USB authenticated deadbolt lock

posted Oct 22nd 2008 7:27am by Caleb Kraft
filed under: daily, security hacks

The Makers local 256 sent us this USB authenticated deadbolt prject. For roughly $60 these guys built an authentication system that reads the serial number off of the chip in a USB storage device. The actual content on the memory in the USB device is not used at all. They are using a Freeduino board to control its behavior. It has a magnetic sensor that keeps it from initiating the lock when the door is open. They mention that they are using Transparent Aluminum as an enclosure, we assume they mean the Star Trek variety, not Aluminium oxynitride. Be sure to check out the video after the break.

Also, we received a security certificate warning when going to their wiki. Everything seems fine, just didn’t want you guys to be scared away.

Comments [28]

tagged: deadbolt, entry, freeduino, lock

Reader Comments

The security certificate “warning” is because they’re using CAcert.org on their site.

Posted at 7:31 am on Oct 22nd, 2008 by brimstone

transparent aluminum… nice… kind of like my platinum tupperware.

I like the idea, but the housing is gargantuan. Is that an RC servo activating the lock? What happens if I lose my USB key?

Posted at 8:04 am on Oct 22nd, 2008 by roooooman

Same thing that happens if you lose your metal key, you find a window. Granted it’s hard to make a spare USB key with the same serial…

Posted at 8:07 am on Oct 22nd, 2008 by supernova_hq

Duh. Press the manual override button. :P

Posted at 8:09 am on Oct 22nd, 2008 by Sara

Oh my gosh that’s a pretty neat hack. Nice mullet as well!

Posted at 8:19 am on Oct 22nd, 2008 by spangaroo

Nice! Very interesting idea at the very least. I also found out these guys are local to my area.

Posted at 8:20 am on Oct 22nd, 2008 by CodeDrunk

I love this. I didn’t see anything about what Freeduino board they were using. Am I just blind.

Posted at 8:28 am on Oct 22nd, 2008 by CrazyRabbit

@ crazyrabbit: It looks like a regular Diecimila.

@ codedrunk: Looks like both of you are local to me also.

Posted at 8:58 am on Oct 22nd, 2008 by Dok

Reading the serial number is a neat trick but having an encrypted file in memory would make more sense. How else do you make copies of your “key” without reprogramming the IVR?

Posted at 10:21 am on Oct 22nd, 2008 by rivetgeek

@ spangaroo: thats not just a nice mullet man thats one sweet mullet!

Posted at 10:42 am on Oct 22nd, 2008 by kyle

>How else do you make copies of your “key”

maybe with avrusb? in theory you cant implement mass storage with low speed usb profile, but I suspect the lock is too stupid to notice

btw the lock is a WHOLE PC, so not to revolutionary :(

Posted at 11:04 am on Oct 22nd, 2008 by rasz

posted at 10:21 am on oct 22nd, 2008 by rivetgeek: “reading the serial number is a neat trick but having an encrypted file in memory would make more sense. how else do you make copies of your “key” without reprogramming the ivr?”

You probably can do better: having the computer respond to several different serial numbers (USB devices). You let each person with clearance provide their own device and train the computer to answer to that specific device. You can then log who opened the door when by the serial # used. And if you lose the USB device, have the computer “ban” that one and set you with a new one.

Posted at 11:09 am on Oct 22nd, 2008 by Chacal

theses guys are dumbs !!!

OK, i explain myself :
first of all, there is apparently no certainty that an USB ID is unique.

Every USB HOST can save IDs of its “slaves” (USB keys for example). If you use you “key” for other stuff, like basic file transferring on my linux, i can save your ID (and so your key).

This USB HOST can be a linux. Linux can easyly switch between different USB modes. Plug this linux to your door, and with a piece of code, it will try all the IDs it knows.

I can also implement a brute force attack.

You can make an analogy with network authentication by MAC adresses, this is EXACTLY the same.

One word to conclude :

STUPID

Posted at 11:24 am on Oct 22nd, 2008 by chester

@rivetgeek: Even if the file is encrypted, it can still be copied and moved to another flash drive. If someone were to steal the encrypted file, they would never have to decrypt it to make a working copy of the key.

