ATTORNEY GENERAL OF THE STATE OF NEW YORK
BUREAU OF INTERNET AND TECHNOLOGY

In the Matter of Investigation by ERIC T. SCHNEIDERMAN, Attorney General of the State of New York, of SAFETECH PRODUCTS, LLC, and RYAN HYDE, as an individual, Respondents.

Assurance No. 17-056

ASSURANCE OF DISCONTINUANCE

The Office of the Attorney General of the State of New York commenced an investigation pursuant to Executive Law 63(12) and General Business Law 349 and 350 into the security of Safetech Products LLC, and its owner Ryan Hyde ("Respondents"), Bluetooth-enabled locks. This Assurance of Discontinuance ("Assurance") contains the findings of the investigation and the relief agreed to by NYAG and Respondents.

FINDINGS OF NYAG

1. Safetech Products, LLC ("Safetech") is a limited liability corporation with a principal place of business at 1601 North State Street, Lehi, Utah. It is owned by Ryan Hyde.

2. Safetech sells Bluetooth-enabled locks to customers through its website with the promise "Privacy When You Want It, Security When You Need It." With Bluetooth-enabled locks, the user may control the locks with an application installed on a smartphone.

3. Bluetooth is a wireless technology standard for exchanging data over short distances of up to 300 feet. It uses short-wavelength UHF radio waves in the ISM band from 2.4 to 2.485 GHz. To operate the Bluetooth-enabled lock, the smartphone and the lock must have their Bluetooth antennas turned on at the same frequency band and broadcast their identifiers to each other. A default password is used to secure the connection and exchange data.

4. In August 2016, independent security researchers reported that Respondents' Bluetooth-enabled locks transmitted passwords between the locks and the user's smartphone in plain text and without The researchers reported that a wrong-doer could intercept the passwords and proceed to unlock the locks.
The researchers also reported that the locks contained weak default passwords that were not secure and could be guessed or discovered through brute force attacks (automated software used to generate a large number of consecutive guesses).

5. In October 2016, the NYAG contacted Respondents about the findings of the researchers and the security of the locks. Just prior to being contacted by the NYAG, Respondents voluntarily placed the following warning on the website: SECURITY keys for the hardware are passed on all current products. We also strongly recommend the default password be changed at initial setup. Please read "Security Risks Explained." Upon clicking the "Security Risks Explained" hyperlink, the user is taken to a webpage that explains the risks identified above.

6. Respondents' locks limited the Bluetooth range to approximately 50 feet. Thus, a wrongdoer would need to be in close proximity to the lock to intercept the Bluetooth passwords. Additionally, the locks shut down for 2 minutes with two failed password attempts. Thus, a brute force attack would be limited by the locks' 2-minute lock-out feature.

7. By violating express and implied representations of reasonable data security, Respondents violated New York Executive Law 63(12) and New York General Business Law 349 and 350.

WHEREAS, Respondents admit NYAG Findings above;

WHEREAS, NYAG is willing to accept the terms of this Assurance pursuant to Executive Law § 63(15) and to discontinue its investigation into Respondents' representations concerning the security of its Bluetooth-enabled locks; and

WHEREAS, the parties each believe that the obligations imposed by this Assurance are prudent and appropriate;

IT IS HEREBY UNDERSTOOD AND AGREED, by and between the parties, that:

8.
This Assurance shall apply to Respondent Safetech Products LLC, and any officers, directors, servants, agents, employees, assignees, and any individual, subsidiary, division, or other entity through which the company may now or hereafter act, as well as any successors-in-interest, and Ryan Hyde, as an individual.

9. Respondents shall comply with Executive Law 63(12), and GBL 349 and 350, and shall not misrepresent, expressly or by implication, the security of its locks, or the security, confidentiality, or integrity of any data these devices transmit via Bluetooth or other radio frequencies.

10. Respondents shall all passwords, electronic keys or other credentials ("Security Information") in their locks and other Bluetooth-enabled devices that Respondents market or sell to individual consumers and the general public. Respondents' Bluetooth-enabled devices shall prompt users to change the default password upon the customer's initial setup of wireless communication.

11. Within 30 days of the execution of this Assurance, Respondents shall establish and implement, and thereafter maintain, a comprehensive security program that is reasonably designed to (1) address security risks related to the development and management of new and existing devices that use Security Information, and (2) protect the privacy, security, confidentiality, and integrity of Security Information. Such program, the content and implementation of which must be fully documented in writing, must contain administrative, technical, and physical safeguards appropriate to company's size and complexity, the nature and scope of the company's activities, and the sensitivity of the device's function or the information it collects, transmits or processes, including:

a. The designation of an employee or employees to coordinate and be accountable for the security program;

b.
The identification of material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality, and integrity of Security Information;

c. The risk assessments required by subpart must include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management, including in secure engineering and defensive programming; (2) product design, development, and research; (3) secure software design, development, and testing; (4) review, assessment, and response to third party security vulnerability reports, and (5) prevention, detection, and response to attacks, intrusions, or systems failures;

d. The design and implementation of reasonable safeguards to control the risks identified through risk assessment;

e. Regular testing or monitoring of the effectiveness of the safeguards' key controls, systems, and procedures including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;

f. The development and use of reasonable steps to select and retain service providers (if any are hired) capable of maintaining security practices consistent with this Assurance, and requiring service providers by contract to implement and maintain appropriate safeguards consistent with this Assurance; and

g. The evaluation and adjustment of Respondents' security program in light of the results of the testing and monitoring required by subpart e, any material changes to Respondents' operations or business arrangements, or any other circumstances that Respondents know or have reason to know may have a material impact on the effectiveness of the security program.

