This year at Black Hat I’m presenting some short work on breaking electronic door locks. This talk focuses on one particular residential door lock. There was a bit of a flaw in the design, where the front panel/keypad can be removed from the outside.
Once the keypad is off, you have access to a connector that goes into the rear side of the device. You can then make a cool “brute force” board, which was basically the point of this presentation. Finally you can have something that looks like your movie electronic lock hacking mechanism, completed with 7-segment LED displays:
This little device does the following:
- Emulates the front-panel keyboard.
- Sends a number of guesses into the lock in quick succession.
- Resets the backend lock to bypass the timeout mechanism when too many wrong guesses are put in.
The last part of the attack is the one that makes this a “vaguely useful” attack. The reset process is a little slow, but fast enough you could brute-force the 4-digit code in about 85 mins.
If you wanted to replace the external keyboard (so the owner didn’t know you were playing with it), it’s potentially possible but it requires very good conditions at best (i.e., good lighting, good angle, proper tools). For my demos I’ve added some restraints around the connector to make it more stationary such I can replace the keyboard without these tools.
As you can image, any “real” attacker is likely to use existing entry methods (bypass door, drill lock, kick down etc) instead of this slow/exotic attack. Despite this low risk the vendor is working on a fix. It sounds to be a VERY robust fix too, this isn’t a small change to stop only my specific board/attack either.
Hopefully this talk helps show various design teams about where people might be probing their products. Sometimes it’s just a little change in perspective is all it takes. Design engineers are often in the mindset of “design within given parameters”, but attackers are going to be looking outside of those design specs for weaknesses. Once you give the design engineer the perspective of considering the front-panel removable & a hostile environment for example, they may come up with all sorts of other attacks I didn’t think of (and thus will improve the products to prevent this).
Ultimately I think it will help consumers win, since they can be more confident that important products (such as these electronic locks) are at least as strong as an old mechanical lock.
10 thoughts on “Breaking Electronic Door Locks Like You’re on CSI: Cyber – Black Hat 2017 Talk”