Preventing a Relay Attack

This story has been another unfortunate illustration of Bluetooth security vulnerabilities and lock vendors who may lack the expertise in cybersecurity to secure your property properly when using digital keys. In this case, the attack strategy used is known as a relay attack.

How we prevent relay attacks

Relay attacks are well known. The only excuse we can understand for making it possible is “we didn’t know better”. Security experts should. We prevent relay attacks with the following process.

  1. Every lock has its own digital certificate signed by the Teleporte Digital Signing Authority (DSA).
  2. Every Teleporte Mobile App downloads the digital certificate and authenticates the lock’s digital certificate with the Teleporte DSA.
  3. The mobile device only communicates with locks that are verified authentic through steps 1 and 2. Mobile devices use the lock’s public key to encrypt information, knowing the only endpoint capable of decryption is the lock itself.
  4. We change the encryption for every new connection between the lock and the mobile device.

Step number 4 is the key (no pun intended) to preventing a relay attack. While a sniffer might be able to see and repeat the byte sequence that unlocked the lock moments ago, the lock enforces a new method of encryption for each connection. Repeated old data is useless in future connections.

We like our competitive advantage in digital security. We’d like it even more if people could trust keyless access solutions in general.

Keyless Network and Server Cabinets Made Easy

Most critical infrastructure environments contain some form of network and/or server cabinets. No matter where these cabinets may be — in IT/telecom closets, wall mounted above factory floors, in remote hallways and parkades, at remote shelters, or even in data centers — the consensus is clear: access control at the network or server cabinet is a common challenge.

Keyless access makes sense in these applications. When each cabinet should be controlled independently, that’s a lot of keys to get to people and a lot of fumbling through a keyring to find the right key for that specific rack. There are no keys to forget at home, leave in the car, or to lose!

Go Keyless

Teleporte makes it easy to go keyless from a cabinet with a traditional key system. A retrofit can often be done in less than 30 minutes. Pop the old one off and put an electric one in. Pair it with a Sera4 Lock Controller and optional AccessPad, and you’re done! No wiring to the door. No mess. No IT integration required.

Take out the old handle, add a new e-handle with a Sera4 Lock Controller and you’re done.

Then, as with all our access points, you get to know who is in your specific network or server cabinet, for how long, and you can grant or revoke digital keys from anywhere, instantly. There is no limit to the number or users, keys or access events to the solution. And there is no network required to operate the management platform.

Whether you start with 1 cabinet or 1000, the experience is the same and there is no capacity limit.

Contact us and we’ll share the full details of this process and help you through the steps.

Mechanical Keys: An Anachronism in 2021?

In 2021, your mobile device is likely the hardest-working item you own. If you left your house with only your mobile device in your pocket, would that stop you from having a productive day? Need to check your bank balance? Use the banking app. Buying a latte? Your mobile wallet can take care of that. Have to show your proof of vaccination? Your proof of insurance? Trade stocks? Turn up the heat in your house? Check to see who’s at your front door? You can do all that, from your phone.  
 
We have placed so much trust in the devices we carry around in our pockets, and the cloud software that secures them. We often don’t think twice about adding a password to Apple Keychain, or storing the most personal details of our lives on our phones. But for some reason, many are reluctant to place that kind of trust in their mobile device when it comes to keyless access control. 

Traditional keys are an anachronism in today’s digital world. An artifact from the past, we find some kind of comfort in having a metal key in our possession, to protect what’s important to us. As long as we have “the key”, no one else does, and we derive a great amount of security from that knowledge. 

Ring with many keys before keyless access control

In our homes, this might make sense. Most of us can say, with a high degree of confidence, that we know exactly how many keys to our front door exist, and who has them. However, most organizations are experiencing key sprawl, and they don’t even know how widespread it might be. It’s impossible to know how many times keys have been copied, who has them, who’s using them, and why. Organizations traditionally deal with a misplaced key by rekeying locks, at significant expense and inconvenience. It’s easier, people think, to give a key to anyone who needs it, and deal with the consequences of a key getting into the wrong hands, than it is to design an access control system with digital keys and identity management in mind from the beginning. 

