Author Topic: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown  (Read 24118 times)

0 Members and 1 Guest are viewing this topic.

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« on: August 10, 2017, 11:35:56 pm »
What's inside the Masterlock 4400 Bluetooth Padlock?
Dave tests and investigates a particular magnetic attack mode.


 

Offline Cliff Matthews

  • Supporter
  • ****
  • Posts: 1910
  • Country: ca
    • General Repair and Support
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #1 on: August 11, 2017, 01:15:55 am »
This is a refreshing change! A Canadian product at just $51 loony bucks (around 40 USD?) on the amazon-ca site. Masterlock is from Dudley Canada. Go figure, when you live under the shadow of the U.S.ofA, not too many of our products get any mention. Dudley sells directly to schools across Canada, so trendy kids are likely to buy these.

If I were still in high-school, I imagine some thin plastic sheet would open-up the battery contacts.
 

Offline fusionimage

  • Contributor
  • Posts: 13
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #2 on: August 11, 2017, 04:33:25 am »
there was a talk about 'smart' locks at 33c3
jump to ~43:00 for the master lock

 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #3 on: August 11, 2017, 07:22:25 am »
there was a talk about 'smart' locks at 33c3
jump to ~43:00 for the master lock

Ah, interesting, I tried that at the time and it didn't work, including after it was opened and I couldn't get it to rotate.
Probably some sweet spot with magnet size and strength etc, or maybe they fixed it again?
 

Online Brumby

  • Supporter
  • ****
  • Posts: 12288
  • Country: au
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #4 on: August 11, 2017, 07:26:56 am »
Maybe the cam was magnetically susceptible.  I can see how the rolling motion might cause it to rotate.

If so, then all they needed to do was change that material to something non magnetic.

Edit:
If the magnet was interacting with the armature of the motor, then changing the casing to something like mu metal might do the trick.


Just guessing...
« Last Edit: August 11, 2017, 07:29:28 am by Brumby »
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #5 on: August 11, 2017, 07:38:52 am »
Maybe the cam was magnetically susceptible.  I can see how the rolling motion might cause it to rotate.
If so, then all they needed to do was change that material to something non magnetic.

The cam in mine is not magnetically susceptible.

Quote
If the magnet was interacting with the armature of the motor, then changing the casing to something like mu metal might do the trick.

Yes, the problem is fixable.
 

Offline dorin

  • Contributor
  • Posts: 39
  • Country: ro
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #6 on: August 11, 2017, 07:48:57 am »
That's not even the first lock can be opened by rotating a magnet in the suitable direction. I've seen a hotel door lock being susceptible to that some time ago but I can't find the video anymore, perhaps the manufacturer forced them to remove it. :palm:
So no, motors are not inherently safe unless you *know* how to shield them.

Btw, since you seem to have a passion for locks, you should consider a teardown of one of the safest commercial door locks in the world, the Simons Voss digital cylinder system. Even big companies like Siemens use it. (Bummer: it's not cheap)



Unfortunately, while it is easy to reach the electronics, it is quite challenging to reach the engaging mechanism without destroying it completely. As far as I know it is using a special type of spring loaded solenoid, which requires active power to both engage and disengage.
« Last Edit: August 11, 2017, 07:54:14 am by dorin »
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #7 on: August 11, 2017, 07:54:00 am »
Btw, since you seem to have a passion for locks, you should consider a teardown of one of the safest commercial door locks in the world, the Simons Voss digital cylinder system. Even big companies like Siemens use it.

Meh, this one has never been picked:
http://www.abloy.com.au/en/abloy/abloycomau/abloy-products/padlocks/abloy-pl362/
Keys work.
 

Offline dorin

  • Contributor
  • Posts: 39
  • Country: ro
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #8 on: August 11, 2017, 08:05:48 am »
Meh, this one has never been picked:
Probably not enough incentive to..

Classical keys are still okayish but when you lose them you need to replace the lock.
When we are talking about organizations, where access management is often required, classical locks are a no go. I've seen a case where losing a master key cost the organization 17k to replace all the mechanical locks.
Oh and when you leave the organization they can be sure you didn't clone the key, which is trivial with a mechanical one.

