Last week, BoxLock showed off their high-tech security lock that includes a bar code scanner on the ABC show Shark Tank. The lock was designed for applications where you would want to allow third party access to the protected area. For example, a delivery driver can open the lock by scanning a package bar code, and the lock would take care of marking the package as delivered. A device like this is useful to protect packages that are left on your front porch from theft. The implementation of this lock wasn’t enough to get one of the sharks to invest though. Additionally, the lock itself was not as secure as it should be.
While a network security specialists would look at vulnerabilities on the wireless communication to see if there are any unauthenticated commands that could be sent or spoofed, a lock specialists, such as the LockPickingLawyer, would look at the physical security of the lock. This particular lock that made it onto national TV had a little flaw the LockPickingLawyer recently posted a video showing that a screwdriver could disassemble the lock. This isn’t the first or even second time a screwdriver was able to compromise a network-connected lock device. In the case of the BoxLock, he removes two screws from the bottom of the lock before pulling the lock apart with his hands in just seconds. Next he removes 4 more screws to defeat the locking mechanism. As he points out in the video, the record for tech companies creating a physical lock of quality is very poor.
As we continue to digitize many of our devices, we cannot forget about physical security. In many cases, once someone gains physical access to a device, they can bypass all passwords and security. For example, they might copy the configuration from the device through serial access, edit it and re-apply it.
Except for high-quality commercial security systems that can be expensive and out of the reach of small businesses, the old fashioned lock and key is likely the best option for physical security for the time being.