Organizations are sacrificing security for convenience every day, with both cyber/information assets, and critical infrastructure. While a lot of effort is put into creating the illusion of compliance protocols, not enough is being put into actually securing assets. We believe that it’s not enough to lock up an asset; organizations must understand who is accessing what, when, and why.  

Access control is about more than securing assets; it’s also about implementing a defensible solution to assure regulatory compliance. Cloud-enabled access control solutions allow organizations to proactively improve operations, generate reliable audit trails, enforce safety protocols, control regulated materials, and defend litigation.  

Before you issue another mechanical key, or rekey a set of locks after an asset has been compromised, stop and think about the real value of that piece of metal. We’re confident that it’s not as valuable as the security and insights to be gained from a robust keyless access control solution. To learn more about our cloud-enabled access control platform, Teleporte, and the supporting locks and controllers, visit us here or connect with us. We’d be happy to explore these ideas with you. 

Why Go Keyless?

The challenges associated with lost and stolen physical keys are often top of mind when security teams start thinking about keyless options. However, there are many more benefits to consider if you’re thinking about going keyless.  

Keyless padlock on telecom MNO towerco gate

What do we mean when we say “keyless access control”?  

Obviously, keyless access control solutions don’t require traditional metal keys. But people often refer to access control systems that require a card or fob as “keyless”. While this type of access control solution is becoming more popular, when we say “keyless”, we mean that the solution doesn’t require any physical thing to control access rights: no keys, no access cards, and no fobs. The keys are virtual; digital tokens are stored in mobile devices and automatically transmitted over the air. 

The benefits of going keyless 

Control 

Digital keys allow you to control not only who has access to your assets and infrastructure, but when. Concerns about bad actors getting their hands on master keys are alleviated, and there are none of the headaches associated with retrieving keys from departing staff. Virtual keys pair access with identity, so you know exactly who is accessing your sites.  

Security

Securing your assets is important to protect your assets, but it is equally important for the cybersecurity of your network. A keyless access control solution designed with security at the forefront is an order of magnitude more secure than traditional locks and keys. Virtual keys are much harder to duplicate than mechanical keys, and can’t be lost, stolen, or misplaced. And because digital keys are matched to a specific user, people tend to behave better when they know their name is attached to an access event.  

Scalability 

With explosive growth in some sectors, and unprecedented circumstances related to the recent pandemic in others, no one knows what their business will look like one, three, or five years from now. Keyless access control allows you choose whether you want to start with a few test sites or go for your whole network, and then effortlessly scale access with your business. Whether you’re looking to scale with acquisition of assets or employees, or adding more, or more remote sites, to your portfolio, digital keys provide scalability without exponentially compounding operational expenses. Virtual keys future-proof your access control strategy. 

Operational Insights 

Virtual keys, backed by a cloud infrastructure, provide insights into operational processes across your assets and organization. These insights can help refine strategies from everything to resource planning to reconciling billing with contractors. It’s often challenging for operations teams to understand the actual processes being undertaken at remote or satellite sites. Access logs and audit trials provide the intelligence needed to make better business decisions and understand process gaps.   

Compliance 

Keyless access control goes beyond securing your sites and assets. Regulated industries require identity management and the burden of proof falls on organizations to prove regulatory compliance to governing bodies. Keyless access control, backed by a robust cloud solution, allows organizations to create defensible audit trails, safeguard regulated assets and processes, and assure compliance with industry requirements. We envision a world where the access control strategy drives innovation in the areas of regulatory and safety compliance. 

The benefits of cloud 

Most of the benefits of a truly keyless solution are found in the integration with cloud technology. A good cloud implementation makes customer adoption easy.  With a cloud solution, there are no costly servers to install or maintain on-site. The cloud infrastructure manages everything from issuing and revoking keys to the capture and storage of data related to the access control solution.  
 
As with any cloud solution, you need to make sure that your data is protected and appropriately encrypted. The right partner for your keyless access control solution will put security at the forefront of their platform, and ensure that the software is kept up to date to comply with evolving security standards. 

