USB Authenticated Deadbolt Lock

The Makers local 256 sent us this USB authenticated deadbolt project. For roughly $60 these guys built an authentication system that reads the serial number off of the chip in a USB storage device. The actual content on the memory in the USB device is not used at all. They are using a Freeduino board to control the lock's behavior. It has a magnetic sensor that keeps it from initiating the lock when the door is open. They mention that they are using Transparent Aluminum as an enclosure; we assume they mean the Star Trek variety, not aluminium oxynitride. Be sure to check out the video after the break.

[youtube=http://www.youtube.com/watch?v=JKTXRlaXLDQ]

Also, we received a security certificate warning when going to their wiki. Everything seems fine, just didn’t want you guys to be scared away.

29 thoughts on “USB Authenticated Deadbolt Lock”

  1. transparent aluminum… nice… kind of like my platinum tupperware.

    I like the idea, but the housing is gargantuan. Is that an RC servo activating the lock? What happens if I lose my USB key?

  2. Reading the serial number is a neat trick but having an encrypted file in memory would make more sense. How else do you make copies of your “key” without reprogramming the IVR?

  3. >How else do you make copies of your “key”

    maybe with avrusb? in theory you can't implement mass storage with low speed usb profile, but I suspect the lock is too stupid to notice

    btw the lock is a WHOLE PC, so not too revolutionary :(

  4. posted at 10:21 am on oct 22nd, 2008 by rivetgeek: “reading the serial number is a neat trick but having an encrypted file in memory would make more sense. how else do you make copies of your “key” without reprogramming the ivr?”

    You probably can do better: having the computer respond to several different serial numbers (USB devices). You let each person with clearance provide their own device and train the computer to answer to that specific device. You can then log who opened the door when by the serial # used. And if you lose the USB device, have the computer “ban” that one and set you with a new one.

  5. these guys are dumb !!!

    OK, I'll explain myself:
    first of all, there is apparently no certainty that a USB ID is unique.

    Every USB HOST can save IDs of its “slaves” (USB keys for example). If you use your “key” for other stuff, like basic file transferring on my linux, I can save your ID (and so your key).

    This USB HOST can be a linux. Linux can easily switch between different USB modes. Plug this linux to your door, and with a piece of code, it will try all the IDs it knows.

    I can also implement a brute force attack.

    You can make an analogy with network authentication by MAC addresses, this is EXACTLY the same.

    One word to conclude :

    STUPID

  6. @rivetgeek: Even if the file is encrypted, it can still be copied and moved to another flash drive. If someone were to steal the encrypted file, they would never have to decrypt it to make a working copy of the key.

    This design uses the iSerial information of the device instead of media contents to avoid easy key duplication.

    @rasz is right though, this implementation does require a server to run. Gives me some good improvement ideas for a serverless version.

    ~Omegix (Rocking the Mullet)

  7. Actually chacal, that is exactly how it works. The idea is that if you lose your key, you reregister a new drive. It allows for easy logging as you mentioned but by using a normal computer to drive the system you can tie in many other applications such as remote entry through the phone or over the internet.

  8. @chester: There are ways around every security system. What this is is a cheap keyless system for hackers and makers that they can build themselves from what is essentially junk laying around their shop. Wouldn’t it be easier to just pick the lock rather than going to the trouble of stealing someone’s key and then trying to open the door by standing outside with your laptop? Or better yet standing outside for however long it takes to brute force the thing? An even easier method would be to just kick the door down or break the window.

    My point is this, there is no such thing as perfect security. You can only make it not worth a person’s time to try to break in.

  9. @Gregabyte

    I don’t agree with you:

    I can code this in a microcontroller such as a Microchip PIC. It would look like a USB key, but it’ll just be brute forcing your door.

    One rule in security: don’t use the low-level layers to secure something. Using usb ids is like securing your wifi network by filtering mac addresses: Just dumb.

  10. Chester,
    That sounds like a challenge. Program a PIC with microchip’s mass storage firmware and ’emulate’ the serial for a known working usb drive. Don’t have to build the lock, just see if the script can be fooled… (which it probably can)

    Though, I can’t remember if microchip’s firmware allows you to specify a serial or not.. (guess I’ll have to check)

  11. Am I the only one to notice that they’re not actually checking the serial number on the microcontroller?

    They do that with the laptop, then output a character via the serial port to get the microcontroller to move the servo.

    Lame…

  12. To the detractors of using a PC:
    I think a lot of people are looking at this as if it was a marketing proposal. These guys aren’t trying to sell this, they’re just showing you that it can be done. I also rather like the potential that it shows, too. You could easily involve a webcam for monitoring all attempts and seeing if people are allowing unauthorized visitors through.
    Yes, there are failings, but I don’t think any of them couldn’t be overcome if these guys decided to take that next step toward commercial applications. Great project.
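
The multi-device scheme that comments 4 and 7 describe (one registered serial per person, a ban for a lost drive, a log of who opened the door), sketched as an added example that is not the Makers Local 256 code; the class, constants, lockout policy and serial strings are assumptions. The lockout addresses the guessing concern raised in the thread by refusing every device for a while after repeated unknown or banned serials.

```python
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3        # assumed policy: rejected serials tolerated before lockout
LOCKOUT_SECONDS = 300   # assumed policy: how long every device is then refused

@dataclass
class KeyRegistry:
    owners: dict = field(default_factory=dict)   # serial -> owner name
    revoked: set = field(default_factory=set)    # serials reported lost
    audit: list = field(default_factory=list)    # (timestamp, serial, owner, result)
    failures: int = 0
    locked_until: float = 0.0

    def register(self, serial, owner):
        self.owners[serial] = owner
        self.revoked.discard(serial)

    def revoke(self, serial):
        # Keep the owner mapping so later use of a lost key is still attributed.
        self.revoked.add(serial)

    def check(self, serial, now=None):
        """Return True only if the deadbolt may be driven for this serial."""
        now = time.time() if now is None else now
        owner = self.owners.get(serial)
        if now < self.locked_until:
            result = "locked_out"      # valid keys are refused too, or guessing is not slowed
        elif owner is None:
            result = "unknown"
        elif serial in self.revoked:
            result = "revoked"
        else:
            result = "granted"
        if result == "granted":
            self.failures = 0
        elif result != "locked_out":
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
        self.audit.append((now, serial, owner, result))
        return result == "granted"

def demo():
    reg = KeyRegistry()                      # serials below are constructed samples
    reg.register("AA1100000001", "alice")
    reg.revoke("AA1100000001")               # alice reports her drive lost
    return reg.check("AA1100000001", now=0.0), reg.audit[-1][3]
```

The serial is an identifier rather than a secret, so the audit trail records which registered device was presented, not proof of who held it.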
