Caribou is an Android-based application written by security researcher Ian Robertson as a proof-of-concept demonstration of the incredibly poor security controls in use on widely popular cardkey door control systems.

Given only the IP address of the target cardkey device, Caribou's single "Unlock" button accesses the cardkey system, unlocks all available doors in sequence, allows 30 seconds for entry, and then re-locks those same doors. Caribou can also brute-force any customized security PIN used with the system.

If you have a cardkey access system, or any other security system that is accessible on the Internet, check out the important tips on the Safeguarding your Homeowners Association and Common Areas page.

Credit is given to fellow security researcher Michael Gough, who identified the initial vulnerabilities in the cardkey systems. Both security researchers are actively engaged with US-CERT and the manufacturers to improve the security of the products and provide better documentation and instructions to system installers.

Caribou is a proof-of-concept and is not available to the public.

Check out Michael Gough's security blog at for more great security news and information.