The benefits of mobile access 

Issuing virtual keys to mobile devices ensures that keys get to the people who need them, when they need them, and for however long they need them. Whether you’re issuing a key to a long-standing employee or a service contractor, to a site in the city, or 500 miles away in the middle of nowhere, the experience is the same. 

Sera4’s keyless solution is powered by Teleporte, a proprietary app which uses multiple methods of authentication to ensure that identity and permissions are verified. These authentication methods provide a more secure, compliant access control solution than traditional locks and keys, and Teleporte is also able to capture attempted accesses, not just successful opens.  

No network? No problem. Teleporte isn’t dependent on live network access. It’s important that users be able to access sites and infrastructure, no matter how remotely located, so the app doesn’t require internet access to open a lock.  

Moving from a point solution to a strategic initiative 

With advancements in keyless technology, and the growth of cloud infrastructure, access control is now considered an integral part of the overall security strategy. Keyless solutions allow the creation of holistic, cohesive access control systems, where the access mechanisms integrate with each other, as well as with existing systems and applications. 

Sera4 provides all the convenience and benefits of a keyless solution without sacrificing security or reliability. Our solutions are purpose-built to provide secure, scalable, and reliable access control across all of your assets and sites, from cabinets and cages to outdoor enclosures. Our hardware is built to withstand the harshest environments, and our software is elegantly designed to manage identity, generate audit trails, prove compliance, and improve operational efficiency.  

While we don’t envision a world without mechanical keys, keyless solutions provide flexibility, scalability, and customization that just isn’t possible with traditional locks and keys. Different industries and sites face different security and access control challenges, whether due to number of access points, number of users, or the remoteness of a site. Cloud-based access control systems can be configured to meet any need.  

To learn more about Sera4 keyless access control solutions, book a demo with our team. 

Keyless Access Control: Facts and Friction

Keyless access control is changing the way we protect and grant access to critical infrastructure and remote sites. While the technology isn’t new—key cards and touch pads have been around for a while—it has evolved to bring benefits far beyond not needing to carry keys.

hand holding phone with keyless access control sera4 teleporte

Working with customers across industries and across the globe, we’ve identified the top benefits of implementing a keyless access control solution

Cost savings

Keying and re-keying locks is expensive, and those costs can add up if re-keying takes place regularly due to numerous sites, high staff turnover, and/or lost keys. There’s also the resource cost and overhead of keeping track of physical keys. Most organizations have better things to do with their time and money, and should consider the savings they can realize with a keyless solution.

Identity control

Even with the best policies, procedures, and oversight, it’s hard to guarantee that your mechanical keys stay in the appropriate hands. Keyless access control solutions provide a link between access and identity, and it’s easy to grant and revoke access to specific individuals as needed.

Our solutions create an automated access log, so administrators can reliably identify who accessed which locks, and when.

Convenience

There’s no doubt that keyless access control solutions are more convenient than traditional mechanical keys. People who need to open doors, cabinets, gates, and other access points can do so without carrying around heavy key rings; and administrators can issue electronic keys, in real-time, to anyone who needs them, wherever they are.

Operational insights

Automated access logs allow you to gain key insights into processes and operations within your business. Through these logs, you can understand how long processes take, identify discrepancies between work completed and billing, and schedule and resource jobs and projects appropriately.

This all sounds great; where does the friction come in?

Despite the significant benefits of implementing keyless access control, not everyone will be on board right away. Moving from mechanical locks to keyless, electronic locks is a big shift, and will likely raise concerns and create friction with a few of the stakeholders in your access control strategy.

Your go-to locksmith

To your locksmith, implementing locks that don’t require keys and rekeying may be bad for business. Their business, not yours.

However, we’ve worked with a number of locksmiths who are eager to evolve with the times and round out their offering with a modern, keyless solution. Your local locksmith might be more of an ally than you think!

