And this is my 2022 talk about electronic locks. I see some familiar faces here, but not everybody knows me, so I'll quickly introduce myself. So what is it about this guy, and why is he always talking about locks? For me, this lock story goes way, way back to when I was a little boy. My great-grandfather was supposed to make me a key to the apartment, so I could get back into the apartment after school. And he did not give me a key, he gave me this. This is called a Dietrich in German, or Sperrhaken. It opens more than one lock, of course, and somehow this all started for me. Later, when locksport became a thing, I started to compete in locksport as well, but this will probably be the only picture you'll ever see of me winning any major prize. I'm not the fast guy, I'm more the analytics guy. So I wrote a number of papers about locks and published them; you can find them there. Obviously, I do conference talks now and then, some of them were recorded, some of those are on YouTube, and I made a playlist for this.

And then, yeah, software and electronics. My father often predicted I'd become a locksmith, but I also found that I like to take apart electronics and write software and so on. So I became an engineer, I make my living with software development, and as a personal project I made an app that may help you if you have an Android device and use this Bluetooth COVID warning app.

But now let's look at locks. To make it a little bit easier to follow this talk, I made four segments. Obviously, electronic locks are electromechanical systems, so you can attack the mechanics part or the electronics and software part. And also, to sort it a little bit, there are generic attacks that may work on many locks, and then there are also very lock-specific attacks. As an example of what I will show most, there is bumping. It's very generic, it attacks the mechanical part. There are other ways that you can do it; magnets are typically something.
And other attacks. Electronics and software: there's a lot of attack surface, but it is typically very lock-specific, for one specific system. And yeah, some of the things are generic, for example RFID keys can be copied, and you know that.

Okay, I'll start with bumping. You have heard about bumping, I'm very sure. For mechanical locks, there was a patent early on, in 1926. And then in the early 2000s, it was made public again. And also by some people here in the Netherlands, Barry and others from Toool, there was a paper about it. And what you probably also know is bumping cheap electronic safes. So that is a well-known technique; you can use a potato or a fist or whatever. And here you see Ray bumping open a safe at Munich CCC. So you probably have seen that, right? And most people who know something about locks also know that this is because of the solenoid in these cheap safes. And yeah, they have become an anti-pattern in mechanical lock design, or in electronic lock design, because they are so easy to manipulate from the outside. So people generally accept that motors are a more secure way to lock something.

Okay, but I did find a modern lock with a solenoid. And this is now a lock-specific mechanical attack on a very specific lock. This is an electromechanical lock with mechanical keys. And the keys also have a little chip in there and electrical contacts that you can see here; I actually covered them up with a little bit of tape. And just by the way: in this presentation, I typically put the secure side, the inside of the door, on the left side of the picture, and the outside on the right side of the picture. In this case you would have the key on the outside and a knob on the inside. This lock works with batteries in the inside knob. And then there is a solenoid. I think it was designed with a solenoid because solenoids are fast. If you think of a little lead screw that would move this pin up, that may take too much time.
Yeah, let's try that. So you can see that now, right? Yeah, very good. Okay, so this is the correct key. It will beep once and now I can turn it. This is the modified key with the pins covered. The lock does not know it's in there now, but it does know once I start turning. Well, that was too... the demonstration worked too early. So basically, if I start turning, it will now fire the solenoid and I cannot turn any further. Okay, so if I turn it really quickly, and I know I can do that, I'm not sure if I can do it live on stage, let's try. Yes, I can also turn it quickly. I mean, it does beep, but it also opens the door. So much for locking out the person you don't trust anymore.

Now bumping. Bumping, as we said: the solenoid is bad, let's use a proper motor. This little key safe, I have it here, actually does have a motor. And this motor pushes down on a spring-loaded latch. So it's convenient: you can close it and this latch will close. But yeah, you can also do the same thing as with the cheap safe. And this has a nice time delay thing to it; I like to do that. I can also... well, I don't do it on stage here. To be fair, the manufacturer has, or I'm not sure if there's only one, but they have improved it, and there is now a little function that the motor turns the other way around when it senses a close. And now this attack doesn't work on the new versions of those anymore. So I like that, when manufacturers actually improve the product.

Okay, but now we know it is the spring that is the problem. It's not whether you have a motor or a solenoid. It is this coupling, or this blocking, that is typically a spring-and-mass system. And I mean, you know spring-and-mass systems or such systems like that: if you want to do something from the outside, you can just hit it and now a collision happens. You know, this thing is called Newton's cradle. You hit from the outside and if there are collisions, then this energy will be transferred; it's called conservation of momentum, for example.
The other thing that you can do from the outside, if you cannot reach this and it's isolated: now you can actually use inertia. So you just hit it from the side and it will still start moving. And if you hit it multiple times, there will actually be a resonance frequency and so on, so you may actually be able to hit it even harder. So let's test this theory. Because I cannot zoom, it would be cool if you could switch to the other camera, please, and have a look at this cylinder and this lock. So as you know, these electromechanical lock cylinders work like this: you have, on the inside, the opportunity to open and close the bolt. But on the outside, you can only do that after authentication, because then the motor will move something; otherwise it's free-spinning and it's secure. Supposedly it's secure. Okay, let's see. I think we can see it on camera, right? Yeah. Okay, so it will be a little bit loud, but only for a short time, and you have to watch this to see that it moves in. Yeah, open. Okay.

Okay. We will have another demonstration later with the other locks, but let's have a look at them first. So the theory was this. Just so you see what I just did: I attacked this lock cylinder. This is a very complicated system where all the electronics are on the outside of the door, including a magnetic override key, and you can use an RFID chip and everything. But yeah, it also has a spring-loaded clutch, an actual spring-loaded clutch element.

Okay, and there are typically some questions, frequently asked questions. The first one is: why test this in the door? Some people in Germany will now be angry with me, because locksport ethics say you should not attack a door, you should only attack a lock, and this way it doesn't look like we are thieves and want to break in. The only problem with that is you cannot have a real test if you just hold the cylinder in your hand. I want to show you with this cylinder here.
This is an electronic lock cylinder that is not vulnerable to these attacks, at least I didn't find that yet. But you can see that this cam, that's the thing that operates the bolt, actually turns even though I didn't put a key in here. The thing is, though, if I put my finger here, you see it does not turn, so there is a slip clutch, and that is a way to design it so that it will not open the door lock if you don't authenticate. But to test whether this attack works, you have to prove that you can really transmit torque to the cam. The other thing that you may think of if you look at this is: don't put this into a lock where you don't need much torque. So if you have a key switch that maybe doesn't need much torque to activate, then this is not the right lock for it. If you have a thing that just blocks based on the cam, like a little safe, something like that, you know this type of thing, you can easily pull it out if you can just move the cam without torque. But yeah, that's the reason why we have to put it into a simulated door or something like that.

The other question is: if there is a motor, like a lead screw or whatever, why is there a spring inside? If it were just a fixed motor lead screw drive, there is no problem with moving that, right? But if you design a system like that, you will see that you have to engage the clutch at all the angles, even at those where the things don't match, where the two sides don't match. So now the motor can actually put the energy into the spring, and then once you turn it, it will actually engage the clutch. And the other way around: if you hold the knob and, for example, retract the latch and put much torque on the clutch, then it cannot disengage. So that's why there are usually springs. The only problem with that is, if they are actual springs, then we can use the rotary hammer to do that. And then another question would be: why are the springs weak?
And that's because if they are really strong, then it takes a lot of battery power, right? Other things, as I hear from vendors of these locks: yeah, it's not a silent attack, and if you do it more often you see scratches and stuff like that. And that's maybe true if your lock is not meant to secure anything really, but just to make sure that honest people stay honest; then it may be fine. But if I buy some lock that is supposed to have 10 minutes of drill resistance, has an SKG 3-star rating and so on, I expect it to resist for some minutes and not a few seconds. And then also the other thing, and we have seen that today when we did the dry run: if you do it too often, maybe you put too much energy into the lock and it will fail, and that is really annoying for me as the pentester. But I mean, still, if it opens the first time somebody wants to attack my lock, that's still not a good thing. Okay, there is one thing that I think should be part of the training of lock designers: you should not use actual spring-loaded clutch elements.

Okay, I will demo other locks soon, and these are the locks that I want to show you. This is where the whole thing started. This is a really old lock from a manufacturer, like, I don't know, 15 years ago; it's really old, 20 years ago, and they have two more generations in the meantime that are not vulnerable to this. But I want to show it briefly, and this actually does have a solenoid in here, so if you just hit on it, it will move. And yeah, so that's the first one; it has a solenoid-based clutch.
Then a lock with a weird, sorry, with a wired electronic key. That one, when I took it apart and looked at it, it looks like the clutch is actually radially coming out of this, which would be good. It could have its own problem: if you turn it really fast, then centrifugal force would maybe pull it out, but that's not the case, they designed it well. However, there's also a part of the movement that is actually, and that's why it also falls to this.

Yes, but while we look at this lock, I promised some other things than bumping, other mischief. This also has bad crypto and a time penalty bug. Yeah, so the vendor says the key is read- and copy-protected through a cryptological crypto dialogue procedure, but that was home-rolled crypto invented by somebody 20 years ago, and if you look at the key you also see this: it's just a little PIC microcontroller, so what would you expect? Let's have a look. So the standard reverse engineering procedure would be: use a logic analyzer to record the transactions. I use a Saleae Logic, and then you look and you see the physical layer, and the physical layer is really simple. It's like a zero, and then the bit, and then the one, and the zero and the next bit and the one. For this type of logic analyzer, you can write a low-level analyzer, and then you see the bits. Figure out it's 40 bits, challenge and response. Then Teensy, which is something like an Arduino but faster: made an analyzer, wrote some software for that, and then we could actually understand the encryption, and we'll look at this on the next slide. But once that is done, we can also simulate the key and then copy the keys.

And while doing that: this cylinder has a knob with digits, and you can turn it and then you push it, and turn and push and turn and push, and so you can do a four-digit, five-digit or six-digit code that way. And it turned out that if the codes were four or five digits and we entered them through the key interface, then it wouldn't have a time penalty, meaning you could easily brute force it by just trying out all the four-digit codes in a short time. So that one the vendor has fixed in new firmware releases, which are, well, the whole system is not updateable, but if you buy a new cylinder like this now, it won't have the time penalty bug anymore.

Let's look at the crypto. So I chose this picture, people who stare at bits, and at this time I also want to thank the nice people from Munich CCC and SSDeV for being such nice sparring partners and inspirations. So thank you Ray, Emke, Sek, Robert, Avanti and all the others. We did GC sessions during the pandemic and stared at bits. So on the left side you see the challenge, on the right side you see the response bits, and what you can already see is: if you look at cases where only one bit flips here, not much happens on the right side. Claude Shannon wrote about cryptography and called this diffusion: a single bit change should change more bits on the right side. You see this already; after an idea there's something that doesn't seem to be right. And if you look more closely, and I'm not sure if you can see it here, but I highlighted the changed bits in bold print, you can see that it is six bits changing and they are always at the same side. And that is very much looking like a linear feedback shift register. It's actually a little bit more complicated than that; it's two LFSRs, and that's it. So now that we understand it, you just need to have one single transaction and you can get the secret of this key.

Good, so that was about cryptography attacks, if you want to call it like that. Bumping again, another lock. This is a very strong smart lock cylinder, and it is designed very well, because all the electronic parts are on the inside of the door and there's only some strong metal on the outside of the door, with strong drill protection, and you see the SKG 3-star sign here. So yeah, that was a strong lock. Taken apart, you can see that there are actually spring-loaded pins, clutch pins, yeah,
that's the problem, of course. If you look at this knob, you see that in the left picture these pins are not engaged, but in the right picture they came out. Zooming in: so now they are out, in, out; now it's coupled; in, out. You can see that, yeah, and that's the problem that we'll see when we bump it. Okay, there's a very similar design by another manufacturer; this one even has a mechanical override down here. It's a really neat design, but same problem.

Okay, then the locks I've shown before, they are quite expensive, like a few hundred euros per piece. There are also cheap electronic lock cylinders that you can import from Asia, typically. And yeah, this one has a lead screw based clutch mechanism again, but spring-loaded, and all the electronics in the outside knob. There are actually four, sorry, two generations of them, pretty similar but slightly different. And then a completely different next generation actually has two little motors in here. It's really nice, like a redundant thing; there are two of them, one can be activated through Bluetooth and for the other one you have to connect a USB override thing. But I mean, both of them actually have the problem we've seen. I took one apart, it's turned around now, and made a slow motion sequence, so you can see at the right side of the picture, I'm not sure if you can see it here, but there is this clutch part, and you can even see that the little pin stuck out from the last attempt here. And here you can see that I painted it black, and when the pin jumps out you'll see this black cover. Yeah, let's see how much we can... there, another hammer comes from the left and the whole thing moves, and you see the pin coming out now, and now it is back again, but it's jumping a little bit back and forth. So that is what's happening in there, obviously.

And now let's have the camera switch again, please, and we just do it live again on these locks. So number two is the very basic one with the solenoid. Let's see. So one thing I want to tell you: I didn't make many of these little mini doors, I made little demonstrating things instead. And you can see here's a white wheel with a black tooth, and this is to prove that the clutch, or the cam, was actually transmitting enough force to turn it. So after the attack, the little black tooth will not be at the top but will have moved, and then you know that it would have opened the door. Okay, let's try to open this one. I didn't put the expensive knob with the key interface and this code entry on there, but just a little brass piece, so as not to destroy the expensive knob. Open. That's the strong one with the SKG three stars, and it is really strong, maybe; let's see. Oh yeah, okay, I should have... there's a screw to keep that in. Let's try once more. Open. Okay, then we have this other very similar one. Open. Now we come to the cheaper versions. Open. Open. Okay, getting there. One last. Open. Okay, so I have a feeling like there was a German TV show called "Wetten, dass..?" and I just... okay.

If you want to try it yourself, what you need is a strong rotary hammer. It needs to be a rotary hammer, not just a hammer drill, so there's this electro-pneumatic thing that really puts some joules of energy into each of the hits. So this one does two joules; a very cheap one imported from Banggood or AliExpress or whatever does about 1.5, although they claim more; and this one, you also get it at Aldi or Lidl and so on, has like one joule, and for many of them it works. You would need something like an adapter, because if you just use the typical hammer, like the typical drill bit, you will drill a hole, but you need something that distributes the force over more surface. And I made TPU covers with 3 mm TPU, and then you can either use duct tape to tape it to the knob, or what I did is I made some adapters with different diameters.

And some other machine: I promised... I wanted to buy a time lock for a certain reason that I will show you, but it turned out this is a sex toy. But anyway, the attack is called fault injection, and the thing is you can reset some very cheap electronics with this EMP device that is sold, as advertised, as the device that makes slot machines pay out money. But it can really only disturb or reset the cheapest of electronics; with this lock, it doesn't work. And obviously, maybe there are some others; on some ad sites there are some Chinese locks that it is effective against, and then there's a lot of ads where it says it's not effective against this. Something that is effective sometimes is a rotating magnet. And if you look at how to influence the motor from the outside, what you could do is, if you have a really strong magnetic field, you can really superimpose that over the existing magnetic field and then the motor will turn the other way around. The other thing you can do is pull the iron core of the magnet of the motor. So I got this time lock; now it's set to 33 minutes still, so it doesn't open, you cannot push this button in. But here I have a magnet, it's north pole and south pole on these sides, diametrically magnetized, and if I just put this here and turn it, I can now open the lock, and I can also close it again. What else? This was pulling. If the motor is inside the knob and you turn it really fast, you may be able to use centrifugal force, or if you do acceleration, to actually turn something.

Okay, I think we made it. Thank you very much for your attention. There is a lock-picking village here next to stage Clairvoyance, you can also reach me over DECT, and I will be at LockCon this year again. There is an email. Thank you very much.
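The time penalty bug of the wired-key lock described earlier in the talk (codes entered through the key interface were not subject to the penalty that the knob path had), as an added example that is not part of the talk and not any vendor's firmware: a constructed Python model of a code-entry lock with two input paths. The class names, the penalty schedule, the injectable clock and the sample codes are assumptions for the illustration. The hardened controller routes both paths through one shared check, so the failure counter and the growing time penalty apply no matter which path is used; the vulnerable subclass shows the bug class, a second path that verifies the code directly and never consults the penalty state.

```python
import hmac
import time


class LockController:
    """Constructed model of a code-entry lock (not any real product's firmware).

    Both input paths, the turn-and-push knob and the electronic key interface,
    go through the same _check(), so the failure counter and the time penalty
    apply no matter which path is used.
    """

    def __init__(self, code: str, penalty_after: int = 3,
                 base_delay: float = 10.0, clock=time.monotonic):
        self._code = code
        self._penalty_after = penalty_after   # failures before the first penalty
        self._base_delay = base_delay         # seconds; doubles per further failure
        self._clock = clock                   # injectable for deterministic tests
        self._failures = 0
        self._locked_until = 0.0

    def _check(self, code: str) -> str:
        now = self._clock()
        if now < self._locked_until:
            return "penalty"                  # input ignored, even a correct code
        if hmac.compare_digest(code.encode(), self._code.encode()):
            self._failures = 0
            return "open"
        self._failures += 1
        if self._failures >= self._penalty_after:
            extra = self._failures - self._penalty_after
            self._locked_until = now + self._base_delay * (2 ** extra)
        return "denied"

    def enter_via_knob(self, code: str) -> str:
        return self._check(code)

    def enter_via_key_interface(self, code: str) -> str:
        return self._check(code)


class VulnerableController(LockController):
    """The bug class from the talk: the key-interface path verifies the code
    on its own and never consults the shared penalty state, so the time
    penalty only protects the knob path."""

    def enter_via_key_interface(self, code: str) -> str:
        if hmac.compare_digest(code.encode(), self._code.encode()):
            return "open"
        return "denied"


def penalty_reached(controller_cls, attempts: int, clock_value: float = 0.0) -> bool:
    """Feed `attempts` wrong codes through the key interface at a frozen clock
    and report whether the controller ever answered with a penalty.
    Sample codes are constructed for the demo."""
    lock = controller_cls("4711", clock=lambda: clock_value)
    return any(lock.enter_via_key_interface("0000") == "penalty"
               for _ in range(attempts))


if __name__ == "__main__":
    print("vulnerable, 10 attempts, penalty seen:", penalty_reached(VulnerableController, 10))
    print("hardened,    4 attempts, penalty seen:", penalty_reached(LockController, 4))
```

The design point is that the penalty state lives in one place and every path to the code check passes through it; a second entry path that short-circuits to the comparison is exactly what leaves four- and five-digit codes open to a quick exhaustive try.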
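The diffusion observation from the crypto part of the talk (flipping one challenge bit changed only six response bits, always at the same positions, which pointed at an LFSR), turned into a repeatable check, as an added example that is not the talk's analysis code and not the real key's cipher. The toy LFSR-based responder, its tap positions, the number of clocks, the 40-bit key and the HMAC-SHA256 comparison are all assumptions for the illustration. The check flips one random challenge bit and counts how many of the 40 response bits change, and separately tests whether the changed positions depend on the rest of the challenge; a linear responder fails both tests the way the talk's bit dump did, a keyed hash changes about half the bits at varying positions.

```python
"""Avalanche (diffusion) check for a 40-bit challenge/response scheme.

Constructed example: the toy LFSR responder is NOT the cipher of the key from
the talk; it only shows how any linear responder looks under this test.
"""
import hmac
import random

WIDTH = 40
MASK = (1 << WIDTH) - 1
TAPS = (0, 2, 19, 21)          # assumed tap positions for the toy LFSR
STEPS = 8                      # assumed number of clocks per response
KEY = 0x5A3C96E1D2             # constructed 40-bit key for the demo


def toy_lfsr_response(challenge: int, key: int) -> int:
    """Toy linear scheme: XOR the key into the challenge, then clock a
    Fibonacci LFSR. Every step is linear over GF(2), so flipping one
    challenge bit flips a fixed set of at most STEPS + 1 response bits,
    independent of the other challenge bits."""
    state = (challenge ^ key) & MASK
    for _ in range(STEPS):
        feedback = 0
        for tap in TAPS:
            feedback ^= (state >> tap) & 1
        state = (state >> 1) | (feedback << (WIDTH - 1))
    return state


def hmac_response(challenge: int, key: int) -> int:
    """Keyed-hash alternative (illustrative): HMAC-SHA256 truncated to 40 bits."""
    mac = hmac.new(key.to_bytes(WIDTH // 8, "big"),
                   challenge.to_bytes(WIDTH // 8, "big"), "sha256").digest()
    return int.from_bytes(mac[:WIDTH // 8], "big")


def avalanche(fn, key: int, trials: int = 2000, seed: int = 1) -> float:
    """Average number of response bits that change when one random challenge
    bit is flipped. Good diffusion on 40 output bits is close to 20."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        c = rng.getrandbits(WIDTH)
        flip = 1 << rng.randrange(WIDTH)
        total += bin(fn(c, key) ^ fn(c ^ flip, key)).count("1")
    return total / trials


def flips_are_fixed(fn, key: int, bit: int, trials: int = 50, seed: int = 2) -> bool:
    """True if flipping challenge bit `bit` always changes the same response
    positions whatever the rest of the challenge: the signature of a linear
    responder, which is what the bold bits in the talk's dump showed."""
    rng = random.Random(seed)
    masks = set()
    for _ in range(trials):
        c = rng.getrandbits(WIDTH)
        masks.add(fn(c, key) ^ fn(c ^ (1 << bit), key))
    return len(masks) == 1


if __name__ == "__main__":
    for name, fn in (("toy LFSR", toy_lfsr_response), ("HMAC-SHA256", hmac_response)):
        print(f"{name:12s} avg flipped bits: {avalanche(fn, KEY):5.2f}, "
              f"fixed positions for bit 17: {flips_are_fixed(fn, KEY, 17)}")
```

Run against recorded transactions instead of the toy responder, the same two functions give a quick first verdict on a vendor's "crypto dialogue" before any deeper reverse engineering: a small, constant set of changed positions means the response is linear in the challenge, and a linear responder leaks its secret from very few transactions.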