Bluetooth Locks

My experience with bluetooth has been pretty successful over the course of the last few years.  I have a mouse that works wirelessly through this tech, my car stereo connects to my phone and plays music using it, etc.  I also have an RC helicopter which is supposed to work through bluetooth and let my phone control it but it doesn’t work at all.  The helicopter seems not to receive commands all the time, and a pilotless helicopter doesn’t stay airborne long.

This brings us to the newest bluetooth device of interest: The Kevo bluetooth deadbolt made in coordination with Kwikset.  It looks like a really fantastic device and knowing my high-tech clientelle I immediately started working to find out if any of my distributors were selling it, because I know there will be demand by tech savvy people who want to use hands-free locks.

Carrying this lock and recommending it, however, are two different things.  I rarely take a chance on new technology because there is always a lot of bugs to iron out, especially in the last twenty years.  I have a lot of experience with open source software and the trend lately seems to be to push the product out the door working or not and then roll out fixes later.  Product manufacturers seem to think it is fine to use their customers as beta testers!  And so what if the device malfunctions or gets bricked in the course of this testing?  The stipulations of the warranty are that the customer has to pay for shipping, and half the time that alone is half the cost of a new device!

With my bluetooth-enabled RC helicopter experience in mind, I suggest to my customers that they hold off on buying any bluetooth enabled locks.  There are lots of things people haven’t thought through here, like how hard is it to clone a phone’s bluetooth profile and spoof somebody’s phone?  If somebody made a device that could read the handshake between the phone and the lock, they could probably spoof the device and do that themselves when the owner left his home next.

Second question: if you are in your house with your bluetooth phone, can somebody else walk up and touch the deadbolt and it will open, because the bluetooth device is nearby?  That would be worrisome if you were asleep and your phone was in range of your lock.

Finally, this lock is $200 but at its heart there is still an insecure kwikset deadbolt with smartkey tech, and this has been shown to be vulnerable to numerous attacks involving brute force which leave no sign of entry.  Adding bluetooth to this lock is sort of akin to polishing a turd, if you get my drift.

So, if you are interested in hands free technology, there are other options like Zwave technology as well as the Arrow touchpad, and also voice recognition technology.  Just don’t get a Kwikset Kevo until the tech has been around one generation.  Especially with real world hardware that can lock you out if it malfunctions!  I like to sit back for six months and watch all of the early adopters break their new toys and find fixes before I embark on the upgrade process.  This is how I’ve been doing it with my android phone, my mp3 player, my linux computer, my routers, etc for years and years.

Poor Kwikset is dragged through the mud again

Today Wired ran an article about Kwikset Smartkey locks and how easily they are compromised. They use nearly the same technique that I use when people are locked out of a Smartkey lock, except that I torque an actual key. They hammer a key blank into the lock so they can’t take it back out. My method, I take the key back out after I am done, and the regular key still works half the time.
The main premise of their argument, however, is correct: Smartkey locks are not that smart. They won’t keep criminals out. Their main use is for low security rental units that landlords want to rekey after each change in occupancy. I know my key looked very worn when I got it from my property manager.
So, in an analysis of what these guys did wrong: They should have tried torquing a nickel key so that they could remove it. This would have two beneficial results: they wouldn’t have damaged the lock face with their screwdriver, and there would not be a key still inside the keyway. There would be absolutely no sign of forced entry. The lock would probably still work. I feel like an idiot for not pulling their grant money for this study, because I could have done this a lot better. On the other hand, maybe they purposely obfuscated the methods I describe because they don’t want to give criminals the ability of forced entry with no forensic signs.
At any rate, the old adage remains true: if the criminal wants into your house, they will get in. The trick is making it look harder to get into your house than your neighbor’s (but not so hard as to attract interest). Kwikset advertises this deadbolt as grade 1, meaning that it can be used thousands of times without failure. I have lots of customers whose smartkey locks have failed after a few years. They seem more likely to fail if poorly copied keys are used in them.
Another thing this video points out is the need for a keyway that is less common or restricted entirely. This method wouldn’t work if these men weren’t able to stick a blank that fit the keyway into the lock. I always offer customers the choice of changing the keyway to a less common one or a restricted keyway for a little bit more money. Then you are far safer from bumpkey attacks, not to mention how much harder picking a lock is if it is not kw1 or wr3. There is a lot of room for manoeuvrability in these latter keyways.