12. Respondents shall, within 10 business days of receiving a written request from NYAG, make available for NYAG review a copy of Respondents'
written policies and procedures adopted pursuant to this Assurance or otherwise.

Miscellaneous

13. NYAG has agreed to the terms of this Assurance based on, among other things, the representations made to NYAG by Respondents and its counsel and own factual investigation as set forth in Findings above. To the extent that any of Respondents' representations are later found to be inaccurate or misleading, this Assurance is voidable by the NYAG in its sole discretion.

14. If the Assurance is voided or breached, Respondents agree that any statute of limitations or other time-related defenses applicable to the subject of the Assurance and any claims arising from or relating thereto are tolled from and after the date of this Assurance. In the event the Assurance is voided or breached, Respondents expressly agree and acknowledge that this Assurance shall in no way bar or otherwise preclude NYAG from commencing, conducting or prosecuting any investigation, action or proceeding, however denominated, related to the Assurance, against the Respondents, or from using in any way any statements, documents or other materials produced or provided by Respondents prior to or after the date of this Assurance.

15. No representation, inducement, promise, understanding, condition, or warranty not set forth in this Assurance has been made to or relied upon by Respondents in agreeing to this Assurance.

16. Respondents represent and warrant, through the signatures below, that the terms and conditions of this Assurance are duly approved, and execution of this Assurance is duly authorized. Respondents shall not take any action or make any statement denying, directly or indirectly, the propriety of this Assurance or expressing the view that this Assurance is without factual basis. Nothing in this paragraph affects Respondents' (i) testimonial obligations or (ii) right to take legal or factual positions in defense of litigation or other legal proceedings to which NYAG is not a party.
This Assurance may not be used and is not intended for use by any third party in any other proceeding.

17. This Assurance may not be amended except by an instrument in writing signed on behalf of all the parties to this Assurance.

18. This Assurance shall be binding on and inure to the benefit of the parties to this Assurance and their respective successors and assigns, provided that no party, other than NYAG, may assign, delegate, or otherwise transfer any of his rights or obligations under this Assurance without the prior written consent of NYAG.

19. In the event that any one or more of the provisions contained in this Assurance shall for any reason be held to be invalid, illegal, or unenforceable in any respect, in the sole discretion of the NYAG such invalidity, illegality, or unenforceability shall not affect any other provision of this Assurance.

20. To the extent not already provided under this Assurance, Respondents shall, upon request by NYAG, provide documentation and information necessary for NYAG to verify compliance with this Assurance.

21. All notices, reports, requests, and other communications to any party pursuant to this Assurance shall be in writing and shall be directed as follows:

If to Respondents:
SafeTech Products, LLC
TheQuickLock LLC
1601 North State Street
Lehi, Utah 84043

If to the NYAG, to:
Attorney General of the State of New York
120 Broadway
New York, New York 10271
Attention: Chief, Bureau of Internet and Technology

22. Acceptance of this Assurance by NYAG shall not be deemed approval by NYAG of any of the practices or procedures referenced herein, and Respondents shall make no representation to the contrary.

23. Pursuant to Executive Law 63(15), evidence of a violation of this Assurance shall constitute prima facie proof of violation of the applicable law in any action or proceeding thereafter commenced by NYAG.

24.
If a court of competent jurisdiction determines that Respondents have breached this Assurance, Respondents shall pay to NYAG the cost, if any, of such determination and of enforcing this Assurance, including without limitation legal fees, expenses, and court costs.

25. The NYAG finds the relief and agreements contained in this Assurance appropriate and in the public interest. The NYAG is willing to accept this Assurance pursuant to Executive Law 63(15), in lieu of commencing a statutory proceeding.

26. This Assurance shall be governed by the laws of the State of New York without regard to any conflict of laws principles.

27. Nothing contained herein shall be construed as to deprive any person of any private right under the law.

28. This Assurance may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.

WHEREFORE, THE SIGNATURES EVIDENCING ASSENT TO THIS Assurance have been affixed hereto on the dates set forth below.

ERIC T. SCHNEIDERMAN
NEW YORK ATTORNEY GENERAL
BUREAU OF INTERNET AND TECHNOLOGY
Clark Russell, Deputy Bureau Chief
New York Attorney General's Office
120 Broadway
New York, NY 10271-0332
Phone: (212) 416-8433
Fax: (212) 416-8369

SAFETECH PRODUCTS LLC AND RYAN HYDE