Researcher steals fingerprints by hacking smart lock

Technology News | September 5, 2022

By Nick Flaherty

Authentication & Encryption

A researcher in Singapore has hacked the current generation of smart locks that use fingerprint readers.

“I wanted to find out how easy it would be to turn one into something evil: a device that can steal the fingerprint of a victim by beaming an image of it wirelessly to someone nearby,” said Dr Steve Kerrison, Senior Lecturer in Cybersecurity at James Cook University in Singapore.

“I targeted smart padlocks, because they’re the most portable kind of smart lock,” said Kerrison. “I call it a ‘droplock’ because the idea is to leave it on the ground for a curious victim to find and pick up, a bit like when USB sticks containing malware are left for people to discover.”

The proof of concept, presented at the IEEE iThings 2022 conference, used a commercial lock reprogrammed with compromising firmware. If somebody picks it up and presses their finger onto the reader, it sends a copy over Bluetooth to a nearby receiver.

“This was easier than it should have been, but it requires some embedded systems and reverse engineering skills to pull it off the first time around,” he said. There are existing features and technologies that the device could have used to make the conversion harder, but they weren’t used. This kind of threat probably never crossed the mind of the designers or engineers.

Kerrison is interested in talking to a device manufacturers. The paper is at arxiv.org/abs/2208.13343

csb.stevekerrison.com