House lock recommendation with RFID


#21

Take my money!


#22

…and we want to show you how to actually install this lock … with your tools

Wait, what? Oh, that’s why I’m watching this… I got a little distracted

Wonder what they’d do if DT sent them a couple of implants


#23

Something tells me they are more than familiar with implants.


#24

I received my Ultraloq door lock yesterday. I haven’t installed it in the door yet, but here are my initial impressions on the RFID and smart features:

Ordered:

The UL1 contains the guts of the lock, including the fingerprint sensor, the RFID reader, and the controller logic. Both the UL1 and the U-bolt contain a Bluetooth transceiver, which is the method of communication between the two locks, between the locks and a phone, and between the locks and the WiFi bridge.

Modes:

The lock can be configured for either manual mode or phone app mode. Both modes allow the lock to be opened via either a fingerprint or RFID. In manual mode, an administrative key fob (which ships with the card) is used to enroll a fingerprint and/or RFID tag. In phone mode, an Android or iPhone app is used for the configuration.

Setup

I’ve only tested the Android app, but setup was easy and other than using the wrong app initially, setup was very easy. There are two apps available from Google Play, one called Ultraloq which is for the older locks, and a newer one called U-tec for the newer ones. After downloading the account, you need to first sign in to U-tec, then register the lock with the app via Bluetooth. Pairing was simple, although I did have to manually connect to the lock via my Samsung Galaxy’s Bluetooth setting before the app would recognize the lock.

Once paired, the app can be used to open the lock, or to enroll/modify users. Each user can then be assigned a fingerprint, key fob (RFID) or both. There is a default Admin user that cannot be deleted. The admin user has no fingerprints or keys assigned initially. I did find out that if you assign a key or fingerprint to the admin user, you can’t later delete it. You can change the assigned key or fingerprint, but once initially assigned, there is no way to go back to the “none” setting. Keys and fingerprints can only correspond to one user.

RFID

The lock definitely works with both the xNT and various random RFID tags I tested (NTAG 216, NTAG 212). Interestingly, the key fobs that the lock ships with read as non-NXP Mifare Classic 1k tags. This initially caused some concern since the Mifare Classic chips support encryption keys for reading/writing, and the NTAG 212 (xNT) does not. However, it seems that the Ultraloqs don’t use these keys at all and instead rely solely on the UID of the tag. I’ll post a full memory map of the Classic 1K keyfobs later, but from my initial look, I don’t think any of the data sections are being used, and NXP Tools is reporting that the keys are all set to the default values.

Reading the xNT

Solid! It took me a bit to find the optimal position and to work out the logic the lock controller uses, but once I did I was able to activate the lock on the first try about 90% of the time. My xNT is installed in the standard area between my thumb and index finger on my left hand. This is actually not the best for the lock on my door, which is much more suited to a right-handed opening, but that’s an issue with my door, not the lock.

The lock houses a fingerprint sensor and the RFID reader in the same area, and while I’m not positive, it seems that the sensor activates for either a fingerprint or RFID.

While I was able to use the RFID keyfob without first activating the fingerprint sensor, I found that the best and sometimes only way I could get my xNT implant to read was to first activate the sensor by briefly touching it with my hand, taking my hand away for a fraction of a second, then presenting my xNT chip. Attempting to use the chip directly without first activating the censor was much more unreliable. My guess is that in the later case, the sensor was registering skin contact and then started scanning for a fingerprint either in addition to or at the exclusion of an RFID signal. By activating the sensor first, then briefly removing my hand, I think the fingerprint scan disengaged, but I’m not positive.

I also found that contrary to the diagram in the manual, the RFID reader seems to respond best when tags are presented closer to the bottom of the sensor (towards the end of the handle) than the top of the sensor (towards the door).

My procedure for unlocking the lock is to tap the sensor with my index finger, then immediately remove my finger and align the small implant scar on my hand with a black dot I marked on the reader. With this method, I can activate the lock with a half second or so around 90% of the time. I also think this method will feel pretty natural once the lock is installed.

Considerations

The lock is very easy to use, almost too easy. The fingerprint reader works well, which is actually a bit of a problem for the implant crowd. The big draw of an RFID lock (at lest for me) was the convenience of not having to use keys, and with being able to get in the door quicker (e.g. efficiency). But, as quick as it is to use my xNT implant, I think it will be even quicker and just as easy to use my fingerprint, decreasing some of the utility of having the xNT. Using RFID is probably more secure, depending on how sophisticated the fingerprint sensor is. I know that the sensors in many phones can be fooled fairly easily. Sometimes with nothing more than a flesh colored piece of tape inked with a lifted fingerprint. Of course, the xNT can also be scanned and cloned, so in the end, I don’t think either is all that more secure than the other (but both are much more secure than a set of keys!).

The biggest security threat I think is the smartphone app. Especially if you leave it installed and set to auto-login. Anyone with your phone and knowledge of the lock could get inside. I think that after I get the lock set up, I’ll uninstall the app on my phone. Still, even with the app uninstalled, there’s a threat of your user/pass being compromised by Utech. It also appears that anyone at Utec with access to the database could open any Ultraloq door set to app mode. If you don’t need to track multiple users, or to use the WiFi bridge, then I would suggest setting the lock to manual mode and not use the app at all.

Speaking of keys, as with many of the Samsung locks, there is no option to physically use a key on the lock. The lock does incorporate batteries into both the inside and outside handles; only one of which need to be present for the lock to function. Thus even if the batteries die, you can pop in a fresh set from the outside to get in. Of course someone can also take your batteries… but the battery cover is not marked or very noticeable unless you look.

More info once I (hopefully) install the lock, and use the other two items.


#25

excellent review, thanks!