
A Digital Lock Maker Tried To Squash A DEF CON Talk. It Happened Anyway. Here’s Why.

A presentation at the DEF CON conference in Las Vegas on Sunday highlighted cybersecurity holes that leave keyless electronic door locks vulnerable to being picked – posing a serious risk to the physical security of individuals. That’s an important discovery – but the talk almost didn’t happen. Here’s an account of the behind-the-scenes efforts to make the talk happen.

Dennis Giese is an independent security researcher. You can find him at dontvacuum.me.

In a scene reminiscent of DEF CONs of the past, the electronic lock maker Digilock issued a dramatic “Cease and Desist” letter to two independent cybersecurity researchers on Thursday, ahead of a planned Friday presentation at the annual hacker conference that promised to expose vulnerabilities affecting keyless locks manufactured by the company, along with Schulte-Schlagbaum AG (SAG) and other keyless lock manufacturers.

The legal maneuver set off a chain of events that recalled controversies over the last two decades surrounding DEF CON and its sister conference, Black Hat, with the Electronic Frontier Foundation coming to the aid of security researchers looking to expose flaws in the cybersecurity of critical hardware and software.

Keyless locks: not so secure

Giese and his collaborator, Braelynn, a security consultant at Leviathan Security Group, set out to explore the security of keyless lock systems that are widely used to secure everything from lockers and safes to hotel rooms. They presented their results in a DEF CON session dubbed “Open Sesame – or how vulnerable is your stuff in electronic lockers?” What they found was alarming – though not unprecedented.

Keyless locks were vulnerable to tampering and key cloning by hackers with a basic knowledge of electronics, Giese found. His work revealed design weaknesses like exposed debug pins on locks and a lack of protection that made it possible to dump and read data stored in the flash and EEPROM memory on the devices.

Among other things, Giese and Braelynn were able to successfully extract the firmware and secrets from the lock models they studied, analyzing the behavior of the devices and revealing flaws that criminals could exploit. That included unencrypted data that could be used to recover user PINs for a given lock, or even to clone “master” and “manager” keys that disable any lock in a given location.

Similar flaws were found in locks both by Digilock and SAG, and a range of other keyless lock makers. Giese and Braelynn noted that their choice to focus on Digilock and SAG in their talk was based on the firms’ market positions and reputation, not the uniqueness of the problems they discovered.

An attacker with physical access to a single lock and tools as simple as a screwdriver, a custom PCB and a Flipper Zero wireless pen testing device could make short work of keyless locks securing lockers, storage facilities and other sensitive locations, Giese and Braelynn told attendees at DEF CON.

The talk was a reprise of a presentation the two researchers gave at an earlier event: Nullcon in Berlin, in March of this year. That talk garnered little attention – including from the affected manufacturers, with which the researchers shared their findings but which did not respond to the researchers’ inquiries, Giese told Security Ledger.

That changed ahead of the planned DEF CON talk – possibly due to inquiries from a journalist at Wired in advance of the talk. Giese said that he received an email containing a Cease & Desist order from attorneys representing Digilock on Thursday afternoon, less than a day before the scheduled talk. The letter cited alleged violations of U.S. federal laws including the Copyright Act, the Defend Trade Secrets Act, the Computer Fraud and Abuse Act, and the Digital Millennium Copyright Act in calling for Giese and Braelynn to call off the talk.

DEF CON organizers responded by postponing the talk until Sunday. In the meantime, Giese and Braelynn sought the assistance of the Electronic Frontier Foundation (EFF) and began discussions with Digilock and its attorneys regarding the talk and the researchers’ findings.

Easy? Trivial? Yep!

“They had a few things which they did not like about the talk,” Giese told The Security Ledger via Signal Messenger. Among the offending content was the claim that the researchers needed only 2 minutes to clone the digital keys from one lock and program it on an emulator, he said. “They were afraid that their non-technical customers might get really mad at them,” he wrote.

According to Giese, Digilock suggested making the attack “look more complicated” in their presentation. He and Braelynn assured the company that the slides and code published at NULLCON or in their planned DEF CON talk would not allow a compromise of Digilock devices without the technical understanding to supply missing elements needed for a successful hack.

