Roughly the size of the average luggage lock, the eGeeTouch smart luggage lock means you'll never forget your key.
The eGeeTouch locks are different from older locks in that they don't use keys (other than the TSA master keys) or combination wheels. I've forgotten my combinations and lost or misplaced a key before, so I definitely have an interest in these locks. eGeeTouch promises the ease of key management and easy unlocking through a mobile app. Even without a phone that supports NFC (Near Field Communication, like in touch-and-pay credit cards), eGeeTouch also provides separate programmable NFC tags.
Near Field Communications lets you pay for things by waving your phone. Now you'll be able to unlock your bags too. Credit: Steven Walling
The locks themselves will have a suggested cost between $20-30 apiece. Larger licensing deals may reduce the cost for the end user. At the moment they're about 3x the price of a non-smart lock. When they're eventually licensed by baggage manufacturers, the cost will be included in the price of your new luggage.
The most expensive smartphones now include NFC support (for use with Google Wallet or Apple Pay), though the average smartphone is not excluded. The programmable NFC tags can be registered as keys for your lock using the eGeeTouch Access Manager app.
Attacker's eye view of the eGeeTouch lock
The eGeeTouch locks do look quite interesting, but it's likely attackers will find new ways to access your property.
The Lock Manager app includes a number of functions: managing password, making a backup, and managing tags.
There are a number of ways to attack a smart lock or access what it protects:
Physical
1) Cloning smart tags/"keys"
2) TSA approved keyway
3) Zipper tricks
Technological
1) Exploit lost key replacement protocol
2) Extract key from phone app
Physically cloning the NFC smart tags (i.e. the keys) with a tag reader/writer would be the "Hollywood" method. It yields a technically perfect copy, but requires an attacker to expend more resources (people, hardware/software, time, money) than the value of whatever is stored in most people's luggage.
Attackers may go after the next most complex physical defense, the TSA bypass lock. The seminal report on TSA compatible locks by security and lock expert Marc Weber Tobias covers the issues quite well. Although legitimate TSA master keys are inventory controlled, restricted, and secured at the end of shifts, it is still possible to create keys or decode combinations. Tobias' report shows how it's possible to pick or bypass luggage locks through the TSA approved keyway. The cost and preparation time may also be too much for the average attacker.
Zippers rather than locks seem to be the real weak point when looking at physical attacks. There are numerous videos on YouTube that show how one can easily open and re-seal the zipper on your bag with a common ballpoint pen. If an attacker is in a more destructive mood, they could also simply slice into the bag with a knife.
Given the cost and relative difficulty of physical attacks, it can be easier to go after the low-hanging fruit of mobile apps. Currently the eGeeTouch Manager App is available on the app markets. Per the eGeeTouch FAQ, if one loses their phone, one can simply install the Manager App on their new phone and replace/reload a new code on their locks. The attacker would need to disassemble/decompile the app in order to figure out how the keys are managed and how to clone or insert their own.
A slightly easier method is to locate how/where the keys are stored on disk. The attacker would just need to gain access to the password file, decode the stored keys, and exfiltrate them to the attacker's server. This attack would be most successful on a rooted device, which allows access to the password file. A plausible attack would have an optional root exploit, knowledge of key storage (e.g. filepaths), and a method to exfiltrate the data.
Smart Luggage Locks: What can go wrong?
Smart Luggage Locks can be attacked. Does that make them insecure? Not necessarily. Attackers face a tradeoff between cost (money + risk) and acquired information or goods (revenue - cost). Since I'm not carrying the formula for Coca-Cola in my luggage, it might not be worth the risk for attackers to take on the TSA or other law enforcement just to bypass my Smart locks. For the regular traveller who also doesn't carry state/trade secrets, high-end electronics or fancy jewelry, the locks may be enough to discourage the casual pilferer.
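The trade-off above can be written down as a small attack tree over the attack paths listed earlier. This is an added example, not code from the original post or from eGeeTouch; the node names follow the post's list, and every cost figure and loot value is a constructed placeholder, not a measurement.

```python
from dataclasses import dataclass, field

INF = float("inf")

@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0      # leaf only: attacker's money + risk, in constructed units
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (cost, leaf names) for the cheapest way to achieve this node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0], default=(INF, []))
    return sum(r[0] for r in results), [n for r in results for n in r[1]]

def mitigate(node, leaf_name):
    """Copy of the tree in which the named leaf is no longer feasible."""
    cost = INF if node.name == leaf_name else node.cost
    return Node(node.name, node.kind, cost, [mitigate(c, leaf_name) for c in node.children])

def worth_attacking(tree, loot_value):
    """The attack pays only if the goods are worth more than the cheapest path."""
    cost, path = cheapest(tree)
    return loot_value > cost, cost, path

# Attack paths are the ones listed in the post; every cost is a constructed placeholder.
TREE = Node("open the bag", "or", children=[
    Node("physical", "or", children=[
        Node("clone NFC tag", cost=800),
        Node("TSA keyway", cost=300),
        Node("zipper trick", cost=40),
    ]),
    Node("technological", "or", children=[
        Node("lost key replacement protocol", cost=400),
        Node("extract key from phone app", "and", children=[
            Node("root access", cost=100),
            Node("key storage location known", cost=75),
            Node("exfiltration channel", cost=75),
        ]),
    ]),
])

if __name__ == "__main__":
    print(worth_attacking(TREE, 30))      # ordinary luggage (constructed value)
    print(worth_attacking(TREE, 2000))    # high-value contents (constructed value)
    print(cheapest(mitigate(TREE, "zipper trick")))
```

Because the root is an OR node, the bag is only as strong as its cheapest path: with these placeholder numbers, improving the lock changes nothing until the zipper path is closed.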
[1] Once I managed to leave the key in my luggage as I closed the lock. This led to some fiddling with a butter knife and damage to the zippers on my bag. These are the dangers of forgetting where one placed the key.