IoT Droplocks: Wireless Fingerprint Theft Using Hacked Smart Locks

TL;DR

This paper introduces the droplock attack, a method to covertly harvest fingerprints from hacked smart locks, highlighting security vulnerabilities in IoT devices with fingerprint readers.

Contribution

It demonstrates how off-the-shelf smart locks can be secretly modified to perform fingerprint theft and discusses implications for device security and design.

Findings

Smart locks can be covertly hacked to harvest fingerprints

The attack can be performed invisibly on off-the-shelf devices

Implications for security and privacy in IoT devices

Abstract

Electronic locks can provide security- and convenience-enhancing features, with fingerprint readers an increasingly common feature in these products. When equipped with a wireless radio, they become a smart lock and join the billions of IoT devices proliferating our world. However, such capabilities can also be used to transform smart locks into fingerprint harvesters that compromise an individual's security without their knowledge. We have named this the droplock attack. This paper demonstrates how the harvesting technique works, shows that off-the-shelf smart locks can be invisibly modified to perform such attacks, discusses the implications for smart device design and usage, and calls for better manufacturer and public treatment of this issue.