Key
Latest
Google simplifies its Titan security key lineup
The Bluetooth model is no more, it has made space for an all-NFC range.
Amazon's in-garage delivery is now available in over 4,000 US cities
Amazon has expanded its Key in-garage delivery to over 4,000 US cities, and it's introducing grocery delivery as well.
iOS 13.4 could turn your iPhone and Apple Watch into car keys
You might be able to use your iPhones and Apple Watches to lock, unlock and start your cars when iOS 13.4 comes out. According to 9to5Mac, the first beta version of the mobile OS contains references to a "CarKey" API that will let you use your devices as keys for vehicles with NFC. Based on the internal files the publication saw, you won't even have to authenticate with Face ID -- you simply have to hold your device near the reader to work, even if it's out of battery.
Fraud forces Valve to kill ‘CS:GO’ loot box key trading
Valve's policy of allowing Counter Strike: Global Offensive players to buy and re-sell keys to access in-game loot boxes is no more. The company has announced that the marketplace has apparently been taken over by large fraud networks as a way of laundering money. On the CS:GO blog, an unnamed staffer wrote that "nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud-sourced."
Deep Silver deactivates 'Metro Exodus' keys stolen from a factory
If you've been sold a code for post-apocalyptic adventure Metro Exodus, you might want to check where it came from. According to publisher Deep Silver, a number of keys have been stolen from the factory where physical key printing for the game had been taking place, before it became an Epic Games Store exclusive. In a post on Steam, the company explained that physical keys don't have the necessary files to run "as they were not meant to be released."
Amazon's Key delivery service is coming to businesses
Amazon first introduced Key because porch piracy is a thing, but many folks were shocked with a system that would let couriers enter into their homes when they were out. Amazon has slowly reduced those fears by bringing in new smart lock manufacturers like Schlage and beefing up security. As we roll into 2019, Amazon is now expanding the service (renamed to Key by Amazon) with garage entry, smart doorbell support and the latest feature, Key for Business.
Bluetooth key fob for Tesla Model 3 spotted in FCC pictures
Among the quirks of the Tesla Model 3 is that unlike most cars, it doesn't come with a traditional key or key fob at all. Instead, it relies mostly on a Bluetooth Low Energy link to its owner's nearby iPhone or Android device, with keycards available as a backup system to start and unlock the car. Electrek reports that some people have had issues with this system, and spotted a Tesla BLE device making its way through the FCC filing process. Now the documents have been updated with photographs which clearly show the device (as well as its internals and the manual), which is shaped like a Tesla sedan and labeled "Model 3." In real life it will likely look a little slicker than in these unglamorous shots, and it already closely resembles the units available for the Model X and Model S. While Tesla isn't walking back decisions like its center-mounted console in the Model 3, it's definitely taking hints from owners on at least this small part of the experience. Whenever it becomes available, we'd anticipate the newly strengthened security elements will be included, and that other manufacturers working on Digital Keys are taking notes.
Thieves could have cloned Tesla's Model S key fob
Tesla may be more security-conscious than many car manufacturers, but it's still vulnerable to the occasional glaring exploit. KU Leuven researchers have detailed a technique that let them bypass the encryption on Tesla's key fob for the Model S, making it trivial to clone the key, get inside and start the vehicle. They discovered that the fobs used an easy-to-crack 40-bit cipher to safeguard the codes. Once they got two codes from a specific fob, they only had to try using encryption keys until they discovered the one that unlocked the EV. From there, the researchers created a data table for code pairs that would let them find the encryption key for cloning any Model S fob.
'Digital Key' standard uses your phone to unlock your car
You can already use your smartphone as a car key if you own the right vehicle (just ask Tesla Model 3 owners). There hasn't really been a common standard for it, though, and that has hurt adoption -- you can't guarantee that you'll have phone access if you switch brands, or even individual models. You might soon have a solution. The Car Connectivity Consortium, a mix of major smartphone and automotive brands, has posted a Digital Key 1.0 standard (PDF) that will let you download (what else?) a virtual key that can unlock your vehicle, start the engine and even share access with other drivers.
Amazon can deliver packages to the inside of your car
Amazon Key's in-home delivery is all well and good (assuming you trust it in the first place), but there's an obvious caveat: you have to go home to get your package. Now, you might not even have to go to that trouble. Amazon has launched a Key In-Car service that, as you can guess, lets couriers deliver packages to the trunk of your vehicle as long as it's in a publicly accessible parking space. You'll need a 2015 or newer GM-made or Volvo car with an internet-savvy account (OnStar or Volvo On Call), but after that it's relatively seamless: the delivery driver requests access to your car, and you'll get a notification when the package has been dropped off and your car is relocked.
Amazon's home security Cloud Cam supports Alexa
Along with its "Key" indoor delivery service for Prime members, Amazon has unveiled a new AWS cloud-powered surveillance camera. The infrared-capable Cloud Cam lets you confirm deliveries via the Key service and get custom notifications depending on the activities or people it spots. You can also control up to ten Cloud Cams and see specific views with your Echo device by saying "Alexa, show me the [camera name]."
