Your Gym Locker May Be Hackable
Researchers focused on various models of electronic locks from two of the world’s largest manufacturers, Digilock and Schulte-Schlagbaum. The researchers focused on various models of electronic locks from two of the world’s biggest manufacturers, Digilock and Schulte-Schlagbaum.
Over the past few years, the researchers, who both have backgrounds in lock picking, have been examining various electronic locks that use numerical keypads, allowing people to set and open them with a PIN. The work comes on the back of various examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes being alleged to have backdoors.
For the research, Giese and braelynn purchased electronic locks on eBay, snapping up those sold after some gyms closed during the Covid-19 pandemic and from other failed projects. Giese concentrated on Digilock while braelynn focused on Schulte Schlagbaum. During the research they examined legacy models of Digilock from 2015-2022, and SchulteSchlagbaum models from 2015-2020. They also bought physical keys for Digilock system management. Researchers say that they can disassemble the electronic lock and extract its firmware, which contains the stored data. This shows how security flaws can be exploited by a hacker. Giese claims that this data can include PINs, management keys and programming keys. Giese says that if you can access one lock we can access all the locks in the entire unit, whether it’s the university or the company. Giese says that the tools used to clone keys are not complicated. Whoever manages the lockers is the owner. The researchers took apart the locks and used debugging tools, which are inexpensive, to gain access to the devices’ programmable, read-only, erasable memory. This is known as EEPROM. In many locks, the data could be accessed by using cheap debugging tools. The user PIN is erased when a locker is unlocked by newer locks. The PIN is still present if the locker has been opened using a programmer key or manager key. Digilock has told WIRED that it has released a fix to address the vulnerabilities. The researchers claim that Schulte Schlagbaum has not responded to their reports. The company also did not reply to WIRED’s request for comments.
