According to security expert and senior cybersecurity instructor Steven Kerrison, the issue lies in the hardware constraints of IoT smart locks. In contrast to smartphones and tablets, which store fingerprint templates and other biometric data within encrypted hardware enclaves, low-end IoT devices such as commercial smart locks lack dedicated secure storage.

Hackers Use Smart Lock Hack for Fingerprint Theft: Researcher

Kerrison stated in the report, “These devices often include less powerful CPUs and cheaper sensors, and they do not offer the same level of security as a smartphone.” Typically, this is considered acceptable given the value of the product or what the sensor is intended to safeguard.

To demonstrate the vulnerability, Kerrison built a proof-of-concept device that could connect to a smart lock over Wi-Fi and use either an attack or an accessible debug interface to modify the lock’s software so that it collects and submits fingerprint data. Alternatively, the lock can be taken apart and wired directly to the controller through its on-board debugging pads. In either case, the modified lock yields fingerprint data that can be used against other biometric devices.

In discussing the findings with TechTarget Editorial, Kerrison remarked that any real-world attack would likely be conducted against a planned target over a predetermined length of time, as opposed to a random bulk collection of credentials. To gather fingerprints while the lock is in use, the attacker would need to be in close proximity to the lock, such as within Bluetooth range. Once the print data has been acquired, it might eventually be used to gain access to other devices with more stringent security measures. While providing an explanation, Kerrison said,