As far as I can see now, 2009 will be the year of exploits for electronic and electro-mechanical locks. As you can read on Marc Tobias his blog they will talk about some exploits against these kind of locks at Defcon. And so will Han Fey and me (in more detail) at the HAR conference two weeks after Defcon.
And there are others doing the same thing. Take for example a mysterious group calling themselves ‘lockbeepers’. They just published a report about the BurgwÃ¤chter TSE 3000, showing two interesting attack vectors.
The image above shows the heart of the BurgwÃ¤chter TSE 3000. For those unfamiliar with the lock: it is a fully electronic lock that replaces a mechanical lock. Instead of using a key you have to enter a PIN on a keypad.
The lockbeepers seem to have had a hell of a time analyzing it as you can read in their report (PDF).
In the report they explain two possible ways of attacking this lock. The first attack is locating the cable the pin numbers are being transported by (in the clear). Hooking up a small chip on that line would allow anyone to record and replay the pin-numbers captured.
The second attack is more practical: it shows you where to apply power on the circuit board and open the lock. According to the lockbeepers it is not difficult to reach that point.
I would like to thank the lockbeepers for their document and hope to see more work from their hands. If they do you will most likely read it on blackbag …