According to a new paper from a researcher at James Cook University in Singapore, biometric smart locks used in Internet of Things deployments can be hacked through their wireless connectivity capabilities.
‘IoT Droplocks: wireless fingerprint theft using hacked smart locks’ has been accepted for publication at the 2022 IEEE International Conference on the Internet of Things (iThings). The paper describes a proof-of-concept device designed to connect to the smart lock via Wi-Fi. The attacker then looks for an exposed debug interface through which to modify the lock’s firmware so that it collects biometric fingerprint data and uploads it to the proof-of-concept device. If the interface is not exposed, the firmware can be accessed by running an exploit, according to the research.
If the attacker has physical access to the lock, it can be dismantled and hardwired into the attack device using its fingerprint chip debug pads.
Many smart locks store biometric data on drives that aren’t encrypted and hardened like the secure enclaves used in smartphones and tablets. Furthermore, the researcher started from the perspective of off-the-shelf commercial biometric locks, in many cases built with cheap IoT components.
For this reason, an attacker with the receiving device within Bluetooth range could capture fingerprints as they are presented to the lock by an authorized user.
This biometric data could then be entered into another authentication system during a presentation attack.
The attack is not scalable or particularly fast, taking around 27 seconds according to the article, so it would be more effective against specific targets than as a means of stealing the biometric data of many people from different locks.
The researcher recommends disabling the debugging feature in biometric smart locks, using PKI-signed firmware updates, reducing the portability of the fingerprint patterns these locks collect, and increasing user awareness. Perhaps more importantly, a standardized method for users to verify the origin and integrity of device firmware could mitigate such an attack.
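The signed-firmware check recommended above, as an added example that is not taken from the paper or from any lock vendor: an update is accepted only if its manifest is signed by the vendor key and the image matches the signed hash. The version (anti-rollback) check goes beyond what the article lists, and the manifest layout, file names and throwaway P-256 key are assumptions.

```shell
# Added example: gate a firmware update on origin, integrity and version.
# Manifest layout (version=, sha256=) and all file names are assumptions.

verify_update() {  # args: pubkey manifest signature image installed_version
  # 1. Origin: the manifest must carry a valid signature from the vendor key.
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1 \
    || { echo "reject: bad manifest signature"; return 1; }
  # 2. Integrity: the image must hash to the value the signed manifest names.
  want=$(sed -n 's/^sha256=//p' "$2")
  have=$(openssl dgst -sha256 -r "$4" | cut -d' ' -f1)
  [ -n "$want" ] && [ "$want" = "$have" ] \
    || { echo "reject: image hash mismatch"; return 1; }
  # 3. Anti-rollback: refuse to install a build that is not newer.
  version=$(sed -n 's/^version=//p' "$2")
  case $version in ''|*[!0-9]*) echo "reject: bad version field"; return 1;; esac
  [ "$version" -gt "$5" ] || { echo "reject: rollback to $version"; return 1; }
  echo "accept: version $version"
}

# --- Constructed demo data: throwaway vendor key and a fake firmware image ---
work=$(mktemp -d)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
  -out "$work/vendor.key" 2>/dev/null
openssl pkey -in "$work/vendor.key" -pubout -out "$work/vendor.pub"
printf 'constructed lock firmware v7\n' > "$work/fw.bin"
printf 'version=7\nsha256=%s\n' \
  "$(openssl dgst -sha256 -r "$work/fw.bin" | cut -d' ' -f1)" > "$work/manifest"
openssl dgst -sha256 -sign "$work/vendor.key" \
  -out "$work/manifest.sig" "$work/manifest"

# An image altered after signing, standing in for modified firmware.
cp "$work/fw.bin" "$work/fw_mod.bin"
printf 'extra code' >> "$work/fw_mod.bin"

# Genuine update over installed version 6, altered image, then a rollback.
verify_update "$work/vendor.pub" "$work/manifest" "$work/manifest.sig" \
  "$work/fw.bin" 6
verify_update "$work/vendor.pub" "$work/manifest" "$work/manifest.sig" \
  "$work/fw_mod.bin" 6 || true
verify_update "$work/vendor.pub" "$work/manifest" "$work/manifest.sig" \
  "$work/fw.bin" 7 || true
```

Because the hash and version live inside the signed manifest, editing either one invalidates the signature, so the three checks cannot be bypassed independently.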
The popularity of biometric smart locks was demonstrated earlier this year by a Kickstarter campaign that exceeded its crowdfunding goal by ten times, primarily by selling pre-orders of video smart locks.