Platon Technologies
upamfva (Joined: 05 May 2021, Posts: 918)
Posted: 2022-09-08 03:04

Researcher unveils smart lock hack for fingerprint theft

Consumer smart locks could easily be compromised to allow attackers to steal the fingerprint patterns of targeted users, according to new research.

A paper published this week from James Cook University Singapore described how an attacker could use off-the-shelf hardware and a bit of hacking know-how to covertly harvest fingerprints via a smart lock hack technique called droplock.

The weakness, according to author and senior cybersecurity lecturer Steven Kerrison, lies in the limitations of the hardware used by IoT smart locks. Unlike smartphones or tablets, which store fingerprint details and other biometric data inside encrypted hardware enclaves, low-end IoT devices like commercial smart locks lack dedicated secure storage.

"These devices generally feature less powerful processors, cheaper sensors and do not provide the same level of security as a smartphone," Kerrison wrote in the paper. "This is usually deemed acceptable based on the value of the product itself, or what the sensor is meant to protect."

To demonstrate the weakness, Kerrison constructed a proof-of-concept device that could connect with a smart lock over Wi-Fi and -- using either an exploit or an exposed debug interface -- modify the lock's firmware with instructions to collect and upload fingerprint data. Alternatively, the lock could be disassembled and wired directly to the controller via on-board debugging pads.

Either way, the result is a lock that, when activated within range of the attacker's controller, would be able to give data on the target's fingerprint that could then be used against other biometric hardware.

In discussing the findings with TechTarget Editorial, Kerrison noted that any sort of real-world attack would likely be carried out against a predetermined target over a set period of time, rather than a scattershot mass harvesting of credentials.

In that case, the attacker would need to be within somewhat close proximity to the lock, such as standard Bluetooth range, to be able to collect the fingerprints when the lock is activated. Once the print data is collected, it could then be used over time to access other devices that use more robust security measures.

"The attacker needs to have a receiving device quite close to the lock -- just a few meters -- during the attack for the fingerprint to be transferred reliably, so that means the attack has to be more targeted than, say, leaving USB sticks lying around and waiting for people to plug them in to deliver malware into a network," Kerrison explained. "That means a viable attack is more likely to be against a specific victim or group of victims, rather than random, and the assets accessible with the biometrics would have to be worth going to that amount of effort."

While the attacks outlined in the paper were limited to IoT-enabled padlocks, Kerrison believes that the underlying weaknesses in biometrics storage will extend into other devices that protect even more valuable items and data.

"I started with smart padlocks because of their portability and how they lend themselves to the droplock idea," Kerrison said. "However, I am very confident that other devices, such as smart door locks, will be vulnerable. The question then is whether the attack is worth performing with such devices."
