33C3: Breaking IoT Locks

Fast-forward to the end of the talk, and you’ll hear someone in the audience ask [Ray] “Are there any Bluetooth locks that you can recommend?” and he gets to answer “nope, not really.” (If this counts as a spoiler for a talk about the security of three IoT locks at a hacker conference, you need to get out more.)

btle_lockUnlocking a padlock with your cellphone isn’t as crazy as it sounds. The promise of Internet-enabled locks is that they can allow people one-time use or limited access to physical spaces, as easily as sending them an e-mail. Unfortunately, it also opens up additional attack surfaces. Lock making goes from being a skill that involves clever mechanical design and metallurgy, to encryption and secure protocols.

master_jtagIn this fun talk, [Ray] looks at three “IoT” locks. One, he throws out on mechanical grounds once he’s gotten it open — it’s a $100 lock that’s as easily shimmable as that $4 padlock on your gym locker. The other, a Master lock, has a new version of a 2012 vulnerability that [Ray] pointed out to Master: if you move a magnet around the outside the lock, it actuates the motor within, unlocking it. The third, made by Kickstarter company Noke, was at least physically secure, but fell prey to an insecure key exchange protocol.

Along the way, you’ll get some advice on how to quickly and easily audit your own IoT devices. That’s worth the price of admission even if you like your keys made out of metal instead of bits. And one of the more refreshing points, given the hype of some IoT security talks these days, was the nuanced approach that [Ray] took toward what counts as a security problem because it’s exploitable by someone else, rather than vectors that are only “exploitable” by the device’s owner. We like to think of those as customization options.

16 thoughts on “33C3: Breaking IoT Locks

  1. The expression, “locks keep honest people out,” becomes more and more evident as my life marches on. No matter how secure the protocol, no matter how shim-, bump-, and pick-proof the lock is, there are always side-channel attacks like bolt cutters or guns to let the crooks in. The best we can hope for is getting the attention of someone honest when they do.

    1. What about the expression “forced entry”? Don’t know about the US, but in the U.K. It’s a big deal for insurance purposes. Break my lock with a gun or 4×4 or crowbar, or whatever, and there’s plenty of proof, and my insurance is happy. Break it with an IoT vulnerability and I’m gonna have a hard time proving it happened.

      1. But seriously, to rummage through jewelry, consumer electronics, tools, guns, are hackers using sophisticated means to breaking your lock more worrisome than a desperate drug user/petty criminal/bored teenager with a bolt cutter? HaD users seem to be obsessed with IoT insecurity and the imminent dangers they may face, I wonder are they as worried about more realistic threats to their life and property? or do they instead find solace in their ignorance?

  2. LOL Until now I wasn’t aware of commercially available locks that use an app as the key. At the moment entry to my shop is unsecured because I can’t get a contractor out here to give me an estimate as to how much it will cost for someone to do what I no longer can do. My dad’s stubborn poor boy ways are catching up with his family. In that shop there ar old school lockers that can be padlocked. At the moment only hardware in inside them. I’m thinking of moving more expensive tools from the unlockable wood cabinet to the lockers using keyed alike padlocks on them. at best that would secure them from curious and unmotivated trespassers; at worst it would be clue to to actual thieve that something valuable is inside. Given how it’s almost always too bright outside to view a phone screen easily.

  3. I’m still waiting for a viable electronic deadbolt for my garage/shop/cave.

    It isn’t finished yet and so I just have a doorknob on it with no lock. I have already reinforced the (steel) entry door with 4″ screws every 3″ into double studs and I recessed a diy 0.25″ x 24″ steel strike plate into a triple 2×6 jackstud. I am confident entry through this door will not happen without unlocking it.

    However I was hoping to get some kind of bluetooth / NFC thing deadbolt thing. The consumer stuff feels cheap. I have only seen commercial numpad locks come close to what I have in mind. I hate keys. I hate fobs less. Implantable fob is kind of scary but… I don’t really like the idea of using my phone as a key either. So I haven’t found something that works yet. Stainless steel without buttons or penetrations with nfc and numpad would be best… Haven’t seen that yet, seems like it could be had reasonbly at $200. Even potentially cheaper than a regular deadbolt with extra stainless parts. Outbound notification on entry may be ok, but I get that with motion activated camera at the door.. so I don’t see much IoT utility here, but I could be convinced otherwise.

    I am not worried about neck beards breaking into my shop, I am interested in convenience and some nerd factor. My existing building has 2 unlockable doors that have not seen unauthorized entry in the 8 years I’ve lived here. I have always found that strange given their orientation and my neighborhood (petty property crimes abound).

        1. Be sure to check your load ratings as well. Most of those <$200 kits use a 12V-24v magnet, most serious installs use a 48v. I've seen reasonably priced chinese 36v setups as well. A 12v will hold up to about 125 lb pressure, 250lb on a 24v and then things go up quickly from there. Security contractor I spoke with a couple years ago had seen a truck used to attack a door with one of the 48v locks on it. The door was an aluminum and glass getup as is common in retail. It was twisted beyond usability with a small entry at the bottom, but the mag lock held tight throughout (again a 48v rated at about 3/4 ton+ holding power).

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.