Thousands of electronic lockers in gyms, offices, schools and more could be vulnerable to attacks by criminals using cheap hacking tools to access administrator keys, according to new research.
At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how a digital custodial key can be removed from a locker and then copied to open another locker at the same location. The researchers looked at different models of electronic locks from Digilock and Schulte-Schlagbaum, two of the world’s largest manufacturers.
Over the past few years, the researchers, who have lock-picking experience, have been studying a variety of electronic locks that use numeric keypads that can be set and opened with a pin code. The research comes after various incidents of hotel door locks being found hackable, high-security locks having vulnerabilities, and industrial safes allegedly having backdoors.
For their research, Gies and Braelin bought electronic locks on eBay, scavenged ones from gyms that had closed during the COVID-19 pandemic or from failed projects. Gies focused on DigiLock, while Braelin looked at Schulte-Schlagbaum. Over the course of their research, they looked at older DigiLock models from 2015 to 2022, as well as Schulte-Schlagbaum models from 2015 to 2020. (They also bought physical control keys for DigiLock systems.)
The researchers say a well-prepared hacker could exploit the security flaws, dismantling the electronic lock and extracting the device’s firmware and stored data. This data could include the set PIN, administrative keys and programming keys, Gheese said. The administrative key ID could be copied onto a Flipper Zero or a cheap Arduino circuit board and used to open other lockers, Gheese said.
“If you have access to one lock, you can open all the locks in any unit, across the university, across the company,” Giese says. “It’s very easy to duplicate or emulate a key, and the tools aren’t that complicated.” Locker owners are in charge, Giese says.
Giese says it took time and effort to understand how locker systems worked before developing this proof-of-concept attack. They disassembled the locks and used inexpensive debugging tools to access the devices’ erasable programmable read-only memory (EEPROM). In the locks they tested, this was often not protected, allowing data to be extracted from the system.
“From the EEPROM we can pull out the programming key ID, all manager key IDs and the user PIN/user RFID UID,” says Giese, “With the new locks, when you unlock the locker it erases the set user PIN, but if the locker is opened with a manager key/programming key the PIN remains.”
The researchers say they reported their findings to both affected companies and discussed their findings with Digilock. Digilock told WIRED it has issued a fix for the vulnerabilities they found. The researchers say Schulte-Schlagbaum did not respond to their report, and the company did not respond to WIRED’s request for comment.