Your operations team (or whoever controls the keys)

As mentioned above, keeping track of mechanical keys requires a lot of oversight—and a lot of human resources. Introducing a keyless solution increases operational efficiencies, and sometimes those efficiencies are found by reducing staff and/or consolidating responsibilities. When discussing a keyless proposal with your operations team, carefully consider what this means for their roles and responsibilities, and identify areas where they can now refocus their energies and freed up time. Your

Manager/Director of Security

Introducing a keyless solution may create friction with your security team, especially if they’ve been around for a while and have gotten comfortable with traditional access control solutions. Inertia and the status quo can be a formidable opponent when considering a new solution. Even if the team is open to a keyless option, existing access points may require that they manage a hybrid solution, which isn’t ideal for either the security team or for the end users.

If your team members are agile in their thinking, they can see how they can be more effective and valuable in their job with a tool like Teleporte. If they have spent decades honing habits and processes that make them effective with lock and key infrastructure, then keyless solutions may be perceived as a threat. It’s understandable that someone might be concerned about being replaced with automation. However, it’s likely that businesses will continue to modernize and team members can either resist the change or embrace it as a new opportunity to future-proof their skills.

Technicians, site visitors, and end users

You may run into friction with people who object to installing an app on their own phones for work purposes. While this may not apply when people are given work phones or an expense credit for the phone bill, your end users will sometimes be hesitant to being tracked. However reasonable it is for companies to require reliable identification for access control, some people like their anonymity and don’t want to be identified, even if they are not doing anything wrong.

Thieves

As an example, millions of dollars’ worth of copper cables are stolen each year in Latin America, and someone is profiting. Whether it’s petty thieves selling scrap metal or looking to insulate their electricity supply against unreliable utilities, or organized crime, keyless access threatens the value that they have come to enjoy.

When it comes to keyless access control, the benefits and efficiencies gained far outweigh the potential friction with internal and external stakeholders. We’ve worked with a number of organizations to help maximize adoption of keyless solutions. If you’d like to learn more about whether Teleporte is right for you, get in touch.

We sell identity (not just access control)

Security. Reliability. Scalability. These are all things that we’re proud to provide to our customers, and that our customers have come to rely on. One thing we don’t talk about enough is identity. We have a suite of hardware and software solutions to help utilities, telecom, oil & gas, and other industries provide access control to their assets and critical infrastructure. But that’s not really what we’re selling. We’re selling identity intelligence, and we think it’s the most important thing we do.

The basics of identity intelligence are easy to understand: you want to know who’s accessing your assets, and when. That’s why our customers choose Sera4 over other types of access control solutions—in addition to high-quality wireless padlocks that eliminate the inherent challenges of traditional keys, Sera4 provides insights into which individuals are accessing your critical infrastructure, when they’re accessing it, and how long they’re staying.

Hand holding phone showing Sera4 access control app

These types of insights are useful for three reasons. First, and most simply, people behave better when they know they are being identified. We’ve found that vandalism on a telecom site is reduced by 60-80% when a person is tagged on site, and is held accountable for what happens while they’re there. Even when you have no bad actors in your organization or contractor network, that level of accountability helps ensure that individuals clean up and lock up the way they’re expected to.

Second, keyless locks provide automatic, real-time audit trails, eliminating the need for manual logs that are frequently subject to human error. For businesses that require audit trails for their own security or for certifications like ISO 9001, keyless locks provide much easier collection of these activity logs.

And third, and maybe most interestingly, is that once you know who is accessing controlled assets when, and how long they’re staying, you can learn a lot about processes in your organization, and how to optimize them and make them more efficient. This is why we released Work Sessions; using Teleporte, our customers can understand the flow of on site work, and gain insight into how long specific components of a process take.

Screenshot of Sera4 access control dashboard with map and audit log

Regularly analyzing audit trails and entry/exit data allows you to create a baseline for how long specific jobs take, and use that information to make better decisions. For example, these insights can help you define scope of work and billing with contractors. They can help you reconcile invoices for work performed—in fact, one of our customers is considering adding opening and closing the Sera4 lock to the SOP for all contractors, so he can analyze the data and find areas for improvement. The insights from Teleporte can also help you determine the capacity of and forecast changes for your workforce.

