Unlocking Doors Over the Internet

I can think of specific instances where this can be useful, but in most places it's not a good idea.

Posted on September 19, 2008 at 12:39 PM • 22 Comments

Comments

Prohias • September 19, 2008 1:25 PM

For unlocking, isn't this equivalent to those wirelessly controlled key lock boxes latched on to door handles, and widely used by real estate agents?

bob • September 19, 2008 1:37 PM

I wonder if there is a delay or a pause after 3 failures or something, because with only a 4-digit code, you could quickly script an attack which would test every possible combination in about 1 minute.

Now LOCKING remotely (for the OCD among us) would be handy.

I wouldn't mind having one if the password was more like 16 digits.

Panda • September 19, 2008 2:01 PM

"A lot of places where it isn't a good idea"?

Like anywhere you want security? There are just so many failure points in this scheme. I'd rather keep a key under the mat than use this lock. Cheaper too.

Carlos Gomez • September 19, 2008 2:20 PM

And for the privilege of using this you get to pay $13 per month. It seems like an expensive solution to a problem that really doesn't exist.

Tanuki • September 19, 2008 2:26 PM

And someone deliberately with $5 of dirt-cheap pocketable electronics can radiate a sufficient level of field-strength to completely upfuck this system...

It's one of the basic principles of security-intrusion: make a supposedly-secure system malfunction. Repeatedly. Then the system's users turn it off - and you go on to gain access via the (invariably insecure) fallback mechanism.

brasscount • September 19, 2008 3:41 PM

I foresee someone being locked in their home during a fire as a result of an improper install and Schlage being sued out of business.

JRR • September 19, 2008 3:44 PM

Heck, I don't pay $13/month for my cellphone service. The charge is clearly engineered into the service too; there's no reason for it. Anyone gadget-happy enough to have this would have a wireless router too, and they could just as easily design a system that used that which didn't have a monthly fee.

FWIW, I think it's vaguely possible that this could be at least somewhat secure. They could have a central server that verified that your phone is allowed to send controls, that plus the 4 digit PIN is probably as secure as a normal key, and certainly as secure as a 4 digit keypad entry code. Then the system could transmit a quite long key which could be rotating based on a pseudorandom algorithm which could be seeded at setup time.

Even if an unlock code was intercepted, it wouldn't work again. There's still the problem of DOS by radio jamming, but that's not a huge deal; if the owner is away and you're close enough to jam him trying to lock the door, you could just, you know, open the door.

I'm not saying it IS secure, but it could be better than it seems.
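The scheme JRR sketches above (a long code that rotates from a seed fixed at setup, so an intercepted code does not work again), combined with the lockout after failed attempts that bob asks about, as an added example that is not part of the original thread and not the vendor's design. HMAC-SHA256 as the generator, the 8-step look-ahead window, the doubling lockout, and all names and constants are assumptions.

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 16      # bob's "more like 16 digits"
LOOKAHEAD = 8         # assumed: tolerate up to 7 codes lost in transit
MAX_FAILURES = 3      # bob's "pause after 3 failures"
BASE_LOCKOUT_S = 30   # assumed: first lockout length, doubled on each further failure


def rolling_code(seed: bytes, counter: int) -> str:
    """Code for one counter value: HMAC-SHA256(seed, counter) reduced to decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)


class Remote:
    """Sender side (phone or server): emits the next code and advances its counter."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def next_code(self) -> str:
        code = rolling_code(self.seed, self.counter)
        self.counter += 1
        return code


class LockVerifier:
    """Lock side: accepts each code once, resynchronises, and backs off on failures."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0          # lowest counter value still acceptable
        self.failures = 0
        self.locked_until = 0.0

    def try_unlock(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked_out"   # not even evaluated, so guessing gains nothing
        for c in range(self.counter, self.counter + LOOKAHEAD):
            expected = rolling_code(self.seed, c).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.counter = c + 1   # this code and all earlier ones are now dead
                self.failures = 0
                return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            extra = self.failures - MAX_FAILURES
            self.locked_until = now + BASE_LOCKOUT_S * 2**extra
        return "rejected"


def demo() -> list:
    seed = bytes(range(32))       # constructed seed; a real one would be random
    remote, lock = Remote(seed), LockVerifier(seed)
    out = []
    first = remote.next_code()
    out.append(lock.try_unlock(first, now=0))                # legitimate use
    out.append(lock.try_unlock(first, now=1))                # intercepted code replayed
    remote.next_code()                                       # one code lost (e.g. jammed)
    out.append(lock.try_unlock(remote.next_code(), now=2))   # resync via look-ahead
    for t in (3, 4, 5):                                      # three wrong guesses
        out.append(lock.try_unlock("0" * CODE_DIGITS, now=t))
    out.append(lock.try_unlock(remote.next_code(), now=6))   # valid code, but locked out
    out.append(lock.try_unlock(remote.next_code(), now=40))  # after the 30 s lockout
    return out


if __name__ == "__main__":
    print(demo())
```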

Clive Robinson • September 19, 2008 4:04 PM

Having designed electronic locks for a living, my main concern would not be the four digit code or the fact that you could get access via a radio or other publicly available network.

No I would be looking at it with a great big magnet and a little patience.

Most electronic locks use very low power solenoid or other form of electromagnetic actuator.

A strong external magnetic field will (unless you take suitable precautions) act in the same way as energising the coil.

Which basically means a large magnatron or other powerful magnet will act as a key to the lock...

As has often been remarked a chain is only as strong as its weakest link. And in the case of electronic locks it is battery life and the attendant design limitations it imposes...

Andrew • September 19, 2008 5:38 PM

I can see applications for this type of technology. Look at Knox boxes, for example.

Remote locking could be quite useful.

Remote unlocking can save lives. Speeds up emergency response, allows access to lifesaving equipment such as AEDs, etc.

Secure? No conventional keyed lock is secure. At least this system creates a time-based audit trail.

wumpus • September 20, 2008 11:08 AM

I'm failing to see most of the security issues. While having a 10 bit security key is weak beyond belief, I can't see anyone who buys one not having an equally wimpy garage door opener.

The security problem gets worse if you know a large number of houses with this system. Send the same number to the same house a number of times. If it tells you "you've been locked out due to excessive errors, please use your mechanical key": try another house. If they don't you're either in now (or can trivially brute force the thing). If they don't send the message, wait for howling customers to force them to. You might only be able to break .1% of the houses, but you should know in advance where they are.

PS. The audit trail is useless if you don't have a reliable way of tracing the source (using the internet means they don't).

Cybergibbons • September 22, 2008 2:11 AM

Yet another case of someone who clearly doesn't know what they are talking about. Clive Robinson - nearly all electromagnetic locks are not vulnerable to attack by a magnet, no matter how strong.

And a mangnAtron? A magnEtron generates microwaves, not a magnetic field.

Clive Robinson • September 22, 2008 3:23 AM

@ Cybergibbons,

"...A magnEtron generates microwaves, not a magnetic field."

Ahh, how interesting you know that a magnetron generates microwaves, but obviously not how or why it is called a magnetron (hint the "ron" part was frequently used in the names of thermionic valves).

A magnetron valve will not work unless its cavity block sits between the poles of a fairly strong magnet. You can look up a brief article on magnetrons on the web

http://en.wikipedia.org/wiki/Magnetron

If you are looking for a fairly strong magnet to play with then pulling apart a magnetron block from an old microwave oven is perhaps your cheapest option.

I have one from an old 1960's radar set that when put on an overhead rolled steel joist is strong enough to hold my weight and I'm by no means a light individual.

As you say,

"Yet another case of someone who clearly doesn't know what they are talking about..."

Sparky • September 22, 2008 3:31 AM

@Cybergibbons: We tend to be polite and respectful around here. Your reply doesn't exactly strike me as polite or respectful.

Besides that, you're simply wrong. There were (and are, I assume) quite a few electronic locks that are vulnerable to attacks with external magnetic fields, either static fields or strong rotating ones.

Locks using permanent magnet rotor DC motors (like stepper motors or brushless DC motors) can usually be moved using an external rotating field. In some other cases, a magnetic field can induce sufficient current to get the motor to move.

We had a story here some time ago, about a hotel-style smartcard lock that could be opened using a ring with a few strong magnets.

I don't see why this lock can't just always lock the door, unless you specifically tell it not to. It's not like you can forget your keys, you can always get back into your house.

If you need a friend to enter your house when you're away, you could give them a one-time or limited time code, instead of your own code. I don't see why the remote access feature is useful at all.

Cybergibbons • September 22, 2008 3:56 AM

Clive: That's like saying "I used the car to fix my DVD player" when you use a piece of wire from a car. You've taken the magnets out of a magnetron and used them. That's not really using a magnetron is it?

There are a few locks that are vulnerable to attack using magnets, but not many. Several methods of protection are used: steel casings, the mechanism is on the protected side of the door, and it's possible to design mechanisms that are not vulnerable to attack, either using multiple methods (a solenoid securing a bolt withdrawn by a motor), or by having an opposing mechanism of the same type that secures the lock when attacked.

One example does not prove the entire system insecure.

Clive Robinson • September 22, 2008 5:46 AM

@ Cybergibbons,

Your other statement of interest,

"nearly all electromagnetic locks are not vulnerable to attack by a magnet, no matter how strong."

Have you actually tested this?

Because I'm very doubtful that you have.

Less than a year ago I demonstrated to somebody that their battery powered electronic door lock was vulnerable to just this attack. And I advised them to look for one with a UL mark (it's one of the first tests UL used to do on battery powered electronic locks way back in the 1980's when they first started to appear for the Hotel Industry, and I'm assuming they still do it as most electronic locks failed the test).

There are very few experts when it comes to electronic locks and most locksmiths do not have a clue about their vulnerabilities. Usually a locksmith doesn't care either as they fit what has been selected by somebody else like the architect who likewise is not an expert on locks electronic or otherwise.

I don't know where you are but in the U.K. I have looked at quite a few of these battery powered "security locks" with keypads or even fingerprint readers and as I noted in my above post you commented on,

"Most electronic locks use very low power solenoid or other form of electromagnetic actuator."

And having tried the magnetron magnet on a number of them I can say as I did,

"A strong external magnetic field will (unless you take suitable precautions) act in the same way as energising the coil."

You will note I used the expression "suitable precautions". These can be quite expensive to get right if you just go for the obvious solutions.

So often the more cost effective locks do not have them or they are only partially effective (ie a suitably strong magnet still works).

One of the main reasons they are vulnerable is proximity. That is to reduce costs and increase reliability the lock mechanism is in the unit on which the keypad or fingerprint reader is mounted. This usually means there is only a small amount of metal between the electromagnetic actuator and the attacker and they can get the magnet around quite a bit of it. Usually the metal casing is made of materials that are low cost to cast/mold and machine. And will have little or no magnetic shielding ability.

As for magnetic door locks powered off the mains electricity supply these are very few in number and tend to use a different method of operation which often makes them slow to operate.

Due to the fact you don't want to be fried by broken wiring in the lock when touching the handle or using a key to override the actuator they are quite bulky due to safety segregation distances. Often too bulky to fit inside a standard door or frame and need to be mounted on the back or inset into the wall. Which although it significantly reduces the proximity issue has the unfortunate side effect that they often cannot be used with standard doors frames or door furniture further increasing the expense.

Further due to this bulk and the substantial wiring involved on the surface of the door, mains powered electronic locks are seen by many architects etc as being too ugly to use. The infrequent use tends to make them quite expensive so their use is further limited by cheaper options (which might further account for their scarcity).

Most doors opened remotely using mains power are either "entry systems" or lashed up using commonly available parts and invariably do not use electronic locks but door or bolt holders mounted in or on the frame of the door. You often see this sort of installation on server room doors. The unit that actually holds the door closed is mounted at the top or open side of the door on the inside of the room.

Often due to the component parts having been designed for holding doors open and being subject to various statutes, building and fire codes (whichever is appropriate to the area you are in) they often have to fail safe (ie open) under several circumstances. This usually means that they are permanently energised, as such an extra magnetic field will not open them.

Therefore they can (when not properly designed in) sometimes be opened simply by removing the power (as is the case with a lot of server room doors). Quite often the door holders are wired into a separate mains circuit to that of the server room and simply flipping a fuse in the distribution board / consumer unit etc is enough to get the door open or even just activating the fire alarm can do it.

Commonly available door entry systems (the sort used to buzz people through from the street to a lobby) do not use electronic locks but bolt holders (or whatever name they go by in your area). That is they are designed to be built into the door frame and hold either a bolt or the locking bolt/tongue from the lock or emergency door push mechanism. They are not designed to be used as "security devices" just "nuisance prevention devices" to keep uninvited people out of communal areas.

They tend to use a simple solenoid and lever based mechanical system. One big failing they have is that they "bind" easily that is if you push on the door the mechanical system sticks and when the operator presses the button the solenoid cannot pullback the lever so the door remains shut until the pressure is taken off the door. These are not fail safe devices and are not permanently energised so might be susceptible to a strong magnetic field. I have never tested them with a magnet for three reasons. First I have not seen them used on doors to "secure" areas, secondly as they are hidden away in the door frame they don't need to look pretty and are often in a quite thick steel case which is folded and partially welded, thirdly usually they are easier to get around another way.

That is due to the fact they bind easily and are designed to be used with many sizes and shapes of lock they are usually sloppy in operation and inserting a piece of not too stiff plastic in the right place usually forces back the lock. Or in some cases a good series of shoves can bounce them or the lock open.

Sometimes when used with emergency push bars on the door you can simply hook the bar through the gap between the door and the frame.

Designing door systems for secure areas to be safe, reliable and effective is a subject that needs some thought and a little experience, it is not something an architect, locksmith or security / facilities manager is likely to know much about.

Anonymous • September 22, 2008 5:15 PM

Silly comment, I know, but if you're a burglar, why bother futzing with the keyless entry system? Just break a window. (Also, even if there is an alarm system, most are sensitive to broken contacts, i.e. jimmying, not actual breakage.)

Clive Robinson • September 23, 2008 5:40 AM

@ Anonymous,

"Silly comment, I know, but if you're a burglar, why bother futzing with the keyless entry system? Just break a window."

Actually not that silly at all.

In the U.K. it has been found that there is a lot of difference between female and male burglars in the way they go about things, and it appears that as it's related to "risk evaluation" the women have the advantage.

Basically your switched on burglar knows that they are going to leave some trace of their activities at some point besides that of the items they take.

Well if you pick your targets and take small but valuable items that are not obviously on display, and providing your entrance and exit are not obvious. Then it might be some considerable time before the loss of the items is discovered. By which time the crime scene is so thoroughly contaminated it would be a rare piece of good fortune if trace evidence of the burglar is discovered.

It appears that a lot of female burglars have thought about this and tend to behave in a cautious manner, and as a result are seldom if ever caught. The exceptions being when "caught in the act", "in possession" or by being "grassed up" by the people they sell on to.

Which probably accounts for why they do not make a large percentage of "known burglars".

A lot of male burglars however just go in like a bunch of storm troopers and usually shed large amounts of trace evidence as well as taking it away with them.

Usually as the crime scene is fresh due to their obvious activities the trace evidence left by them is easily found collected analysed and saved away for future times. Worse they are also usually "known" to the police therefore a quick visit to their known locations will either give rise to evidence from the crime scene in, on or around them or their clothing or abode. Therefore the chances of getting a conviction is considerably improved.

The thing about trace evidence is you cannot avoid leaving it behind 100% of the time and once it's recorded it hangs over your head like the sword of Damocles. Just waiting for you to get picked up for something else and then bang you get the whole lot on your head in one go. And in the U.K. we now have "bad character" where other evidence that might otherwise be regarded as hearsay or not relevant is now fully admissible to show a "criminal mind".

Oh and another difference between careful burglars who get caught and those that don't is "bigging it up" or talking about their exploits to their mates. Dumb I know but something like 95% of most police leads come from this activity...

Cybergibbons • September 23, 2008 4:03 PM

Firstly, apologies to you Clive. I read the word "magnatron" and jumped to the conclusion that you were the same as the people who believe freezer spray makes it possible to shatter locks and that adding some capacitors to a walkie talkie makes it into a "transmitting scanner". It's clear this is something you've looked into a lot.

I've been scavenging for different types of locks, mainly from refurbishments and the like, for many years. The recent rash of work in the City has meant that there have been numerous electronic locks binned from financial institutes.

I'm not talking about either magnetic strikes often found in conjunction with a latch, or mag locks used with card entry systems. The first are simply devices to assist entry, the other can normally be opened either by a sharp tug, bending the door (peeling the armature away from the magnet), or as you say, by either setting off the fire alarm or operating the break-glass emergency button.

I think the most common application for electronic locks, at least in the UK, is hotel room doors. Second to that, it seems to be internal doors in banks, post offices, and other places dealing with large sums of cash.

This page (http://www.blackbag.nl/?p=204) details an attack that has been found to work on certain locks. It only seems to work when the drive axis of the motor is directly away from you (such as it would be if the motor was mounted in the cylinder)

Simply rotating the motor through 90 degrees will prevent this attack from working, and is used in several models of hotel door lock.

A substantial number of these locks also seem to have a cast frame which is magnetically soft and prevents external attacks greatly.

Frequently there are other methods to prevent the lock being attacked - the use of two counter-rotating motors, small magnets which will block the movement of the bolt on application of an external field, and even electronic detection.

I've yet to find a model of lock that relies on a solenoid only, bar the large bolts which tend to be mounted on the reverse side of the door. If fail-secure, these tend to have a substantial spring holding them shut, and installation advice is to have them on the secure side of the door.

It may be the case that there is an entire segment of the market I have missed - rubbish electronic locks. This may be the case - my brief look at the electronic "safes" available in B&Q showed that only one out of the 7 available could not be opened in under 2 minutes.

Clive Robinson • September 24, 2008 7:43 AM

@ Cybergibbons,

For my sins I used to design electronic locks for the Hotel Industry.

The design limitations can be put simply as,

1, They must work with existing doors / furniture.

2, They must be esthetically pleasing so that architects etc will design them in.

3, They must be cheap to manufacture (BOM < $30).

4, The Hotel should see a ROI within 3 years against "key loss".

5, The maintenance cost must be low.

6, The locks should be "guest proof" and the front desk unit should be "blond proof" (I know it's un-pc but that's what it was called in the industry and it's still in use).

There are four main reasons why electronic locks in Hotels fail to work once installed,

A, Mistakes by front desk staff, or guests not understanding how to use the lock (or being incapable due to being "tired and emotional" ;)

B, Static from soft furnishings carpets etc.

C, Abuse / misuse by Guests.

D, Battery life.

When a guest cannot get access to their room they usually use a phone to call the front desk or visit in person (which is bad news for the hotel as it's one of the biggest gripes on CustSat forms). Due to this speed of entry is the name of the game, a member of front desk or security staff will be at the room within five minutes, and if they cannot get in maintenance is called.

If you have met the average hotel maintenance man you will know that the solution to a door lock not working is to "drill it" and "replace it". As the former gets an existing guest into the room quickly and the latter keeps room occupancy high, this policy is usually supported by management.

So the lock mechanism either must be a "throw away item" or have a way to stop either the front desk or security staff calling maintenance when a guest / staff can not get in the room.

There are two ways one is electrical the other is mechanical. Unfortunately the high tech electrical way is often the designer's choice. That is there is a small connector socket at the bottom of the lock (RJ11 etc) into which security can plug the "override device" and enter a security code.

Of the mechanical methods the most sensible is simply to have an ordinary mechanical key. Other times it is the removal of the knob a finishing plate which hides a small hole that allows access to the clutch mechanism. In the case of some locks the hole might start life as a mark or slight depression in the hidden part of the lock casing so the maintenance man knows where to drill with his 5mil drill. In some early locks it was an odd shaped screw head that had to be turned a set number of times with a special screwdriver.

Basically apart from the key these are all usually "security theater". Especially in the electronic case as all the "override device" usually does is supply power and reset the internal micro before actuating the electromagnetic actuator.

In some locks this works directly by powering the actuator, others by putting a logic voltage on the micro, some rare ones by sending a data command to the micro to open. The "security" for this is usually not in the lock but the override device. Even where a data command is used it will be standard to all the locks...

Therefore if you have access to the override device or a lock you can easily come up with an analogue to the override device.

On examining a lock circuit (diagram) it is often illuminating to see just how simple the override can be. In some locks simply connecting a battery the wrong way around energises the actuator through the snubber protection diode...

The actuator can be of a number of types but it boils down to battery life and speed of operation (and sometimes noise). Essentially for a number of locks the actuator acts as a clutch to link human mechanical power to the traditional lock mechanism in the door.

Battery life is a vital consideration and in modern systems >95% is used by the actuator. Realistically it should last a minimum of six months on ten actuations a day (five if inside handle is directly connected to the traditional lock mechanism).

Motors are usually seen as being slow and power hungry but importantly resistant to a magnet (they are not).

Solenoid type actuators are seen as fast and low power but susceptible to magnets (true in all respects).

So broadly the solenoid wins on power and the motor wins on low susceptibility to magnets. Further the solenoid wins outright on mechanical simplicity and reliability and cost. But a lot of designers are scared off by "the problem of magnets".

This is silly as even motors are susceptible and often the mechanics following the motor have considerably more issues as well.

The classic one being "jiggling" whereby spinning or jerking the handle might, using inertia or transmitting sufficient mechanical energy as a pulse overcome the clutch (I've actually seen this being done in a very large Hotel in China).

The real problems with motors are they are not mechanically simple to operate requiring cams / switches and all sorts of other gubbins depending on just how inventive or knowledgeable the designer is. They are of lower reliability and have all sorts of attendant problems over and above a solenoid design.

The simplest motor system to think of uses a gear train with a final drive wheel with teeth missing on part of its circumference this pulls a toothed pin back against a spring and stops part way, after a time interval it turns the wheel around further to the part with no teeth and the pin returns under the spring. The pin is used to activate the clutch mechanism.

Although it's easy to describe and visualise it's full of Gotchas, as are all the motor mechanical trains and some (if not nearly all) clutches.

The first problem is what sort of motor to use?

Traditionally it would have been a simple DC "brush" motor but they have really horrible characteristics such as the current required when they start under load or stall (this caused some early locks with lithium batteries to catch fire releasing large amounts of toxic and acrid smoke as well as burn significant amounts of the door).

Due to their reliability issues DC "brush" motors are not used much. Even in low cost PC's the fans these days are contactless and in some cases have ac inverters built in and use AC "squirrel cage" motors.

Stepper motors have been used but these are quite expensive and require extra control circuitry and still have most of the problems other motors have.

If using a DC "brush" motor a first thought would be to start the motor when there are no teeth engaged with the pin, thus getting over the high start on load current problem. Also you could use inertia etc to get you over the teeth engage bump.

Unfortunately this is gotcha number two, if you do not have the teeth engaged on the pin and it is metal containing iron chromium etc then a magnet can be used to draw it back. If not made of magnetic material but of sufficient mass then it might be possible to vibrate it back (the same way an electric pick gun works on traditional barrel and pin locks).

There are a whole load of other gotchas such as what position is the toothed wheel in. As the battery wears out a simple time based system will not work. Mechanical switches require force to be operated which means more energy from the battery, they also have reliability issues. Optical switches are energy hungry and have other issues. A smart designer might use a micro with an analogue input and monitor the motor current to determine when the teeth engage / disengage thus obviating the switches and their problems but this has other issues.

I could go on at considerable length but

A, it's duller than watching paint dry.

B, The Moderator might well block it on length / suitability.

C, It might be seen by the industry as giving away "trade secrets" (the old security via law suit game).

In reality the big issue with most of these battery operated locks is that they have design compromises or deficiencies that can be exploited by a knowledgeable attacker. Usually the more low tech it is the more likely it is to succeed and much worse be virtually undetectable...

Magnets, Vibrators / Shakers and jiggling attack the clutch mechanics and are therefore virtually undetectable post attack. Likewise attacks against the override port might not be detectable post attack. Even the reversed battery power trick might not damage the lock electronics so again be undetectable post attack.

My original point was that it was not really worth discussing high tech theoretical attacks against a new lock when the older and well proven low tech attacks might well work even better and from the attacker's point of view less detectably.

Clive Robinson • September 24, 2008 7:54 AM

Oops I've read it back and a big chunk of my above post has disappeared on my browser between

BOM and 95%

I guess this is due to using the "less than symbol" to say

BOM less than $30

and "greater than symbol" to talk about battery usage.

Not sure if my browser, all browsers or the server is at fault ho hum.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..