Caribou Android app opens doors over the internet, needs neither permission nor keys (video)

Opening doors with wireless RFID cardkeys is old hat at this point, but opening those doors with a smartphone is rather more intriguing. Doing so without permission of the people who put the locks on the doors, well, that brings things up to a whole new level of awesomeness. That's what Caribou does: it's a little Android app that remotely connects to a server managing the locks at a supposedly secure location. The app then diddles the ports and security settings of that server until it finds the magic phrase and, in a couple of seconds, it's open sesame time. Doors are unlocked remotely and then, 30 seconds later, automatically locked again. How thoughtful.

We first saw this demonstrated a few days ago but weren't entirely convinced of its legitimacy. But now, after exchanging a few e-mails with Michael Gough, who discovered the exploit, and Ian Robertson, who wrote the app, we're convinced. They're actually working with US-CERT on this issue so that appropriate measures will be taken, but in the short term, if you have a system like this and it's sitting out there, IP open to the internet and being caressed by every passing breeze, you might want to think about pulling that in behind your firewall. Lots more info at both source links below, though you can see it working for yourself right here in a video after the break, running on an HTC Incredible.