66% or better

USB authenticated deadbolt lock

The Makers local 256 sent us this USB authenticated deadbolt prject. For roughly $60 these guys built an authentication system that reads the serial number off of the chip in a USB storage device.  The actual content on the memory in the USB device is not used at all. They are using a Freeduino board to control its behavior. It has a magnetic sensor that keeps it from initiating the lock when the door is open.  They mention that they are using Transparent Aluminum as an enclosure, we assume they mean the Star Trek variety, not Aluminium oxynitride. Be sure to check out the video after the break.

Also, we received a security certificate warning when going to their wiki. Everything seems fine, just didn’t want you guys to be scared away.

Comments

  1. brimstone says:

    The security certificate “warning” is because they’re using CAcert.org on their site.

  2. roooooman says:

    transparent aluminum… nice… kind of like my platinum tupperware.

    I like the idea, but the housing is gargantuan. Is that an RC servo activating the lock? What happens if I lose my USB key?

  3. supernova_hq says:

    Same thing that happens if you lose your metal key, you find a window. Granted it’s hard to make a spare USB key with the same serial…

  4. Sara says:

    Duh. Press the manual override button. :P

  5. spangaroo says:

    Oh my gosh that’s a pretty neat hack. Nice mullet as well!

  6. CodeDrunk says:

    Nice! Very interesting idea at the very least. I also found out these guys are local to my area.

  7. CrazyRabbit says:

    I love this. I didn’t see anything about what Freeduino board they were using. Am I just blind.

  8. Dok says:

    @ crazyrabbit: It looks like a regular Diecimila.

    @ codedrunk: Looks like both of you are local to me also.

  9. rivetgeek says:

    Reading the serial number is a neat trick but having an encrypted file in memory would make more sense. How else do you make copies of your “key” without reprogramming the IVR?

  10. kyle says:

    @ spangaroo: thats not just a nice mullet man thats one sweet mullet!

  11. rasz says:

    >How else do you make copies of your “key”

    maybe with avrusb? in theory you cant implement mass storage with low speed usb profile, but I suspect the lock is too stupid to notice

    btw the lock is a WHOLE PC, so not to revolutionary :(

  12. Chacal says:

    posted at 10:21 am on oct 22nd, 2008 by rivetgeek: “reading the serial number is a neat trick but having an encrypted file in memory would make more sense. how else do you make copies of your “key” without reprogramming the ivr?”

    You probably can do better: having the computer respond to several different serial numbers (USB devices). You let each person with clearance provide their own device and train the computer to answer to that specific device. You can then log who opened the door when by the serial # used. And if you lose the USB device, have the computer “ban” that one and set you with a new one.

  13. chester says:

    theses guys are dumbs !!!

    OK, i explain myself :
    first of all, there is apparently no certainty that an USB ID is unique.

    Every USB HOST can save IDs of its “slaves” (USB keys for example). If you use you “key” for other stuff, like basic file transferring on my linux, i can save your ID (and so your key).

    This USB HOST can be a linux. Linux can easyly switch between different USB modes. Plug this linux to your door, and with a piece of code, it will try all the IDs it knows.

    I can also implement a brute force attack.

    You can make an analogy with network authentication by MAC adresses, this is EXACTLY the same.

    One word to conclude :

    STUPID

  14. Omegix says:

    @rivetgeek: Even if the file is encrypted, it can still be copied and moved to another flash drive. If someone were to steal the encrypted file, they would never have to decrypt it to make a working copy of the key.

    This design uses the iSerial information of the device instead of media contents to avoid easy key duplication.

    @rasz is right though, this implementation does require a server to run. Gives me some good improvement ideas for a serverless version.

    ~Omegix (Rocking the Mullet)

  15. Gregabyte says:

    Actually chacal, that is exactly how it works. The idea is that if you lose your key, you reregister a new drive. It allows for easy logging as you mentioned but by using a normal computer to drive the system you can tie in many other applications such as remote entry through the phone or over the internet.

  16. Gregabyte says:

    @chester: There are ways around every security system. What this is is a cheap keyless system for hackers and makers that they can build themselves from what is essentially junk laying around their shop. Wouldn’t it be easier to just to pick the lock rather than going to the trouble of stealing someone’s key and then trying to open the door by standing outside with your laptop? Or better yet standing outside for how ever long it takes to brute force the thing? An even easier method would be to just kick the door down or break the window.

    My point is this, there is no such thing as perfect security. You can only make it not worth a person’s time to try to break in.

  17. chester says:

    @Gregabyte

    I’m not agree with you:

    I can code this in a microcontroller such as Microchip PIC’s one. It would look like an USB key, but it’ll just brute forcing your door.

    One rule in security: don’t use the low-level layers to secure something. Using usb ids is like securing your wifi network by filtering mac adresses: Just dumb.

  18. byohazrd says:

    @codedrunk
    @Dok

    *Sigh* I guess I’ll join the club too.
    Must be something in the water down here.

  19. dok says:

    ok somebody call 4chan, they let chester out again.

  20. CodeDrunk says:

    @dok
    @byohazrd

    Glad to know there are more of us! ;)

  21. medix says:

    Chester,
    That sounds like a challenge. Program a PIC with microchip’s mass storage firmware and ‘emulate’ the serial for a known working usb drive. Don’t have to build the lock, just see if the script can be fooled… (which it probably can)

    Though, I can’t remember if microchip’s firmware allow you to specify a serial or not.. (guess I’ll have to check)

  22. kurf says:

    What if the power goes out? I would defiantly have a back up power supply.

  23. no wireless. less space than a nomad. lame.

  24. X-Cubed says:

    Am I the only one to notice that they’re not actually checking the serial number on the microcontroller?

    They do that with the laptop, then output a character via the serial port to get the microcontroller to move the servo.

    Lame…

  25. Temporalwar says:

    COME SEE US FOR 2600 Meetings in HUNTSVILLE< WE HAVE MORE TOYS AND LOVE TO SHARE!

  26. BillyBob says:

    C4 will open just about any door…tards! :-D

  27. linoth says:

    To the detractors of using a PC:
    I think a lot of people are looking at this as if it was a marketing proposal. These guys aren’t trying to sell this, they’re just showing you that it can be done. I also rather like the potential that it shows, too. You could easily involve a webcam for monitoring all attempts and seeing if people are allowing unauthorized visitors through.
    Yes, there are failings, but I don’t think any of them couldn’t be overcome if these guys decided to take that next step toward commercial applications. Great project.

  28. busstopgangsta says:

    This would be cooler if the microcontroller board could handle the USB key registration, and read plus the lock unlock. i.e. no pc was used

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s