintaining an access control system, and ensures that only specified individuals are gaining access when required.

Issue keys for multiple assets at once
On a shared system, administrators can issue keys for multiple assets at once, whether owned by the towerco or the MNO. Separate keys for the gate and the panel? No problem!

Remove logistical challenges of physical keys
With some towercos managing 200,000+ sites, it’s a logistical nightmare to get physical keys to contractors/staff who need them, when they need them. These challenges are eliminated with wireless keys, allowing towercos to serve their tenants faster, thereby serving the MNOs’ customers faster.

Improve end-user experience
End users only have to learn one system, and only need one app to not only access the site, but the assets within, like active equipment cabinets or panels.

Gain insights into on-site processes
Teleporte provides an on-site audit trail of when locks were opened and closed, allowing operations teams to optimize SOPs, manage resources appropriately, and identify when processes aren’t being followed.

We offer special packages for MNOs and towercos looking to implement a shared wireless access control system. Visit us at https://www.sera4.com/demo/ to learn more about how we can help you work better together.

When Wireless Infrastructure Changes Hands

With the rollout of 5G networks, wireless infrastructure assets, such as cellular towers, are becoming one of the most valuable real estate investments. With 300,000+ towers in the US and companies such as Uniti, AT&T, and Phoenix Tower entering large scale tower deals over the last 18 months, it prompts a natural question: what does buying and selling physical wireless infrastructure mean for security?

A Short History Lesson 

20 years ago, when the mobile network industry was exploding, wireless telecom operators bought up a lot of real estate to build towers to support their networks. These real estate holdings created a bunch of assets and liabilities, independent of the primary wireless network business. Management came up with a grand idea: sell off the assets and lease them back to run their networks. And the towerco was born. 

At the same time, smart entrepreneurs saw the opportunity to buy up land, erect a tower, and enter into lucrative contracts with carriers to host their antennas and equipment.  

Where Keyless Access Control Comes In 

Telecom towers are assets, being bought and sold all the time. The average tower transaction ranges from 1 to 50,000 towers. Sellers are looking to maximize the value of their portfolio for sale; buyers are looking to buy something that integrates into their existing operations, as seamlessly as possible, even at scale.  

Buyers of telecom assets have the same concerns as buyers of a new home. They wonder whether they have keys for all the locks, and whether all the keys have been returned or if there are still some floating around out there. Home buyers often solve this by changing the locks. Now, imagine you’re buying many houses at once and they’re spread across the countryside, sometimes without road access. Changing the locks is expensive and time-consuming, and creates a liability for the new buyer. A keyless access control solution, like Sera4’s padlocks and Teleporte platform, can help alleviate these challenges for both buyers and sellers.

For sellers, including a wireless access control system in the sale increases the value of the portfolio because the locks can be sold as assets, along with the towers. Buyers are often willing to pay a premium because they trust that there aren’t any loose keys post-acquisition, and they’re acquiring a more efficient operation, complete with insights to help them optimize their processes.  

The value of assets beyond the towers themselves isn’t traditionally part of the consideration process in these transactions, but it should be. If you’d like to learn more about how Sera4 is helping telecom, and other industries, safeguard their physical infrastructure assets, book a demo at https://www.sera4.com/demo/.

We sell identity (not just access control)

Security. Reliability. Scalability. These are all things that we’re proud to provide to our customers, and that our customers have come to rely on. One thing we don’t talk about enough is identity. We have a suite of hardware and software solutions to help utilities, telecom, oil & gas, and other industries provide access control to their assets and critical infrastructure. But that’s not really what we’re selling. We’re selling identity intelligence, and we think it’s the most important thing we do.

The basics of identity intelligence are easy to understand: you want to know who’s accessing your assets, and when. That’s why our customers choose Sera4 over other types of access control solutions—in addition to high-quality wireless padlocks that eliminate the inherent challenges of traditional keys, Sera4 provides insights into which individuals are accessing your critical infrastructure, when they’re accessing it, and how long they’re staying.

