Attacking the Keypad

As electronics have become cheaper and more prolific, machinery which used to be strictly mechanical is being replaced with electronic equivalents. Locks are no different. Electronic locks are both simpler to manufacture and offer features which are very hard to achieve with mechanical systems. One of the major benefits of electronic locks is the ability to use proofs of knowledge to quickly open a lock. Knowledge-based locks are nothing new; the earliest known combination lock dates back to Roman times. As with mechanical locks, it is important that electronic locks do not allow an attacker to easily bypass the lock by removing the dial, keypad or lock from the door. However, electronic combination locks present a new challenge that earlier combination locks did not face. Namely, that of supplying magic pixies (electrons) to the circuitry powering the lock.

Powering electronic locks

As mechanical locks did not require electricity, mains power is not readily available when switching from a mechanical lock to an electronic lock. As such, batteries are often used to power these devices. For the problem of where to place the batteries, one solution is behind the door, on the secure side. In order to avoid owners getting locked out due to dead batteries, this requires that there be another way to open the door, or some assurance that the user can be alerted the batteries are dying in time to replace them. As locks are often used on doors which are rarely opened, like those of summer homes and safes, providing a secondary way to open the door tends to be the more attractive option. However, having two ways to open a lock means the lock will cost more than a strictly mechanical lock of equivalent security. The other solution is to place the batteries on the insecure side of the door, and it is this solution which I will be focusing on in this article.

UL 2058

Safe locks with batteries on the insecure side of the door are typically UL 2058 listed as type 1 high security electronic locks. According to haymansafe.com, this listing requires the following criteria be met.

  • The lock must store and check the combination on the secure side of the door.
  • The combination must be stored in non-volatile memory. That is to say, the combination must not be forgotten when the battery is removed from the lock, even for extended periods of time.
  • The locking mechanism on the secure side of the door must initiate the retraction of the bolt.
  • Batteries must be stored in the keypad of the lock on the insecure side of the door.
  • The lock must support a minimum of 1,000,000 combinations.

These requirements are a good starting place for anyone looking to design an electronic locking system with a keypad option. When vendors [1] [2] implement these requirements they often arrive at a design with a removable keypad. As the keypad is dumb and not actually involved in making the unlock decision, it may be tempting to assume there is nothing useful an attacker can do by removing the keypad. This may be true (assuming no vulnerabilities in the lock’s code) if an attacker can only access the insecure side of the door once.

The heist

In general, when we put a lock on a door we assume that people will be able to access the outside of said door. This, after all, is why we use locks in the first place. Imagine you have secured a safe (or a door) with a keypad-equipped lock similar to the type 1 high security electronic locks described above. Malory the evil maid occasionally has unsupervised access to the keypad but does not know the combination to open the door. On one of these occasions she swaps the keypad, replacing the original keypad with one she brought with her of the same model. The owner, not being able to distinguish between Malory’s keypad and the original, uses it without suspicion. It unlocks and locks the door just as before, but because it has been modified by Malory it also silently records the combination. Later Malory returns and extracts the combination from her bugged keypad. She opens the door with the recovered combination and steals everything. When she leaves she locks the door and replaces her bugged keypad with the original one. Sometime later the owner returns and opens their safe (door) only to find they have been robbed.

Demo

Defenses

Malory was able to pull this heist off because she was able to switch the keypad without the owner’s knowledge. In order to hinder her there are several strategies one can employ. Anything which prevents Malory from being able to access the insecure side of the lock more than once would be very effective, but probably not very practical.

Another option would be to use two-factor authentication and require the owner to provide both the combination and a second factor like a smart card or a biometric. This solution, while more practical than the first, requires a far more complicated system and will almost certainly be less convenient. However, it is the only solution I will be mentioning which is capable of stopping other attacks Malory may attempt which do not require tampering with the keypad. For example, if Malory instead hid a camera near the keypad to record the user’s combination, a two-factor authentication system would make the captured code insufficient to open the door.

Still another approach would be to implement tamper detection mechanisms which inform the owner that the keypad has been messed with. Creating tamper-evident systems which are not easily bypassed is fairly tricky. However, even if the system detected tampering 100% of the time, when the owner came back to the lock they would see the keypad had been tampered with, but unless they knew Malory was the only one with access there would be very little they could do besides closely inspect the keypad. Furthermore, if Malory regularly messed with the keypad in harmless ways, the owner would likely grow numb to these alerts.

Finally, the owner could deploy a camera to see if anyone was at the keypad, but not which keys were being pressed. If the camera had the ability to alert the owner when someone was at the keypad, this would be even better. With the camera in place the owner would be able to see Malory swapping the keypad and take action. This solution is by far my favorite, as it can be implemented by the owner without having to buy new locks, and has minimal impact on convenience. Additionally, it is the only solution which provides insight into who tampered with the keypad. However, it does not help with any attack where Malory is able to see or record the key presses from a distance.

Know your hazards

Removable keypads can be very convenient, but convenience comes with risks. The decision whether these risks are acceptable ultimately lies with the end user. If you have, or are thinking about getting, a lock with a removable keypad, I hope you have found this useful.

What do you think? Would you be comfortable with an electronic lock with a removable keypad?