Our solutions allow our customers to manage identity across any number of sites, in any location, at scale. Whether you need 10 locks and keys, or 10,000, we provide a complete feature set and predictable, transparent pricing. If you’d like to see our solution in action, or learn more about how our customers are using Sera4 to safeguard their most critical assets, contact us.

Hidden Access Control: Security through Obscurity

Sometimes the best way to protect something is to hide it.

To some people, a keyhole or a padlock or a handle on something will act as a public notice that reads Valuables Inside. Those who are motivated to steal notice these signals. And when they’re identified by those people, they can tell the story about how to break them at a glance.

With keyless access, you can design a more secure system to protect your assets with a fully hidden mechanism. Imagine how the hood of your car opens, and you’ll have a good idea of what we mean. With a Sera4 Lock Controller, you can design a door, a panel or other secure hinged compartment that pops open by the touch of a smartphone. A door like this is more secure because it’s more hidden. It won’t have a handle, a keyhole, a padlock or other signals that it opens. And even when somebody might want to break in, it’s not clear where or how to start an attack.

Vertical Infrastructure: AX5 controlling access on a smart light pole.

5G demands denser networks in urban areas. This means that communications equipment is being installed in places like fake trees, park benches and lamp posts. These are places where people aren’t expecting to find anything valuable, and keeping access points obscure keeps them out of sight and out of mind. The only way to tell that there is an access point is to check with the Teleporte app on your phone.

Reliability

In the unfortunate event of a system failure, a door without a handle can be a difficult thing to open. The most common type of failure is a power failure: dead batteries. This is where our Access Pad can help. It provides a power connector (for a common 9V battery) to conveniently and discreetly power a dead system to get it open. In the rare case of a radio or app incompatibility, the Access Pad enables our Failsafe Unlock feature.

Sera4 Access Pad

With the latest technology, access points can be designed to be more secure and look better at the same time.

Please reach out to us. Each application is a little bit unique. We’d love to discuss how we can help conceal your access points.

The case against Remote Unlock

Every now and again we are asked the question “can we remotely unlock things with Teleporte?”  We understand where the question comes from. Most IoT devices are focused on remote sensing or control from a distance. Smart devices allow you to do things like set your home’s temperature from the other side of the world. It’s easy to assume that smart locks should behave in a similar way.

We often get asked to include this feature but we have purposefully built Teleporte so that a person is required in the physical presence of the device. We wanted to render unlocking something remotely from a command center impossible. And it is important for you, our customers to understand why.

Practical Risks

First, we do allow you to remotely enable a user, so there is no argument for someone new or unexpected needing access. In what situation then would you want to release a lock without an individual there? We can’t think of a practical scenario. Having someone on-site means that when the lock is opened the asset is being watched the whole time. Someone can close a gate behind them, reducing the time an asset is not secured. And most importantly, a person on-site can lock up again. Many locks are designed to fall or pop open when unlocked, and without someone there to close them, a remote unlock function would not guarantee a corresponding and critical lock function. 

Second, you don’t just want anyone on site when access is granted: you want to know who is getting in. With a remote unlock, there is little guarantee that the person going into a site is the one who is supposed to be. Smartphones are actually very sophisticated to identify a user with passwords and biometrics and their location with GPS. A local virtual key is much more reliable than a remote unlock process.

Cybersecurity

Finally, we want to mitigate the risks of hacking and cybercrime. In 2019, artificial intelligence designed and carried out more cyberattacks than people did. The attacks are getting more sophisticated. At Sera4, we use the best cybersecurity practices, but no one can predict everything.  If there is a logical path to remotely unlock something, there is a risk that it will happen; be it a sophisticated hacking attack or something as innocent as an error in an API integration. Imagine the catastrophe if the locks on a critical infrastructure network were all remotely opened at the same time. We designed Teleporte to ensure that this is impossible. 

We appreciate the excitement around technical feasibility and fancy features such as remote unlock, but every feature comes at a cost. Our goal is to the safety and security of our systems first, ensuring less risk and more reliability to you.

