FB pixel

Researcher demonstrates biometric data theft from smart lock with droplock hack

Researcher demonstrates biometric data theft from smart lock with droplock hack
 

Biometric smart locks used in internet of things deployments can be hacked through their wireless connectivity capabilities, according to a new paper from a researcher with James Cook University in Singapore.

IoT Droplocks: Wireless fingerprint theft using hacked smart locks’ has been accepted for publication in the 2022 IEEE International Conference on Internet of Things (iThings). The paper describes a proof-of-concept device built to connect to the smart lock through Wi-Fi. The attacker then checks for an exposed debug interface to edit the lock’s firmware to collect and upload fingerprint biometric data to the proof-of-concept device. If the interface is not exposed, the firmware can be accessed by running an exploit, according to the research.

If the attacker has physical access to the lock, it can be disassembled and wired into the attack device using its fingerprint chip debugging pads.

Many smart locks store biometric data on drives that are not encrypted and hardened like the secure enclaves used in smartphones and tablets. Further, the researcher started from the perspective of commercial-off-the-shelf biometric locks in many cases being built with cheap IoT components.

Because of this, an attacker with the receiving device within Bluetooth range could capture fingerprints from the device when it is used by an authorized user.

That biometric data could then be input into another authentication system in a presentation attack.

The attack is not scalable or particularly fast, taking approximately 27 seconds according to the paper, so it would be more effective against specific valued targets than as a means of stealing many people’s biometrics from different locks.

The researcher recommends disabling debug function in biometric smart locks, using PKI-signed firmware updates, reducing the portability of the fingerprint templates these locks collect, increasing user awareness. Perhaps most importantly, a standardized method for users to verify the origin and integrity of the device’s firmware could mitigate such an attack.

The popularity of biometric smart locks was demonstrated earlier this year by a Kickstarter campaign that blew past ten times its stated crowdfunding goal, largely by selling pre-orders of video smart locks.

Article Topics

 |   |   |   |   |   |   | 

Latest Biometrics News

 

Secure Technology Alliance launches template for using mobile driver’s licenses

Get used to the idea of your phone as your driver’s license. The ecosystem for mobile driver’s licenses (mDLs) continues…

 

Biometric identity verification launches and deals show diversity of approaches

The biometric identity verification market covers a wide variety of sectors and use cases, but the breadth is not just…

 

Decentralized digital identity is spreading as fresh use cases emerge

A recent post on Forrester’s website, written by VP and Principal Analyst Andras Cser, dips into how travel and mobile…

 

Cameroon building Digital Transformation Center to manage digital consular services

As part of a process launched last year by the government of Cameroon to modernize its consular services including the…

 

UK digital visas to fully replace physical immigration documents by 2025

In the UK, the Home Office has announced that it will invite those with physical immigration documents to create a…

 

iBeta biometric PAD evaluations grow in global prominence

Compliance with biometric presentation attack detection standards has become table stakes for numerous applications of face biometrics in particular, and…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read From This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events