Game studio claims it lost $450,000 to key resales
Game key resales are theoretically ideal for players -- you can buy that must-have title at a discount from someone who wasn't going to use it anyway. However, SpeedRunners publisher TinyBuild would beg to differ. It's accusing G2A of facilitating a black market in game keys that amounted to $450,000 in potential lost sales at retail prices. The studio maintains that G2A is refusing proper help (including compensation) after fraudsters bought keys from the TinyBuild store using stolen credit cards and posted them on G2A, making a tidy profit while TinyBuild made nothing. Supposedly, the only way to get help would be to forge a deal with G2A itself and undercut its own retail partners in order to compete with the bootleggers. Simply blacklisting a range of keys wasn't an option, either.
Leaked D-Link code-signing key could make malware look legit
When your company is known for making wireless routers, network switches and home security cameras, leaking your code-signing private keys yourself is the last thing you want to do. Back in February, that's exactly what D-Link did, accidentally leaving a valid key visible in its open-source firmware. If found by an attacker, the key could have been used to make malware that can pass as official software from D-Link -- malware that wouldn't trigger security warnings when installed to Windows or OS X machines.
TSA inadvertently shows the dangers of master baggage keys
Security researchers have long warned of the dangers of using master-keyed locks -- if thieves get their hands on just one key, they compromise all of the compatible locks at the same time. And unfortunately, the US' Transportation Security Administration is learning this lesson the hard way. It briefly let the Washington Post show a photo (we've blurred the details) of the master baggage keys it uses for approved locks, giving crooks a crude guide to making duplicates. And you can't just switch to a non-standard lock to get around this, since TSA agents will rip it off if they catch it during an inspection.
Facebook will encrypt the emails it sends to you with PGP
Facebook, the social network where there's no such thing as too much information is handing another olive branch to the privacy crowd. The company has announced that it'll allow users to add PGP keys to their profiles, enabling them to encrypt the regular missives that the social network sends out. That way, no-one but you will be able to find out that Dave, the bully from junior high, has tried to add you as a friend twice this month. If you're wary about the legitimacy of Facebook's project, take comfort from the fact that one of the testers was noted security expert and former Tor lead, Runa Sandvik.
Yogventures gives Landmark keys as additional consolation gifts
Supporters of Yogventures have another consolation gift to go in take the edge off of the loss of their dream game: a key for Landmark. Massively readers might remember that Yogventures was a Kickstarter campaign that over-funded, was mismanaged, and then imploded, taking over almost $570,000 from 13,000 backers with it. Owner Yogcast then partnered itself with TUG, providing free TUG Steam keys for those backers and transferring all Yogventures assets to Nerd Kingdom. It looks as though Landmark has some sort of alliance with Yogcast, as the official site encourages gamers to play with the Yogcast crew. Further compensation for Yogventures backers may be forthcoming.
Hilton will let you use your phone as a hotel room key
Starwood isn't the only hotel chain that wants you to use your smartphone as a hotel room key; Hilton is launching an initiative that lets you use your Android or iOS device to control virtually every aspect of your stay. Later this summer, a Hilton app will let you choose your preferred room, make special requests, check in and check out. You'll only have to speak to staff when it's time to pick up or return your keys. And in 2015, you won't even need to do that much -- your phone will also unlock your room, letting you make a beeline for your bed after a long flight.
Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible
Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog. Image credit: snoopsmaus/Flickr
Starwood swapping room keys for mobile phones at two hotels
Starwood plans to roll out refreshed SPG apps that can unlock your guest room later this quarter. The new tech, which the company refers to as "keyless key" in its intro video (embedded after the break), will soon let you bypass the front desk and enter your room using an Android 4.3 or iPhone 4s (or newer) device at the Aloft Harlem and the Aloft Silicon Valley. Existing locks must be upgraded in order to communicate with the Android and iOS apps via Bluetooth, according to a WSJ report, but Starwood's CEO says that the "investment would not be substantial." Starwood currently offers a Smart Check-In solution at several Aloft hotels, but the existing system requires guests to obtain (and carry) a compatible membership card. It's also quite limited, with only nine hotels currently participating. Meanwhile, if this initial smartphone rollout is a success, your phone could be the key to all W and Aloft hotels worldwide by the end of next year.
New Kevo lock uses your iPhone for keyless entry
Kwikset has made a new lock it's calling Kevo that makes use of your iPhone to lose your keys for good. The idea on this one seems great, and apparently the company picked up some money from a pitch on the Shark Tank TV show. The lock has both standard key-based and wireless mechanisms, so instead of using your key, you can simply put your smartphone or a branded fob up to the lock, and it'll open up for you. You can also send a key to someone else's smartphone, so if they need to get in your house for some reason, you can send them a temporary key that only works for a given amount of time. That's great, and because the lock is still a standard mechanical lock, it'll work like a traditional lock as well if all else fails. The Kevo lock runs on two AA batteries for about a year, at which point those need to be replaced. Still, I'd love to have one on my apartment door. It's set to be available this summer.