Hand holding phone showing Sera4 access control app

These types of insights are useful for three reasons. First, and most simply, people behave better when they know they are being identified. We’ve found that vandalism on a telecom site is reduced by 60-80% when a person is tagged on site, and is held accountable for what happens while they’re there. Even when you have no bad actors in your organization or contractor network, that level of accountability helps ensure that individuals clean up and lock up the way they’re expected to.

Second, keyless locks provide automatic, real-time audit trails, eliminating the need for manual logs that are frequently subject to human error. For businesses that require audit trails for their own security or for certifications like ISO 9001, keyless locks provide much easier collection of these activity logs.

And third, and maybe most interestingly, is that once you know who is accessing controlled assets when, and how long they’re staying, you can learn a lot about processes in your organization, and how to optimize them and make them more efficient. This is why we released Work Sessions; using Teleporte, our customers can understand the flow of on site work, and gain insight into how long specific components of a process take.

Screenshot of Sera4 access control dashboard with map and audit log

Regularly analyzing audit trails and entry/exit data allows you to create a baseline for how long specific jobs take, and use that information to make better decisions. For example, these insights can help you define scope of work and billing with contractors. They can help you reconcile invoices for work performed—in fact, one of our customers is considering adding opening and closing the Sera4 lock to the SOP for all contractors, so he can analyze the data and find areas for improvement. The insights from Teleporte can also help you determine the capacity of and forecast changes for your workforce.

Our solutions allow our customers to manage identity across any number of sites, in any location, at scale. Whether you need 10 locks and keys, or 10,000, we provide a complete feature set and predictable, transparent pricing. If you’d like to see our solution in action, or learn more about how our customers are using Sera4 to safeguard their most critical assets, contact us.

Keyless Padlocks in Winter

Winter is hard on padlocks. We know. We live in Canada. Cold can make oil sticky. Freezing rain and a hard frost can seal moving parts. Here are some things you should be considering when deploying keyless padlocks in a winter climate.

Battery Types

Most battery types (and all rechargeable types we know of) have significantly shorter battery life as temperatures drop below freezing. A typical rechargeable battery will not only lose charge in the cold, but will not recharge well in the cold either. Batteries that can’t perform in the cold will leave you locked out in the cold.

When a battery has charge, it needs to be designed for the cold to deliver its rated current in the cold. This is why automotive batteries in cold climates advertise Cold Cranking Amps. Lower current leads to less powerful or slower internal motor operation. This may result in a lock that does not open or close as it was designed to do.

The solution is simple. Ensure a battery is designed to work in the cold for reliable winter operation.

Sera4’s AP3 padlock uses replaceable Lithium Thionyl Chloride batteries. These military-grade batteries are formulated to perform similarly in the coldest and hottest natural temperatures on Earth. In the event that the battery is out of power after a time (this happens to every battery), the micro-USB port is convenient and accessible and facilitates access. An added bonus is that maintenance is a lot faster on a replaceable battery than with a rechargeable padlock. We can also deliver our products with full charge and ready-to-deploy, where rechargeable batteries need to ship at 30% charge.

Electronics

Electronics used outdoors in the winter must be designed and qualified for reliable use in cold temperatures. Consider that most consumer electronics in winter climates are still consistently used above the freezing point. Electronics require additional design and quality considerations to function reliably in deep cold. Designing electronics for the cold follows well-known quality standards (such as AEC-Q100), requiring specific attention during product development. We don’t expect consumer-grade electronics to consistently work outside in the dead of winter.

Ice Buildup

You should be concerned about ice buildup on padlocks in the winter. Humidity or water can get into parts of a lock and then freeze. Once there is solid ice around a mechanism that needs to move to open or close, the best thing to do is to melt the ice.  This is obviously inconvenient. We recommend focusing on simple installation tricks that will keep precipitation off the padlock in the first place.

