McBride, Jack and Hernandez-Castro, Julio and Arief, Budi (2018) Earworms Make Bad Passwords: An Analysis of the Noke Smart Lock Manual Override. In: 2017 International Workshop on Secure Internet of Things (SIoT). IEEE. ISBN 978-1-5386-4542-0. E-ISBN 978-1-5386-4541-3. (doi:10.1109/SIoT.2017.00009) (KAR id:64302)
PDF: Author's Accepted Manuscript (Language: English)
Official URL: http://dx.doi.org/10.1109/SIoT.2017.00009
Abstract
This paper presents a security analysis of the manual override feature of the Noke smart lock. The Noke allows its user to operate, monitor and even share the lock with others through a smartphone. To counter the risk of being unable to open the lock when the smartphone is unavailable, it provides an override mechanism. Noke implements this override feature using a quick-click scheme, whereby the user chooses a sequence of eight to sixteen short and long shackle presses (similar to Morse code). To explore the security implications of this feature, we conducted a study that collected human-generated quick-click codes from 100 participants, and analysed and modelled the resulting dataset. Our analysis shows that the override mechanism, at least in its current implementation, presents a significant opportunity for successful guessing attacks. We demonstrate this by building a mechanical brute-force tool that on average can test one quick-click code in under three seconds. We conclude that this speed, together with the low entropy of human-generated passcodes, makes the manual override feature one of the most significant weaknesses of the system and a promising attack vector. We responsibly disclosed our findings to the Noke manufacturer. We also provide a list of potential countermeasures that can help to address this risk. We believe that alternative authentication methods such as quick-click codes will become increasingly popular in the ever-expanding range of Internet of Things devices, so the weaknesses and countermeasures discussed in this paper are timely and relevant, as they also apply to other devices and security systems that rely on unconventional user-generated authentication codes.
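The abstract gives the two numbers that decide whether a guessing attack on the override is practical: the code alphabet and length range (two press types, eight to sixteen presses) and the tool's speed (one guess in under three seconds). The following script is an added example, not code from the paper or from Noke, that turns those parameters into the quantities an attacker or a defender would actually compare: the size of the key space, the time to exhaust it, and how far a skewed choice distribution shortens the expected search. The short/long press notation (`.` and `-`) is an assumed display convention, and the `CONSTRUCTED_POPULAR` distribution is a constructed illustration of low-entropy human choices, not the 100-participant dataset the paper analysed.

```python
"""Guessing-attack arithmetic for an 8-16 press short/long override code.

Added example (not from the paper). Parameters taken from the abstract:
two press types, lengths 8..16, under 3 s per guess with the authors'
mechanical tool. The popular-code distribution at the bottom is
CONSTRUCTED for illustration; it is not the paper's dataset.
"""
import math

MIN_LEN, MAX_LEN = 8, 16          # code lengths given in the abstract
SECONDS_PER_GUESS = 3.0           # upper bound on the brute-force tool's speed
SHORT, LONG = ".", "-"            # assumed Morse-like display notation for presses


def is_valid_code(code: str) -> bool:
    """A code is a string of 8..16 presses, each either short or long."""
    return MIN_LEN <= len(code) <= MAX_LEN and set(code) <= {SHORT, LONG}


def keyspace_size(min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> int:
    """Number of distinct codes: 2**n summed over every allowed length n."""
    return sum(2 ** n for n in range(min_len, max_len + 1))


def exhaustive_time_hours(size: int, seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Worst-case time to try every code at the given rate."""
    return size * seconds_per_guess / 3600.0


def _ordered_probs(popular: dict, size: int) -> tuple:
    """Attacker's guessing order: popular codes by descending probability,
    then the remaining codes, which share the leftover mass uniformly."""
    for code in popular:
        if not is_valid_code(code):
            raise ValueError(f"invalid code {code!r}")
    p_pop = sum(popular.values())
    if not 0.0 <= p_pop <= 1.0:
        raise ValueError("popular-code probabilities must sum to at most 1")
    ranked = sorted(popular.values(), reverse=True)
    rest = size - len(popular)
    q = (1.0 - p_pop) / rest if rest else 0.0
    if ranked and ranked[-1] < q:
        raise ValueError("every 'popular' code must be likelier than an unpopular one")
    return ranked, rest, q


def expected_guesses(popular: dict, size: int) -> float:
    """Expected number of guesses until success for an attacker who tries
    codes in descending order of probability (uniform choice: (N+1)/2)."""
    ranked, rest, q = _ordered_probs(popular, size)
    k = len(ranked)
    head = sum(i * p for i, p in enumerate(ranked, start=1))
    # Remaining codes occupy positions k+1..size, each with probability q.
    tail = q * rest * (k + 1 + size) / 2.0
    return head + tail


def success_within(popular: dict, size: int, guesses: int) -> float:
    """Probability that the attacker succeeds within a fixed guess budget."""
    ranked, _rest, q = _ordered_probs(popular, size)
    guesses = max(0, min(guesses, size))
    k = len(ranked)
    if guesses <= k:
        return sum(ranked[:guesses])
    return sum(ranked) + (guesses - k) * q


def entropy_bits(popular: dict, size: int) -> float:
    """Shannon entropy of the modelled code distribution, in bits."""
    ranked, rest, q = _ordered_probs(popular, size)
    h = -sum(p * math.log2(p) for p in ranked if p > 0)
    if rest and q > 0:
        h -= rest * q * math.log2(q)
    return h


# Constructed illustration (NOT the paper's data): a handful of rhythms that
# many people pick, holding 30 % of the probability mass between them.
CONSTRUCTED_POPULAR = {
    "..-..-..": 0.10,
    "-.-.-.-.": 0.08,
    "...---...": 0.06,
    ".-.-.-.-.-": 0.04,
    "--..--..": 0.02,
}


def main() -> None:
    n = keyspace_size()
    print(f"codes in key space: {n} ({math.log2(n):.2f} bits if chosen uniformly)")
    print(f"exhaustive search at {SECONDS_PER_GUESS:.0f} s/guess: {exhaustive_time_hours(n):.1f} h")
    print(f"expected guesses, uniform choice: {expected_guesses({}, n):,.1f}")
    print(f"expected guesses, constructed skew: {expected_guesses(CONSTRUCTED_POPULAR, n):,.1f}")
    budget = 20  # one minute of the mechanical tool's time
    print(f"P(success within {budget} guesses, {budget * SECONDS_PER_GUESS:.0f} s): "
          f"uniform {success_within({}, n, budget):.6f}, "
          f"skewed {success_within(CONSTRUCTED_POPULAR, n, budget):.3f}")
    print(f"entropy: uniform {entropy_bits({}, n):.2f} bits, "
          f"skewed {entropy_bits(CONSTRUCTED_POPULAR, n):.2f} bits")


if __name__ == "__main__":
    main()
```

The point the numbers make is the one the abstract draws: even the full key space (about 131 thousand codes, a little under 17 bits) falls to the mechanical tool in roughly 109 hours, and any concentration of human choices on a few rhythms lets a time-boxed attacker trade that exhaustive search for a minute of trying the most common codes first. Replace `CONSTRUCTED_POPULAR` with frequencies measured from real users to get the success probability for a given on-site time budget.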
| Field | Value |
|---|---|
| Item Type | Book section |
| DOI/Identification number | 10.1109/SIoT.2017.00009 |
| Uncontrolled keywords | security; brute force attack; smart locks; Internet of Things; user study; passcode selection; override mechanism |
| Subjects | Q Science > QA Mathematics (inc Computing science) |
| Divisions | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing |
| Depositing User | Budi Arief |
| Date Deposited | 07 Nov 2017 18:13 UTC |
| Last Modified | 05 Nov 2024 11:00 UTC |
| Resource URI | https://kar.kent.ac.uk/id/eprint/64302 |