Electronic lockers in hotels & co. hacked - difficult to remedy

Security researchers have discovered vulnerabilities in public electronic lockers. They can be unlocked and sensitive data stolen.


Braelynn and Dennis Giese demonstrated live at Def Con 32 how easily unauthorized persons can unlock electronic locks.

(Image: Uli Ries)

By Uli Ries

Two hardware hackers have tested various locks from Schulte-Schlagbaum AG (SAG), a popular manufacturer in Europe, and Digilock, a widely used provider in the USA, for vulnerabilities. All of the locks tested work offline and date from 2014 to 2023. They can be found in gyms, hospitals, banks, hotels and libraries, among other places.

They presented the results at the Def Con 32 hacker conference. The locks are comparatively easy to pick. In an interview with heise security, Dennis Giese emphasized that this is not a problem limited to Digilock and SAG, but also affects other manufacturers.


This is all the more serious because the vulnerabilities found may be difficult to eliminate. If a manufacturer provides a firmware update at all - as Digilock plans to do in response to the hacks - every lock would have to be unscrewed, connected to a programming device and loaded with new software.

Examples of cracked electronic locks that are used in lockers in public facilities, among other things.

(Image: Braelynn & Dennis Giese)

For the time being, therefore, no one should store secrets in such a locker. Giese also advises against locking away smartphones, laptops, tablets or payment cards whose PIN matches that of the lock. In order to minimize the risk for users of such lockers, the security researchers have deliberately not published all the details of their hacks.

According to the researchers, they used various methods to try to read the respective firmware in order to find the vulnerabilities. In the case of the Digilock locks, this was possible directly, as neither the EEPROM nor the code memory was protected against readout. Where the hackers encountered a partially protected firmware, they used a dumper specially adapted to the respective model.

Ultimately, however, the researchers did not need the firmware at all, as the read-out EEPROM memory contained all the data that would allow them to unlock any lock without authorization. Above all, this included the ID of the "manager key". This key comes in the form of a hardware token and is used by the owner of the locker installation to open any lock or to assign it a new PIN code.

Burglary tool: A screwdriver, a debugger and a Flipper Zero or Arduino are all you need to break into the Digilock locks tested.

(Image: Braelynn & Dennis Giese)

The memory also contains the currently set user PIN or RFID UID. In the interview, Giese points out that each facility with such lockers has its own manager keys and IDs. A universal, cross-location attack is therefore not possible. However, according to Giese, once an ID has been read, it can be easily emulated using a Flipper Zero or Arduino.

In practice, however, potential attackers need access to an unlocked compartment whose lock they can open with a screwdriver. There was no physical protection against tampering in any of the locks examined.

By plugging the debugger into the respective boards inside the lock, they can read out the ID. The attackers then write the ID to the Flipper Zero and open all other lockers - without having to change the victim's PIN, so that the opening goes unnoticed. Since attackers can also change the log data stored in the lock's memory at will, the unauthorized opening would not even be noticed by the owner of the lockers, the researchers explain.

SAG also dispenses with any protection of the EEPROMs or the board. The read-out memory then contains the master key in the form of a PIN or RFID unique ID, which is valid for all locks in the respective facility.

A particularly sensitive aspect: SAG's locks are compatible with Mifare Classic and DESFire smart cards, which are also used for door access systems, for example. If a facility uses these cards, hackers can find the unique IDs of previously read cards in the lock's logs, among other places. According to Giese, this is sufficient to clone a card and thus gain access to other parts of the building, depending on the configuration of the overall system.

The hackers' presentation was briefly put on hold because Digilock tried to prevent it by issuing a cease-and-desist letter. However, the researchers were able to negotiate a compromise with the help of the Electronic Frontier Foundation: they refrained from demonstrating the attack in detail on stage and only showed how to unlock the device, but not how to read out the necessary data.

(emw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.