Skip to main content

Earworms Make Bad Passwords: An Analysis of the Noke Smart Lock Manual Override

McBride, Jack and Hernandez-Castro, Julio and Arief, Budi (2018) Earworms Make Bad Passwords: An Analysis of the Noke Smart Lock Manual Override. In: 2017 International Workshop on Secure Internet of Things (SIoT). IEEE. ISBN 978-1-5386-4542-0. E-ISBN 978-1-5386-4541-3. (doi:10.1109/SIoT.2017.00009) (KAR id:64302)

PDF Author's Accepted Manuscript
Language: English
Download (615kB) Preview
[thumbnail of EarwormsMakeBadPasswords.pdf]
This file may not be suitable for users of assistive technology.
Request an accessible format
Official URL


This paper presents a security analysis of the manual override feature of the Noke smart lock. The Noke allows its user to operate, monitor and even share his smart lock with others through a smartphone. To counter the risk of being unable to open the lock when the smartphone is unavailable, it provides an override mechanism. Noke implements this override feature using a quick-click scheme, whereby its user can choose a sequence of eight to sixteen short and long shackle presses (similar to a Morse code). To explore the security implications of this feature, we conducted a study collecting human-generated quick-click codes from 100 participants, and analysed and modelled the resulting dataset. Our analysis shows that the override mechanism, at least in its current implementation, presents a significant opportunity for successful guessing attacks. We demonstrate this by building a mechanical brute force tool that on average can test one quick-click code in under three seconds. We conclude that this speed, together with the low entropy of human-generated passcodes, makes this manual override feature one of the most significant weaknesses of the system and constitutes a promising attack vector. We responsibly disclosed our findings to the Noke manufacturer. We also provide a list of potential countermeasures that can help to address this risk. We believe that alternative authentication methods such as quick-click codes will become increasingly popular in ever-expanding Internet of Things devices, so the weaknesses and the countermeasures discussed in this paper are timely and relevant, as they can also apply to other devices and security systems that rely on unconventional user-generated authentication codes.

Item Type: Book section
DOI/Identification number: 10.1109/SIoT.2017.00009
Uncontrolled keywords: security; brute force attack; smart locks; Internet of Things; user study; passcode selection; override mechanism.
Subjects: Q Science > QA Mathematics (inc Computing science)
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Budi Arief
Date Deposited: 07 Nov 2017 18:13 UTC
Last Modified: 16 Feb 2021 13:49 UTC
Resource URI: (The current URI for this page, for reference purposes)
Hernandez-Castro, Julio:
Arief, Budi:
  • Depositors only (login required):


Downloads per month over past year