Open, Sesame! On the Security of Electronic Locks


by David Oswald

Electronic locking systems are becoming increasingly prevalent in both corporate and private buildings. This talk deals with the security of such systems, demonstrating attacks that allow an adversary to bypass the security mechanisms and "electronically pick the lock".

To this end, we present case studies of increasing complexity in terms of the attacks involved. After introducing "trivial" weaknesses (e.g., incorrect installation, cabling accessible from the outside, etc.), we continue with locks using RFID (Radio Frequency Identification). Using our custom emulator, the ChameleonMini [1], numerous types of such RFID cards can be cloned in seconds, giving an adversary full access. In this context, we summarize the relevant security research of the last five years, which has led to many commercial (RFID) systems being broken by various groups around the world.

In the second part of the talk, we focus on a widespread proprietary locking system using a custom wireless interface. To understand the inner workings of the system, numerous steps were required: the analysis of circuit boards, the reverse-engineering of a full-custom IC, the circumvention of the read-out protection of a microcontroller, and the disassembly of the obtained embedded code. Based on this analysis, both mathematical and implementation attacks can be mounted, ultimately allowing an adversary to open any door within an entire installation.

The talk includes a live demonstration of the ChameleonMini (and possibly also of attacks on other selected systems).