Digilock’s cease and desist letter cited “a raft of legal theories,” but may have misunderstood the facts of Giese’s research and the law, Kurt Opsahl, Special Counsel at EFF, told Security Ledger. Allegations that Giese violated Digilock’s trademark by including the company’s logo in his slides overlooked the context of that use: Giese was simply identifying the lock manufacturer, which is covered under “fair use” exceptions. Similarly, allegations that he violated the Computer Fraud and Abuse Act (CFAA) by hacking into the locks overlooked the fact that Giese purchased the locks that he analyzed. “The CFAA bars unauthorized access to a computer without the consent of the owner,” Opsahl said. “If you own a computer, you can hack it.” References to the DMCA in the cease and desist letter were countered by exemptions to the DMCA’s prohibition on breaking software locks for the purposes of doing research, he said.

An assortment of keyless, digital locks analyzed by Giese and Braelynn. (Photo courtesy of Dennis Giese)

With Giese’s talk delayed from Friday to Sunday, however, Opsahl and his colleagues were able to talk through the planned presentation with Digilock and reach a resolution.

In the end, Giese and Braelynn agreed to small changes to their presentation: removing the Digilock logo from their slides and the claims about timing, as well as words like “easy” and “trivial” that described the process of exploiting the locks’ flaws. They also included a statement from the company thanking Giese for delaying the talk and saying that the company had prior communications with Giese and was working on improvements to its products in response to his findings. Those improvements include the implementation of code protection on all data blocks to address issues uncovered by Giese’s research, the addition of encryption for key values sent back and forth between keys and locks, and read-only EEPROM memory.

The statement also claimed that “In over 32 years, there have been no reported instances of items being stolen because a Digilock lock was hacked.” The company is “fully committed to providing secure solutions for its customers,” the statement read. It was unclear how the company arrived at that conclusion, or whether it is possible for it to detect a local compromise of a lock or locks deployed by a customer.

Digilock did not reply to email and social media requests for comment on this story. “From my legal understanding, we did not have to do that, but we wanted to be nice,” Giese told Security Ledger, noting that Digilock also suggested he blur some slide content which “we did not do.”

Kicking it like it’s 2005!

The drama surrounding Giese’s talk recalled years past, when efforts by vendors to silence security researchers were more common. In 2005, the security researcher Michael Lynn famously quit his job at the legendary firm Internet Security Systems (ISS) under pressure by Cisco to cancel a talk at Black Hat on serious flaws he discovered in Cisco’s IOS operating system – an incident known as “Ciscogate.”

Talks on hacks of digital locks and keys seem particularly prone to such a response.

In 2007, the secure card maker HID succeeded in getting a talk by IOActive security researcher Kristin Paget pulled from a Black Hat Federal event in Washington D.C. Paget had planned to discuss the discovery of RFID flaws in HID products, but gave an expurgated presentation instead highlighting the threatening letters sent by HID. (Here’s my story on that from 2007!)

Then, in 2008, the Massachusetts Bay Transportation Authority (MBTA) filed suit in federal court seeking a temporary restraining order to prevent three MIT undergraduates from presenting a talk at that weekend’s DEF CON hacker conference about security vulnerabilities in the “Charlie Card” payment system used on Boston’s subway.

Beware: The Streisand Effect

Security and public relations experts note that such actions usually work against the interests of the affected vendor, drawing more attention and scrutiny to the talk the vendor is hoping to squelch. That’s a phenomenon known, outside of information security, as the Streisand Effect – after actress Barbra Streisand, whose effort to legally suppress a photo of her Malibu home in 2003 ended up drawing intense scrutiny of the property from the media and public.

Giese said Digilock may have reacted “hastily” with the cease and desist order, without realizing what effects it would have. “If they would not have done that, the whole thing would have blown over after the weekend and no-one would care anymore,” he wrote. By issuing the cease and desist and forcing a delay in the talk “a lot of chatter started.”

As it turned out, after a conversation with Giese and the EFF attorneys and slight modifications to the presentation, the cease and desist letter was withdrawn and the Sunday talk went ahead as planned.

Companies facing the prospect of unflattering talks like Giese’s should take note, said Opsahl of EFF. “If you’re a company that has not had software involved in its products previously – and now does – you should have a security point of contact on your website. That’s the most important thing,” he said. “That’s one of the greatest challenges – just getting in touch with the company to report the vulnerability.”

Editor’s note: an earlier version of this story misspelled the last name of EFF Special Counsel Kurt Opsahl. The story has been corrected. 8/22/2024
