dwyl / door

:door: self-explanatory. Soundtrack:
https://www.youtube.com/user/thedoors
GNU General Public License v2.0
2 stars 1 forks source link

Doors! Why? What? Where? Who? When? How? #1

Open nelsonic opened 6 years ago

nelsonic commented 6 years ago

Todo

Why?

I cannot trust some random person with the security my house. There will be a nice laptop and phone forEach person in the house. That means a thief could get a sizeable "score" if there is any weakness (within reason) in our external doors. There are Five External Doors.

All electronic access (e-access) doors will all have magnetic locks https://github.com/dwyl/door/issues/11 and key-less entry. We will be writing our own (relatively basic) Open Source Software using https://nerves-project.org strong encryption: https://github.com/dwyl/phoenix-ecto-encryption-example and an append-only log: https://github.com/dwyl/phoenix-ecto-append-only-log-example to control all the doors on a closed circuit network (with no internet access).

All access will be multi-factor auth. Doors will have (both) cameras and RFID/Bluetooth. When presence is detected via motion detection the camera will capture a photo and analyse the face. Thankfully this is already being worked on: https://github.com/dwyl/door/issues/6 if the detected face is recognised, we show the first "green light". (a physical LED in the door)

Why not use an Existing ("3rd Party") System?

Three reasons:

  1. Insecurity: All off-the-shelf systems are closed source ("security through obscurity") and all are Hackable https://github.com/dwyl/door/issues/8
  2. Cost: having 17 e-access doors at €300 each is silly. €5,100 + installation for something that is insecure by default seems absurd to me.
  3. Learning: Buying something I can (relatively) easily assemble from "parts" would result in virtually zero learning and 100% vendor lock-in.

Considering that I plan to re-use these locks/system in future projects, I feel that the up-front investment of my time is justified. Having our own (Open Source) security/access system will also unlock (excuse the pun) many other possibilities.

What?

An electronic door lock with strong digital and physical security for a low cost. Open Source Software and Hardware that anyone around the world can use and improve.

Where?

The Braga home Co-living/Working House!

Who?

Me. I cannot "outsource" or delegate this work to anyone else (at least not initially). The hope/plan is that other community-based housing/living projects will use and improve ("harden") the system and in the not too distant future, all locks and security systems will be open source.

When?

Now!

How?

List and Categorise the Various Types of Door in the Braga Home:

How Many Doors are there in the House? 46 (20 e-access)

Basement 14

Middle Floor 12

2nd Floor 16

Attic Floor 4

iteles commented 6 years ago

@nelsonic On your question above, we don't need a door to the basement bathroom, just the shower and toilet stalls.

nelsonic commented 6 years ago

@iteles sweet! 🍭 that means we will have 42 Doors in the house. 🎉 😉 image https://youtu.be/D6tINlNluuY

2020 Update:

we converted the attic into useable rooms so now there are 46 doors ... not quite as cool as 42, but still interesting: https://en.wikipedia.org/wiki/46_(number)

nelsonic commented 6 years ago

@iteles I sent you the email with the dimensions and details for the rear Emergency Exit / Access Doors: emergency-exit-doors-email-1of2 emergency-exit-doors-email-2of2

Please CC me when you send it to Sr. Antonio. thanks.

nelsonic commented 6 years ago

@iteles same for the front door: braga-front-door-design-email

(please + thank you!) ✨

nelsonic commented 6 years ago

On Wednesday 3rd October @iteles sent 2 separate emails to Sr. Antonio with details of the two Types of External door: image

Yesterday 4th October we spent 3h walking around the house with "Chico" (the carpenter) clarifying the spec for all the internal doors.

I feel the "doors" issue is "on track" so I'm decreasing the priority from P1 to P2. Still important but not much we can do to move the process forward.

The next action (already added to the main task/todo list above) is to start working on the electronics. In order to get a start on that, we need to finish: https://github.com/dwyl/phoenix-ecto-append-only-log-example

stefek99 commented 6 years ago

General observation from a keyboard jockey.

Home security is a generic problem, that applies to homes (in general).

When building the home, dealing with X Y Z etc it is not unreasonable to prioritize and focus on the areas that you know best.

Taking some ready, off the shelf components is a sensible balance. These guys are building some security products:

And probably 100+ other companies in the space, maybe there are a few who are doing open hardware: https://www.google.co.uk/search?q=open+hardware+home+security


Maybe simplify? Only the outside doors to be secure? People inside the house by definition are trusted... Is there really need fo granular access?

Maybe negotiate and bargain, get a massive discount?

My genuine (and blatantly honest observation) this is geek porn. Unless this is dogfooding and you want to branch off into security solutions...

I'm honestly thinking it's a bigger problem, much more involved that just door. It includes access cards, and logging, and managements software, everything.

#keyboardjockey

nelsonic commented 6 years ago

@stefek99 we appreciate your enthusiasm for this project and feedback on this issue. ✨ We agree that home security is a "generic problem" and as such there are several companies/teams attempting to solve the it.

"it's a bigger problem, much more involved than just a door"

Agreed. The name of this repository is deliberately brief as is that of "home" where the doors will be used. We don't want anyone thinking that we are "overly ambitious" or "grandiose" with our aims.

Naming the repo something like "most-secure-home-door-in-the-world" would be naive at best.