This design uses the iSerial information of the device instead of media contents to avoid easy key duplication.

@rasz is right though, this implementation does require a server to run. Gives me some good improvement ideas for a serverless version.

~Omegix (Rocking the Mullet)

Posted at 11:25 am on Oct 22nd, 2008 by Omegix

Actually chacal, that is exactly how it works. The idea is that if you lose your key, you reregister a new drive. It allows for easy logging as you mentioned but by using a normal computer to drive the system you can tie in many other applications such as remote entry through the phone or over the internet.

Posted at 11:27 am on Oct 22nd, 2008 by Gregabyte

@chester: There are ways around every security system. What this is is a cheap keyless system for hackers and makers that they can build themselves from what is essentially junk laying around their shop. Wouldn’t it be easier to just to pick the lock rather than going to the trouble of stealing someone’s key and then trying to open the door by standing outside with your laptop? Or better yet standing outside for how ever long it takes to brute force the thing? An even easier method would be to just kick the door down or break the window.

My point is this, there is no such thing as perfect security. You can only make it not worth a person’s time to try to break in.

Posted at 11:39 am on Oct 22nd, 2008 by Gregabyte

@Gregabyte

I’m not agree with you:

I can code this in a microcontroller such as Microchip PIC’s one. It would look like an USB key, but it’ll just brute forcing your door.

One rule in security: don’t use the low-level layers to secure something. Using usb ids is like securing your wifi network by filtering mac adresses: Just dumb.

Posted at 11:50 am on Oct 22nd, 2008 by chester

@codedrunk
@Dok

*Sigh* I guess I’ll join the club too.
Must be something in the water down here.

Posted at 11:53 am on Oct 22nd, 2008 by byohazrd

ok somebody call 4chan, they let chester out again.

Posted at 12:04 pm on Oct 22nd, 2008 by dok

@dok
@byohazrd

Glad to know there are more of us! ;)

Posted at 12:15 pm on Oct 22nd, 2008 by CodeDrunk

Chester,
That sounds like a challenge. Program a PIC with microchip’s mass storage firmware and ‘emulate’ the serial for a known working usb drive. Don’t have to build the lock, just see if the script can be fooled… (which it probably can)

Though, I can’t remember if microchip’s firmware allow you to specify a serial or not.. (guess I’ll have to check)

Posted at 12:21 pm on Oct 22nd, 2008 by medix

What if the power goes out? I would defiantly have a back up power supply.

Posted at 1:31 pm on Oct 22nd, 2008 by kurf

no wireless. less space than a nomad. lame.

Posted at 2:23 pm on Oct 22nd, 2008 by Daniel J. Pritchett

Am I the only one to notice that they’re not actually checking the serial number on the microcontroller?

They do that with the laptop, then output a character via the serial port to get the microcontroller to move the servo.

Lame…

Posted at 2:29 pm on Oct 22nd, 2008 by X-Cubed

COME SEE US FOR 2600 Meetings in HUNTSVILLE< WE HAVE MORE TOYS AND LOVE TO SHARE!

Posted at 2:40 pm on Oct 23rd, 2008 by Temporalwar

C4 will open just about any door…tards! :-D

Posted at 11:39 am on Oct 24th, 2008 by BillyBob

To the detractors of using a PC:
I think a lot of people are looking at this as if it was a marketing proposal. These guys aren’t trying to sell this, they’re just showing you that it can be done. I also rather like the potential that it shows, too. You could easily involve a webcam for monitoring all attempts and seeing if people are allowing unauthorized visitors through.
Yes, there are failings, but I don’t think any of them couldn’t be overcome if these guys decided to take that next step toward commercial applications. Great project.

Posted at 12:21 pm on Oct 24th, 2008 by linoth

This would be cooler if the microcontroller board could handle the USB key registration, and read plus the lock unlock. i.e. no pc was used

Posted at 2:27 pm on Oct 28th, 2008 by busstopgangsta

USB authenticated deadbolt lock

Recent Posts

Reader Comments

Leave a Reply

hacks

resources

rss newsfeeds

Most Commented On (30 days)

Recent Comments