lock escalation?
Yale Weds: Just some system maintenance, nothing to worry about. Yale Thurs: Nobody's smart alarm app works
Yale Security UK says it is repairing its online systems after some unplanned maintenance turned into a total outage – and prevented folks from controlling their Yale smart home alarms via its smartphone app. The locksmith said it was working through the night into Friday morning to address the gremlins that had left its users …
COMMENTS
-
Friday 12th October 2018 11:36 GMT defiler
Re: "I’m an engineer, I work in IT..."
Came here fully expecting this legitimate tirade.
I looked at the Yale smart alarms when I was alarm shopping. Then I realised that it offered me almost precisely nothing I cared about and introduced 1000 things that could go wrong and which I was in no control of.
At least one of those should have flagged itself in the mind of an 'IT' 'engineer'. Unless, of course, he's a civil engineer who unjams printers because nobody's pouring concrete just now.
-
Friday 12th October 2018 20:59 GMT Anonymous Coward
Re: "I can’t enter my property I only have the App!"...
In my experience on the Hell Desk, the phrases "I'm an engineer" or "I work in IT" usually mean the grand sum of the caller's technical experience is that they once upgraded the video card in a computer that they purchased from a retail store.
-
Friday 12th October 2018 21:27 GMT Orv
Re: "I can’t enter my property I only have the App!"...
I've worked in IT for almost half my life at this point, and I never use it to pull rank with helpdesk staff. For one thing it doesn't actually help.
I will say that this Yale screwup offends my sense of professionalism, though. It's painful watching someone do something you're good at badly.
-
Saturday 13th October 2018 07:28 GMT Ken Moorhouse
Re: "I'm an engineer"
Reminds me of an incident in a London Transport ticket office many years ago where a bloke dumped a pile of shrapnel (1p's and 2p's) in the cash bowl to buy a tube ticket. The booking office clerk said "Sorry, I'm afraid that's not legal tender." The bloke then went into meltdown about how he was a lawyer and how he was going to sue London Transport. He even got his cheque book out to prove he had LLB after his name.
-
Sunday 14th October 2018 17:32 GMT stiine
Re: "I can’t enter my property I only have the App!"...
re AC "In my experience on the Hell Desk, the phrases "I'm an engineer" or "I work in IT" usually mean the grand sum of the caller's technical experience is that they once upgraded the video card in a computer that they purchased from a retail store."
You must work for Comcast or AT&T.
The last time I called AT&T to report a problem with their equipment, I had to remove my commercial firewall and connect the link directly to my pc because they said my commercial firewall (which had only recently been relocated from an office network to my home network) was not compatible with their service (that was the same at both the office, and my house).
-
Friday 12th October 2018 07:32 GMT Giovani Tapini
I still have an old-school rule to follow
Never trust an electronic lock.
Also note - lock makers are better at engineering than software and have made the most basic errors more than defeating all but the illusion of security. This may change one day, but I will not be holding my breath.
Either way, their server has locked up, their PR team has locked down communication, and people are locked out of the homes. All I need is a lock in at my pub to finish the day...
-
Friday 12th October 2018 08:02 GMT Steve the Cynic
Re: I still have an old-school rule to follow
> Never trust an electronic lock.
It's not a good idea to put blind trust in a *mechanical* lock either. Mechanical locks have two advantages, though:
* They continue to be locked, and unlockable, when the power is off.
* Someone trying to open them has to be physically present at the lock while doing it.
-
Friday 12th October 2018 08:09 GMT Anonymous Coward
Re: I still have an old-school rule to follow
I think this was affecting their alarms, rather than the Yale smart locks. Nobody who had the system properly set up should have been prevented from entering their home - it was only the app that didn't work so the keypad/fobs were still functioning (they work completely independently of the "smart" side of it). And the alarm system continues to function without internet or power, it just can't send alerts.
-
This post has been deleted by its author
-
Friday 12th October 2018 09:07 GMT Down not across
> To be fair, they are at least doing maintenance and attempting to improve the system and security that they are providing the public...
Given it was unplanned maintenance it sounds more like something went wrong and they were trying to fix it rather than improving anything. Looks like they may have broken something else while trying to fix the original issue.
-
Friday 12th October 2018 14:27 GMT EveryTime
> "To be fair, they are at least doing maintenance and attempting to improve the system ..."
No. "Unplanned maintenance" is a PR phrase for "the system crashed, probably corrupting all of the data. We don't have a backup system, and the recovery plan was stored only on the system that crashed."
