Wednesday, December 5, 2018

Bad Lockbox Design

This is from my backlog of previously unfinished posts. I'm trying to go back and finish some up. This was from early 2012:

I was recently staying at the Hsinchu Sheraton hotel in Taiwan, and as with most hotels, there was a lockbox / safe in the room to store your valuables while you're out of the room. This particular lockbox had an interesting security vulnerability: every button on the keypad produced a friendly, and uniquely identifiable, press-tone.

Hotel Lockbox with Button-Identifying Tones

Someone wanting to know the combination for the lockbox would need only to hide an audio recording device anywhere within earshot of the box to record the tones. From that recording, they could determine every button pressed when either setting the combination or subsequently opening the box. There's a good reason that lock keypads usually use a single tone to indicate a button press on all the keys! It's helpful to have audio feedback that you have, in fact, pressed the key, and that you haven't bounced it. But having a unique tone for each button is only slightly more secure than having every key announce itself with a recorded voice enunciation as you press it: "EIGHT!" "SIX!" "SEVEN!" "FIVE!" That, by the way, is a level of dumb I haven't yet encountered, but I'm sure it's out there somewhere.

Anyway, I wonder if the Hsinchu Sheraton has upgraded these in the last 6.5 years? If you've stayed there recently, or you've seen some other "security" device design fails, post a comment!