Getting a business onto Google Maps and keeping it there

Everybody knows that successfully running a business is a PITA.  You have to constantly be worrying and networking and thinking about your business.  Mine is no different.  Complicating matters is the recent removal of my business’s listing from Google Maps.  You can read about it here.  Or, you can read my summary

1.  Google removes my listing from Google Maps

2.  I ask google why they removed my listing via email as they recommend

3.  4 weeks later they respond and say that my business listing doesn’t meet their quality criteria, and that my business’s category, locksmith, is very contentious.

4.  I renew questions on a thread I started about my deleted listing, because I already made one when google deleted my business listing the last time.

5.  Some guys that hang out in the Google products forums respond, and basically tell me that my business looks sketchy and they can’t tell my business from all of the other sketchy locksmiths around, even though my business is registered with the city and the state and I only have one listing.  They tell me that they would reinstate me, but they just don’t have enough evidence that I run a legitimate business.  They suggest I should join ALOA amongst other things.  Apparently seeing my business registered with the state is not enough for them.  They also suggest that my business name is an example of keyword stuffing, even though my business name is succinctly expressing my location and my profession.

This all reminds me of the time my parents started a winery, and the city of Lacey made up some arbitrary rule that they couldn’t have a sign on the freeway advertising a winery unless they also had a vineyard.  So my father planted a grape vine next to the door of the warehouse we are using as our winery.  Unfortunately, these guys want me to jump through far more hoops.

I am getting more business now than I ever have before thanks to positive reviews on yelp and also references from happy customers, so now I am just tilting at windmills trying to get reinstated because I am angry about getting kicked off of Google Maps while a bunch of obvious scammers’ listings remain.  I report all of these listings, and yet they remain.  As a result of Google’s actions I am planning on running my own email server and weaning myself off of all google services including gmail, which I happily used for the last decade and also set up those I know who are technically inept with.  Harder will be the process of removing their software from my Android hardware.

If you are a locksmith thinking about paying for adwords, don’t bother.  Just go with Yelp.  Yes, they charge more per click, but you are going to get a better return.  Nobody is going to click on your ads on yelp trying to learn how to lockpick in a video game, or find out where to buy a deadbolt.  And chances are after you invest $800 in adwords like I did, Google will decide that your business isn’t real and delete your business listing from Google Local, a.k.a. stab you in the back.  So, consider yourself warned.

Update: It has been almost two months since Google deleted my listing and I am still waiting for Google to tell me what I did wrong.  The most they can tell me is this:

Dear Bjorn,

Thank you for your inquiry.
Thanks for contacting Google. Your account has been suspended due to quality violations and we will be unable to assist you further. For more information on our quality guidelines, please see this article: http://support.google.com/places/bin/answer.py?hl=en&answer=107528

 

Sincerely,



Mike S
Thank you ever so much, Mike S.  You and Faride deserve a pat on the back with this in depth customer service and sending me a link which confirms that there is nothing wrong with my listing.
Something new happened though.  Google actually called me and asked me what my business address was.  This guy with an Indian accent.  So I gave them my business address and he said thank you and hung up.  That was four days ago.  My business is still not on Google Maps.

Hands-Free locksets are here

Months ago I was pondering taking apart a car’s authentication system and using a car ignition as my front door lock due to the added security of transponders and the car’s ECU, which is two-factor authentication, somewhat rare on consumer door hardware. Today I noticed that manufacturers of door hardware have caught up with the times and I would be reinventing the wheel. Mul-T-Lock has had two factor authentication for some years now, but “unikey” has just come out with their “Kevo” lockset which interacts with Bluetooth 4.0 devices.
Apparently all you have to do is touch the lock while your phone is in close proximity. Knowing the distance that Bluetooth can go, I wonder if somebody could amplify the signal and unlock the Kevo by touching it while you are inside, if the phone is within 30 feet or so of the lock (distance required by bluetooth to work). According to this article the lock can determine if you are inside or outside, so this may already have been addressed by the manufacturer.

Most interesting to me is that the Kevo has the ability to share e-keys to different people’s phones, including one use only e-keys.  Unfortunately, the only devices able to interact with the Kevo at the moment are iOS devices, though android apps are in development.  Probably iPhone owners are the only ones who would buy a $200 deadbolt that works with their phone anyway.

