|
|
|
|
|
|
by e12e
2515 days ago
|
|
|
First, this is obviously hilariously bad from a system perspective (un-authenticated/unauthorized rebind of lock) [1] OTOH it appears the problem is entirely server side, and could be patched/mitigated by the provider? It still seems possible that the lock is secure-ish. It might conceivably have some form of anchored trust (pinned cert?) to communicate with the server - and a secure/better rekey flow could maybe be implemented? Still sounds crazy to delegate authorization entirely to the cloud (I'm guessing you can open the lock wo internet, but not re-key). I'm not even crazy about "find my phone"-services - and that's considering the vendor typically owns the hw, the kernel and can push updates (ie: all bets are off anyway). [1] I'm also curious about the "lock code" field in the data - does the service advertise the pin if you give the correct serial/hw ID of the lock? Or something else? |
|
|