Go Keyless

It may not be apparent at first glance: going keyless is about a lot more than just not having to carry around a key or a fob. It’s about added security, new concepts of control, smarter operations and reporting. 

When we say “go keyless”, we mean abandoning any physical thing that controls access rights. That means no keys, no access cards, and no fobs. The keys are virtual; digital tokens stored in smartphones and automatically transmitted over the air.

Control

Virtual keys afford greater control over who has access to your assets. Keys can be granted to or revoked from people who aren’t physically present. Virtual keys can do things that ordinary keys can’t, like only permit access within a time window or limit the number of times they can be used. And with virtual keys, they can be automatically given many people in a service team and to many sites at once. These things would be impossible or very cumbersome with traditional keys.

Security

Despite first impressions and consistent news about poorly-executed smartlock designs, virtual keys can be more secure than physical keys. Imagine how we all do internet banking today. At Sera4, we use the same security principles and architectures to keep the same levels of reliability, security and scale. Where physical keys can be mechanically cloned, it is much harder to hack a digital certificate. Physical keys can be passed from person to person, or misplaced and picked up by strangers. Even more relevant is that virtual keys identify the user, which provides a lot of practical security. Many fewer people will brazenly steal from a site when they know they are being identified in real time.

Information

When business sites go keyless, they get automatic real time access logs. This can greatly reduce the cost of security protocols or even compliance with standards like ISO 9001. The data that comes back is already digital, more accurate and more detailed than traditional paper logs. Businesses should be analyzing this data routinely to identify waste in their processes and optimize their operations. Profiling site accesses can yield valuable insight about where contractors are not doing their jobs. Imagine a contractor that has billed to do a job that will take at least 2 hours, but the access logs show them on site for only 3 minutes.

Convenience

Most people will not forget their phone at home. Their car pairs with it and it’s clear when it’s missing. So many life functions depend on it. A physical key or card can be left at home without a thought until the moment it’s needed. So much truck roll is saved by not having to drive to get keys, either ones forgotten or fetching them from a depot. Virtual keys are with you whenever you need them!

And, of course, going keyless is also about the convenience. I used to go out with a wallet, a phone and a keyring. Then the wallet was absorbed into the phone with services like Apple Pay. Now, the keyring is also absorbed, and my pockets thank me. What I like best is when I need to get into a lock that wouldn’t have been on my physical keyring. Contact us to learn more about how friendly the future can be.

High-Security Keyless

In protecting your assets, there is always a tradeoff between convenience and security. For example, when you go into your office every day, you want to get in through the main doors without any delay.  But when the asset requires the highest security,  added rigour such as additional security checks are necessary.

The vault application is a good example of how keyless solutions are catching up with old standards for addressing high-security requirements.

  • Vaults often include locks whereby 2 keys are required and placed more than 6 feet apart. Two individuals, each of whom have their own unique key, must open the lock at the same time for the door to open. This approach prevents a single rogue actor from opening a door when they do not have authorized access
  • Another high-security standard opens a door after several minutes of unlock delay. This delay, connected with alarms, is a strong deterrent for criminals. They know that law enforcement will be coming while they are waiting for the door to open.

Bringing these features to Keyless

Sera4 has released Teleporte Cloud server 3.5 and Teleporte Mobile application 5.2. All Teleporte Enterprise customers now have access to high-security protocols to match the use cases above. 

  • The new Multi-Authentication Unlock feature requires two or more users to unlock a lock. Each user has their own key for that one lock and each user must issue the unlock command to the same lock. The lock only opens after all required users try to open the lock on their own account.
  • The new Delayed Open feature can be enabled on a lock-by-lock basis. The administrator can configure the delay. When someone unlocks a Sera4 lock in the Teleporte Mobile application, it will open only after the specified delay.

At Sera4, we envision a fully keyless world. With these innovations, we bring keyless benefits to the highest-security applications, such as vaults. We expect that there will be many applications for these new features that we haven’t even imagined yet.

For more information on the available features on the Teleporte Cloud server, click here. Or simply and contact us to arrange for a demo. We’re excited to show off our latest innovations.