top of page
Search

Uncovering Rolling Window Vulnerabilities: A Closer Look at Digital Lock Security

Digital locks have transformed home and business security, providing both advanced features and unparalleled convenience. Yet, with this innovation comes vulnerability. One notable risk is the "rolling window vulnerability." In this article, we will break down this vulnerability, its effects on digital locks, and effective measures to bolster your security.

HuTools Digital Lock
HuTools Digital Lock


What Are Rolling Window Vulnerabilities?


Almost everyone in the world now has used a digital lock, where you have a digital keypad and you enter in a four or five digit code and the lock unlocks.


There are thousands of versions of this lock, from gym lockers to front doors and even some cars have these types of lock.

However as we know in the security field, things are not always built equally.


This post has been two years in the making, the reason being is that responsible disclosure takes time and persistence. Its made worse when the maker of the product in this case HuTools never acknowlege any communications. I discovered this particular locks issue by complete accident two years ago at an air b&b. Whilst the owner had provided a code for us to use, during one late night attempt at putting the code in, my fingers slipped and i pressed too many keys at once.


The code somehow still worked and let me in! The issue? This particular lock suffered what is known as a Rolling Window Vulnerability.


Which begs the question, What is a rolling window and why is it a vulnerability?


What is a Rolling Window Vulnerability


First we have to understand how a digital lock takes and processes imput from the user. Much like a web app a physical lock waits for a digit to be pressed, it then should have a buffer lets say 4 digits. You input 4 digits into that lock and the lock now checks those 4 digits against those it has stored to see if they match. The two sets of numbers match and it opens, or they dont match and the lock remains shut.


The key point here is that there is a limit to the start and the end of the code. if your lock expects 4 digits and you only put in 3 or you try to put in 6 the lock wont work, because it NEEDS 4 digits and 4 digits only.


However Some locks, like this one, have a special key to press after you input your code so it knows the code has been completly entered by the user.


These locks tend to have an open buffer, lets say the buffer can hold 10 numbers, like buckets on a conveyor belt, the first number goes into bucket 0, the next in 1 and so forth until all the buckets are full and it cycles around to bucket 0 again.


There now exists the opportunity for a flaw to creep into some locks that are designed poorly because of how they implement the open buffer with the special key. Because it doesn't check the list of numbers as a whole, but as a fixed window size that moves along the list.


What is a moving or rolling window?


The lock has a opening code of 8240 in its memory, a four digit code.

The window size for the lock is 4 digits.

The user then inputs 8240 and then presses the special button the lock checks its window for the number and so it matches.



User has input the correct pass code
User has input the correct pass code


But what if the user puts in 12 digits! lets say 793284824053 then presses the special key?

Whilst most locks would have only check the last 4 digits entered, flawed locks will move their window along the string of digits checking each set of 4 digits.


So it starts with the window at the first four digits and checks those for a match. in this case it checks 7932, no match so it moves the window along one digit. Now it checks 9328 again no match, it keeps rolling the window along until it comes to 8240 and finds a match and opens the lock.



Window for checking is rolled along the string of numbers
Window for checking is rolled along the string of numbers


Why does this matter... well with some math and some working out an attacker can create a string of numbers to check loads of numbers very quickly.


When we entered in the number 793284824053 we actually checked all of these codes!


7932

9328

3284

2848

8482

4824

8240

2405

4053


As we can see the 8240 code is in the list, we can therefore reduce the number of attempts to get into the lock by a factor of more than a thousand. Rather than checking 10,000 4 digit numbers, we can cleverly construct large strings that contain all 4 digit codes!

For example if we now use the sequence 1111234599990000 we check all of these codes too:

1111

1112

1123

1234

2345

3459

4599

5999

9999

9990

9900

9000

0000


Using just two sequences of numbers we have checked over 20 different codes, a huge time saver!


Here is a video showing the first sequence in action and working.


Video of Rolling Window Vulnerability in HuTools Digital Lock


Some people might consider this a poor vulnerability and not worth fixing, in fact the manufacturer refused to acknowledge this flaw and so we can assume they will not be fixing it.

I reached out to them many times over as many contact channels as I could and so after two years of attempts, I am publicly releasing this particular issue for this lock.


If you have a system like this on any lock, a determined attacker can go up to the door and try a long digit code over a few tries rather than loitering for hours trying all codes. In my line of work a reduction in the time of exposure to being caught is well worth knowing about.


How to Protect Against Rolling Window Vulnerabilities


To prevent rolling window vulnerabilities, consider implementing these best practices:


1. Choose a Lock with Strong Encryption


Select a digital lock from a manufacturer that takes security seriously, the cheaper the lock the more likely it is to have been implemented poorly too. That does not mean an expensive one is better, do your research and work out the best lock for your situation. Remember locks only keep the good guys out, but try to make it harder for the bad guys to break in.


2. Regularly Update Access Codes


Changing access codes periodically limits the chances of unauthorized access. Ensure codes are unpredictable and refrain from using easily recognizable numbers, like birthdays or anniversaries, which could be easily guessed.


3. Educate Yourself and Others on Security Practices


Train all users on the importance of security. Ensure they understand risks and best practices when operating digital locks, such as avoiding code sharing or keeping written codes in unsecured locations.


4. Conduct Regular Security Audits


Regular evaluations of your security measures can identify weaknesses. It's often beneficial to hire professional security experts to assess the effectiveness of your current systems and make necessary adjustments.



Key Takeaways


As digital locks become increasingly commonplace, understanding rolling window vulnerabilities is essential. While these vulnerabilities can pose significant risks, being proactive can enhance your security measures substantially. Make informed choices and apply smart security practices to ensure your digital locks remain secure.


Embrace the benefits of technology while staying cautious. Digital locks offer exceptional advantages, but, like any innovation, they come with challenges. With ongoing diligence and a commitment to security, you can effectively protect your property from unauthorized access.

 
 
 

Comentários

bottom of page