#cyberkey

CyberLock offers a line of "high security" locks and cylinders as well as related products and services for updating, managing, provisioning, and storing CyberKeys. In various marketing materials, CyberKey is described as "unclonable" and suitable for use in money handling and critical infrastructure systems as a secure and auditable solution.

However, after some reverse engineering it appears that these devices are easily cloned, and new keys can be created from lost cylinders and keys regardless of the permissions granted to the key. Additionally, time-of-day restrictions are enforced by the key, not the cylinder, allowing an attacker access at any time regardless of the configuration.

From the findings of the security audit on CyberLock systems.  The CyberLock response:

Moreover, IOActive's reverse engineering process required the use of skilled technicians, sophisticated lab equipment, and other costly resources not generally available to the public to extract [company name redacted]'s firmware from an embedded semiconductor chip... To suggest, as your report does, that [company name redacted]'s products suffer from "severe" vulnerabilities simply because you were able to develop a bypass in your lab ignores the fact that the exploit in question was not possible without the use of costly and sophisticated lab equipment and highly skiled technicians—not exactly a real-world scenario for the intended use of [company name redacted] products.