The BBC asked us to look into a range of IoT products.

One of them was a Pineworld lock, from Amazon.

We only had a day; I went for the quickest and most realistic attack.
The lock costs £139.99 - that's not cheap.

It looks quite nice. PIN, WiFi, RFID, and fingerprint? Wow.

That's a lot of electronic attack surface.
Thing is, burglars don't yet carry out electronic attacks.

Let's look at the mechanicals.
Now - it has some good features here.

The handle disconnects from the drive shaft using a clutch. That means that you can't simply force a lock; the handle just moves pointlessly.
It uses a motor and gearbox, as opposed to a solenoid. These are harder to attack with magnets.

It also uses non-magnetic components on critical parts.
But what's that silver bit at the bottom?

That's where the backup mechanical lock pushes up on to engage the clutch. It's inside the lock though, so what's the issue?
Well, this is the issue.

I can drill through the side of the die cast housing in 2 seconds.

It's not loud, and it doesn't need special tools.
I now have a hole in the lock.
Insert a small screwdriver, and lift.

The door unlocks.
Realistically, that's 10 seconds total. It's not at all hard.

Certainly below the level of security I would want on my front door.
Compare it to a decent lock.
That raised part is hardplate. Much, much harder to drill than aluminium.
Other thing... you need to know where to drill.

Which means you need to ID the lock, just from a keyhole. It's not trivial.
It also has hardened steel rollers in the bolt, to frustrate cutting attempts.
You need to watch out for these electronic locks. A lot of them have TERRIBLE physical security.

Nearly all of them can be drilled in a similar way. Most of them are physically weaker.

Just because it's electronic doesn't mean you get to ignore this.
Most recent review on Amazon isn't exactly stellar.
It's also available as "ENER-J".
You can follow @cybergibbons.