Registered: Sep 1999
Location: Texan in Calgary for a while
Posts: 1361

Discuss the news item on the Bluetooth hotel demo here.

__________________
James Hromadka
Old Friend

Registered: Jul 2000
Location:
Posts: 3034

My biggest question is "How do I get an invitation?" Definitely going to have to hit the Bluetooth Pavillion and Widcomm's booth early.

Registered: Dec 1999
Location: "Children are a gift from God, they are a reward"
Posts: 1049

I may be a little pessimistic, but has anyone else thought that it might be a tad less then secure to allow rooms to be unlocked via radio waves? Most hackers would probably only take up the challenge to crack such a system for fun, but I can see a criminally minded individual having at it too. I guess a system with some sort of rolling code is possible. I do like the idea of having seamless connectivity between my PDA, computer, and peripherals though.

Registered: Jan 2000
Location:
Posts: 434

I'm still in "wait and see" mode re: bluetooth. Not only do I want to see real world independent compatibility test results between bluetooth devices; I also want to see testing that confirms that there is no impact on wireless ethernet. The hotel demo is cool, and hopefully this signals that there are now enough devices available for real testing to begin.

Registered: Jul 2000
Location:
Posts: 3034

quote:

---

Originally posted by BobbyMike
I may be a little pessimistic, but has anyone else thought that it might be a tad less then secure to allow rooms to be unlocked via radio waves?

---

No less de facto secure than my truck alarm or garage door. It all depends on implementation.

quote:

---

Most hackers would probably only take up the challenge to crack such a system for fun, but I can see a criminally minded individual having at it too. I guess a system with some sort of rolling code is possible. I do like the idea of having seamless connectivity between my PDA, computer, and peripherals though.

---

I can't see how they could not implement it with some sort of rolling code functionality. Otherwise someone sitting next to you on a bus/subway/whatever could start using your bluetooth phone to talk to his friends in Afghanistan with his bluetooth headset and dialing pad.

Registered: Oct 2000
Location:
Posts: 4

RF access security

I agree that RF access security isn't the greatest idea. It might be fine for your garage door, where no one is lurking around to sneak in as soon as the door opens (hopefully). But in a public setting where a door needs to open for a lot of people in close proximity to each other, but still distinguish between them, IR would be much more suitable. You can set up a narrow passageway with an IR sensor at the end, and each user needs to point their PDA at it and send an authorization code. Because of the whole line-of-sight thing, narrow beam angle, and limited distance, this can work quite well. Using RF with a reach of 30 feet or so, however, it becomes virtually impossible to distinguish between you and the guy behind you. You definitely need a secondary means of identification, which kind of defeats the whole purpose of the PDA then.

__________________
Uwe Wolfgang Radu

Registered: Jan 2000
Location:
Posts: 434

While I believe the bluetooth spec allows for signaling out to the distances you mention, I believe that most vendors are designing their devices to "only" operate with another device that is within three to six feet. Signal range is a function of signal strengh and receiver sensitivity (but in this class of devices, signal strength is king); therefore the weaker of any two devices will determine communication range. It has been awhile, but I believe that it is possible to configure a bluetooth device to only interoperate with "approved" devices (via a process not unlike adding a network printer to a local PC).

BTW, I do agree that IR would be a better solution for this particular application.

Registered: Jul 2000
Location:
Posts: 3034

Re: RF access security

quote:

---

Originally posted by uwradu
I agree that RF access security isn't the greatest idea. It might be fine for your garage door, where no one is lurking around to sneak in as soon as the door opens (hopefully). But in a public setting where a door needs to open for a lot of people in close proximity to each other, but still distinguish between them, IR would be much more suitable.{...}

---

Registered: Oct 2000
Location:
Posts: 4

RF security

Why does it have to address the original poster's concerns? He mentioned access security, and I thought of a different reason why RF isn't a good technolgy for that. I never implied to address his particular concerns. I believe there are acceptable cryptographic approaches for his concerns, which are already in use outside the Bluetooth realm, so I don't share that particular concern. However, I do believe that the non-directional nature of RF makes it intrinsically less suitable for the kind of application that was mentioned.

