Coming soon to the App Store … Android Lockpick

Introduction

The application of the smartphone continues to make new inroads into mobile banking, online shopping and video streaming. In fact, if you watch many of the advertisements for sports channels, you’ll find that it is not a TV that is the device of choice for the viewer, it is their smartphone or tablet. Increasingly, too, it is the one thing that we carry around with us. At one time it was our keys that we carried around, and these were our main security item which, if lost, would generally make our lives difficult. In this Information Age, though, it is now our smartphone which we use to identify ourselves, and which contains all our secret passwords and our secure connections into the Cloud. Our physical device is basically becoming our pass key: without it we would struggle to identify ourselves, and would end up having to find a general-purpose desktop computer. And so our smartphone is becoming our pass key in this electronic world, and it is the trust that we are placing in it which is allowing our world to be re-designed. While it has problems with security, in the same way that losing a key causes, we can back up our world to the Cloud, and be ready with new keys, each re-programmed with new codes, if we need to.

Smartphones become more trusted

There are places where we need strong security, and the smartphone has been picking its targets and testing the water to see if both the consumer and service provider accept them. One of the most recent successes for the smartphone has been in airport check-in, where the technology has, within a short period of time, changed the way that many people identify themselves and their flight details. While hardly the most secure method in the world, it is just as secure as a piece of paper with dots on it, and the ability to retrieve the information at any time is a massive enhancement on having to use a printer and/or photocopier.

Hotel room access

One of the most trusted areas where we need strong security, and need to make sure that we identify people properly, is in hotels, where a slip in security could be costly. In fact, hotels tend to be more secure than homes, with only 0.3% of property theft reported related to hotel incidents (from 2004-2008 – Bureau of Justice Statistics). So it is to the credit of smartphone technology that the Hilton hotel chain, with their Conrad Concierge application, plans to allow guests to select their rooms with their smartphone, and use it to check in. They then intend to take this one step forward by using the smartphone itself to unlock the room, and this will be implemented in 4,000 hotels across the world, within more than 80 countries. Hilton have thus made the linkage of “my smartphone is me and I use it to control my world”. In their research they found that users wanted more control of their bookings, and the smartphone was the device of choice for setting this up. The target for the complete roll-out of the ability to lock/unlock rooms is 2016. Hilton obviously hope … to use a bad pun … that there is a lock-in on the services that they provide, so that their application becomes key (another bad pun!) to the business traveler.

There have been worrying signs, though, such as in September 2012, when a Dell consultant had their laptop stolen from a Hyatt room in Houston. For this it was concluded that the thief had gained access by exploiting a vulnerability in an Onity digital lock. The vulnerability in this lock had previously been disclosed, in July 2012, at a Black Hat security conference, and although an update had been posted within a month, it had not been implemented in the hotel in question.

The rise of the App Stores

At one time we received software through physical media, and this evolved to downloads from sites, but, as Gartner have identified in their top technology trends, it will be on the App Store that many users will focus their attention. The room lock/unlocker will thus be available through the main App Stores, especially focused on Apple and Google Live, so some customers without their operating systems may struggle to take full advantage of the services provided. So, as we see the new app in the App Stores, we must wonder how long it will take for a whole lot of other apps, focusing on lock picking, to appear. Unfortunately, the past has shown that as long as there is a vulnerable element in the overall infrastructure, it will be exploited by some budding security specialist wishing either to showcase their talent, or with a motivation to make some money. In the unpicking of locks there has, for centuries, been a healthy business for lock pickers, and so it will be to the App Store that the future lock pickers could look.

Conclusions

Hopefully there has been as much testing of the technology as there has been of customer adoption. Again, unfortunately, many examples have shown that there is often too much focus on whether users like the technology, and rather less on discovering flaws in the systems. But it could be that this is just the way that we kick the tyres of a new technology: we know that there are going to be problems and, as a society, we know that it will be worth it in the end. We are thus all part of a great big beta project, and it is one that is transforming the world. Well done smartphone!

Unfortunately digital locks are always likely to have vulnerabilities, in the same way that physical locks have, so it’s important that hotels monitor vulnerability reports, and make sure that they update their systems with patches, otherwise there may be a whole lot of people sniffing around their rooms with rooted apps on their smartphone. One thing we need to do is to make sure that the people creating the apps, and the companies selling them, are actually trained in software security testing! In something as critical as gaining access to rooms, the application of patches, which in themselves may cause more problems than they fix, might not be top of the agenda for busy hotel administrators. While secrets about lock picking have been passed on from thief to thief over the centuries, the Internet is a much more open place, where secrets are disseminated and acted upon in short time periods, and there’s little that can be done about them – apart from strong patch management!
