[javindo]

It seems cool but I have a couple of concerns. Firstly, how exactly is it detecting when someone is nearby? The iPhone doesn't have NFC for example and GPS isn't exactly the most accurate thing in the world. Secondly, it seems as though the device somehow connects to a front panel with a direct shaft to move the lock mechanism, it seems as though it would be fairly easy to compromise with a bit of brute force. How solid is the front panel? The large size also gives a lot of leverage for breaking off.

[garrettlarson]

The site says it uses Bluetooth and attaches to a standard deadbolt (that panel is presumably only on the inside of the door).

[goldenkey]

It's not particularly difficult to use two devices to act as a bluetooth mirror and rob someone's house by just walking next to them for 5 seconds.

[superuser2]

I doubt the phone is just constantly broadcasting an unlock code. If it's correctly designed, the lock and the phone would authenticate each other cryptographically using a nonce or time/date to prevent replay attacks.

[goldenkey]

And that doesn't mean anything when the signal is mirrored in duplex. We're talking about EMG, a wireless signal, not quantum bits that can be secured against reflection.

It isn't a man-in-the-middle attack, because nothing is being altered, crypto doesn't mean shit.

I'd call it a man-in-the-mirror attack ;-) The receiver/sender can't tell the difference.

Automatic unlock is a huge vulnerability.

I would not trust a company that doesn't bother to even mention these issues, even if they've defeated them, which I highly highly doubt. This product plays on the convenience factor, and does not really address anything technical. Cute, but no thanks. I'd rather have a safe house than a hipsterly cute one.

[calciphus]

Say it with me now:

Physical locks aren't unbreakable. A deadbolt does not make your house a fortress.

I am all for good data security here, but if someone has targeted you to the point of following you around to clone your phone's interaction with your front door, I am pretty sure the glass windows provide a far easier target. Most of them can be just lifted out of their frame.

Yes, it could be breakable. No, it is no less secure than an existing deadbolt. Threat model matters.

[goldenkey]

I'm not 5. I don't need to 'say it with you now.' Take that smug attitude and shove it up your ass.

Physical locks with heavy-set sprung pins, double shear lines, mushroom pins, and additional security features can be almost unbreakable given the amount of effort and noise that picking or breaking them will incur.

Your post is a contrite logical fallacy. The bluetooth mirror is trivial to execute once the mirror is created. No one has to 'follow around', they walk next to you for 2 seconds, and the signal is transferred bidirectionally, the door unlocks.

Yes, it is way less secure than an existing deadbolt. Your post is akin to saying a new operating system is secure because no viruses have been coded for it. And we might as well put shitty locks on our doors, because they can break in through the window anyways..right..and no one has bars on their windows, because you don't?

Now, say it with me: "I'm okay with lax security, so everyone else should be too."

Also say: "I don't know shit about pin-tumbler locks, so I can make posts about security to misinform other people."

Now slap yourself twice for being a dolt. Thanks, class. Now back to nap time.

[superuser2]

If you alter nothing when you replay the signal later, the door won't open because the "number used once" was used twice and/or the timestamp is wrong.

In order to arbitrarily generate a correct unlock signal, you would need to know the phone's key so as to encrypt and sign an unlock message containing the correct date. You can't do that unless you've broken the crypto.

Are you talking about moving the radio signal between the victim and the door live while he's out and about? That's clever, but the attack could be easily precluded by requiring his approval (on the phone) before sending an unlock message. Which he won't give unless he's at his front door.

I see the product includes Automatic Unlock as a feature, but as long as it's optional I see no problem. Unless your threat model includes Oceans 11-style thieves and government agents, that's pretty freaking unlikely; anyone that sophisticated would probably have an easier time picking your $25 deadbolt, social engineering the landlord, breaking a window, etc. anyway.

If your threat model does include these things, what are you doing buying consumer security hardware anyway?

[goldenkey]

The threat model will eventually include these things if automatic unlock becomes the norm. Why be the first to experience theft at the hands of someone savvy enough to have an EMG mirror. It's not hard to make an EMG mirror for bluetooth frequencies with two arduinos or rasberry pi. It's literally a weekend project. I don't know why you're saying this attack requires Ocean's Eleven style planning. It's more of an amateur hobby project than anything intellectually clever.

And you can buy one for less than $100: http://www.sena.com/products/industrial_bluetooth/sd1000.php

So let me see, EV of robbery equals: Price of macbook + tv + jewelry, etc, etc, etc minus $100

Seems likely that you are gonna be robbed if anyone with mal-intention has any grain of understanding how easy it is to mirror an auto unlock signal...