
Your Gym Locker May Be Hackable

Thousands of electronic lockers found in gyms, offices, and schools could be vulnerable to attacks by criminals using cheap hacking tools to access administrator keys, according to new research.

At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys could be extracted from lockers, copied, and then used to open other lockers in the same location. The researchers focused on various models of electronic locks from two of the world’s biggest manufacturers, Digilock and Schulte-Schlagbaum.

Over the past few years, the researchers, who both have backgrounds in lock picking, have been examining various electronic locks that use numerical keypads, allowing people to set and open them with a PIN. The work comes on the back of various examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes being alleged to have backdoors.

For the research, Giese and braelynn purchased electronic locks on eBay, snapping up those sold after some gyms closed during the Covid-19 pandemic and from other failed projects. Giese focused on Digilock, while braelynn looked at Schulte-Schlagbaum. Over the course of the research, they looked at legacy models from Digilock dating from 2015 to 2022 and models from Schulte-Schlagbaum from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)

Showing how security flaws could be abused by a prepared hacker, the researchers say they can take the electronic lock apart, then extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The manager key ID can be copied to a Flipper Zero or cheap Arduino circuit board and used to open other lockers, Giese says.

“If you access one lock, we can open all of them in whatever the unit is—the whole university, the whole company,” Giese says. “We can clone and emulate keys very easily, and the tools aren’t that complicated.” Whoever owns the lockers manages them, Giese says.

Ahead of developing this proof-of-concept attack, Giese says, it took some time and effort to understand how the locker systems function. They took the locks apart and used cheap debugging tools to read the devices’ electrically erasable programmable read-only memory (EEPROM), the non-volatile storage that holds the lock’s configuration. Often, in the locks they tested, this memory was not protected against readout, allowing its contents to be pulled straight off the device.

“From the EEPROM, we can pull out the programming key ID, all manager key IDs, and the user PIN/user RFID UID,” Giese says. “Newer locks erase the set user PIN when the locker is unlocked. But the PIN remains if the locker was opened with a manager key/programming key.”
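To make the consequences of the readout concrete, here is an added toy model of the behaviour the researchers describe. It is not Digilock or Schulte-Schlagbaum firmware, and the record layout, class and function names, and the sample key IDs and PINs are all constructed assumptions. It models three things from the text: an unprotected EEPROM that holds the programming key ID, the accepted manager key IDs and the user PIN; a user unlock that wipes the PIN while a manager-key open leaves it in place; and a manager key ID copied out of one lock opening every lock that still accepts that ID until the locks are reprogrammed.

```python
"""Toy model of the locker key-reuse problem (added illustration, not vendor code).

All names, the EEPROM record layout and the sample IDs/PINs are assumptions made
for the example; real locks store this data in a vendor-specific format.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class LockEeprom:
    """What an attacker reads out when the EEPROM is not read-protected."""
    programming_key_id: str
    manager_key_ids: Set[str] = field(default_factory=set)
    user_pin: Optional[str] = None
    user_rfid_uid: Optional[str] = None


class Lock:
    def __init__(self, programming_key_id, manager_key_ids, erase_pin_on_user_unlock=True):
        self.eeprom = LockEeprom(programming_key_id, set(manager_key_ids))
        # "Newer locks erase the set user PIN when the locker is unlocked";
        # legacy behaviour is modelled by passing erase_pin_on_user_unlock=False.
        self.erase_pin_on_user_unlock = erase_pin_on_user_unlock
        self.locked = False

    def lock_with_pin(self, pin):
        self.eeprom.user_pin = pin
        self.locked = True

    def open_with_pin(self, pin):
        """Normal user unlock; on newer locks this clears the stored PIN."""
        if not self.locked or pin != self.eeprom.user_pin:
            return False
        self.locked = False
        if self.erase_pin_on_user_unlock:
            self.eeprom.user_pin = None
        return True

    def open_with_key(self, key_id):
        """Manager or programming key override. The user PIN is NOT erased."""
        if key_id != self.eeprom.programming_key_id and key_id not in self.eeprom.manager_key_ids:
            return False
        self.locked = False
        return True

    def dump_eeprom(self):
        """Attacker step: probe the chip with a cheap programmer and copy its contents."""
        e = self.eeprom
        return LockEeprom(e.programming_key_id, set(e.manager_key_ids), e.user_pin, e.user_rfid_uid)

    def remove_manager_key(self, programming_key_id, key_id):
        """Vendor's stated mitigation: reprogram the lock to drop a lost/cloned key."""
        if programming_key_id != self.eeprom.programming_key_id:
            return False
        self.eeprom.manager_key_ids.discard(key_id)
        return True


def clone_and_try(dump, locks):
    """Emulate each manager key ID from one dump (e.g. on a Flipper Zero) against
    every lock on site; return the names of the locks that open."""
    opened = set()
    for name, lock in locks.items():
        lock.locked = True
        for key_id in dump.manager_key_ids:
            if lock.open_with_key(key_id):
                opened.add(name)
                break
    return opened


def demo():
    """Walk through the attack and the mitigation on three constructed lockers."""
    mgr = "MGR-0001"  # constructed sample IDs
    gym = {"locker%d" % i: Lock("PRG-0001", {mgr}) for i in range(1, 4)}
    victim = gym["locker1"]
    victim.lock_with_pin("2468")
    victim.open_with_key(mgr)      # staff open: the PIN stays in EEPROM
    dump = victim.dump_eeprom()    # attacker now holds PIN, MGR-0001 and PRG-0001
    opened = clone_and_try(dump, gym)
    # Mitigation from the vendor statement: reprogram every lock to drop the leaked key.
    for lock in gym.values():
        lock.remove_manager_key("PRG-0001", mgr)
    after = clone_and_try(dump, gym)
    return dump.user_pin, opened, after
```

Two caveats the model makes visible. First, the reprogramming step only revokes manager keys; the same dump also leaks the programming key ID, so an attacker who emulates that one is not removed by this mitigation. Second, the PIN survives in the dump precisely because a manager key was used, which is why a PIN reused for anything else is the more serious loss.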

The researchers say they reported the findings to both affected companies and discussed them with Digilock. Digilock tells WIRED it has issued a fix for the vulnerabilities found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company also did not respond to WIRED's request for comment.

A spokesperson for Digilock told WIRED on August 7 that it takes security seriously and, after Giese got in touch, it added code protection to its products. “Current Digilock products have additional code protection measures to enhance their security further,” the spokesperson says. It is unclear how many locks were impacted by the weaknesses.

“The vulnerabilities the author discusses require significant expertise, time, and access to a specific site’s lock and associated administrative key,” the spokesperson says. They say that any data extracted from their locks needs to be interpreted and understood by a potential attacker.

“Even if a hacker duplicates an administrator key, the duplicated key will only work on locks currently programmed with the duplicated key,” the spokesperson says. “If an administrative key goes missing, it is very easy to reprogram the lock and remove it from the system, ensuring any potential security risk is swiftly mitigated.”

The day before the researchers were due to present their results on August 9, they were hit with a cease-and-desist letter from Digilock. The legal request was subsequently withdrawn following discussions between both sides. The company declined to comment on the letter.

However, a Digilock statement included in the researchers’ presentation says the company “respects” the work, hopes to keep working with Giese on security issues, and details how it is adding encryption to the EEPROM data. “In over 32 years, there have been no reported instances of items being stolen because a Digilock lock was hacked. Digilock is fully committed to providing secure solutions for its customers,” that statement concludes.

“If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better systems in the future,” says Hannah Zhao, a staff attorney at the Electronic Frontier Foundation, who helped Giese ensure the talk could go ahead after the cease-and-desist letter was received. “By discovering and reporting on their findings, security researchers like Mr. Giese help build a safer future for all of us.”

Ultimately, many people may be dubious about how safe a locker in a gym or shopping mall really is; after all, crowbars exist. But the researchers say that being able to extract a PIN or other information from a locker’s digital memory could do more damage than just having your bag and wallet stolen.

Giese says people should be more cautious about the PINs they use on such devices, and that any RFID token used on a locker could potentially also be accepted elsewhere in an office building, on doors for instance, giving a more advanced attacker access to further systems. “If you have the choice to choose your own PIN to lock the locker, what PIN do you use? I personally used a PIN which I used everywhere for important things,” Giese says. Using a PIN that is not reused anywhere else limits what an attacker gains from extracting it.