![Graham Sutherland [Polynomial^DSS]](data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/4gKgSUNDX1BST0ZJTEUAAQEAAAKQbGNtcwQwAABtbnRyUkdCIFhZWiAH4gABAAMADAA6ADNhY3NwQVBQTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9tYAAQAAAADTLWxjbXMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtkZXNjAAABCAAAADhjcHJ0AAABQAAAAE53dHB0AAABkAAAABRjaGFkAAABpAAAACxyWFlaAAAB0AAAABRiWFlaAAAB5AAAABRnWFlaAAAB+AAAABRyVFJDAAACDAAAACBnVFJDAAACLAAAACBiVFJDAAACTAAAACBjaHJtAAACbAAAACRtbHVjAAAAAAAAAAEAAAAMZW5VUwAAABwAAAAcAHMAUgBHAEIAIABiAHUAaQBsAHQALQBpAG4AAG1sdWMAAAAAAAAAAQAAAAxlblVTAAAAMgAAABwATgBvACAAYwBvAHAAeQByAGkAZwBoAHQALAAgAHUAcwBlACAAZgByAGUAZQBsAHkAAAAAWFlaIAAAAAAAAPbWAAEAAAAA0y1zZjMyAAAAAAABDEoAAAXj///zKgAAB5sAAP2H///7ov///aMAAAPYAADAlFhZWiAAAAAAAABvlAAAOO4AAAOQWFlaIAAAAAAAACSdAAAPgwAAtr5YWVogAAAAAAAAYqUAALeQAAAY3nBhcmEAAAAAAAMAAAACZmYAAPKnAAANWQAAE9AAAApbcGFyYQAAAAAAAwAAAAJmZgAA8qcAAA1ZAAAT0AAACltwYXJhAAAAAAADAAAAAmZmAADypwAADVkAABPQAAAKW2Nocm0AAAAAAAMAAAAAo9cAAFR7AABMzQAAmZoAACZmAAAPXP/bAEMABQMEBAQDBQQEBAUFBQYHDAgHBwcHDwsLCQwRDxISEQ8RERMWHBcTFBoVEREYIRgaHR0fHx8TFyIkIh4kHB4fHv/bAEMBBQUFBwYHDggIDh4UERQeHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHv/CABEIADAAMAMBIgACEQEDEQH/xAAbAAACAgMBAAAAAAAAAAAAAAAEBQMGAQIHAP/EABkBAAMAAwAAAAAAAAAAAAAAAAMEBQABBv/aAAwDAQACEAMQAAABvtVtKHn6wLJU1sT9yZpJreafZOVZtKTD6uh0qrDLViMqgWGwOacTRkBomIAF/8QAIBAAAgMAAwACAwAAAAAAAAAAAgMAAQQFERIUMwYjMf/aAAgBAQABBQJ/1VDMKsuxgsuC4o76qqNUnS1erONi/PPkZo6/18pq+LlDPbKATROKYjVNm7UvRraCs+3lh1XocJJQ3wni+QTk5Dewb1/lbDa+uhn9ANTgT6Uyepv13pIOrr1U9DVlYdXP/8QAHhEAAgIBBQEAAAAAAAAAAAAAAAECEQMQEhMhMVH/2gAIAQMBAT8BkLKuWil9Ms9qF7pkn3ZbsUrP/8QAHhEAAgICAgMAAAAAAAAAAAAAAAECAxEhBBIkUWH/2gAIAQIBAT8Br0Tp8ZSOz9HHqc38JLQsplVbUUhwjgcMH//EACUQAAIBAwIGAwEAAAAAAAAAAAECAAMRIRIxEBMiMkFxM1GBcv/aAAgBAQAGPwJvXC9Q2UCA/fFvXAPzl0rg2M0VK1MX2z5nyJPlpxvUuve2Fl2ZV9w6GWovmLSV+XW2OMiPT5gbSSI71GCqBkmGklHoGQzbwKv7OpCV8GUnftPcR4vKxUggubGU3SqWpaRjwDMZPA0UaynMtWDf0DLX2m1lG0uTaWG0+5dT+TUJ/8QAIxAAAgICAQQCAwAAAAAAAAAAAAERITFBUWFxkaEQgdHw8f/aAAgBAQABPyH3Q0COnIdZnRQJaT3sQ5Ej3ArgRNlUjKL3D9TXgdVeYhVq+/iksqa/ryR0/O4ubNEhx3Icm0XYt8D/AN3cTZMNcxQrFlrNcIX809mZvjaWt8GEfe41LGBQkbUjiFTmrev3BK9gmVtTZO89OtfgUSaVKwvJdtGbonyhVqy+p9ypEMlMkcmyQlJS508ijX8D/9oADAMBAAIAAwAAABArRO+D4LHr/8QAGxEBAQEAAgMAAAAAAAAAAAAAAREAIVExQcH/2gAIAQMBAT8QFMxl9x6OvuhhwvOd8sglXAurgk4Bd//EABoRAAMBAQEBAAAAAAAAAAAAAAABESExQeH/2gAIAQIBAT8QbRCfeiZ6EFyp0lyKypgoKkHFWfRzw//EACMQAQADAAICAQQDAAAAAAAAAAEAESExQVGBcWGh0fCRscH/2gAIAQEAAT8Q5H7VGBUbsHlpUAGsassw/Rg/32SvqKelj/W6l4KfxFSK2cpSXeabEzjkly3F1f8AQmwfxG0AeSQqL7TdjNbLG+hb81OWdYN71vve5aQIXYcByk6TiLrzQqS3WjjmAvxCUrS6D6XH7RogPz9OWBUviVydBY8XcG5aPG8HuXCmlUKbb3M2Vx3aWHYFOdTQ/wAoKkR8R0fwrG3LurFrmGOyTyKL+O/crYQ4OWxkBKJutC6OPvKfRXeq+yw/aFqNUdCg/PEHrY4oFU8Mto6tgredWdfggzJfup9QaKM7EPJBHSBTp7i3YLp5fif/2SAgICAgICAgICAgIA==)