A competitor that also offers these abilities is “Lockitron”.  Interestingly, they have engineered their lock to be connected to your wireless network allowing the owner to lock or unlock the door remotely from anywhere in the world they have internet access.  I imagine it is only a matter of time before somebody figures out how to defeat the security of this detail, if this lock becomes more popular.

Somebody reading this, if you buy one of these locks I will help you install it for free.  I am interested in seeing this beast up close.

Identity Theft and Your Mailbox

There are some crews around the Seattle area pillaging mailboxes and using the information gleaned from their bounty to steal your identity!  One thing you can do to prevent this is to get a locking mailbox.

Before you go out and buy a locking mailbox though, you have to know what kind of locking mailbox.  Sometimes the mailman won’t deliver your mail because the slot isn’t big enough!  Take notice of the size of your daily mail deliveries, because the thickness of these deliveries is the necessary dimensions your mailbox slot must have at a minimum.  Otherwise, the mailman will claim the slot isn’t large enough and you will have to go to the post office to get your mail that wouldn’t fit!

While on the subject of mailbox locks, I will change a mailbox lock or install one for $65 flat, no fees, service call already included, parts already included.  You can also see my mailbox lock page to view a video on how to change them yourself.

Worried about lending out your key?

Here is the dilemma: you need to let somebody into your house while you aren’t there for some reason, but you are worried that the key may be used for an ulterior motive.  I have the answer for you.

1.  The cheapest solution is to have a side or back door keyed differently.  Make the doorknob work with a key you lend out but the deadbolt lock is thesame as the rest of the house.  When you want somebody to be able to access your house, just leave the deadbolt unlocked.  After the workman has finished his work, leave the deadbolt locked and nobody can enter with the spare key because the deadbolt is still locked.

2. A more elegant solution is to masterkey the doorknob.  Then the doorknob can be unlocked and relocked with both keys.  You can lock out people with the loner key with the deadbolt.

3. Another solution is to get locksets installed that are interchangeable core.  Then you can change your locks at will.  Change the lock for the day, when you get home change it back.  This is probably too extreme for most homeowners and reserved for sufferers of paranoia and control freaks.

4. My favorite solution, a combination of 1 and 2, is to change your locks to use a restricted keyway and masterkey the doorknob on any door of your choosing.  Then you lend out a key to somebody and they can’t copy it anywhere.  I can supply you with the MX2 keyway, one which locksmiths and distributors are legally bound to not sell blanks or copies of.  If you get MX2 locks from me, I write down your name and bitting and encrypt it using PGP.  If anybody asks me to copy an MX2 key, unless I made it I will say no.

I can assist you in this matter using any of the strategies outlined.  Keep a knob separately keyed and save $20 on rekeying.  Have me rekey just one lock for $20.  Installing interchangeable core locks is more expensive and worth an estimate.

If you get the wrong key stuck in your ignition…

Today a charming lady called me because she was locked out of her car.  After making quick work of opening the 2003 Saab, I returned to my own car to get back home before my better half.  In my haste, I inserted my motorcycle key into the ignition.  It felt like the first tooth might have cleared two wafers.

It was interesting being the 1% of people who could remove the key without actually getting any additional tools.  A lockpick was all that was necessary for manipulating the stuck wafers out of the way and getting the motorcycle key out.  It made me think what would happen to somebody else though.

For people without lockpicks or a firm understanding of how locks work, getting your key out will be more difficult.  The first step is of course to wiggle and pull the key lightly.  If you pull too hard you could bend the wafers and damage the lock.

The second step is to find something really thin made of metal, like a hacksaw blade.  You have to stick it in alongside the stuck key, right down the middle.  Then, you move it up and down and try to visualize what it is getting stuck on.  If you feel something that won’t move easily, try pushing slightly harder.  Hopefully it is the wafer that is sticking.

Of course, this whole process has an added level of complexity if you have successfully turned the ignition partially with the wrong key.  Then you have to torque it back into the position for taking the key out before performing the above steps.  You can also possibly remove the entire ignition if you have turned the key and more easily manipulate the inner workings of the ignition, assuming it is the type where the wafers are visible.  Don’t bend it too hard or you will shear off the key!  The best way to accomplish this is with some vicegrips and grip as close as possible to where the key comes into contact with the keyway.

Of course, if you mess anything up this was just friendly advice and I am not to be held liable for your own dumb self.  Call a pro if you can’t get it!

Could somebody steal from you without entering your house? Of course!

