Poster: Power Replay Attack in Electronic Door Locks

Electronic door locks have recently become popular since they have many benefits compared with traditional mechanical locks. For example, in the case of keyless locks which are the most popular types of electronic door locks, a physical key is not needed anymore. They might also be invulnerable to the existing physical attacks against mechanical door locks[1]. Despite these known benefits of electronic door locks, we question whether electronic door locks are really secure enough against any possible intrusion and alterations. Manufacturers often claim that their electronic door locks are secure and against a wide range of attacks despite the fact that several flaws have been recently discovered (e.g, [2] and [3]), but the current focus was only directed to one particular type of adversary attacks by a stranger who tries to open doors from outside — ignoring an insider attacker with temporal access to the inside of a lock. However, the second type of adversary models can also be found in many real life scenarios. For example, a thief who sojourns in a hotel room protected by an electronic door, obtains complete physical access for a prolonged period of time to the electronic door lock. Hence, the thief would have plenty of time to modify some parts of the lock in the room or implement a hidden backdoor switch that could be used to steal the belongings of future guests who will stay later in the same hotel room. We found that the most popular and commercially endorsed electronic door locks cannot cope with this type of threats. An insider attacker can covertly insert malicious hardware components into an electronic door lock to replay a valid DC voltage pulse to illegally open the door. We name this attack the “Power Replay” attack since the inserted component replays a power supplement irrespective of the central processing unit in the target door lock. Our experiments with the four electronic door locks showed the feasibility of power replay attacks: all door locks that we investigated were vulnerable to power replay attacks.