Building security technology Archive

Delivery-consignment storage to be part of the floorplan

House in Toorak

How is online delivery going to be handled securely when no-one’s at home?

Most of us who buy goods on the Internet are likely to run into situations where we miss a parcel delivery because, for example, no-one is at home. This includes families whose teenagers arrive home earlier than the parents, where it is desirable that an adult signs for delivered packages.

This can also extend to situations where you need to have a courier collect goods from your place, something I have had to do every time I have finished with review-sample products where I return them to the distributor or PR agency. But it would also apply when you have to return unwanted merchandise to an online retailer or send faulty equipment to a workshop to be repaired, or simply to use a messenger service to run printed documents from your home office to a business partner. Here, you have to make sure someone you trust is at home looking after the consignment until the courier arrives to collect it.

Intercom panel with codepad

These systems may need to be modified to support secure unattended parcel delivery

There has been recent Internet discussion about the Amazon Key product, a smart-lock ecosystem that allows Amazon couriers to drop off your orders inside your home after you confirm with them that they have your order. The issue constantly raised was that the courier could wander around your home unsupervised after dropping off the order, which is a threat to your privacy and home security.

But this may raise certain architectural requirements and possibilities to cater for the rise of online deliveries. These requirements and possibilities are about creating secure on-premises storage for these consignments that have been delivered or are to be collected by a courier while you are absent. It is also about making sure that the courier cannot enter your home unsupervised under the guise of dropping off or picking up a consignment.

They will affect how homes are designed whether as a new-build development or as a renovation effort and will affect how apartment blocks and similar developments are designed. It is very similar to the use of specially-installed lock-boxes to keep front-gate or meter-box keys that are only opened by the utility’s meter reader with a special master key when they read your utility-service meter.

Architectural requirements

One of these could be a cabinet or small storeroom located towards the front of your home and used primarily for storage of delivered goods. Of course, you may use these spaces to store items like clean-up tools or solid fuel. Some householders may see a garage or a shed also serve this same purpose.

An alternative would be to implement a small vestibule or porch enclosure with an inner front door and an outer front door. Here, these spaces would be secured with a smart lock or access-control system that ties in with secure consignment-drop-off arrangements like what Amazon proposes.

In the case of a vestibule, the inner entry door that leads to the rest of the house would be secured under the control of the household and not be part of these arrangements. This also applies to arrangements where the vestibule opens to other rooms like a home office.

Apartment block in Elwood

Multi-dwelling units like apartment blocks may have to have luggage-locker storage facilities for unattended parcels

For multi-dwelling developments, this could be achieved through the use of a storage facility similar to a cluster of luggage lockers. Here, one or more lockers are shared amongst different apartments on an as-needed basis. In these buildings, they would be located close to or within the mail-room or as a separate storeroom. For those buildings that have multiple entry vestibules for different apartment clusters, it may be plausible to have a group of parcel-delivery lockers in each vestibule.

If your property has a front gate that is normally locked, you may have to use a smart lock or access-control system compliant with the abovementioned secure consignment drop-off arrangements on that gate.

Security requirements for these spaces

All these arrangements would be dependent on a smart lock or access-control system that ties in with the couriers’ or online-delivery platforms’ ecosystems and would be used when you aren’t at home. Such systems would be dependent on consignment numbers that are part of consignment notes or delivery dockets, along with the recipient being notified by the courier of the pending delivery.

But you would be able to have access to these spaces using your own code, card or access token held on your smartphone as expected for all smart-lock setups.

Integration with the courier’s workflow

Such setups would require the household to register them with an online-shopping platform or a courier / messenger platform operated by the incumbent post-office or an industry association. Here, the household would notify the platform of whereabouts on their property the secure storage space is.

Product delivery

Typically, when you receive a delivery, the courier would ring the doorbell and find that no-one is at home. Or the door is answered by a child and the standing arrangement regarding the chain of custody for deliveries is for the parcel to be received and signed for by a responsible adult.

In this situation, the courier would have to enter details on their handheld terminal about no-one being home. You would then be contacted by email, text messaging or a similar platform regarding the pending delivery and then you use the platform’s companion mobile app or Website to authorise the drop-off of your consignment in the safe storage space.

Then the courier would receive a one-shot authority code which they use to unlock the storage space so they can lodge your parcel there. Once they have delivered the parcel, you would be notified that the parcel is waiting for collection. You would then use your keycode to open up that space to collect your goods when you arrive.

Product collection

There are also times where we require a courier to collect goods from us. This can be situations ranging from returned merchandise, through equipment being collected for repairs, to sending goods out as gifts. In these situations, a responsible adult may not be home to hand over the item and you don’t want to wait around at home or co-ordinate a pickup time for the consignment.

Here, you would organise the consignment paperwork with the courier or the recipient organisation if they are organising the pickup. As part of this, you would receive a consignment number as part of the consignment note, returned-merchandise authorisation or similar document.

Then you would place the goods in the storage space and make sure this is locked. Subsequently you would enter the consignment number into the smart lock or platform app on your phone or computer. This consignment number works as a one-shot authority code for the courier to open the secure storage space.

When the courier arrives to collect the consignment, they would enter the consignment number in the smart lock to open the storage space in order to collect the goods. Once they have collected the goods, they then lock up the storage space before heading onwards with the consignment. You would then be notified that they have collected the consignment, with the ability to track that parcel as it is on its way.
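The delivery and collection workflows above both rest on a one-shot authority code, so here is a sketch of the lock-side logic as an added example (not code from Amazon Key or any courier platform). The class name, code length and time limits are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

class StorageLock:
    """Controls the parcel-storage lock only; the inner house door is never wired to it."""

    def __init__(self, owner_code, clock=time.time):
        self._owner = self._digest(owner_code)
        self._grants = {}      # consignment number -> (code digest, expiry time)
        self._clock = clock
        self.audit = []        # (time, actor, consignment, event) drives notifications

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def authorise_drop_off(self, consignment, ttl=900):
        """Householder approves a delivery in the app: mint a random one-shot code."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._grants[consignment] = (self._digest(code), self._clock() + ttl)
        return code            # the platform relays this to the courier's terminal

    def authorise_collection(self, consignment, ttl=86400):
        """Pickup: the consignment number itself is the code. It is printed on
        paperwork, so the expiry and single use are what limit its exposure."""
        self._grants[consignment] = (self._digest(consignment), self._clock() + ttl)

    def courier_unlock(self, consignment, code):
        now = self._clock()
        grant = self._grants.get(consignment)
        ok = (grant is not None and now <= grant[1]
              and hmac.compare_digest(grant[0], self._digest(code)))
        if ok or (grant is not None and now > grant[1]):
            del self._grants[consignment]   # burn on first use, or purge if expired
        self.audit.append((now, "courier", consignment, "opened" if ok else "denied"))
        return ok

    def owner_unlock(self, code):
        """The householder's own code keeps working regardless of courier grants."""
        ok = hmac.compare_digest(self._owner, self._digest(code))
        self.audit.append((self._clock(), "owner", None, "opened" if ok else "denied"))
        return ok
```

Every attempt, successful or not, lands in `audit`, which is what the "parcel is waiting" and "consignment collected" notifications would be built from.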

Issues that need to be raised

Access to a competitive online-retail or parcel-delivery marketplace

It can be easy to bind an unattended-delivery secure-storage platform to an incumbent postal service (including a courier service owned by or partnered with one of these services), or a dominant online retailer like Amazon.

This ends up as a way for the incumbent postal service or dominant online retailer to effectively “own” the online-retail or parcel-delivery marketplace by providing more infrastructure exclusive to their platform. It can also expose antitrust / competitive-access issues where other courier firms or online retailers can’t gain access to self-service unattended-delivery arrangements.

This issue can be answered either through an app-based approach that works with the smart-home / Internet-of-Things ecosystem to interlink with IT systems associated with the goods-delivery industry; or a common platform adopted by the courier / messenger and online-retail industry that integrates unattended-delivery storage as part of the workflow.

Similarly, these systems need to have a level of flexibility such as being able to work with multiple smart locks on the one property. This would be to facilitate a locked gate and / or two or more storage spaces such as a trunk-style cabinet for small items and a larger storeroom for larger consignments; or to provide a private storage space for each dwelling on that property such as a house converted to apartments.


The online retail marketplace has brought about a discussion regarding management and secure storage of consignments that are delivered to unattended addresses.


Finnish building-management systems cop the brunt of cyberattacks


There needs to be a level of cyber-security awareness regarding the design and maintenance of building-automation systems


Finns chilling as DDoS knocks out building control system | The Register

My Comments

Two apartment buildings in Finland became victims of distributed denial-of-service attacks which nobbled their building-management systems. This caused the buildings’ central heating and domestic hot water systems to enter a “safety shutdown” mode because the remote management systems were in an endless loop of rebooting and both these systems couldn’t communicate with each other. The residents ended up living in cold apartments and having cold showers because of this failure.

What is being realised is that, as part of the Internet Of Things, building-management equipment is being seen to be vulnerable, due to factors like poor software maintenance and an attitude against hardening these systems against cyber-attacks. Then there is the issue of what level of degraded-but-safe functionality should exist for these systems if they can’t communicate with a remote management computer. This also includes the ability for the systems themselves to pass alarm information to whoever is in charge.

This situation has called out data-security issues with design and implementation of dedicated-purpose “backbone devices” connected to the Internet; along with the data-security and service-continuity risks associated with cloud-based computing. It is also an issue that is often raised with essential services like electricity, gas and water services or road-traffic management being managed by Internet-connected computers with these computers being vulnerable to cyberattack.

One of the issues raised included the use of firewalls that run up-to-date software and configurations to protect these systems from cyberattack.

I would also look at a level of fail-safe operation for building management systems that can be implemented if the Internet link to remote management computers dies; along with the ability to use cellular-telephony SMS or similar technology to send alarm messages to building management during a link-fail condition. The fail-safe mode could be set up for a goal of “safe, secure, comfortable” quasi-normal operation if the building-local system identifies itself as operating in a safe manner.
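The fail-safe behaviour suggested above can be expressed as a small mode-selection routine. This is an added example, not code from any building-management product; the timeout, temperature limits and the `send_alarm` callback (standing in for an SMS modem) are assumptions.

```python
from enum import Enum

class Mode(Enum):
    REMOTE = "remote-managed"
    LOCAL_FAILSAFE = "local fail-safe"
    SHUTDOWN = "safety shutdown"

class HeatingController:
    LINK_TIMEOUT_S = 120             # constructed: silence longer than this = link down
    SAFE_BOILER_C = (5.0, 95.0)      # constructed local safety limits
    SETPOINT_RANGE_C = (16.0, 24.0)  # remote commands are clamped to this range
    LOCAL_SETPOINT_C = 21.0          # constructed "comfortable" default

    def __init__(self, send_alarm):
        self.mode = Mode.REMOTE
        self.last_heartbeat = 0.0
        self.remote_setpoint = self.LOCAL_SETPOINT_C
        self._send_alarm = send_alarm    # out-of-band channel, e.g. cellular SMS

    def on_heartbeat(self, now, setpoint_c):
        lo, hi = self.SETPOINT_RANGE_C
        self.last_heartbeat = now
        self.remote_setpoint = min(max(setpoint_c, lo), hi)

    def tick(self, now, boiler_c, sensors_ok):
        lo, hi = self.SAFE_BOILER_C
        locally_safe = sensors_ok and lo <= boiler_c <= hi
        link_up = (now - self.last_heartbeat) <= self.LINK_TIMEOUT_S
        if not locally_safe:
            new = Mode.SHUTDOWN          # only a local hazard stops the heating
        elif link_up:
            new = Mode.REMOTE
        else:
            new = Mode.LOCAL_FAILSAFE    # link loss alone keeps the building warm
        if new is not self.mode:         # alarm once per transition, not per tick
            self._send_alarm(f"heating: {self.mode.value} -> {new.value}")
            self.mode = new
        return self.mode

    def target_setpoint(self):
        if self.mode is Mode.SHUTDOWN:
            return None
        if self.mode is Mode.LOCAL_FAILSAFE:
            return self.LOCAL_SETPOINT_C
        return self.remote_setpoint
```

The key design choice is that shutdown depends only on local sensor readings, so a flooded or rebooting management link degrades the system to local control instead of turning the heating off.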


August responds to its smart lock’s security weaknesses by patching its software

August Smart Lock press picture courtesy of August

Article

IoT manufacturer caught fixing security holes | The Register

Here’s what happened when someone hacked the August Smart Lock | CNet

My Comments

The Internet Of Things, along with network hardware focused at consumers and small businesses, has been considered a thorn in the side of people who are involved with data security. This is because of a poor software-maintenance cycle associated with these devices along with customers not installing new software updates for these devices.

Recently, at the DEFCON “hack-a-thon” conference in Las Vegas, a few of the smart locks were found to have software weaknesses that made them vulnerable.

But August, who makes one of these smart locks which are retrofitted to existing “bore-through” single-cylinder tubular deadbolts, answered this issue in a manner that is considered out-of-place for the “Internet Of Things”. Here, they issued software patches to rectify these security issues and offered them as a user-downloadable firmware update.

What is a sad reality for a lot of these devices is that the manufacturer rarely, if at all, maintains the firmware that runs these devices. Some manufacturers think that this practice is about having to “add functionality” to these devices which they would rather do with subsequent models or product generations. But this kind of updating is about making sure that the software ecosystem associated with the product is secure and stable with all the “bugs” ironed out. Similarly, it is also about making sure that the product is complying with industry standards and specifications so as to work properly with other devices.

August uses the latest iterations of their smartphone apps to deploy the firmware updates to their products, typically requiring that you place your phone with the app running near the door that is equipped with these locks.

The computing security industry and computing press congratulated August on responding to the security weakness in its products through a firmware update with “The Register” describing it as being beyond the norm for the “Internet Of Everything”. But they wanted more in the form of them disclosing the nature of the threats in the lock’s firmware in a similar manner to how Microsoft, Google or Apple would disclose weaknesses in their operating-system software.

This issue also applies to home-network equipment like routers, along with toys and games that connect to the Internet. What is being called for is a feedback loop where bugs and other software deficiencies in all these devices are called out and a simplified, if not automatic, in-field software-update process takes place whenever newer firmware that answers these problems is released. This also includes the manufacturers disclosing the security issues that have been found and explaining to customers how to mitigate the risks or update the affected software.