__________________
Uwe Wolfgang Radu

Registered: Dec 1999
Location: "Children are a gift from God, they are a reward"
Posts: 1049

In theory it is possible to develop an uncrackable cryptographical solution to this problem, my concern invloves the omni-directional nature of radio waves. A decent programmer familiar with how a system could, also in theory, over ride a PDA with a stronger transmitter and basically "tell" the room that it was the PDA. Therefore defeating the security function. You can argue that it would be hard for someone to crack such a unit, I posit that anything that can be made, can be cracked. Also, if a company is telling itself -"this unit will only have a sphere of influence of six feet", how far will they go with the crypto? Not all codes are created equal, as we all know. Ask yourself this, do you think that any security minded instituion (the CIA, Banks, etc.) would think to use such a system- one that is inherently open? If they won't use one and they're just protecting information, why should you be excited about using it to access your hotel room? I think that it would be great to use for availing your self of services once inside the room, or at the checkout desk, but I stop at room access. I may be a bug about it, but I don't even like those cards they use. Hotels are notorious (sic) about being lax with room security, will that change suddenly?
By the way, your truck alarm and garage door are not secure, anyone with the desire to bypass them can find out how easily. They may serve to hinder casual thieves, but they also function in areas mostly covered already by your personal social space (ie, your neighborhood, workplace). Hotels are open ground, where the boundries of who is supposed to be there is unclear.
My concerns are not unfounded. I would need to see such a system rigorously attacked by third party testers before I was comfortable renting a room equipped with such a system. My wife and boys are very dear to me, and I intend to make sure nothing ever happens to them that I can prevent.
(by the way, I'm not a armchair philosopher, I have a background in Military security and cryptography)
BobbyMike

Registered: Jul 2000
Location:
Posts: 3034

Re: RF security

quote:

---

Originally posted by uwradu
Why does it have to address the original poster's concerns?

---

Registered: Jul 2000
Location:
Posts: 3034

quote:

---

Originally posted by BobbyMike
In theory it is possible to develop an uncrackable cryptographical solution to this problem, my concern invloves the omni-directional nature of radio waves.

---

Registered: Oct 2000
Location:
Posts: 4

RF access security

> It doesn't have to, but if you're going to change the
> context, it helps to be more clear that you're doing so.

Toby, I hate to say this, but pull your head out of your ass, matey! I was entirely on context--opening a door with a PDA--if you care to check the original topic. My point was that opening a door via IR where you have to point the PDA at the door within a narrow angle seems a lot more secure than some exchage via RF between the door and a PDA that it can't know is actually standing in front of it. It might actually be in a security transaction with the PDA in the guy's pocket at the next door down the hall.

To stay within your favored truck/garage door paradigm, if you're in the habit of unlocking your truck from far away and your remote has a very far reach, a guy standing next to your truck could jump in as soon as the door is unlocked and either hotwire it and drive off, or make off with some dearly beloved object from inside your truck.

But I've exhausted my interest in this topic, so I will stop now.

__________________
Uwe Wolfgang Radu

Registered: Jul 2000
Location:
Posts: 3034

Re: RF access security

quote:

---

Originally posted by uwradu
> It doesn't have to, but if you're going to change the
> context, it helps to be more clear that you're doing so.

Toby, I hate to say this, but pull your head out of your ass, matey!

---

Registered: Dec 1999
Location: "Children are a gift from God, they are a reward"
Posts: 1049