A well designed electronic system is far more difficult to clone, and as long as the cryptography works (your whole life on the internet depends on that already anyways), you just cannot compare the tamper resistance of a wirelessly isolated system with that of a mechanical one that you get to have intimate contact with.
We are in the 21st century Dave :)
« Last Edit: August 11, 2017, 08:14:17 am by dorin »
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #9 on: August 11, 2017, 08:09:25 am »
Are the backup battery pins in parallel to the normal battery? This would be bad, because when the battery inside is discharged (maybe by a paper clip from someone else who don't like you), an external battery might not help anymore and the internal battery can't be removed.

Also maybe very easy to brick, by applying some high voltage at the backup pins (electric lighter).
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline dorin

  • Contributor
  • Posts: 39
  • Country: ro
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #10 on: August 11, 2017, 08:20:36 am »
Are the backup battery pins in parallel to the normal battery? This would be bad, because when the battery inside is discharged (maybe by a paper clip from someone else who don't like you), an external battery might not help anymore and the internal battery can't be removed.

Also maybe very easy to brick, by applying some high voltage at the backup pins (electric lighter).
Yeah, an external battery might not help but you can still bring a low impedance power supply to the rescue.
Bricking is certainly possible, but also avoidable with some overload protection like diodes and mov's.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5631
  • Country: au
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #11 on: August 11, 2017, 08:44:38 am »
Yet another novelty product that really doesn't need to be "smart". Sure, it probably has some niche uses (albeit insecure ones), but meh, anyone really serious about security wouldn't even bother.

 

Offline Blocco

  • Regular Contributor
  • *
  • Posts: 97
  • Country: gb
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #12 on: August 11, 2017, 09:42:31 am »
The mechanical design of this lock and exposed shackle appears to leave it very vulnerable to a well known brute-force attack involving inserting the open ends of two spanners between the shackle and "cam'ing" it apart to break the sides open.
 

Offline tigrou

  • Regular Contributor
  • *
  • Posts: 71
  • Country: be
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #13 on: August 11, 2017, 10:17:52 am »
I'm wondering what is sent by the phone during lock/unlock operation.
The whole conversation is probably encrypted. However, if the password is sent plain text, it might be vulnerable to a replay attack.

Ideally the padlock would have a public key that the phone would use to encrypt the password (then the padlock would decrypt it using the private key)
But it's probably simpler than that (eg : symmetric encryption)
 

Offline isometrik

  • Regular Contributor
  • *
  • Posts: 54
  • Country: ca
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #14 on: August 11, 2017, 12:25:32 pm »
Youtuber bosnianbill has made numerous videos lockpicking Masterlock brand padlocks, and from these videos, it appears that this brand's products are subpar.

Here is his Masterlock playlist for those of you who would like to judge by themselves:

 

Offline T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21608
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #15 on: August 11, 2017, 02:11:24 pm »
I've worked with the local Masterlock guys before.  Definitely MSP430 people. :)  I don't remember if this lock was anything we were ever asked about, but we've worked with them before.

Usual reviews seem to apply: their design priorities are geared more towards appearance and feel, than strict security.  But what do you expect, business is business.

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 

Online Brumby

  • Supporter
  • ****
  • Posts: 12288
  • Country: au
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #16 on: August 11, 2017, 04:32:36 pm »
I am reminded of this scene from TBBT...

Howard: Okay, picture’s up. Looks like the camera’s working.

Raj: That’s good quality video.

Howard: It better be. It’s the spare camera for the Mars rover.

Raj: How did you get your hands on that?

Howard: Million dollar camera, ten dollar lock.
 
The following users thanked this post: SeanB, dorin

Offline TheDane

  • Regular Contributor
  • *
  • Posts: 209
  • Country: dk
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #17 on: August 11, 2017, 07:16:33 pm »
I like your retake in the beginning Dave  :-+
- what a job..


(And no, my last name isn't Olsen....)

I don't know if this is a prick'ing forum  :-//
- I think that only two hot needle pricks into the plastic frame (and the spare coin battery, or some wire) might be all that's needed to 'whack' the motor around to release the lock mech. Timing might be of utmost importance, or a somewhat flatter battery  :-DD

See attachment for illustration.