We are well aware that the hardware/software involved in securing the house will need to be "sophisticated" to stand any chance of avoiding compromise. This is a challenge we relish not shirk.

"it is not unreasonable to prioritize and focus on the areas that you know best."

Again, we agree that sticking to what we "know best" is excellent advice. We are prioritising! ✅

What you (and most other people) may not realise is that before we decided to start our little "Web App" company we did "technology risk consulting" (AKA "pen-testing") for some of the most high security companies in the world including DTC, LSEG, several Banks and others I can't mention. 🙊 The security of the companies we have tested vastly exceeds that of a typical "house". We are going to implement security that matches our needs. Initially this will only be RFID/NFC based access control. But before we open to the "public" we will have a system to rival those used at Gates/Bezos personal residence.

We don't like to talk about our infosec knowledge/experience much because the one thing we do know about security is that there is infinitely more to learn/know than any one of us could possibly hope to explore.

We will be deferring to the experience/expertise of several friends who are world-class experts on infosec (including people who have written core security code for Nest, Tesla, Apple and Casinos); two of them have offered to visit the house over the next few months to help with this. ✈️

Who Can We/You Trust?

"Maybe simplify? Only the outside doors to be secure? People inside the house by definition are trusted... Is there really need fo granular access?"

People on the inside of the house are (only) partially trusted; there are always levels of trust. I trust people in the house not poison my food or spike my drinks but that does not automatically mean I give them access to my OTP generator for online banking ...

There will be multiple levels of access @home; more on these later. Suffice to say that the https://en.wikipedia.org/wiki/Principle_of_least_privilege will be used.

Being "blasé" about security and blanket-trusting everyone is exactly what we will be avoiding.

Hardware?

We will be using open source hardware and components to build the security system(s) of the house.

We have already purchased the ICs and discrete electronics components for the system. Assembly of these components and writing the code to control them is not our current focus until the Physical Doors have been manufactured/delivered (hence this issue). We are managing our time as effectively as possible; there are many other things we need to focus on before writing a line of "production" code for the security systems.

Off the shelf ... ?

Most off-the-shelf door entry systems are closed source which rules them out immediately.

You name a "startup" that has created a home security system and I will point to their most recent security flaw in the popular press. Let's not even go into exploits available on the "dark web"... 🙊

@ring...?

Sunflower Labs?

https://sunflower-labs.com is vapourware and a terrible idea. image An attacker with a paintball gun can silently "take out" the drone with a single shot. As a keen drone enthusiast I know exactly how vulnerable quadcopter are to even the slightest prop disturbance. Using a drone to "protect" one's home is like wearing a bullet proof vest and no trousers in a war zone what area of the body is the enemy is going to "target"...?

"a massive discount?"

I would sooner not open the house than get a "massive discount" from anyone for this, that would be the single biggest "false economy" imaginable.

We are paying full price for all components from trusted suppliers. We have done several factory visits to the Door manufacturer's facilities and are going to be heavily customising the "blanks" that they are making for us according to our specifications.

We aren't using any "off-the-shelf" CCTV or lock products because they all require internet access. We aren't using a single piece of hardware from "TP Link" or "Huawei" for the internal network.

Software?

From our research we have not found a project on GitHub/GitLab that even begins to match our needs.

Having written a decent amount of embedded system and micro-controller code in C/C++, I feel undaunted by the task of writing a few hundred lines of RFID-checking code against a database and using a Beaglebone Green IC to run the system.

We expect our security systems to evolve quite quickly over the next few months. We must maintain the flexibility to iterate fast without having to wait months for some 3rd party to release a "patch" when someone discovers an attack vector.

Off-the-record: we expect other houses/organisations/communities to be using our security system within the next year. We will not be charging for any of it. To succeed it must be open and freely and available to everyone.

stefek99 commented 6 years ago

TLDR: I read your reply in full.

TLDR: Too long didn't reply 😎

So many threads, points, observations.

While totally appreciate your points and unique situation (not everyone is a pentester) I'll remain loyal to my initial assessment - custom security is not required for MVP.

About other organizations - https://wiki.hackerspaces.org/hackbase - worth checking how they manage access.

You seem very well organized, applying for permits and permissions is badass amazing. Full trust and full support!

iteles commented 6 years ago

For anyone interested in physical access security and how ridiculously simple it is to get into most doors (including e-access doors), this is a fascinating video about it (and how to fix the issues):

https://www.youtube.com/watch?v=rnmcRTnTNC8&feature=youtu.be

image

iteles commented 6 years ago

We went by the factory to speak to the manufacturers and added the following specs to the budget request:

Waiting for the additional budgets to come in.

nelsonic commented 6 years ago

The Search for the Perfect Door - Deviant Ollam | Shakacon

image https://youtu.be/4YYvBLAF4T8

nelsonic commented 6 years ago

Bad Doors are everywhere: https://youtu.be/yY96hTb8WgI

The “Norman” door.

nelsonic commented 5 years ago

I count 17 20 doors in the house that need electronic access. For the 13 internal doors we will be using a "fail secure" electric strike: https://github.com/dwyl/door/issues/17

nelsonic commented 4 years ago

The Electronic Access System is being built in: https://github.com/dwyl/smart-home-security-system/issues/1 🚪