Fingerprint Theft Using Smart Padlocks: Droplock Exploits and Defenses
Steve Kerrison
TL;DR
This work extends the droplock concept with a comprehensive analysis of vulnerabilities in smart locks, including a survey of multiple COTS devices and a threat-model-based set of defenses. It demonstrates that weaknesses in OTA DFU, in non-intrusive access paths, and in hardware/firmware can be exploited to harvest biometric data, turning a lock into a fingerprint harvester with limited user awareness. The paper provides concrete exploitation details (A–H) and prescribes mitigations such as stronger cryptography (AES-GCM/ChaCha), per-session key establishment, PKI-signed firmware, and tamper-evident, user-aware designs, while stressing supply-chain and trust considerations. Overall, the findings highlight a nontrivial risk of biometric theft via vulnerable smart locks and propose practical, multi-layer defenses with implications for both device design and consumer security practices.
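The TL;DR names PKI-signed firmware as one of the mitigations against a malicious OTA DFU image. The following Go program is an added example, not code from the paper or from any lock vendor, showing what the lock-side check looks like: the device holds only the vendor's public key, verifies the signature over the whole image before acting on it, and refuses a validly signed but older image so that a known-weak DFU path cannot be reinstalled. The image layout (magic, version, length, payload, signature), the choice of Ed25519 as the signature scheme, and the version-based rollback rule are all assumptions made for the example; the paper does not specify them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed DFU image layout (an assumption for this example, not any
// real lock's format):
//   magic (4) | version (4, big-endian) | payload length (4, big-endian) |
//   payload | Ed25519 signature (64) over everything before it.
var imageMagic = []byte("DFU1")

const (
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

// BuildSignedImage models the vendor's release step. The private key stays
// with the vendor; the device never holds it.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[0:4], version)
	binary.BigEndian.PutUint32(hdr[4:8], uint32(len(payload)))

	img := append([]byte{}, imageMagic...)
	img = append(img, hdr[:]...)
	img = append(img, payload...)
	sig := ed25519.Sign(priv, img) // signature covers header and payload
	return append(img, sig...)
}

// VerifyImage models the lock's DFU handler. It returns the image version
// and payload only if the signature checks out under the vendor public key
// baked into the device and the version is not a rollback.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen {
		return 0, nil, errors.New("image too short")
	}
	if !bytes.Equal(img[:4], imageMagic) {
		return 0, nil, errors.New("bad magic")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if int(plen) != len(img)-hdrLen-sigLen {
		return 0, nil, errors.New("length field does not match image size")
	}

	signed := img[:len(img)-sigLen]
	sig := img[len(img)-sigLen:]
	// Authenticate first: a modified or unsigned image never gets further.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, errors.New("signature verification failed")
	}
	// Anti-rollback: an older image may be validly signed yet reintroduce a
	// DFU path that has since been fixed, so refuse it.
	if version < installedVersion {
		return 0, nil, fmt.Errorf("rollback refused: image version %d < installed %d", version, installedVersion)
	}
	return version, img[hdrLen : hdrLen+int(plen)], nil
}

func main() {
	// GenerateKey(nil) draws from crypto/rand.
	pub, priv, _ := ed25519.GenerateKey(nil)
	payload := []byte("constructed firmware payload") // constructed sample
	img := BuildSignedImage(priv, 3, payload)

	if v, _, err := VerifyImage(pub, 2, img); err == nil {
		fmt.Println("accepted genuine image, version", v)
	}
	tampered := append([]byte{}, img...)
	tampered[hdrLen] ^= 0x01 // flip one payload bit
	_, _, err := VerifyImage(pub, 2, tampered)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, 5, img)
	fmt.Println("older image on a newer device:", err)
}
```

The ordering matters: the signature is checked before any field in the image is trusted for a decision, and the version comparison happens only on an authenticated header. A device that parsed the payload or honoured the version field before verifying the signature would give an attacker-supplied image influence over the update logic, which is the class of DFU weakness the paper describes.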
Abstract
There is growing adoption of smart devices such as digital locks with remote control and sophisticated authentication mechanisms. However, a lack of attention to device security and user awareness beyond the primary function of these IoT devices may be exposing users to invisible risks. This paper extends prior work that defined the "droplock", an attack whereby a smart lock is turned into a wireless fingerprint harvester. We perform a more in-depth analysis of a broader range of vulnerabilities and exploits that make a droplock attack easier to perform and harder to detect. The analysis is extended to a range of other smart lock models, and a threat model is used as the basis to recommend stronger security controls that may mitigate the risks of such an attack.
