Why Tower Companies and Mobile Network Operators Should Share Keyless Access Systems

A lot of value is unlocked (no pun intended!) for both the landlord (towerco) and tenant (MNO) when they share a system, not only from a security perspective, but from an operational efficiency perspective as well.

Keyless padlock on telecom MNO towerco gate

Shared Systems = Better Security

Imagine that every time you left the house, you put a lock on the refrigerator, but left the front door open. That wouldn’t make sense; someone could break the lock in the privacy of the house, or even steal the whole fridge, without much effort. But it’s analogous to what often happens when MNOs and towercos don’t share security systems or standards. MNOs put so much effort and stringency into the security of their networks, and often less so into the security of physical sites; especially sites that they don’t own or control. It’s critical for cybersecurity that MNOs have reliable control of who accesses network elements behind firewall protection. With physical keys, it’s hard to keep track of them, and therefore hard to ensure that bad actors can’t wreak havoc on the network. In markets where theft and vandalism are common, MNOs are at risk for major disruption if the security of the site is breached. In our opinion, MNOs should not accept a security standard from a towerco that is any less than their own asset security. The risk is too high. Our experience shows that, not only does sharing a keyless system on both the towerco and MNO assets eliminate the liability of physical keys and the potential for bad actors to get their hands on them, it also reduces petty theft and inside jobs on site. Identified people tend to behave themselves, and that’s what we’re really selling: identity. Sera4 provides a reliable mechanism for identifying which individuals are accessing which site, and when.

Work Better Together

In addition to reduced vandalism and theft, a shared wireless access control system improves operational efficiencies.

Reduce access control overhead
Sera4’s Teleporte platform allows administrators to automate key issuance based on work orders, whether from the towerco or the MNO. This automation reduces the overhead that comes with maintaining an access control system, and ensures that only specified individuals are gaining access when required.

Issue keys for multiple assets at once
On a shared system, administrators can issue keys for multiple assets at once, whether owned by the towerco or the MNO. Separate keys for the gate and the panel? No problem!

Remove logistical challenges of physical keys
With some towercos managing 200,000+ sites, it’s a logistical nightmare to get physical keys to contractors/staff who need them, when they need them. These challenges are eliminated with wireless keys, allowing towercos to serve their tenants faster, thereby serving the MNOs’ customers faster.

Improve end-user experience
End users only have to learn one system, and only need one app to not only access the site, but the assets within, like active equipment cabinets or panels.

Gain insights into on-site processes
Teleporte provides an on-site audit trail of when locks were opened and closed, allowing operations teams to optimize SOPs, manage resources appropriately, and identify when processes aren’t being followed.

We offer special packages for MNOs and towercos looking to implement a shared wireless access control system. Visit us at https://www.sera4.com/demo/ to learn more about how we can help you work better together.

When Wireless Infrastructure Changes Hands

With the rollout of 5G networks, wireless infrastructure assets, such as cellular towers, are becoming one of the most valuable real estate investments. With 300,000+ towers in the US and companies such as Uniti, AT&T, and Phoenix Tower entering large scale tower deals over the last 18 months, it prompts a natural question: what does buying and selling physical wireless infrastructure mean for security?

A Short History Lesson 

20 years ago, when the mobile network industry was exploding, wireless telecom operators bought up a lot of real estate to build towers to support their networks. These real estate holdings created a bunch of assets and liabilities, independent of the primary wireless network business. Management came up with a grand idea: sell off the assets and lease them back to run their networks. And the towerco was born. 

At the same time, smart entrepreneurs saw the opportunity to buy up land, erect a tower, and enter into lucrative contracts with carriers to host their antennas and equipment.  

Where Keyless Access Control Comes In 

Telecom towers are assets, being bought and sold all the time. The average tower transaction ranges from 1 to 50,000 towers. Sellers are looking to maximize the value of their portfolio for sale; buyers are looking to buy something that integrates into their existing operations, as seamlessly as possible, even at scale.  

Buyers of telecom assets have the same concerns as buyers of a new home. They wonder whether they have keys for all the locks, and whether all the keys have been returned or if there are still some floating around out there. Home buyers often solve this by changing the locks. Now, imagine you’re buying many houses at once and they’re spread across the countryside, sometimes without road access. Changing the locks is expensive and time-consuming, and creates a liability for the new buyer. A keyless access control solution, like Sera4’s padlocks and Teleporte platform, can help alleviate these challenges for both buyers and sellers.

For sellers, including a wireless access control system in the sale increases the value of the portfolio because the locks can be sold as assets, along with the towers. Buyers are often willing to pay a premium because they trust that there aren’t any loose keys post-acquisition, and they’re acquiring a more efficient operation, complete with insights to help them optimize their processes.  

The value of assets beyond the towers themselves isn’t traditionally part of the consideration process in these transactions, but it should be. If you’d like to learn more about how Sera4 is helping telecom, and other industries, safeguard their physical infrastructure assets, book a demo at https://www.sera4.com/demo/.

Keyless Padlocks in Winter

Winter is hard on padlocks. We know. We live in Canada. Cold can make oil sticky. Freezing rain and a hard frost can seal moving parts. Here are some things you should be considering when deploying keyless padlocks in a winter climate.

Battery Types

Most battery types (and all rechargeable types we know of) have significantly shorter battery life as temperatures drop below freezing. A typical rechargeable battery will not only lose charge in the cold, but will not recharge well in the cold either. Batteries that can’t perform in the cold will leave you locked out in the cold.

When a battery has charge, it needs to be designed for the cold to deliver its rated current in the cold. This is why automotive batteries in cold climates advertise Cold Cranking Amps. Lower current leads to less powerful or slower internal motor operation. This may result in a lock that does not open or close as it was designed to do.

The solution is simple. Ensure a battery is designed to work in the cold for reliable winter operation.

Sera4’s AP3 padlock uses replaceable Lithium Thionyl Chloride batteries. These military-grade batteries are formulated to perform similarly in the coldest and hottest natural temperatures on Earth. In the event that the battery is out of power after a time (this happens to every battery), the micro-USB port is convenient and accessible and facilitates access. An added bonus is that maintenance is a lot faster on a replaceable battery than with a rechargeable padlock. We can also deliver our products with full charge and ready-to-deploy, where rechargeable batteries need to ship at 30% charge.

Electronics

Electronics used outdoors in the winter must be designed and qualified for reliable use in cold temperatures. Consider that most consumer electronics in winter climates are still consistently used above the freezing point. Electronics require additional design and quality considerations to function reliably in deep cold. Designing electronics for the cold follows well-known quality standards (such as AEC-Q100), requiring specific attention during product development. We don’t expect consumer-grade electronics to consistently work outside in the dead of winter.

Ice Buildup

You should be concerned about ice buildup on padlocks in the winter. Humidity or water can get into parts of a lock and then freeze. Once there is solid ice around a mechanism that needs to move to open or close, the best thing to do is to melt the ice.  This is obviously inconvenient. We recommend focusing on simple installation tricks that will keep precipitation off the padlock in the first place.

AP3 is IP66-certified, so it will be fine to be left out for years in the rain. In winter climates, we recommend installing a simple vinyl flap over top of the padlock as shown below. This simple solution has proven in our tests to be more effective than more complicated approaches. 

In case you do find a padlock with significant ice deposits, try to resist the urge to hit it with a hammer to chip away at accumulated ice. This usually only removes superficial ice and can result in surface/finish damage to the padlock body or shackle. Instead, try pressing the shackle deeper into the lock body. This will often dislodge stuck components. Another smart option is to use a lock de-icer fluid. These bottles are small, inexpensive and effective.

Don’t let winter get between you and the benefits of going keyless. With the right products and a little bit of care during installation and operation, winter won’t be an issue. Feel free to talk to us if you have any questions about padlocks in winter weather.

Hidden Access Control: Security through Obscurity

Sometimes the best way to protect something is to hide it.

To some people, a keyhole or a padlock or a handle on something will act as a public notice that reads Valuables Inside. Those who are motivated to steal notice these signals. And when they’re identified by those people, they can tell the story about how to break them at a glance.

With keyless access, you can design a more secure system to protect your assets with a fully hidden mechanism. Imagine how the hood of your car opens, and you’ll have a good idea of what we mean. With a Sera4 Lock Controller, you can design a door, a panel or other secure hinged compartment that pops open by the touch of a smartphone. A door like this is more secure because it’s more hidden. It won’t have a handle, a keyhole, a padlock or other signals that it opens. And even when somebody might want to break in, it’s not clear where or how to start an attack.

Vertical Infrastructure: AX5 controlling access on a smart light pole.

5G demands denser networks in urban areas. This means that communications equipment is being installed in places like fake trees, park benches and lamp posts. These are places where people aren’t expecting to find anything valuable, and keeping access points obscure keeps them out of sight and out of mind. The only way to tell that there is an access point is to check with the Teleporte app on your phone.

Reliability

In the unfortunate event of a system failure, a door without a handle can be a difficult thing to open. The most common type of failure is a power failure: dead batteries. This is where our Access Pad can help. It provides a power connector (for a common 9V battery) to conveniently and discreetly power a dead system to get it open. In the rare case of a radio or app incompatibility, the Access Pad enables our Failsafe Unlock feature.

Sera4 Access Pad

With the latest technology, access points can be designed to be more secure and look better at the same time.

Please reach out to us. Each application is a little bit unique. We’d love to discuss how we can help conceal your access points.

The case against Remote Unlock

Every now and again we are asked the question “can we remotely unlock things with Teleporte?”  We understand where the question comes from. Most IoT devices are focused on remote sensing or control from a distance. Smart devices allow you to do things like set your home’s temperature from the other side of the world. It’s easy to assume that smart locks should behave in a similar way.

We often get asked to include this feature, but we have purposefully built Teleporte so that a person is required in the physical presence of the device. We wanted to render unlocking something remotely from a command center impossible. And it is important for you, our customers, to understand why.

Practical Risks

First, we do allow you to remotely enable a user, so there is no argument for someone new or unexpected needing access. In what situation then would you want to release a lock without an individual there? We can’t think of a practical scenario. Having someone on-site means that when the lock is opened the asset is being watched the whole time. Someone can close a gate behind them, reducing the time an asset is not secured. And most importantly, a person on-site can lock up again. Many locks are designed to fall or pop open when unlocked, and without someone there to close them, a remote unlock function would not guarantee a corresponding and critical lock function. 

Second, you don’t just want anyone on site when access is granted: you want to know who is getting in. With a remote unlock, there is little guarantee that the person going into a site is the one who is supposed to be. Smartphones are actually very sophisticated at identifying a user with passwords and biometrics, and their location with GPS. A local virtual key is much more reliable than a remote unlock process.

Cybersecurity

Finally, we want to mitigate the risks of hacking and cybercrime. In 2019, artificial intelligence designed and carried out more cyberattacks than people did. The attacks are getting more sophisticated. At Sera4, we use the best cybersecurity practices, but no one can predict everything.  If there is a logical path to remotely unlock something, there is a risk that it will happen; be it a sophisticated hacking attack or something as innocent as an error in an API integration. Imagine the catastrophe if the locks on a critical infrastructure network were all remotely opened at the same time. We designed Teleporte to ensure that this is impossible. 

We appreciate the excitement around technical feasibility and fancy features such as remote unlock, but every feature comes at a cost. Our goal is to put the safety and security of our systems first, ensuring less risk and more reliability to you.

Go Keyless

It may not be apparent at first glance: going keyless is about a lot more than just not having to carry around a key or a fob. It’s about added security, new concepts of control, smarter operations and reporting. 

When we say “go keyless”, we mean abandoning any physical thing that controls access rights. That means no keys, no access cards, and no fobs. The keys are virtual; digital tokens stored in smartphones and automatically transmitted over the air.

Control

Virtual keys afford greater control over who has access to your assets. Keys can be granted to or revoked from people who aren’t physically present. Virtual keys can do things that ordinary keys can’t, like only permit access within a time window or limit the number of times they can be used. And virtual keys can be automatically given to many people in a service team and for many sites at once. These things would be impossible or very cumbersome with traditional keys.

Security

Despite first impressions and consistent news about poorly-executed smartlock designs, virtual keys can be more secure than physical keys. Imagine how we all do internet banking today. At Sera4, we use the same security principles and architectures to keep the same levels of reliability, security and scale. Where physical keys can be mechanically cloned, it is much harder to hack a digital certificate. Physical keys can be passed from person to person, or misplaced and picked up by strangers. Even more relevant is that virtual keys identify the user, which provides a lot of practical security. Many fewer people will brazenly steal from a site when they know they are being identified in real time.

Information

When business sites go keyless, they get automatic real time access logs. This can greatly reduce the cost of security protocols or even compliance with standards like ISO 9001. The data that comes back is already digital, more accurate and more detailed than traditional paper logs. Businesses should be analyzing this data routinely to identify waste in their processes and optimize their operations. Profiling site accesses can yield valuable insight about where contractors are not doing their jobs. Imagine a contractor that has billed to do a job that will take at least 2 hours, but the access logs show them on site for only 3 minutes.

Convenience

Most people will not forget their phone at home. Their car pairs with it and it’s clear when it’s missing. So many life functions depend on it. A physical key or card can be left at home without a thought until the moment it’s needed. So much truck roll is saved by not having to drive to get keys, either ones forgotten or fetching them from a depot. Virtual keys are with you whenever you need them!

And, of course, going keyless is also about the convenience. I used to go out with a wallet, a phone and a keyring. Then the wallet was absorbed into the phone with services like Apple Pay. Now, the keyring is also absorbed, and my pockets thank me. What I like best is when I need to get into a lock that wouldn’t have been on my physical keyring. Contact us to learn more about how friendly the future can be.

BIAS against Bluetooth

Another vulnerability of the Bluetooth security stack has been revealed this week: Bluetooth Impersonation AttackS (BIAS).

Unfortunately, this highlights another concern with the Bluetooth stack and is, in-part, due to the wide range of devices and configurations that Bluetooth has to support. The suggested remedy is for “the Bluetooth SIG [to update] the Bluetooth Core Specification”. (Source: bluetooth.com)

All this implies it will be up to chipset vendors to find and work around the problem in the interim.

Credit: The Hacker News tells us more …

The biggest risk is likely to be against mobile devices (mobile phones and laptops). Previously-paired devices can no longer be trusted. i.e. you could be communicating with a bad actor (impersonator).

As a word of caution: other Bluetooth-enabled smart locks and mobile software solutions may incorporate this same flaw. This would allow you to pass the digital keys to the wrong device: A “man-in-the-middle” attack.

Rest assured: Teleporte relies on digitally signed certificates to ensure that communications are encrypted. Only true Sera4 locks or lock controllers have the decryption key. All this happens without using the Bluetooth security stack — so access to your Teleporte locks remains secure and unaffected by BIAS.

Don’t Call Us, We’ll Call You (Webhooks Are Here)

With every security component added into a critical infrastructure comes the inherent need for information, automation and control. As the number of critical components in your infrastructure grows, so does complexity and the necessity to stream information as it happens. Integrators and clients are now looking to be on the receiving end of data in real time in order to provide critical dashboard updates. We’ve listened and we’ve delivered.

With Teleporte Cloud server 3.5, we have added a critical component to our API capabilities: the concept of webhooks. In a “don’t call us, we’ll call you” manner, Teleporte Cloud is now capable of calling your secure endpoint with real-time data concerning events that are happening inside your system. Webhooks are to APIs as fuel is to a fire; they can ignite your integrations and get your organization on the receiving end of updates as they happen. Remember, polling APIs is so 1990’s, go real-time by enabling webhooks.

To better understand what the difference between an API and webhooks is, consider this simple analogy:

APIs are request based. They are useful for pulling data on demand.
Webhooks are event-based. They are useful for receiving critical events when they happen.

API + Webhooks = Complete Automation Capabilities

Teleporte Cloud now supports webhooks that can be configured for updates to important events (such as the creation or deletion of digital keys), access requests to locks and even the creation, deletion or update of system users. As an example, if you’re looking to know that ‘administrator X with email [email protected] created a digital key to lock 21, on site B that is valid from Tuesday at 9am to Tuesday at 5pm’ as it happens, then webhooks are your holy grail! Get on top of and react quicker to events happening in your infrastructure by enabling webhooks.

Feel free to ask us about our Slack integration. Our webhooks support Slack out of the box and can have your team seeing the benefits of webhooks within seconds.

Get more details about webhooks at https://apidocs.sera4.com or contact us to discuss how you can get webhooks working for you.

High-Security Keyless

In protecting your assets, there is always a tradeoff between convenience and security. For example, when you go into your office every day, you want to get in through the main doors without any delay. But when the asset requires the highest security, added rigour such as additional security checks is necessary.

The vault application is a good example of how keyless solutions are catching up with old standards for addressing high-security requirements.

  • Vaults often include locks whereby 2 keys are required and placed more than 6 feet apart. Two individuals, each of whom has their own unique key, must open the lock at the same time for the door to open. This approach prevents a single rogue actor from opening a door when they do not have authorized access.
  • Another high-security standard opens a door after several minutes of unlock delay. This delay, connected with alarms, is a strong deterrent for criminals. They know that law enforcement will be coming while they are waiting for the door to open.

Bringing these features to Keyless

Sera4 has released Teleporte Cloud server 3.5 and Teleporte Mobile application 5.2. All Teleporte Enterprise customers now have access to high-security protocols to match the use cases above. 

  • The new Multi-Authentication Unlock feature requires two or more users to unlock a lock. Each user has their own key for that one lock and each user must issue the unlock command to the same lock. The lock only opens after all required users try to open the lock on their own account.
  • The new Delayed Open feature can be enabled on a lock-by-lock basis. The administrator can configure the delay. When someone unlocks a Sera4 lock in the Teleporte Mobile application, it will open only after the specified delay.
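
The two features described above can be modelled as a small lock-side state machine. This is an added example, not Sera4's implementation: the class name, the state names and the `window_s` approval window are assumptions made for illustration.

```python
class HighSecurityLock:
    """Hypothetical model of a lock that needs several distinct users
    (multi-authentication) and then waits a configured delay before opening."""

    def __init__(self, authorised, required=2, delay_s=300, window_s=60):
        self.authorised = set(authorised)  # users holding a key for this lock
        self.required = required           # distinct users needed to unlock
        self.delay_s = delay_s             # administrator-configured open delay
        self.window_s = window_s           # assumption: approvals expire after this
        self.approvals = {}                # user -> time of their unlock command
        self.armed_at = None               # time the required count was reached
        self.audit = []                    # (time, user, outcome) records

    def state(self, now):
        if self.armed_at is None:
            return "locked"
        return "open" if now - self.armed_at >= self.delay_s else "delaying"

    def unlock_command(self, user, now):
        """One user's unlock attempt; returns the lock state afterwards."""
        if user not in self.authorised:
            self.audit.append((now, user, "denied"))
            return self.state(now)
        if self.armed_at is None:
            # Forget approvals that are too old to count together.
            self.approvals = {u: t for u, t in self.approvals.items()
                              if now - t <= self.window_s}
            self.approvals[user] = now     # a repeat by one user counts once
            if len(self.approvals) >= self.required:
                self.armed_at = now        # delay starts at the last approval
        self.audit.append((now, user, "accepted"))
        return self.state(now)


def demo():
    """Constructed scenarios; times are seconds on the lock's own clock."""
    def new_lock():
        return HighSecurityLock({"alice", "bob"})

    out = {}

    lock = new_lock()
    lock.unlock_command("alice", 0)
    out["one_user_twice"] = lock.unlock_command("alice", 10)

    lock = new_lock()
    lock.unlock_command("alice", 0)
    out["two_users"] = lock.unlock_command("bob", 30)
    out["before_delay"] = lock.state(329)
    out["after_delay"] = lock.state(330)

    lock = new_lock()
    lock.unlock_command("alice", 0)
    out["second_user_too_late"] = lock.unlock_command("bob", 120)

    lock = new_lock()
    lock.unlock_command("alice", 0)
    out["unauthorised_second"] = lock.unlock_command("mallory", 5)
    out["audit_outcome"] = lock.audit[-1][2]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Setting `required=1` and `delay_s=0` reduces the model to an ordinary single-user lock, which makes the cost of each feature visible in the audit records.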

At Sera4, we envision a fully keyless world. With these innovations, we bring keyless benefits to the highest-security applications, such as vaults. We expect that there will be many applications for these new features that we haven’t even imagined yet.

For more information on the available features on the Teleporte Cloud server, click here. Or simply contact us to arrange for a demo. We’re excited to show off our latest innovations.

Questioning Smart Lock Security

The benefits of installing a keyless smart lock to replace the physical key and cylinder include:

  • Identity: the removal of anonymity from each person that unlocks the assets you protect
  • Security: keyless smart locks do not have an external locking mechanism — fewer ways to defeat the lock
  • Data: the records of “who”, “when” and “where” and even “why” the smart lock was opened

While it is easy to understand these benefits, it can be challenging to understand the complexity of keyless smart lock security.

Ars Technica, The Register, and threatpost all highlight the problems that can occur when basic security measures in the domains of physical, transport, embedded, and cloud security are not addressed.

As an Enterprise Security focused company, Sera4 strives to educate everyone about the benefits of smart locks and keyless access control. We want you to understand the differences between a locking mechanism that can be opened with a phone and a complete cyber-secure platform that provides a set of tools to help secure and protect your assets.

The Four Domains of Keyless Smart Lock Security

When investigating a keyless access control solution, we encourage you to identify the following concerns and ask the right questions.

  1. Physical Security: the aspects that prevent theft or vandalism due to the hardware’s shape, size, and installation
    • Concern: Keyless smart lock hardware is perceived to be expensive and can disappear as fast as it is installed. Preventing the theft of the keyless smart lock hardware itself may be critical to your security program.
    • Example: Company XYZ installs a keyless smart lock. One week later after arriving on site, a user finds the door open, and the lock is missing entirely. The user can’t even secure the site before he leaves.
    • Question: Does your keyless smart lock provide options to install securely to the structure, preventing theft of the keyless smart lock itself?
  2. Embedded Security: the software that ensures data security and integrity within the keyless smart lock and the mobile device
    • Concern: Keyless smart locks need to track the time and date to allow and disallow users access within the desired time frame.
    • Example: User arrives on site, a day after his digital key expired. The user turns off his mobile radios, changes the date on his phone, and attempts to open the lock using his digital key from yesterday.
    • Question: How do you ensure timely access that isn’t dependent on the mobile device for date/time?
  3. Transport Security: the protocols and algorithms that ensure identity, digital keys and access logs are safely and securely transferred between lock, mobile device and the Cloud
    • Concern: Even using secure transport protocols, mobile devices transfer and store digital keys – exposing them to modification.
    • Example: User downloads digital keys onto his phone. User can root his mobile device, change the details of a digital key, e.g. user and time of access. User still has the code to get in, but the logs record a different user, and at a different time.
    • Questions:
      • Does a digital key incorporate the user, time, and permission to access the keyless smart lock?
      • Can the integrity of all three be assured and verified by the keyless smart lock before access is permitted?
  4. Cloud Security: the hardware and software components that allow the ubiquitous access of users, and prevent hackers from getting in to steal data or to provide unauthorized access
    • Concern: Compliance with global privacy laws implies responsibility to protect people’s information.
    • Example: Users access their account information at: https://(somewebsite.com)/user/1234. User manipulates the web address to: https://(somewebsite.com)/user/4567 and views the information of another user.
    • Questions:
      • How do you protect user information from others?
      • Do you understand and implement the concepts of Security by Design, Privacy by Design and RBAC (Role based access control)?
      • Are you compliant with country specific privacy laws (e.g. GDPR, LGPD, PIPEDA, CCPA)?
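
The Embedded Security and Transport Security questions above can be made concrete with a digital key whose user, lock and validity window are bound under one integrity tag that the lock checks against its own clock. This is an added example, not Sera4's design: the per-lock HMAC secret, the field names and the function names are assumptions, and all values are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical per-lock secret, known to the cloud and the lock only.
# The phone carries keys but never holds this secret.
LOCK_SECRET = b"constructed-demo-secret-for-lock-21"


def _encode(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":"))


def issue_key(secret, user, lock_id, not_before, not_after):
    """Cloud side: bind user, lock and time window under one MAC."""
    body = _encode({"user": user, "lock": lock_id,
                    "nbf": not_before, "exp": not_after})
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def lock_decide(secret, lock_id, lock_clock, key):
    """Lock side: returns (opened, user_to_log, reason).

    lock_clock is the lock's own time source (assumed to exist); whatever
    date the phone is set to is never consulted.
    """
    body = str(key.get("body", "")).encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    presented = str(key.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return (False, None, "bad-tag")      # claims cannot be trusted at all
    claims = json.loads(body)
    if claims["lock"] != lock_id:
        return (False, claims["user"], "wrong-lock")
    if lock_clock < claims["nbf"]:
        return (False, claims["user"], "not-yet-valid")
    if lock_clock > claims["exp"]:
        return (False, claims["user"], "expired")
    return (True, claims["user"], "ok")


def demo():
    day = 86400
    t0 = 1_700_000_000                       # constructed epoch seconds
    key = issue_key(LOCK_SECRET, "alice", 21, t0, t0 + day)
    out = {}
    out["in_window"] = lock_decide(LOCK_SECRET, 21, t0 + 3600, key)

    # Key presented a day after expiry. Changing the phone's date does not
    # change lock_clock, so the key is still seen as expired.
    out["phone_date_changed"] = lock_decide(LOCK_SECRET, 21, t0 + 2 * day, key)

    # Key edited on the phone: different user and a later expiry, old tag.
    edited = json.loads(key["body"])
    edited["user"] = "bob"
    edited["exp"] = t0 + 10 * day
    forged = {"body": _encode(edited), "tag": key["tag"]}
    out["edited_on_phone"] = lock_decide(LOCK_SECRET, 21, t0 + 2 * day, forged)

    out["other_lock"] = lock_decide(LOCK_SECRET, 22, t0 + 3600, key)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```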

More Information

Learn more about how Sera4 addresses these questions and concerns:

AP3 Fact Sheet
Sera4 Embedded Security Fact Sheet

As always, feel free to Contact Us to ask any other questions you might have!