Lock Picking in the Era of Internet of Things

Smart locks are a recent development in the Internet of Things that aim to modernise traditional keybased padlock systems. They allow users to operate the lock with their smartphone instead of carrying around a physical key. Typically, smart locks have a cloud system for sharing access with other people, which makes them ideal for schemes such as communal lockers or bike sharing. One of the smart locks available on the market is that produced by Master Lock. They are an established brand, and unlike many of the single product companies that have provided insecure offerings, Master Lock have so far shown that their locks are reasonably secure and resistant to known attacks such as shimming, fuzzing, and replay attacks. This paper provides a security analysis of the Master Lock Bluetooth padlock. More importantly, it reveals that there were several security vulnerabilities, including a serious one in the Application Programming Interface used by Master Lock to provide a crucial feature for managing access. We carried out a responsible disclosure exercise to Master Lock, but communication proved to be quite a challenge. In the end we managed to establish contact, and as a result the most serious vulnerabilities have now been patched. This indicates that responsible disclosure is a valuable exercise, but we still need better report-and-response mechanisms.