This story has been another unfortunate illustration of Bluetooth security vulnerabilities and lock vendors who may lack the expertise in cybersecurity to secure your property properly when using digital keys. In this case, the attack strategy used is known as a relay attack.
How we prevent relay attacks
Relay attacks are well known. The only excuse we can understand for making it possible is “we didn’t know better”. Security experts should. We prevent relay attacks with the following process.
- Every lock has its own digital certificate signed by the Teleporte Digital Signing Authority (DSA).
- Every Teleporte Mobile App downloads the digital certificate and authenticates the lock’s digital certificate with the Teleporte DSA.
- The mobile device only communicates with locks that are verified authentic through steps 1 and 2. Mobile devices use the lock’s public key to encrypt information, knowing the only endpoint capable of decryption is the lock itself.
- We change the encryption for every new connection between the lock and the mobile device.
Step number 4 is the key (no pun intended) to preventing a relay attack. While a sniffer might be able to see and repeat the byte sequence that unlocked the lock moments ago, the lock enforces a new method of encryption for each connection. Repeated old data is useless in future connections.
We like our competitive advantage in digital security. We’d like it even more if people could trust keyless access solutions in general.