AP3 is IP66-certified, so it will be fine to be left out for years in the rain. In winter climates, we recommend installing a simple vinyl flap over top of the padlock as shown below. This simple solution has proven in our tests to be more effective than more complicated approaches. 

In case you do find a padlock with significant ice deposits, try to resist the urge to hit it with a hammer to chip away at accumulated ice. This usually only removes superficial ice and can result in surface/finish damage to the padlock body or shackle. Instead, try pressing the shackle deeper into the lock body. This will often dislodge stuck components. Another smart option is to use a lock de-icer fluid. These bottles are small, inexpensive and effective.

Don’t let winter get between you and the benefits of going keyless. With the right products and a little bit of care during installation and operation, winter won’t be an issue. Feel free to talk to us if you have any questions about padlocks in winter weather.

Hidden Access Control: Security through Obscurity

Sometimes the best way to protect something is to hide it.

To some people, a keyhole or a padlock or a handle on something will act as a public notice that reads “Valuables Inside.” Those who are motivated to steal notice these signals. And once those people have identified them, the signals can tell the story of how to break them at a glance.

With keyless access, you can design a more secure system to protect your assets with a fully hidden mechanism. Imagine how the hood of your car opens, and you’ll have a good idea of what we mean. With a Sera4 Lock Controller, you can design a door, a panel or other secure hinged compartment that pops open by the touch of a smartphone. A door like this is more secure because it’s more hidden. It won’t have a handle, a keyhole, a padlock or other signals that it opens. And even when somebody might want to break in, it’s not clear where or how to start an attack.

Vertical Infrastructure: AX5 controlling access on a smart light pole.

5G demands denser networks in urban areas. This means that communications equipment is being installed in places like fake trees, park benches and lamp posts. These are places where people aren’t expecting to find anything valuable, and keeping access points obscure keeps them out of sight and out of mind. The only way to tell that there is an access point is to check with the Teleporte app on your phone.

Reliability

In the unfortunate event of a system failure, a door without a handle can be a difficult thing to open. The most common type of failure is a power failure: dead batteries. This is where our Access Pad can help. It provides a power connector (for a common 9V battery) to conveniently and discreetly power a dead system to get it open. In the rare case of a radio or app incompatibility, the Access Pad enables our Failsafe Unlock feature.

Sera4 Access Pad

With the latest technology, access points can be designed to be more secure and look better at the same time.

Please reach out to us. Each application is a little bit unique. We’d love to discuss how we can help conceal your access points.

How Teleporte achieves Scale, Security & Reliability

Our own Jeff Klink was interviewed by SiliconAngle at Kubecon 2020 and authored an article in InformationAge, sharing how Teleporte Cloud is designed for scale, security and reliability. Both pieces focus on Sera4’s leading transformation into a distributed microservices cloud architecture, with some recommendations for others who want to follow us.

Security Update June 2020

Last week the NVD (National Vulnerability Database) was updated with 19 new vulnerabilities affecting IoT devices.

Specifically, the ICS-CERT advisory for vulnerabilities in the TCP/IP stack used by some IoT devices highlights important aspects of the design and function of security devices. Sera4 products are not vulnerable to any of these attack vectors.

Security by Design

Our locks and controllers use the Teleporte Embedded software stack, which:

  • does not include a TCP/IP stack,
  • includes the capacity to perform software updates, and
  • is regularly tested, maintained, and updated.

As a part of Security by Design, it’s important to limit the number of software and libraries used in developing a service. Some vendors may include a TCP/IP stack or services simply because the device’s operating system includes those features. Teleporte Embedded integrates only components that it strictly requires.

In-Field Updates

Equally, it is important that IoT devices are maintained and can be updated (in the field after entering service), so that security certificates don’t expire and devices aren’t left without security or support.

Teleporte is actively maintained, with regular updates to features and capabilities – the mobile application and lock software are always improving.

Keeping these in mind, rest assured that Sera4 leads the way in innovation and security for your critical application. To learn more about Sera4’s security innovations, contact us. We’d love to talk with you.