story
It isn't a man-in-the-middle attack, because nothing is being altered, crypto doesn't mean shit.
I'd call it a man-in-the-mirror attack ;-) The receiver/sender can't tell the difference.
Automatic unlock is a huge vulnerability.
I would not trust a company that doesn't bother to even mention these issues, even if they've defeated them, which I highly highly doubt. This product plays on the convenience factor, and does not really address anything technical. Cute, but no thanks. I'd rather have a safe house than a hipsterly cute one.
Physical locks aren't unbreakable. A deadbolt does not make your house a fortress.
I am all for good data security here, but if someone has targeted you to the point of following you around to clone your phone's interaction with your front door, I am pretty sure the glass windows provide a far easier target. Most of them can be just lifted out of their frame.
Yes, it could be breakable. No, it is no less secure than an existing deadbolt. Threat model matters.
Physical locks with heavy-set sprung pins, double shear lines, mushroom pins, and additional security features can be almost unbreakable given the amount of effort and noise that picking or breaking them will incur.
Your post is a contrite logical fallacy. The bluetooth mirror is trivial to execute once the mirror is created. No one has to 'follow around', they walk next to you for 2 seconds, and the signal is transferred bidirectionally, the door unlocks.
Yes, it is way less secure than an existing deadbolt. Your post is akin to saying a new operating system is secure because no viruses have been coded for it. And we might as well put shitty locks on our doors, because they can break in through the window anyways..right..and no one has bars on their windows, because you don't?
Now, say it with me: "I'm okay with lax security, so everyone else should be too."
Also say: "I don't know shit about pin-tumbler locks, so I can make posts about security to misinform other people."
Now slap yourself twice for being a dolt. Thanks, class. Now back to nap time.
In order to arbitrarily generate a correct unlock signal, you would need to know the phone's key so as to encrypt and sign an unlock message containing the correct date. You can't do that unless you've broken the crypto.
Are you talking about moving the radio signal between the victim and the door live while he's out and about? That's clever, but the attack could be easily precluded by requiring his approval (on the phone) before sending an unlock message. Which he won't give unless he's at his front door.
I see the product includes Automatic Unlock as a feature, but as long as it's optional I see no problem. Unless your threat model includes Oceans 11-style thieves and government agents, that's pretty freaking unlikely; anyone that sophisticated would probably have an easier time picking your $25 deadbolt, social engineering the landlord, breaking a window, etc. anyway.
If your threat model does include these things, what are you doing buying consumer security hardware anyway?
And you can buy one for less than $100: http://www.sena.com/products/industrial_bluetooth/sd1000.php
So let me see, EV of robbery equals: Price of macbook + tv + jewelry, etc, etc, etc minus $100
Seems likely that you are gonna be robbed if anyone with mal-intention has any grain of understanding how easy it is to mirror an auto unlock signal...
Picking and bumping these locks requires cheap, dumb hardware and minimal skill. Your attack requires two operatives and some tradecraft - choose a target that uses August and has auto-unlock turned on, shadow him, get within Bluetooth range at an opportune time, etc. It requires planning, skill, and coordination. That's a bit harder than bumping a Kwikset or breaking a window.
Also, some possible electronic countermeasures (in software):
1) Confirm proximity to the door with a GPS fix before sending an unlock signal. Require confirmation if location is unavailable. Yes, civilian GPS can be spoofed, but that's a pretty sophisticated hack for a burglar. We're now at a difficulty level on par with defeating even the most expensive mechanical locks.
2) Always ping the user when an automatic unlock signal is sent. If your phone tells you it's just opened your door while you're at Starbucks, you know there is an intrusion in progress and you can call the police.
