7 comments

[ 3.9 ms ] story [ 37.5 ms ] thread
Oh, cute. I like that the design marries the traditional function with the power source. When it comes down to it, this isn't logically different from a badge and a doorknob unlocked by one. The act of inserting a key is familiar, though, and the fact that it doubles as a way to power it is nice.

I do wonder how it handles revocation though. After all, if you were to revoke a key, there'd have to be an efficient distribution mechanism or someone could just use it before the lock was updated.

WRT revocation, it says

> Lock acts as a part of D2D network which allows easy updates to blocked keys list.

However that makes me wonder how it gets power? Or does it use the power from insertion to phone home at that moment? Can an attacker jam right then?

Also, AES256 is sort of a weird algorithm to put front and center. I'd expect something instead based on asymmetric crypto, probably public/private certs.

Also, I kinda want to see lock picking lawyer's take on the physical construction itself. I know enough to know I don't know anything in that space.

Assa Abloy's eCliq stuff (similar to this) uses asymmetric crypto for some parts and symmetric for short-lived stuff. The lock cylinders in that system are updated with new CRLs when inserting a key which has been updated, and authorisations are typically pretty short-lived (we use 1 day for most stuff - engineers sync up their key via an app in the morning and then they're set - and only 15 minutes for high security things, which is enough to go find signal and get back if you're in an area with spotty 4G). The keys also pull access logs off cylinders whenever they're inserted and sync up to the server next time they're synced with the app.

Dunno if this system works the same way. We went through a few of these sorts of things before settling on the Abloy solution, and most of the stuff we saw was atrocious from an infosec perspective (let alone physical). The Abloy system uses CR2032s in keys, which last a year or two, whereas this seems to do some sort of low-power networking off of mechanical energy harvesting?

> The act of inserting a key is familiar, though, and the fact that it doubles as a way to power it is nice.

One annoying issue at least with their older keys were that there was essentially certain speed you had to use to insert the key. If it was too fast or too slow it simply didn't work and you had to re-insert the key.

Not completely sure about revocation, but I think it requires using kind of "setup" key to update (i.e. ends up requiring physical visit to lock). https://www.iloq.com/en/products/iloq-s5-en/programming-equi... https://www.iloq.com/en/single_product/programming-device-p1...

From some cursory searching, it looks like earlier versions of ILOQ were pretty weak from a security perspective. Is that still the case? The product sounds kind of cool.
This (iLOQ S5) was released in 2019.

It and its predecessor (S10 released in 2007, which is a similar battery-free digital lock) are fairly popular locking systems in Finland, e.g. in apartment buildings.

Their main competitor Abloy also has similar products (Abloy Pulse), along with traditional locks (e.g. Protec2). Practically all door locks in Finland are either Abloy or iLOQ.

I wonder - has LockPickingLawyer taken a look at this thing?