• EmperorHenry@discuss.tchncs.de
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    Mechanical locks CAN be designed well. If you put good security pins in there and have decent springs in them and make the exterior of the lock out of a good material they can be way more secure than any digital “smart” lock

    • ed_cock@feddit.de
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Mechanical locks CAN be designed well.

      So can even the most superfluous IoT devices, though. It’s just that they aren’t.

      they can be way more secure than any digital “smart” lock

      Typical mechanical locks are fundamentally flawed. Think of it like this: They are opened by a short combination of digits, represented by the key. There is no lock-out mechanism if someone keeps trying to guess the combination, even if they try many per second and there is no user-friendly way of resetting the combination if it has been compromised.

      The tolerances, even in good locks, have to be high enough to enable attackers to guess the combination digit by digit, not as a whole, significantly reducing the time needed to guess it. You can try to mitigate this a little with special pins and weird key ways, but it’s ultimately a necessity, otherwise the lock would constantly fail to open or even break.

      When you have a master-keyed system, the digits represented by the master key (the root password, essentially) will always be lower or equal to any non-master key you find. This, too, can be exploited, allowing an attacker to safely derive a master key from any other key in the system.

      Also, keys can be reproduced from photographs. That alone is a disastrous flaw. Just imagine the CVEs that would be written about the flaws above, and the manufacturer’s response. “But you need skills for that” is never an excuse in the digital realm, it shouldn’t be in the analog either.

      Meanwhile a well-implemented digital lock has all the important components on the other side of the door, exposing only a contactless card reader to interact with. The cards or tokens aren’t dumb data storage, they support public/private authentication, meaning they can not be copied by someone walking up to you with a high-powered reader. There is no port to connect to, no pins to jiggle, just a dumb NFC reader that you can’t even open non-destructively.