-
Friday 12th October 2018 07:48 GMT Lee D
"I’m an engineer, I work in IT, this is not acceptable. Who signed this work off? What was the rollback plan ? Call yourselves a security company ? Shameful. @BBCBreaking @Channel4News @BBCRadio4 @CNN @Reuters here is a story for you! I can’t enter my property I only have the App!"
Gosh. You'd think a guy who worked in IT would understand the importance of a way to enter when the app went down, really wouldn't you? I mean, backups and resiliency, and all that. I wonder if he even has two Internet connections at home in case one fails and he can't get back in?
People like this annoy me greatly - I work in IT and though Yale might be damn shoddy, for sure I wouldn't be embarrassing myself saying "I have no other way to get into my property except a smartphone app dependent on a third-party". For a start, I'd have a manual key lock or a bypass code on a secondary lock that overrode it, even if I never really needed to use it.
-
Friday 12th October 2018 08:04 GMT Anonymous Coward
I've got a Yale smart alarm, and have a keypad inside that can be used to arm/disarm. If this guy has chosen not to install one of those (and I'm not sure why - they're included when you buy the thing) that's bloody stupid. You can also get key fobs and tags, so there's really no excuse.
I really wouldn't want to rely on the Yale software at the best of times, it's quite buggy.
-
Monday 15th October 2018 08:11 GMT fajensen
Re: If this guy has chosen not to install one of those ...
Then he probably wouldn't say "my property" and would probably be yelling at his landlord, instead of Yale
The average Daily Mail reader would absolutely say "my property" about their rented room in a shared flat a good 40 minutes walk from the tube!
-
Friday 12th October 2018 08:15 GMT hokum
Re: Not Surprised
Well, you can see when your door is opened and set up temporary access for visitors remotely. There are a number of scenarios where someone may find that sort of thing useful.
Though as someone who is otherwise all in on the internet of s**t, I don't trust smart locks just yet.
-
Friday 12th October 2018 08:49 GMT Anonymous Coward
Re: Not Surprised
> I don't trust smart locks just yet
Just yet? You mean you foresee a day when you will? What's the possible advantage of a smart lock over a mechanical lock, other than not having to carry a key?
Companies like Google, Apple and Microsoft, who have unlimited resources and employ some of the smartest people around don't get security right all the time. Does anyone really believe that a company like Yale with a fraction of their resources and probably none of the smartest people around should be trusted with the security of their home, or their business from which they make their livelihood?
Mechanical locks aren't perfect, but the risks are known and can be mitigated such that it would be easier for a thief to enter via another method than the door. With an electronic lock you have the ever-present risk that a remotely exploitable 0 day could be found against it.
It's conceivable someone could hack Yale's system and set every electronic lock of theirs to permanently open, or permanently locked, so that having your lock replaced would be the only fix!
-
Friday 12th October 2018 09:59 GMT Lee D
Re: Not Surprised
Smart locks are dumb ideas.
But non-mechanical locks are fine. E.g. magnetic strikes, mag-locks, etc. People - and businesses - use them the world over.
The advantages are many: Auditability of access. Alerts on access. Ability to rescind access (try taking a key back from a tenant - you'll end up just changing the locks).
And if you don't "cloud" every-fecking-thing, then it works great. To get in my workplace, you have to force entry. It's that simple. Even if the power goes out, the Internet goes down, etc. then you have to force entry. Except... if you are an authorised user. When you just tag and in you go. The only complicated scenario is a seriously extended power-outage which exhausts ALL the batteries. In which case there is a single method of entry in "fail-open" instead of "fail-secure", which is protected by a physical key. Thus entry can be made only by the genuine people even in absolute power-failure for weeks on end.
What you don't do is have this smartphone-connected junk or, if you're going to have that, you remote-access your secure internal systems via a proper method, not a junky smartphone app that relies on Yale. What you do is VPN into your own system and access it directly. If someone works out how to get into your VPN, it's already game over anyway, presumably. And you can do that from a smartphone really easily.
It's a matter of "design", not the tools you use in that design. You have to consider what happens in every circumstance, not just "I'll assume this will always work".
The other thing is - can this Yale lock, in theory, lock you in the house? Because that's a death-in-a-fire waiting to happen.
-
Friday 12th October 2018 14:35 GMT SloppyJesse
Re: Not Surprised
@Lee D
I agree. With most IOT devices it's the architectural decision to include a 3rd party server in the mix that makes me twitch. An app could be designed to contact the iot device directly, no need for the manufacturer to put their server in the middle. But then how would they slurp data on usage to ~~improve their product~~ sell more tat?
