Hacker News new | ask | show | jobs
by foota 1017 days ago
Fwiw you could probably build this in a way that it continues to operate without internet. This creates a new attack vector (disable the internet and you can't revoke access) but that's probably acceptable given the physical attacks possible.
1 comments
amenghra 1017 days ago
Each key gets a revision number. When the first set of keys are created, they get revision number 0. The lock records a high water mark of the revision numbers it has seen. Only keys matching the water mark get to unlock the door.

When you want to revoke a key, you re-issue a new set with a higher revision number. When the guest checks out, you issue the next revision number to the next guest, effectively disabling the previous set.

You do all this as a fallback when the network fails. This way, you can still disable keys in real-time when people checkout of their room.

link
nijave 1016 days ago
Does this use something like asymmetric keys so door can verify a key came from the issuing system or is there still some online/network portion?

Assuming it does use asymmetric keys to prevent someone from creating counterfeit access cards, there would still be a window (if the network is unavailable) where the old key would continue to work until a new key is scanned the first time on the door lock?

link
themerone 1017 days ago
I think this is similar to how most hotel locks work.
link
ryukoposting 1016 days ago
Currently at a reasonably-priced hotel in the boonies. Extended my stay the other day and they had to re-issue the keys. The keys must be aware of the reservation period, and the locks must be aware of the current wall-clock time. Finding a way to tamper with the RTC in the lock could blow up the whole system. Or, you know, a crowbar.
link
foota 1016 days ago
I don't think a crowbar attack will work in this case, I doubt you'll be able to get the lock to talk. /s
link
themerone 1016 days ago
I've extended stays without needing new keys. There could be wireless updates, or resetting the lock is done when housekeeping preps the room.

There are definitely multiple solutions that don't depend on a server to authenticate every unlock.

link
ryukoposting 1016 days ago
I'd imagine the locks in most hotels don't require an internet connection. Frankly I'd be horrified if my hotel room's locks depended on this horrendous WiFi.
link