The rubber/plastic front seems quite vulnerable to a screwdriver attack exposing the electronics - don't jump spark it, lithium batteries are dangerous! Quite a visible crack too, where as two small holes in one side is less noticeable.

//Egon  :popcorn:
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #18 on: August 11, 2017, 09:16:19 pm »
Are the backup battery pins in parallel to the normal battery? This would be bad, because when the battery inside is discharged (maybe by a paper clip from someone else who don't like you), an external battery might not help anymore and the internal battery can't be removed.

It seemed to me that you could pull out the battery slider a bit even in locked state. (And actually had to pull it out to access the "emergency" power contacts.) I assume that this will also disconnect the internal battery. So they got the batter locking and backup fallback right, it seems.
 

Offline pigrew

  • Frequent Contributor
  • **
  • Posts: 680
  • Country: us
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #19 on: August 12, 2017, 05:05:43 am »
Why do they have both a CC2541 and a MSP430?

Shouldn't the CC2541 should have enough computing power to implement all of the software?

Unless it was to make the firmware easier to write (using the host processor mode of the BLE MCU?).

EDIT: Or maybe they ran out of GPIO ports on the 2541? Is the MSP430+crystal as cheap as an IO extender?

And for that matter, why do they use a surface-mount antenna? It looks like there's nearly enough space for an inverted-F PCB antenna or a dipole.
« Last Edit: August 12, 2017, 05:29:42 am by pigrew »
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16561
  • Country: 00
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #20 on: August 12, 2017, 09:04:31 am »
Lose your phone, get locked out!

Phone runs out of battery, get locked out!

Lock runs out of battery, get locked out!

Number of failure modes is fail.  :palm:

Looks like a iPod, it'll probably sell millions!
« Last Edit: August 12, 2017, 09:10:28 am by Fungus »
 

Offline TheDane

  • Regular Contributor
  • *
  • Posts: 209
  • Country: dk
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #21 on: August 12, 2017, 09:05:37 am »
Why do they have both a CC2541 and a MSP430?


I thought about it too, the CC2541 should be running at all times anyway in order for the Bluetooth lock to be visible, and lock/unlock when the owners phone comes into range.
I hope the MSP430 is a security checking device, as the CC2541 is updatable over the air.
http://processors.wiki.ti.com/images/8/82/OAD_for_CC254x.pdf

Perhaps some hot pins through the upper side, hitting the 'bed of nails test area' as pointed out by Dave, and an external programmer to reprogram the CPU's can make the lock a great Bluetooth beacon with blinking lights and bzzzz vibes, etc.
Of course not something to be done, as a school hall with lockers buzzing and blinking would be a huge distraction - and have a bad environmental effect as the battery would need to be replaced more often...

« Last Edit: August 12, 2017, 09:08:50 am by TheDane »
 

Offline denverpilot

  • Regular Contributor
  • *
  • Posts: 74
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #22 on: August 12, 2017, 09:34:18 am »
Youtuber bosnianbill has made numerous videos lockpicking Masterlock brand padlocks, and from these videos, it appears that this brand's products are subpar.

Here is his Masterlock playlist for those of you who would like to judge by themselves:


Beat me to it.

He does not often do electronic locks, but most have proven to be sub-par as far as locks go.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #23 on: August 12, 2017, 11:10:02 am »
Lose your phone, get locked out!
Phone runs out of battery, get locked out!
Lock runs out of battery, get locked out!

I can certainly agree that this gadget is expendable. But two of your failure modes are non-issues (there is a keypad for phone-less opening), and the third has been reduced to an inconvenience (contacts for external backup battery -- which you need to obain first, of course). Have you actually watched the video or just the still image?
 

Offline max_torque

  • Super Contributor
  • ***
  • Posts: 1272
  • Country: gb
    • bitdynamics
Re: EEVblog #1014 - Masterlock Bluetooth Padlock Teardown
« Reply #24 on: August 12, 2017, 11:49:34 am »
I assume the lock/unlock motor is driven by an H bridge, because it must be able to rotate in both directions.  I wonder what would happen if you put an "excessive" amount of voltage on the external battery contacts?  IE enough to breakdown the fets in the H bridge?  With the correct polarity a short burst of a hundred or so volts might be enough to unlock it??

 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf