Your gym locker could be hacked

Thousands of electronic lockers found in gyms, offices and schools could be vulnerable to attacks by criminals using cheap hacking tools to access administrator passwords, according to new research.

At the Deconfinement Security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys can be extracted from lockers, copied and used to open other lockers at the same location. The researchers focused on various models of electronic locks from two of the world’s largest manufacturers, Digilock and Schulte-Schlagbaum.

In recent years, the researchers, both with experience using lockpicks, have been examining various electronic locks that use numeric keypads, allowing people to set and open them with a PIN. The work comes in the wake of several examples of hotel door locks that have been found to be hackable, vulnerabilities in high-security locks, and commercial safes alleged to have back doors.

For the research, Giese and braelynn bought electronic locks on eBay, acquiring ones that were sold after some gyms closed during the Covid-19 pandemic and those from other failed projects. Giese focused on Digilock, while braelynn focused on Schulte-Schlagbaum. Throughout the research, they looked at older Digilock models dating from 2015 to 2022 and Schulte-Schlagbaum models from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)

Demonstrating how a trained hacker can exploit the security flaws, the researchers say they can disassemble the electronic lock and extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The management key ID can then be copied to a Flipper Zero or a cheap Arduino circuit board and used to open other lockers, Giese says.

“If we can access one lock, we can open all the locks in any unit — the entire university, the entire company,” Giese says. “We can clone and emulate keys very easily, and the tools aren’t that complicated.” Whoever owns the lockers manages them, Giese says.

Giese says that before developing this proof-of-concept attack, it took some time and effort to understand how locker systems work. They took apart the locks and used cheap debugging tools to access the devices’ electrically erasable programmable read-only memory, known as EEPROM. Often, in the locks they tested, this memory was not protected, allowing data to be exfiltrated from the system.

“From the EEPROM, we can extract the programming key ID, all the administrator key IDs, and the user PIN/user RFID UID,” says Giese. “Newer locks erase the configured user PIN when the locker is unlocked. But the PIN remains if the locker was opened with an administrator key/programming key.”

The researchers say they reported the findings to both affected companies and have spoken to Digilock about them. Digilock told WIRED that it has released a fix for the vulnerabilities found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company did not respond to WIRED’s request for comment.