
Researcher demonstrates biometric data theft from smart lock with droplock hack


Biometric smart locks used in internet of things deployments can be hacked through their wireless connectivity capabilities, according to a new paper from a researcher with James Cook University in Singapore.

‘IoT Droplocks: Wireless fingerprint theft using hacked smart locks’ has been accepted for publication in the 2022 IEEE International Conference on Internet of Things (iThings). The paper describes a proof-of-concept device built to connect to the smart lock through Wi-Fi. The attacker then checks for an exposed debug interface through which to edit the lock’s firmware so that it collects fingerprint biometric data and uploads it to the proof-of-concept device. If the interface is not exposed, the firmware can be accessed by running an exploit, according to the research.

If the attacker has physical access to the lock, it can be disassembled and wired into the attack device using its fingerprint chip debugging pads.

Many smart locks store biometric data on drives that are not encrypted and hardened like the secure enclaves used in smartphones and tablets. Further, the researcher started from the perspective that commercial-off-the-shelf biometric locks are in many cases built with cheap IoT components.

Because of this, an attacker with the receiving device within Bluetooth range could capture fingerprints from the device when it is used by an authorized user.

That biometric data could then be input into another authentication system in a presentation attack.

The attack is not scalable or particularly fast, taking approximately 27 seconds according to the paper, so it would be more effective against specific valued targets than as a means of stealing many people’s biometrics from different locks.

The researcher recommends disabling the debug function in biometric smart locks, using PKI-signed firmware updates, reducing the portability of the fingerprint templates these locks collect, and increasing user awareness. Perhaps most importantly, a standardized method for users to verify the origin and integrity of the device’s firmware could mitigate such an attack.

The popularity of biometric smart locks was demonstrated earlier this year by a Kickstarter campaign that blew past ten times its stated crowdfunding goal, largely by selling pre-orders of video smart locks.
