Tuesday, August 8, 2017

BHUSA17: Breaking Electronic Door Locks Like You're on CSI: Cyber

Colin O'Flynn  |  CEO/CTO, NewAE Technology, Inc. – won’t be focusing on “evil maid” problems or commercial locks, just residential. Yes, sometimes it’s easier to just knock down the door – but that’s not this talk. Looked at high security locks (for safes and residential) – high security are $300-$1000, residential are $100-$300.  Inside a keypad, there really isn’t a lot of electronics. From the front side of the lock, it’s hard to do any attacks to the back side.

With residential locks he can sometimes send messages to the back. For vendor A, there’s an easy method to add a new access code. There’s a way to turn that off, but how many people do?  Vendor B did not have this special bypass, but attackers can easily find the existing codes. The lock contained a Zwave radio for IoT, there’s a siren for the alarm (and a transformer to make it loud) and a motor driver. The researcher did not look into the Z-Wave attack vectors, just physical attacks. There is an accelerometer that can detect various levels of tampering. It will also alarm if you enter too many wrong PINs.  So, brute force is not a good plan.

The Vendor B lock has a front panel, so you can use a key or a screwdriver to lift off the front panel. Vendor A’s lock was not susceptible to the same attack. The issue with this attack vector, it would be difficult to replace the panel w/out being detected. There is a cable to send messages to the backend – you can send guesses! No timeout on the backend.  The front end has timers for how often you can put in PINS, no suck protection on the backend.  There is power to the lock – if you short out the power, the alarm will reset the code and disable the alarm.

We were treated to a live demo of the attack.

He built an attack modules – which can do a little over 120 tries/min. Searches 4-digit key space in ~85 minutes. It’s a pretty simple countdown from 9999, does 3 tries then resets lock to continue to try (and thus avoid the alarm).   Think you can set a 6 digit code to prevent this? Think again – once you find the correct first 4 digits, instead of giving you an error or an “okay” it gives you a delay, as it waits for the last 2 digits. Then you only have to brute force the final two.

Fixes: a timeout after wrong guesses, power-on delay, add circuitry to fix in the field.

Future work: look at Z-Wave, power analysis and a variety of other attacks.

Vendors have been very useful on working on a fix, and even doing overall security improvements.  You can check your lock at home by testing if the 30 second bad PIN happens if you reset the power (w/battery disconnect).