Questioning Smart Lock Security

The benefits of installing a keyless smart lock to replace the physical key and cylinder include:

  • Identity: the removal of anonymity from each person that unlocks the assets you protect
  • Security: keyless smart locks do not have an external locking mechanism — fewer ways to defeat the lock
  • Data: the records of “who”, “when” and “where” and even “why” the smart lock was opened

While it is easy to understand these benefits, it can be challenging to understand the complexity of keyless smart lock security.

Ars Technica, The Register, and threatpost all highlight the problems that can occur when basic security measures in the domains of physical, transport, embedded, and cloud security are not addressed.

As an Enterprise Security focused company, Sera4 strives to educate everyone about the benefits of smart locks and keyless access control. We want you to understand the differences between a locking mechanism that can be opened with a phone and a complete cyber-secure platform that provides a set of tools to help secure and protect your assets.

The Four Domains of Keyless Smart Lock Security

When investigating a keyless access control solution, we encourage you to identify the following concerns and ask the right questions.

  1. Physical Security: the aspects that prevent theft or vandalism due to the hardware’s shape, size, and installation
    • Concern: Keyless smart lock hardware is perceived to be expensive and can disappear as fast as it is installed. Preventing the theft of the keyless smart lock hardware itself may be critical to your security program.
    • Example: Company XYZ installs a keyless smart lock. One week later, a user arrives on site and finds the door open and the lock missing entirely. The user can’t even secure the site before he leaves.
    • Question: Does your keyless smart lock provide options to install securely to the structure, preventing theft of the keyless smart lock itself?
  2. Embedded Security: the software that ensures data security and integrity within the keyless smart lock and the mobile device
    • Concern: Keyless smart locks need to track the time and date to allow and disallow users access within the desired time frame.
    • Example: User arrives on site, a day after his digital key expired. The user turns off his mobile radios, changes the date on his phone, and attempts to open the lock using his digital key from yesterday.
    • Question: How do you ensure timely access that isn’t dependent on the mobile device for date/time?
  3. Transport Security: the protocols and algorithms that ensure identity, digital keys and access logs are safely and securely transferred between lock, mobile device and the Cloud
    • Concern: Even using secure transport protocols, mobile devices transfer and store digital keys – exposing them to modification.
    • Example: User downloads digital keys onto his phone. User can root his mobile device, change the details of a digital key, e.g. user and time of access. User still has the code to get in, but the logs record a different user, and at a different time.
    • Questions:
      • Does a digital key incorporate the user, time, and permission to access the keyless smart lock?
      • Can the integrity of all three be assured and verified by the keyless smart lock before access is permitted?
  4. Cloud Security: the hardware and software components that allow the ubiquitous access of users, and prevent hackers from getting in to steal data or to provide unauthorized access
    • Concern: Compliance with global privacy laws implies a responsibility to protect people’s information.
    • Example: Users access their account information at: https://(somewebsite.com)/user/1234. User manipulates the web address to: https://(somewebsite.com)/user/4567 and views the information of another user.
    • Questions:
      • How do you protect user information from others?
      • Do you understand and implement the concepts of Security by Design, Privacy by Design and RBAC (role-based access control)?
      • Are you compliant with country-specific privacy laws (e.g. GDPR, LGPD, PIPEDA, CCPA)?
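
The embedded and transport questions above reduce to one lock-side check, sketched here as an added example that is not Sera4's code: the key binds user, lock and validity window under one integrity tag, and the lock judges it against its own clock. An HMAC with a per-lock secret stands in for the certificate signature a real system would use; all names and values are constructed.

```python
import hashlib
import hmac
import json

LOCK_SECRET = b"constructed-per-lock-secret"  # assumption: provisioned into the lock


def issue_key(user, lock_id, not_before, not_after, secret=LOCK_SECRET):
    """Cloud side: bind user, lock and validity window under one MAC."""
    claims = {"user": user, "lock": lock_id, "nbf": not_before, "exp": not_after}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class Lock:
    def __init__(self, lock_id, secret, rtc_now):
        self.lock_id = lock_id
        self.secret = secret
        self.rtc_now = rtc_now  # the lock's own clock, never the phone's
        self.log = []

    def try_open(self, key, phone_time=None):
        """phone_time is accepted only to show that it is never consulted."""
        expected = hmac.new(self.secret, key["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, key["tag"]):
            return self._record(None, "rejected: key modified")
        claims = json.loads(key["body"])  # parsed only after the tag verifies
        if claims["lock"] != self.lock_id:
            return self._record(claims["user"], "rejected: wrong lock")
        if not claims["nbf"] <= self.rtc_now <= claims["exp"]:
            return self._record(claims["user"], "rejected: outside time window")
        return self._record(claims["user"], "opened")

    def _record(self, user, outcome):
        self.log.append((self.rtc_now, user, outcome))
        return outcome


def demo():
    key = issue_key("alice", "lock-7", 1000, 2000)
    fresh = Lock("lock-7", LOCK_SECRET, rtc_now=1500).try_open(key)
    # A day later: the phone clock is rolled back to 1500, the lock's clock reads 90000.
    late = Lock("lock-7", LOCK_SECRET, rtc_now=90000).try_open(key, phone_time=1500)
    # A rooted phone edits the user and expiry but cannot recompute the tag.
    forged = dict(key, body=key["body"].replace("alice", "bob").replace("2000", "99999"))
    tampered = Lock("lock-7", LOCK_SECRET, rtc_now=90000).try_open(forged)
    return fresh, late, tampered
```

The access log entry is written from the verified claims and the lock's clock, so the recorded user and time cannot be changed by editing the key on the phone.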
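
The cloud example above (changing /user/1234 to /user/4567) is a missing object-level authorization check. This added example, not taken from any Sera4 code, puts a handler that trusts the URL beside one that authorizes every request against the session; the records, role names and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records standing in for the cloud's user table.
USERS = {
    1234: {"name": "A. Tech", "org": "north", "phone": "555-0101"},
    4567: {"name": "B. Tech", "org": "south", "phone": "555-0102"},
}


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "user" or "admin" (hypothetical role names)
    org: str


def get_user_vulnerable(session, path):
    """Trusts the id in the URL: any logged-in user can read any record."""
    requested = int(path.rsplit("/", 1)[1])
    return 200, USERS.get(requested)


def get_user_checked(session, path):
    """Authorizes the requested object against the session on every request."""
    try:
        requested = int(path.rsplit("/", 1)[1])
    except ValueError:
        return 404, None
    record = USERS.get(requested)
    if record is None:
        return 404, None
    own = requested == session.user_id
    org_admin = session.role == "admin" and record["org"] == session.org
    if not (own or org_admin):
        # Same answer as "no such id", so valid ids cannot be enumerated.
        return 404, None
    return 200, record
```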

More Information

Learn more about how Sera4 addresses these questions and concerns:

AP3 Fact Sheet
Sera4 Embedded Security Fact Sheet

As always, feel free to Contact Us to ask any other questions you might have!

A peek inside the Teleporte Cloud from Rancher

Here is a link to a blog from our friends at Rancher. It provides a sneak peek inside how we do cloud. Our own Jeff Klink discusses the advantages of the current Teleporte Cloud architecture. Read it and see how we deliver the security, reliability and scalability that Teleporte is known for.

Rancher is a container orchestration software company. We use their services to help us manage the Teleporte network.

Failsafe Unlock Explained

The Teleporte keyless access control system uses digital certificates as keys and is controlled through a mobile phone application. We have proven this method to be secure, scalable and reliable. Teleporte works on practically all Android and iOS devices (over 700 models in use and counting), so we ensure great user adoption. Users access the vast majority of our locks in this way.

With the recent launch of Teleporte server 3.4, we introduced the Failsafe Unlock feature. With this, you can still get into your locks in the event your smartphone isn’t working, whether the phone’s battery is dead at the end of a long working day or your phone is damaged and no longer functions. The Failsafe Unlock feature provides you with a 4-digit flash pattern that you replicate by holding the button on the lock or with our Access Pad. Entering the valid code will grant access to the lock.

How Failsafe Unlock works as a user.

Failsafe Unlock is even easier to use from the administrator’s side. The administrator will tell the user the code and record who they gave it to in the admin panel. This way, the Teleporte system maintains the access logs. The code is unique to each lock and is only valid for a few hours. Failsafe Unlock is now available to all Teleporte Enterprise subscribers.

With this innovation, we are enabling the transition to digital access control by eliminating the last of the reservations for going keyless. For more information, contact us or click here for more product information.

Deploying Teleporte during the pandemic

The COVID-19 pandemic is the biggest adjustment in business operations in a generation. Authorities worldwide are asking everyone to stay home or to maintain a social distance from others if we need to go out. No one knows how this situation will evolve, how long until we get a vaccine, and what permanent effects will persist in a “new normal”.

At Sera4, while we can’t practically retool to make facemasks, we can help with social distancing and help to monitor remote sites when technicians visit less frequently. Teleporte’s keyless infrastructure means that you grant access virtually – no handing out keys, cards or fobs; no paper sign-in sheets. You can make your process more efficient and secure, while maintaining the social distance that is now required. 

A lot of people we speak with are concerned about the risks of going digital on something as important as site access control. No one wants a system that doesn’t work as intended every single time, and many people are afraid of the risks of a hacking attack. These are legitimate concerns, given the poor reliability of many new technologies and the steady stream of bad press about smartlock solutions that have been hacked.  

We are very aware of these concerns and work hard to address them. Starting from a security infrastructure that has its roots in BlackBerry, we have built Teleporte to be the most secure keyless access system, built on a patented system that uses digital certificates – just like internet banking. Having measured a 99.97% access success rate over the last 1 million openings on the Teleporte network worldwide, we maintain that Teleporte is as reliable as a traditional lock and key.

We’ve also made Teleporte a very safe and simple system to deploy. Being a cloud-based solution, it requires no IT integration project, no servers, no data connections, no power (in the case of our padlock), no maintenance routines. Just install a padlock or a lock controller on your door, enclosure or gate and visit teleporte.sera4.com to manage access. And that’s it!  

Contact us or our network of distributors and integrators to learn how Teleporte is the right solution to roll out in the face of social distancing. Or click here and take a look through some of our information to decide for yourself.

Teleporte 5.1 for Android: French Support

We are pleased to announce the immediate availability of our Teleporte Mobile Application version 5.1 for Android. In addition to numerous minor usability and bug fixes, we now provide French language support natively in the app. Teleporte for iOS to follow shortly.

Teleporte Cloud Server 3.4 Launched

Cloud server 3.4 introduces one major new feature: version 3.0 of the REST API. This new API has additional security controls, allows for multi-organization control, and surfaces new features and better performance than the existing API. API onboarding and usage instructions can be found publicly at https://apidocs.sera4.com. Existing customers using the prior generation API will not be affected, and a sunset date will be announced sometime in the future.

In addition, we have added support for flexible lock licensing. This feature tracks the exact license dates and features for each lock, allowing organizations to supplement additional locks with licenses at any time. Administrators may now see greyed out icons for features which can be enabled via additional licenses.

Finally, small feature fixes have also been implemented that target improved readability of reports, the usability of the administration dashboard as well as performance fixes for the download of digital keys to mobile devices.

Teleporte 5 now available for iOS

We’re excited to share that the Teleporte 5 mobile app for iOS is now available on the Apple App Store. This new release brings the current Teleporte experience to iPhone, aligning with the look and feel of the latest Android releases. This release is part of our ongoing commitment to compatibility with as many smartphones as possible.

Sera4 exhibiting at SICUR 2020

Together with our partner Jonyco, we are exhibiting at the SICUR 2020 tradeshow in Madrid.  Come and visit us to see and hear about the latest innovations in keyless access management at booth 10A01 from February 25 – 28, 2020.

Sera4 Exhibits at Distributech

Sera4 is exhibiting for the first time at Distributech 2020 in San Antonio from January 28-30. Come and visit Sera4 at booth 4247 in the Ontario pavilion.

Access Digitization and 5G

The telecom industry has talked about little other than 5G for the past couple of years. All I hear about at IoT or telecom technology conferences is the potential of 5G and the opportunities with 5G. Despite all the hype, IoT 5G still seems to be stuck in the future.

I’m sure that the industry will eventually get there. So far however, I see few customers willing to pay for the costs of putting 5G inside their IoT applications.

These costs include:

  1. Adding an always-connected service to a device requires the addition of an LPWAN radio, including the chipset, firmware and antenna. These radio systems are not yet available at prices that will facilitate mass-market adoption.
  2. The power consumption of being always connected is falling, but is still high enough to seriously impact battery life in portable devices. Always connected portable devices either need to have bigger batteries or be recharged more often. Less time between charges is not attractive in remote mission-critical applications.
  3. The costs and time it takes to certify new wireless devices for use and for sale in each market.
  4. The ongoing cost of the wireless subscription service.

We have designed Teleporte to securely virtualize an IoT network through the smartphone. This approach has the obvious disadvantage that it’s not always connected and doesn’t serve real-time alarms in case of physical vandalism.  But the advantages in the design are numerous.

  • The current Teleporte system is fully redundant to the core network of our customers. This means that it is more resilient: working even when other networks are failing.
  • The battery life of portable or remote devices is much longer.
  • Products like this can cost significantly less to deploy, both in the up-front costs and the ongoing costs of the 5G wireless connectivity service.

Our approach with Teleporte also provides a higher level of cyber-resilience than any always-connected device does:

  • Any nefarious hacking into our customers’ core networks doesn’t affect Teleporte, and if any compromise were found on the Teleporte network, it couldn’t be a vector into other sensitive networks. Access control data networks should be independent of the other systems. Cyber-attacks are routinely carried out through connected “smart” devices that seem to perform a tangential function.
  • A possible hacking attack with an always-connected device might try to reach all networked access points simultaneously, for example to unlock all sites on a network. With a network topology like Teleporte, which requires physical presence at the node to make the connection, such an attack is extremely impractical: it would involve visiting each site at the same time, because otherwise there is no connectivity to carry out such an attack. With most cyber-attacks being conducted by AI today, the most secure form of defence is having the connection only when it is needed.

At Sera4, we participate in building a world of machine-to-machine connected devices. We are already innovating toward secure always-connected solutions in our labs that overcome the challenges described here and when it’s feasible such features will soon integrate seamlessly in the Teleporte network. We encourage those who want the benefits of IoT access devices and smartlocks to proceed today with confidence that today’s Teleporte networks are secure and pragmatic, and that Sera4 will remain at the forefront by introducing always-connected devices as soon as it’s commercially practical to do so.