If you are like most Seattlites, you have a wireless access point transmitting and receiving your data for all the world to listen to.  If you are smart, you will encrypt this traffic using WPA2 using a complicated passphrase involving letters, numbers and symbols.  If you are really cagey, you won’t transmit information wirelessly at all but use ethernet cables.

The reason for this paranoia is that there are entire linux distributions written for the express purpose of decrypting your passphrases and gaining access to your wireless network, where various actions of ill intent can be taken such as hijacking your internet sessions with facebook or even worse your bank, accessing your financial records and important information about you that can be used to steal your identity, etc.  This can also be accomplished by those with less technical knowhow by applying elbow grease and digging through your trash.

How to prepare against this possibility?  Put a passphrase on your wireless internet.  Shred important documents.  Practice good computer security, i.e. don’t set up data shares without passwords on your home network.

There are programs available that can let somebody crack WEP in a few seconds flat, if the password is easy.  Likewise for windows user passwords.  Therefore, use strong encryption like WPA2 and use complicated passwords, and especially don’t use common passwords like the word password, because people who like to compromise networks have built dictionaries (called rainbow tables) of the most common passwords and can cycle through the 5000 most common ones in ten seconds.

Restricted Keyways Now Available

If you are concerned about lending out a key to somebody and then they go to the hardware store (or Fred Meyer’s) and copy it and then give it back to you without telling you that they still retain a copy, you can prevent this hypothetical problem with getting keys in a restricted keyway.  This means that the profile of the key looking at it when pointed at your eye will be a different shape than fits in other locks.  This also means that people can’t buy the same key blank, and thus can’t copy your key.  If they had detailed information about the key they could copy it, or they could use a lost wax method or something to copy the key with a different medium than pre-cast key blanks.  They will also have to go to a great deal more trouble to do so however.  More trouble than simply pulling your door off with a tow hitch or blowtorching through your wall, etc.

The point of all of this is that with a restricted keyway, you can protect against a lot of scenarios involving security breaches that you can’t protect against if you have a common keyway.  The costs are minimal: changing your keyway won’t break the bank.  You are also not tied to my business.  If you want you can pay another locksmith to change the keyway.  If you want key copies however you have to come to me, and I maintain a database of who has what keys, and if you aren’t the same person who bought that key I will call the person in my database for that key.  That is called key control management, and it means that nobody has the key unless you give it to them.

When I rekey people’s houses I always ask if they would like one knob or lever to be keyed differently to allow them to give out a key to workmen.  On days when workers are expected, the deadbolt can be left unlocked and entry is permitted by unlocking the knob or lever.  When entry by people without the common housekey is not desired, the deadbolt is left locked.  This allows you to maintain a relatively safe and secure house though it still leaves you vulnerable to impressioning, picking and bumping.  Criminals don’t usually employ these methods but it is worth thinking about to employ a keyway that makes it almost impossible to use a bumpkey or impressioning on.  Such a lock is still susceptible to picking, but I also offer the upgrade of anti-pick pins which will defeat those of common criminal lockpicking skill.  If your door is thick and your door frame is secure and your lock is grade 2, with a restricted keyway and anti-pick pins you are going to be nearly unassailable.

For those who are interested in the most reasonable prices, I can also give you a less expensive keyway that isn’t restricted, but is old and unused by most and only a locksmith will probably have access to the same key blank.  Let me know!

Masterlock “bump-proof” locks

Today I was reading lock related periodicals as I am wont to do when time weighs heavily and I came across some interesting information regarding masterlock.  Nobody thinks of this company as producing anything that could be called high security as everybody knows somebody that can open their combination locks using a pop can or by listening to the clicks and writing down numbers and doing a small amount of number crunching.

Apparently masterlock did a study on bumpkeying locks and figured out a way to prevent it.  Unfortunately the changes they made to their locks make it even easier to pick them.  You can turn the plug after setting 3 of the 4 pins!  They have always been easy to impression as well.  The silly part is that their locks are now being marketed as “high security” and “ultra security” at Home Depot even now.  Of course, none of this will stop anybody who has a $35 bolt cutter found farther down the store a few aisles, or even a digging bar that will fit in the shackle.

The best security against bumpkeying to my knowledge without buying better locks is to retrofit your locks with higher tension springs and spool pins or serrated pins.  These won’t stop bumpkeying but they will require about ten more taps which is enough to make burglars think twice in the middle of the night.  A well-lubricated Kwikset lock with no security pins only requires one or two taps, for comparison’s sake.