According to a new study, consumer smart locks are easily vulnerable, making it possible for attackers to steal the fingerprint patterns of specific individuals. This week, research from James Cook University in Singapore showed how a hacker might utilise common hardware and very basic hacking skills to quietly gather fingerprints using a smart lock hacking method called drop lock. Author and senior cybersecurity instructor Steven Kerrison claims that the problem is caused by the hardware constraints of IoT smart locks. Low-end Internet of Things devices like commercial smart locks lacks dedicated safe storage, in contrast to smartphones or tablets that store fingerprint information and other biometric data inside protected hardware enclaves.
In the report, Kerrison stated that “these devices often contain less powerful Processor cores, cheaper sensors, and do not provide the same level of security as a smartphone.” This is typically regarded as acceptable based on the product’s worth or what the sensor is intended to safeguard. In order to show the flaw, Kerrison created a proof-of-concept device that could establish a Wi-Fi connection with a smart lock and, through the use of an exploit or an exposed debug interface, replace the firmware of the lock with instructions to gather and upload fingerprint data. A different option would be to disassemble the lock and connect it directly to the controller using onboard debugging pads.
In any case, the lock would be able to provide information about the target’s fingerprint when activated within the attacker’s controller’s range, which could then be applied to additional biometric hardware.
