Researcher demonstrates biometric data theft from smart lock with droplock hack
Biometric smart locks used in internet of things deployments can be hacked through their wireless connectivity capabilities, according to a new paper from a researcher with James Cook University in Singapore.
‘IoT Droplocks: Wireless fingerprint theft using hacked smart locks’ has been accepted for publication in the 2022 IEEE International Conference on Internet of Things (iThings). The paper describes a proof-of-concept device built to connect to the smart lock through Wi-Fi. The attacker then checks for an exposed debug interface, through which the lock’s firmware can be edited to collect fingerprint biometric data and upload it to the proof-of-concept device. If the interface is not exposed, the firmware can be accessed by running an exploit, according to the research.
If the attacker has physical access to the lock, it can be disassembled and wired into the attack device using its fingerprint chip debugging pads.
Many smart locks store biometric data on drives that are not encrypted and hardened the way the secure enclaves used in smartphones and tablets are. The researcher also started from the premise that commercial off-the-shelf biometric locks are in many cases built with cheap IoT components.
Because of this, an attacker with the receiving device within Bluetooth range could capture fingerprints from the lock when it is used by an authorized user.
That biometric data could then be input into another authentication system in a presentation attack.
The attack is not scalable or particularly fast, taking approximately 27 seconds according to the paper, so it would be more effective against specific valued targets than as a means of stealing many people’s biometrics from different locks.
The researcher recommends disabling the debug function in biometric smart locks, using PKI-signed firmware updates, reducing the portability of the fingerprint templates these locks collect, and increasing user awareness. Perhaps most importantly, a standardized method for users to verify the origin and integrity of the device’s firmware could mitigate such an attack.
The popularity of biometric smart locks was demonstrated earlier this year by a Kickstarter campaign that blew past ten times its stated crowdfunding goal, largely by selling pre-orders of video smart locks.