Hey Toby,
I hate quoting, so I'll just ramble on. My last comment on not being an armchair philospher was directed towards myself- ie, I don't just take a casual interest in the matters I was bringing up- personal safety and access to secure facilities. I was trained to look at situations and pick them apart from a security viewpoint. My gut feelings (truly unscientific, I know) is this is a system ripe for criminal exploitation. I'm not a guru though and I admit that I could be way off base.
My actual concerns have nothing to do with material possessions being stolen from a hotel room, or credit card theft. I doubt if hotels will change their policies on these matters even if they leave themselves open in such a way. They're not responsible now, why would they want to change that? (I do see a leap in credit card fraud inventiness coming about as such systems are developed)
If someone gains access to a hotel room with a crow bar, someone will notice quickly. The kinds of hotels that would be able to put in such a system are busy all the time, so I don't worry about that. My concern is that some could gain access and be in a room when my wife, my sister, etc. came in to the room. You can check the figures if you want, but hotels are one of the places a woman is most likey to be attacked in, when she is away. My concern here is personal safety.
As to your comment about windows, that was a bit facetious (sic) as gaining access through a hotel window is only done in movies. Next time you're in a hotel, check it out.
Your comment on the doorknob I take to mean picking the lock. That is rarely ever done in real life (picking locks is actually quite hard, it's a learned skill. I liken it to when some asks my wife how long it takes to make one of our handblown glasses- the physical act takes 5-10 minutes, but it took her 15 years to get to that level of ability). Most times access to a hotel room occurs with a stolen (or borrowed) key. This is where my concern comes in. If the theft, etc. occurring presently comes from people accessing physical keys they have filched in some way, there is an limit to how much can happen before someone notices. You have to usually have staff involved. If an 'outside party' finds a way to access rooms without any connection to staff at a hotel, the odds that they will be caught, is drastically reduced. Thus making the enterprise more attractive.
If you were a seriously bent individual, knowing that you could walk into any hotel equipped with such a system and get into a room easily, wouldn't you be more likely to try it out?
I also don't think that any of the agencies I mentioned would use Bluetooth, because it's not secure by it's nature. They don't mind spending more money on biometrics, etc. 'cause it's usually not their money they spend. I used that example because I wanted to point out that they don't have anything to protect more valuble than my family- why should I trust a system they don't?
As to your car alarm- unless it's a system like Nissans' vechicle immbolizer system, it's just that- an alarm. It doesn't do anything to physically slow down some one from getting into your car. A determined miscreant will steal your car regardless. There is no need to defeat your rolling code.
What I'm saying is that rolling codes will not prevent someone from cracking the system. The Return On Investment just has to be attractive enough.
I figure that with so much money on the table right now with research into applications a few niggling thoughts like mine are like to be ignored. I would just hope that they pay someone to find things wrong with their system and take steps to correct any openings BEFORE they put the system into widespread use.
Shoot, if they prove to me that it's safe I'll use it. I'm not an idiot, just skeptical.
BTW Toby, I don't think you have your head up there, your post are generally quite lucid.
BobbyMike

Registered: Jul 2000
Location:
Posts: 3034

quote:

---

Originally posted by BobbyMike
Hey Toby,
I hate quoting, so I'll just ramble on. My last comment on not being an armchair philospher was directed towards myself- ie, I don't just take a casual interest in the matters I was bringing up- personal safety and access to secure facilities. I was trained to look at situations and pick them apart from a security viewpoint. My gut feelings (truly unscientific, I know) is this is a system ripe for criminal exploitation. I'm not a guru though and I admit that I could be way off base.

---

No, actually, I don't think your assessments are anywhere near being off-base. They're quite accurate. My point was more that the existing system isn't that secure to start off with, so why is there likely to be any higher of a bar placed on new technology?

quote:

---

If someone gains access to a hotel room with a crow bar, someone will notice quickly. The kinds of hotels that would be able to put in such a system are busy all the time, so I don't worry about that. My concern is that some could gain access and be in a room when my wife, my sister, etc. came in to the room. You can check the figures if you want, but hotels are one of the places a woman is most likey to be attacked in, when she is away. My concern here is personal safety.

---

Wholly understandable, and the reason that my wife rarely travels without me, and never alone. I think your concerns are valid, but I think that there already exist easier ways to accomplish the same goal. Social engineering is the least watched by some security people, and yet is the most used by some of the most dangerous, e.g. Ted Bundy types.

quote:

---

As to your comment about windows, that was a bit facetious (sic) as gaining access through a hotel window is only done in movies.

---

Yeah, some of my comments were made facetiously (which is easy to spell properly since it uses all the vowels in English in the correct order), but I frequently cloak serious points in humor.

quote:

---

Next time you're in a hotel, check it out.

