Locks are the kind of thing that you don't want computerized unless it involves biometrics. The 'tech-it-all' attitude is getting kind of tiresome. I've had newer washers with spin alignment sensors that break every year as oppose to my old analog washer that lasted 20 years.. A lock simply shouldn't have any hackable components. A microcontroller with wireless connectivity inside of a lock is the kind of ignorance that the 'omg, tech' attitude invites. As much as I like technical people, there are some folk who will orgasm at anything that has a microcontroller on it - I'm kind of ashamed of those folk - tech is a means to an end, not something you need to turn everything into.
I will say this is very cool though. I would not use it or recommend others do because the components and firmware are NOT open-source, and therefore it cannot be audited and is a HUGE security risk.
It seems cool but I have a couple of concerns. Firstly, how exactly is it detecting when someone is nearby? The iPhone doesn't have NFC for example and GPS isn't exactly the most accurate thing in the world. Secondly, it seems as though the device somehow connects to a front panel with a direct shaft to move the lock mechanism, it seems as though it would be fairly easy to compromise with a bit of brute force. How solid is the front panel? The large size also gives a lot of leverage for breaking off.
I doubt the phone is just constantly broadcasting an unlock code. If it's correctly designed, the lock and the phone would authenticate each other cryptographically using a nonce or time/date to prevent replay attacks.
And that doesn't mean anything when the signal is mirrored in duplex. We're talking about EMG, a wireless signal, not quantum bits that can be secured against reflection.
It isn't a man-in-the-middle attack, because nothing is being altered, crypto doesn't mean shit.
I'd call it a man-in-the-mirror attack ;-) The receiver/sender can't tell the difference.
Automatic unlock is a huge vulnerability.
I would not trust a company that doesn't bother to even mention these issues, even if they've defeated them, which I highly highly doubt. This product plays on the convenience factor, and does not really address anything technical. Cute, but no thanks. I'd rather have a safe house than a hipsterly cute one.
Physical locks aren't unbreakable. A deadbolt does not make your house a fortress.
I am all for good data security here, but if someone has targeted you to the point of following you around to clone your phone's interaction with your front door, I am pretty sure the glass windows provide a far easier target. Most of them can be just lifted out of their frame.
Yes, it could be breakable. No, it is no less secure than an existing deadbolt. Threat model matters.
If you alter nothing when you replay the signal later, the door won't open because the "number used once" was used twice and/or the timestamp is wrong.
In order to arbitrarily generate a correct unlock signal, you would need to know the phone's key so as to encrypt and sign an unlock message containing the correct date. You can't do that unless you've broken the crypto.
Are you talking about moving the radio signal between the victim and the door live while he's out and about? That's clever, but the attack could be easily precluded by requiring his approval (on the phone) before sending an unlock message. Which he won't give unless he's at his front door.
I see the product includes Automatic Unlock as a feature, but as long as it's optional I see no problem. Unless your threat model includes Oceans 11-style thieves and government agents, that's pretty freaking unlikely; anyone that sophisticated would probably have an easier time picking your $25 deadbolt, social engineering the landlord, breaking a window, etc. anyway.
If your threat model does include these things, what are you doing buying consumer security hardware anyway?
I will say this is very cool though. I would not use it or recommend others do because the components and firmware are NOT open-source, and therefore it cannot be audited and is a HUGE security risk.