Black Hat 2017 – Hacking the electronic locks to open the doors could be easy

Pierluigi Paganini August 08, 2017

Many times we have seen in movies hackers and spies breaking electronic locks with any kind of electrical equipment. Is it possible?

Many times, we have seen in movies hackers and spies breaking electronic locks with any kind of electrical equipment.

A pocket device that in a few seconds is able to try all the possible combination and find the correct one to open the door.

At Black Hat 2017 hacker conference, the expert Colin O’Flynn presented an interesting report on breaking electronic door locks.

O’Flynn focused his analysis on two samples of home electronic locks and he found the first model vulnerable to so-called Evil Maid attacks. The attacker needs the physical access to the lock’s internal component to add their own code to open the door whenever he needs.

The curious thing is that step-by-step instructions on how to add the code are reported right inside the battery compartment.

electronic locks attack

The expert noticed that the systems lack of authentication to enter the code, no user code or master code is requested.

The second model is vulnerable to a different attack from the outside. The outer part of the lock contains a module with a touch-screen for entering a PIN code that can be easily extracted by the attacker with a common knife to access the connector.

O’Flynn analyzed the way the external and internal components the lock interact and devised a device that appears exactly like the one used by hackers in the movie.

After studying how the external and internal parts of the lock interact,

The device could be used to brute-force the combination by directly connecting it to the connector. The attack works because there is no authentication in place to check with component communicates with the connector.

electronic locks hacking

The expert noticed a security measure implemented by the electronic lock manufacturer against brute-force attacks, after more than three incorrect tries the device triggers the alarm.

Nevertheless, O’Flynn discovered that it was possible to reset the counter of the failed-attempts by applying a certain voltage to the external connector’s contacts and causing the system reboot.

O’Flynn created a device that can check toughly 120 codes per minute, trying all possible four-digit PIN combinations for the electronic lock the entire process can take about 85 minutes in the worst case. The experts explained that in most cases, a half-hour to an hour is the time necessary to the hack.

O’Flynn also devised a method to discover the six-digits master code with an improved brute-force attack. Normally to discover a six-digit code it is necessary a week, but the expert noticed that when you enter the first four of six numbers of the master code, the system either shows an error message or waits for the other two numbers to be entered, confirming to the attacker that the first four digits are correct.

This method requires 85 minutes to brute-force the first four numbers of the master code and one minute more for the remaining two numbers. The attacker can then use the master code to reset the access code.

O’Flynn reported the issues to the electronic lock manufacturer, who confirmed that they will be fixed as soon as possible.

Electronic locks are still not totally secure!

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – electronic locks, hacking)

[adrotate banner=”13″]



you might also like

leave a comment