SoylentNews is people
SoylentNews
A hi-tech padlock secured with a fingerprint can be opened by anyone with a smartphone, security researchers have found.
On its website, Tapplock is described as the "world's first smart fingerprint padlock".
But researchers said it took just 45 minutes to find a way to unlock any Tapplock.
[...] The "major flaw" in its design is that the unlock key for the device is easily discovered because it is generated from the Bluetooth Low Energy ID that is broadcast by the lock.
Anyone with a smartphone would be able to pick up this key if they scanned for Bluetooth devices when close to a Tapplock.
Using this key in conjunction with commands broadcast by the Tapplock would let attackers successfully open any one they found, said Mr Tierney.
In response, Tapplock said in a statement that it was issuing a software update.
-- submitted from IRC
(Score: 3, Interesting) by JoeMerchant on Saturday June 16 2018, @02:08PM (2 children)
First place I worked used a "fancy" 8 bit checksum on their RS232 command input, all confident in how hashed up it was and optimally error resistant... whatever. Our first customer hooked up 250' cables to the 232 input ports (against our max 50' labeling) routed them through the ceiling with a bunch of noise sources, and then the devices started reprogramming themselves within a couple of hours of being connected to the noisy cable - after a couple of days just about every setting on the device would be messed up. There's no beating the infinite number of monkeys with an 8 bit checksum.
Next place I worked was much more serious: implantable neurostimulators, and on the first day of the job what did I discover? The programmer, which was capable of programming the device to deliver up to 4x the current approved for use in humans - potentially stopping the patient's heart, used (I'm disappointed if you haven't guessed already) an 8 bit checksum. Concerned that this might be some kind of competency / courage to speak up test, I spoke up and was directed to the "expert witness" engineer who did a calculation "proving" so many millions of years between erroneous programming events yadda yadda yadda. I told him, politely, "I don't believe your calculations." and let it drop - first day on the job, just moved over 1000 miles to be there, wife 8 months pregnant, etc. Less than 2 years later he, I, and the lead engineer on the programmer software were called into a room to investigate reports of erroneous programming events, painful stimulation, and an unconnected disappearance of a patient while surfing the day after one of these reports... seems that the checksum for maximum stimulation, and the programming code for it as well, is identical to a common setting but with the last 11 bits all set to 0 instead (this thing programmed at about 50 baud...), so... start a normal programming transmission and pull away the wand at the right moment and your patient will (thankfully immediately) begin to scream OW OW OW OW!!!! while they get maximum stim. Cool heads prevailed and reprogrammed the device to normal settings in all cases, nobody's heart stopped (that we are aware of), and we rolled an update to the programmer software that changed the sequence to make that scenario not happen anymore, but... at least the next generation device (not released for another 2 years with ~15,000 patients being implanted per year) upped the checksum from 8 bits to 16... I pitched the argument that 32 bits absolutely kills the security question, but was overruled by a battery life zealot who did a calculation showing that 32 bit checksums would reduce the implant life from 7 years to 6 years 11 months, and 7 years was our target...
🌻🌻 [google.com]
(Score: 1) by anubi on Sunday June 17 2018, @10:16AM (1 child)
Thanks, Joe... I found that very interesting.
Very few people have the experience to post such a thing, or are even aware of stuff like this.
It probably would not surprise you if I told you one of the first things I do with "high reliability" power supplies is go get some jumper wires and a file. I connect one jumper to the file, and rub the other up and down the file, while its connected to the power supply output. A winding to a small power transformer in series with the circuit increases the severity of the test significantly, but you gotta be careful as the inductive kickback will send you sailing if you touch the setup while testing. I've ruined more power supplies that way. But best do it in my office in front of the sales rep than have it happen in the field. ( I'm referring to those little power supplies that are intended for powering field microprocessors. ).
If I did not do this, mother nature will. This was in a oil refinery in Mississippi. We had lots of thunderstorms and lightning. In the middle of a thunderstorm is a really bad time for our stuff to fail.
I will also do that to I/O ports. Another thing I will do is hit 'em with piezoelectric barbeque starters. The ESD protection is supposed to protect against things like that. You never know when you connect to a long piece of wire just what pin makes connection first, anyway.
And I would just watch as the sales rep grimaced, and my mentor smiled.
Incidentally, Lambda, you made some damned good power supplies!
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by JoeMerchant on Sunday June 17 2018, @01:31PM
Thank you. Over the years I've noticed A) that the ESD "standard" tests don't seem to hit devices with nearly as much energy as I can generate in a finger while wearing wool pants on a dry day (in Florida, no less) and B) ever so slowly, little by little, the standards are increasing their requirements. Nonetheless, it seems that failing ESD testing is one of the most common development experiences - people think they've got it handled then something changes and they start failing again. It's a hard test to pass - lots of tradeoffs when trying to pass high frequency signals through the port, or in the case of the neurostimulators - efficiently deliver nice sharp low energy pulses.
In the early 1980s we had a cable box on top of our TV - when lightning would strike off in the distance we'd get sparks arcing between the box and TV - bad grounds, not to code, I'm sure, but that didn't change the fact of it happening.
🌻🌻 [google.com]