---

Always do. That was kinda related to my point as well. I know that I'm more diligent and security conscious than the average person (for various reasons). I consider hotels highly insecure to start off with, and don't see Bluetooth with a modicum of security measures to be making them any less secure than they already are.

quote:

---

Your comment on the doorknob I take to mean picking the lock.

---

Not necessarily. I was referring more to any sort of social engineering skills to get into the room (waiting for the cleaning ladies to make their rounds, bribing someone on the inside, etc.).

quote:

---

That is rarely ever done in real life (picking locks is actually quite hard, it's a learned skill. I liken it to when some asks my wife how long it takes to make one of our handblown glasses- the physical act takes 5-10 minutes, but it took her 15 years to get to that level of ability).

---

Very valid point, but it also points out why it's harder to compromise Bluetooth than a key.

quote:

---

Most times access to a hotel room occurs with a stolen (or borrowed) key. This is where my concern comes in. If the theft, etc. occurring presently comes from people accessing physical keys they have filched in some way, there is an limit to how much can happen before someone notices. You have to usually have staff involved. If an 'outside party' finds a way to access rooms without any connection to staff at a hotel, the odds that they will be caught, is drastically reduced. Thus making the enterprise more attractive.

---

If this is likely to happen, though, it's already possible with key cards. Careless hotels will likely continue to be careless and diligent ones will continue to be diligent.

quote:

---

If you were a seriously bent individual, knowing that you could walk into any hotel equipped with such a system and get into a room easily, wouldn't you be more likely to try it out?

---

If I were a seriously bent individual, would I likely think the consequences that far through?

quote:

---

I also don't think that any of the agencies I mentioned would use Bluetooth, because it's not secure by it's nature. They don't mind spending more money on biometrics, etc. 'cause it's usually not their money they spend. I used that example because I wanted to point out that they don't have anything to protect more valuble than my family- why should I trust a system they don't?

---

I'm guessing you only apply this to physical security? Otherwise, I'd hesitate to ask you what kind of money you spend on utilities (secured phonelines, etc.).

quote:

---

As to your car alarm- unless it's a system like Nissans' vechicle immbolizer system, it's just that- an alarm. It doesn't do anything to physically slow down some one from getting into your car. A determined miscreant will steal your car regardless. There is no need to defeat your rolling code.

---

It's not a factory system, but it's not just an alarm. It's made by Clifford Electronics (highly recommended BTW - http://www.clifford.com ). If activated, the ignition can't be started even if the control unit is disconnected.

quote:

---

What I'm saying is that rolling codes will not prevent someone from cracking the system. The Return On Investment just has to be attractive enough.

---

heh...I doubt that my truck is worth the investment in a tow truck.

quote:

---

I figure that with so much money on the table right now with research into applications a few niggling thoughts like mine are like to be ignored. I would just hope that they pay someone to find things wrong with their system and take steps to correct any openings BEFORE they put the system into widespread use.

---

heh...that's exactly the reason I'm so keen to attend the demo. I want to grill the manufacturers on the specifics to see if it's got any significant holes that would preclude other applications.

quote:

---

Shoot, if they prove to me that it's safe I'll use it. I'm not an idiot, just skeptical.
BTW Toby, I don't think you have your head up there, your post are generally quite lucid.

---

ditto

Registered: Dec 1999
Location: "Children are a gift from God, they are a reward"
Posts: 1049

OK with all you said, except about a seriously bent person not thinking far enough ahead. Ted Bundy is an example of what I think of as a seriously bent person. Most sociopaths of that caliber are extremely careful and plan their mayhem so there is a minimum of risk to themselves.
With that cheery thought in mind I wish you a good morning!
BobbyMike
P.S. does your alarm lock the ignition, or shut down the battery? The Nissan system actually will allow someone to hot wire the ignition, but without the chipped key it will lock the transmission.

Registered: Jul 2000
Location:
Posts: 3034

quote:

---

Originally posted by BobbyMike
P.S. does your alarm lock the ignition, or shut down the battery? The Nissan system actually will allow someone to hot wire the ignition, but without the chipped key it will lock the transmission.

---