Smart Locks: Dumb Security

Dave Lodge and I presented at the BSides Manchester pre-party, aka ‘beersides’ on the subject of not very smart locks.

Doubtless you’ve already seen our work on the Tapplock over BLE and the API, our hardware work on the Fipilock, and maybe even our smart lock security interview with hardware.io.

However, we’ve been testing lots of smart locks of late, so did a talk about the ludicrous claims made by many lock vendors.

Smart locks often get physical security wrong

This is beyond irony: most non-smart lock vendors have spent years trying to make their products resistant to attack. Closed shackle designs can make it very hard to get bolt cutters in close enough to cut effectively:

Decent hardened steel shackles are also much more difficult to cut:

So why do vendors make such ridiculous claims? Here’s one: a very cheap padlock which we weren’t expecting much of, but it claims ‘Good cutting resistance from bolt cutters’. Why make such a stupid claim? It’s like saying that it’s ‘unhackable’ ?

A few seconds later:

In fairness we were using some 120cm bolt cutters, but a 30cm pair would have done the job. We had a lot of fun at BSides Mcr destroying all sorts of locks, shackles, lock bodies and more with these cutters. We got some very odd looks walking through Manchester city centre with the cutters, including from four police officers who saw them, then started laughing. Normal for Manchester?

The Tapplock fared no better than a £3 regular padlock.

Here’s the claim:

Here’s the result:

More bananas attacks

Many smart lock bodies are made from Zinc alloys for ease. Good, secure padlocks are usually made from hardened steel, primarily because the melting point is ~1100C and they’re difficult to cut.

Zinc alloys such as Zamak 3 have a melting point as low as 3-400C, so one can do this:

A blowtorch played over a Zinc alloy lock will melt it quickly. In this case we had removed the LiPo battery to reduce risk of explosion. 60 seconds was enough to melt the body off the shackle. Had we left the battery in and taken a risk, we suspect it would have exploded after 30 seconds or less.

Missing ‘dead’ pins

Better locks will have a ‘dead’ pin at the end of the barrel, or the end of the barrel will have a blanking plate. This is to prevent a pick being inserted all the way through and potentially releasing the latch.

Here’s a smart lock that didn’t have this feature, so a long ‘hook’ pick could be inserted and the lock could be undone.

Bumping, shimming & percussion

We often find the quality of springs in smart locks is not sufficient. We’ve tested locks that can be bumped by hand, or bumped through a hammer drill with a rotation stop feature and also locks that can be trivially shimmed.

Strong springs and mechanisms, as are found in higher quality non-smart locks, appear to be overlooked by many smart lock manufacturers.

Opening the case & driving the motor

Amazingly, smart lock cases can be trivial to open. Here’s a nokelock (note, this isn’t the remarkably similarly named Noke lock!) with a cross head screw holding it together:

And here’s the Uervoton lock, courtesy of @LockPickingLwyr – complete with top-security Torx screw:

Uervoton’s response was comedy joy:

Yes, it’s unhackable, unless you hack it!

Once inside the nokelock, we could extract the wiring, apply a few volts and drive the unlock motor manually:

Magnet attacks

Hall-effect sensors are often used in smart locks to detect the presence of a key and therefore allow new users to be added.

It is sometimes possible to fool the sensor by placing a small magnet on the lock case. The lock now believes that it’s in a position where new user fingerprints can be enrolled. Fail!

Conclusion

Smart lock vendors would be well advised to ensure that they offer similar or better physical security when compared to a non-smart lock of similar price.

We haven’t touched on smart attacks against smart locks here, but the attack surface is usually significant too: USB, BLE, API etc etc

We are looking forward to receiving a smart lock for testing that we can’t hack with dumb attacks, though several vendors are making good progress.

In the meantime, we’ve Kickstartered this: a Blockchain certified smart padlock. What could possibly go wrong! Watch this space, deliveries are expected in November 2018.