The lock costs £139.99 - that's not cheap. It looks quite nice. PIN, WiFi, RFID, and fingerprint? Wow. That's a lot of electronic attack surface.pic.twitter.com/8zKfoBDqhh
Show this thread
The BBC asked us to look into a range of IoT products. One of them was a Pineworld lock, from Amazon. We only had a day; I went for the quickest and most realistic attack.pic.twitter.com/QUKFQUyChO
-
-
-
Thing is, burglars don't yet carry out electronic attacks. Let's look at the mechanicals.pic.twitter.com/gUKIz084jh
Show this thread -
Now - it has some good features here. The handle disconnects from the drive shaft using a clutch. That means that you can't simply force a lock, the handle just moves pointlessly.
Show this thread -
It uses a motor and gearbox, as opposed to a solenoid. These are harder to attack with magnets. It also uses non-magnetic components on critical parts.
Show this thread -
But what's that silver bit at the bottom? That's where the backup mechanical lock pushes up on to engage the clutch. It's inside the lock though, so what's the issue?pic.twitter.com/KgpaVpXsJF
Show this thread -
Well, this is the issue. I can drill through the side of the die cast housing in 2 seconds. It's not loud, and it doesn't need special tools.pic.twitter.com/nZy9rBtEbz
Show this thread -
-
-
Realistically, that's 10s total. It's not at all hard. Certainly below the level of security I would want on my front door.
Show this thread -
-
That raised part is hardplate. Much, much harder to drill that aluminium.pic.twitter.com/YmWuzPQIEv
Show this thread -
Other thing... you need to know where to drill. Which means you need to ID the lock, just from a keyhole. It's not trivial.pic.twitter.com/owB7wEU5Ta
Show this thread -
It also has hardened steel rollers in the bolt, to frustrate cutting attempts.pic.twitter.com/POxCwTaoQ5
Show this thread -
You need to watch out for these electronic locks. A lot of them have TERRIBLE physical security. Nearly all of them can be drilled in a similar way. Most of them are physically weaker. Just because it's electronic doesn't mean you get to ignore this.
Show this thread -
-
New conversation -
-
-
Interesting. Presumably it’s odd to be paid to look at devices without a non-disclosure? Maybe there’s a model in businesses paying for open testing of competitors products... raise everybody’s game
-
I used to (when I was operating by myself) do "competitor intelligence" to give someone an idea of what the competition was like. (but, no payment was made for the BBC work, anyway)
-
Useful thought. I shall file that away
End of conversation
New conversation -
-
-
Wow, that's even worse than I expected. Did these people never actually look at a real lock?Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.