After IOActive put out an advisory warning about what it called serious security flaws in CyberLock electronic locks, the lock company has fired back through its attorneys that it hadn’t had enough time or data to address the vulnerabilities.
The IOActive alert said that the locks “are easily cloned” through reverse engineering and “new keys can be created from lost cylinders and keys regardless of the permissions granted to the key.”
Since the key rather than the cylinder enforces time-of-day restrictions, an attacker can gain access “at any time regardless of the configuration.”
The “encryption” algorithm, the advisory said, doesn’t “sufficiently protect credentials or enforce authenticity.”
IOActive researchers reportedly revealed the flaws to CyberLock numerous times and IOActive had said it would report the findings on April 30.
Mike Davis, a researcher with the security company, posted a portion of a redacted letter dated April 29 from CyberLock outside counsel Jones Day, in which the firm asked the company to “refrain from the public reporting of any security vulnerabilities.” The letter claimed that Davis had “declined to share any information” with the law firm regarding the products, including which ones “IOActive allegedly researched, the nature of the supposed vulnerabilities, or how [he] uncovered such vulnerabilities.”