Security through obscurity is unacceptable.GE Supra Electronic iBox Lock Box Real Estate Key Box Deprogrammed Welcome to Particular Pickers T reasure Chest PLEASE be sure to read all the blah. Given the stakes involved (consider that many properties on sale have families living there) this is an area where
But without adequate documentation one can only guess. Granted all of these risks could have been foreseen and addressed by the architects. Such brute-force attacks could be easily mitigated by having a lock-out mechanism that disables the release after a handful of failed attempts. That may sound just as difficult as say trying all possible combinations on the old-fashioned mechanical version of the lock-box, but having computers in the loop allows such exhaustive searches to be conducted in small amount of time. With 4 digits there are only 10000 codes to try. There are also questions about PIN entry itself. (That raises the question of whether all real-estate agents receive the same key or different one.) Combined with the references to syncing the DisplayKEY, this points at a rotating key scheme where the manufacturer periodically sends updated key material to the devices, which is used to authenticate to the lockbox. At least one of the brochures has language consistent with this disturbing possibility: instructions require typing in the PIN before pointing the device at an iBox, which suggest the PIN is not in response to some challenge from the iBox. In the worst case the PIN is not even validated by the lockbox it simply unlocks functionality latent in the device. Critical detail missing here is whether the PIN is stored on the device (in which case it can be easily compromised in case of theft) or whether it is only known to the agent and lockbox. According to description of the eKEY application for PDAs, the real-estate agent has to enter a PIN before the application can proceed. It's not clear how access control is implemented, and who is granted access to the keys inside. What is missing from the picture is description of the security model: iBox and its competitors have to contend with authentication and authorization, and often systems in the past have muddled these together. It can also be programmed to block access based on time, for example to keep out visitors at inappropriate times, which implies the device must have an internal clock.
But this trace is limited to 100 entries, and it's not clear if failed access attempts are logged- which could be just important as knowing successful accesses. That in turns suggests each agent gets a different code. First the lockbox has some rudimentary concept of auditing, because it logs which real-estate agents accessed it. (quote: "Supra is the only electronic KeyBox provider that uses the IrDA standard for a flexible, open architecture YET SECURE operating system platform.") Marketing-oriented blurbs on the website offer a few clues. There is no description of the protocol used to unlock the devices, and very little in the way of addressing security concerns except for one all-capitals reference. According to information on that website the Supra iBox is compatible with several smart-phones from Kyocera, Treo and Samsung as well as PDAs from Palm and Sony. GE-Industrial manufactures one model where the lock is release by an electronic signal delivered via infra-red ports of an ordinary hand-held device. While the concept is ancient- this online merchant offers about a dozen items priced in the $10-$20 range, all with mechanical unlock schemes- new risks are being introduced as the boxes go high-tech. This is a sealed box containing the keys to an apartment or house, usually left outside the door to allow prospective buyers to visit the property when the current residents are not present. Many real-estate agents use electronic lock-boxes for properties on sale. Another example of security in virtual space translating directly into security in physical space.