Thousands of electronic lockers in gyms, offices and schools could be vulnerable to attack by criminals using cheap hacking tools to access administrator keys, new research suggests.
At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys could be extracted from lockers, copied, and then used to open other lockers in the same location. The researchers focused on various models of electronic locks from two of the world’s largest manufacturers, Digilock and Schulte-Schlagbaum.
In recent years, the researchers, both with experience in lock picking, have been examining various electronic locks that use numeric keypads, allowing people to set and open them with a PIN. The work comes on the heels of several examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes allegedly equipped with backdoors.
For their research, Giese and braelynn purchased electronic locks on eBay, grabbing ones that had been sold after gyms closed during the Covid-19 pandemic and other failed projects. Giese focused on Digilock, while braelynn looked at Schulte-Schlagbaum. During their research, they looked at legacy Digilock models from 2015 to 2022 and Schulte-Schlagbaum models from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)
Showing how the security flaws could be exploited by a trained hacker, the researchers say they can disassemble the electronic lock, then extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The manager key ID can be copied to a Flipper Zero or a cheap Arduino circuit board and used to open other lockers, Giese says.
“If you get access to one lock, we can open all of them, in any unit—the whole university, the whole company,” Giese says. “We can clone and emulate keys very easily, and the tools are not that complicated.” Whoever owns the lockers operates them, Giese says.
Before developing this proof-of-concept attack, Giese says, it took them some time and effort to understand how locker systems work. They took apart locks and used cheap debugging tools to read the devices’ electrically erasable programmable read-only memory, known as EEPROM. In the locks they tested, this memory was often unprotected, allowing its contents to be extracted from the system.
“From the EEPROM, we can extract the programming key ID, all manager key IDs, and the user PIN/user RFID UID,” says Giese. “Newer locks erase the set user PIN when the locker is unlocked. But the PIN remains if the locker was opened with a manager key/programming key.”
The researchers say they have reported the findings to both affected companies, adding that they have spoken to Digilock about the findings. Digilock told WIRED that it has released a fix for the vulnerabilities it found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company did not respond to WIRED’s request for comment.