-
Monday 15th October 2018 08:22 GMT fajensen
Re: Not Surprised
> To get in my workplace, you have to force entry. It's that simple.
That's probably the most important point of having a lock. If the place is burgled, we want evidence of the burglary so that the insurance pays up.
With the IOT-crap dropping its knickers on every occasion, and the police IT-skills being what they are for the foreseeable future, it might be hard to prove an illegal entry.
-
Monday 15th October 2018 10:08 GMT Lee D
Re: Not Surprised
It's the only reason that locks and British Standards clauses exist.
Nothing is secure. Any front door can be taken down in under 60 seconds, as can any car. What matters is that you can't do it *without damage*. Insurers want to see signs of forced entry, or no-payout.
Nobody even tries to pretend that your car is secure. It's a mobile device like any other. That's why we put GPS trackers and stuff on them. But I don't have any involvement with Ford to open my car door. I press a button, or I put the key in the lock, it CANNOT talk home - it doesn't even have any method by which to do so.
The difference is - I'm not relying on my car locks to secure my car from theft. They can't. They secure it from "opportunist" opening of my doors and nicking whatever is in the footwell/centre console. I also don't leave anything in my car overnight. What I do is, I take it out... and put it in the house. Because forcing entry to my house is a) harder, b) more obvious, c) much more likely to attract attention (not just mine, but mine's the only one that matters), d) can't be had as a quick getaway.
But, certainly, my car and my house have something in common - you could easily get in if you really wanted to, but you would have to leave evidence of doing so... and that means my insurance pays out. If the Yale lock decides to just randomly open, or they get hacked and an "open all customer's doors" command is sent, I have precisely zero recourse to my insurers (seriously, read your policy... "forced entry"), though I might be able to sue Yale (though it's unlikely I'd get full compensation for anything that was taken even then... more likely Yale would go bankrupt first!).
-
Friday 12th October 2018 17:51 GMT Anonymous Coward
Re: Not Surprised
Yes, my car's fob has a real key too. Plus it connects directly with the car, it doesn't depend on the cloud.
But if you care about your car's security, you best not look too closely into how easy it is to defeat such systems. At least when someone physically breaks into the car it leaves evidence making insurance claims a bit easier.
-
Monday 15th October 2018 10:53 GMT Muscleguy
Re: Not Surprised
The problem with an electronic lock is what happens when the power goes out? If that causes the lock to fail open then it is inherently insecure, cut the power and enter. If it fails locked you are locked out, or in, without a physical backup. If you must carry a physical backup then it defeats the object of the powered solution.
This is the fundamental reason why I am not in any way sold on IoT. Pace the epic tale of the guy trying to get his internet enabled kettle to boil who ended up eating dinner in the dark because his smart lights were updating.
-
Monday 15th October 2018 11:44 GMT Anonymous Coward
Re: Not Surprised
I'm sure the reply will be "there are batteries in them, duh" but batteries go flat eventually. I wonder if the software is able to detect that so you will know to replace the battery before you find out the hard way trying to get into your house during a power outage?
I'll bet most of them recommend replacing the battery on a schedule to avoid that, as if everyone will remember. The only way most people remember to replace batteries in smoke detectors is in the US every time daylight savings time changes the news will remind people they should change the batteries in their smoke detectors. Six months is a little quick, but better too often than not often enough. I wonder if the people who want to eliminate daylight savings time have included the potential deaths from people with flat batteries in their smoke detectors as a cost of that?
-
Friday 12th October 2018 11:34 GMT MJI
Just use an old debit/credit card.
It is THAT Yale isn't it?
I keep an old debit card in my pocket as it is easier to get in the house using that than hunt for the key.
I keep saying, top lock is rubbish use the bottom lock (deadlock).
So if any other family member uses the Yale I use my old debit card, then mention so can thieves.
-
Monday 15th October 2018 10:44 GMT Muscleguy
When I locked myself out*, old door, can't with the new one, I rang several numbers of local locksmiths I found with my phone. They were all the same guy who refused to come out.
So I was forced to break into my own home. Fortunately my garage workshop was open so I armed myself with a chisel and some card scrapers (stiff metal cards) and some hitting implements. I moved the protecting strip of wood out of the way with the chisel then used the card scrapers being hit to get the Yale lock to move. I then used the hitting implements to put the wood back. None of the neighbours batted an eyelid.
New door, all steel frame into all steel frame, multipoint locking needs a key to lock it.
*A case of the wrong trousers.