[apawloski]

Cool and interesting idea, but for obvious reasons* I have some slight reluctance with using a service like this for my home. For less valuable targets though -- like a conference room or shared workspace -- this is a really clever solution to sharing keys.

*I hate it when people say that so I'll expand. Simply put, I'm worried about it getting hacked. For instance, could you gain access to someone's wifi and then flash a new image (which includes a rogue key) onto the device?

[rdl]

Basically no commercial locks provide a perfect (or even very good) audit trail facility -- guaranteeing the device isn't tampered with. Even the government/military X09 standard lock (from Kaba-Mas; it's a pretty awesome self-powered combination lock) can be forced, then replaced with a new lock with a faked serial number and internally trojaned electronics. You could detect this on internal destructive inspection later, but you might even be able to hack the electronics with self-deleting firmware.

The standard for secure facilities is 24x7 monitoring and roving patrols which are frequent enough to prevent defeating the lock/door initially. If it takes 1h to cut through a vault door, and you do patrols every 15 minutes, it doesn't matter as much that once you compromise the door, you can subvert the lock for future access.

That said, there's more potential to make an electronic locking system (and seal/tamper evidence) really secure than there is to make a mechanical keylock secure -- keylocks are basically deprecated for even moderately high security, and mechanical combination locks for high security -- the future is all electronic systems with online checking of credentials. A system like lockitron has a lot of room to grow.

[schiffern]

Your threat model seems a bit out of whack. Picking your conventional lock has a much better cost/benefit ratio for a thief.

[nickbarnwell]

Breaking a window is actually a far more effective (and common) method of entry for thieves than bothering to pick a lock.

[apawloski]

Not necessarily, but I see your point. The threat model you suggest seems to be for a "one and done" event (which is a perfectly valid scenario). But the initial threat model was geared towards repeated, quick, and relatively inconspicuous access to a secure facility.

[mdip]

Sadly, the lock on your front door is most likely so easy to break, a thief wouldn't waste time trying to hack anything but the keyhole. I learned how to make and use a bump key from YouTube, practiced on my own front door and after a couple of hours could consistently spring the lock with a few whacks (seconds).

The weaker component is the (still available as a backup entry method) keyhole. A year ago, my neighbor locked herself out. I found out that she also had a Schlage lock and figured I'd try to help. After finding my disused bump key, I had sprung her lock after about twenty whacks. My total experience was two hours of practice three years ago. I don't consider myself to be uniquely skilled here.

Personally, I'd prefer a mechanism that would allow me to eliminate the key entirely. I'd rather live with the risk of battery drain/malfunction/phone loss.

[catch23]

probably not. it uses an arduino mega according to the video, so you'd need serial access to reprogram the arduino.

[apawloski]

From the FAQ [1]:

"However, if you would like to access Lockitron only via your local network, then we welcome you to flash your base-station with a new image that gives you full access to develop as you see fit"

https://lockitron.com/faq

Obviously I've done about as much research as you so far, so it's very possible the scenario that I describe is unlikely. The point of my initial post was simply to reflect on the fact that in some cases I'd love to use this, and in other cases, maybe not so much.

[catch23]

right. but it doesn't say how it is flashed -- perhaps it requires you to hook up via usb?

I can understand people's fear of technology when it is used for security purposes, but if someone wanted to break in, there are easier ways than flashing the base station. All someone would need to do is take a picture of your physical key and they'll be able to make an identical one.

[icebraining]

Unless you use the TFTP bootloader: http://arduino.cc/playground/Code/TFTPBootloader1

[veemjeem]

Well, that one is only for the ethernet shield. I'm guessing you probably need more code for communicating over wifi or bluetooth and supporting wpa/wpa2.