16.08.2024

Statement and corrections by Schulte-Schlagbaum AG in response to the article ‘Electronic lockers in hotels etc. hacked – remedy difficult’ on heise.de

  • On 14 August 2024, heise.de published an article stating that two well-known hardware hackers had scrutinised various cabinet locks from two manufacturers for vulnerabilities, including locks from Schulte-Schlagbaum AG (SAG).
  • However, some key claims in the article do not apply to the SAG locks.
  • With this position statement, SAG actively responds to the report and corrects these inaccurate, or only partially accurate, statements regarding the discovered security vulnerabilities.
  • The vulnerabilities only affect certain specialised locker system configurations at SAG.

Additionally, only locks from the manufacturers Digilock and SAG were tested. The article expressly pointed out that the uncovered security vulnerabilities do not only affect these two companies, but also many other manufacturers of electronic locking systems.

Unfortunately, unlike the second manufacturer scrutinised by the hackers, Digilock from the USA, SAG was not given the opportunity to comment in advance. We were unable to contact the authors. The company would have greatly appreciated this opportunity to correct individual claims before the article was published.

Cabinet locks from SAG’s SAFE-O-TRONIC® access LS series 100, 300 and 400 were tested.

The attack scenario described in the article requires the attacker to take possession of a lock. This lock must be removed and dismantled for the attack. The attacker must gain access to the circuit board. Consequently, the attack cannot be carried out without leaving a trace. However, it is critical that security information for other locks in the same system could be derived from a stolen lock.

Statement and correction to worrisome claims in the heise.de article

The article talks about a ‘difficult update situation’. It specifically states that ‘this is all the more fatal as the identified gateways may be difficult to eliminate.’ This allegation does not apply to the vast majority of SAG locks. Only the firmware of the cheapest series (100 series) cannot be directly updated. Instead, a lock of this series would have to be disassembled, which is precisely what the hackers mean by ‘difficult update situation’. All other SAG locks can be easily updated with a corresponding firmware update.

The article also claimed that the ID of the manager key can be read from the EEPROM. This may apply to the locks of other manufacturers, but this type of attack is impossible with any SAG lock. MasterKeys (referenced as ‘Manager Keys’ in the article) at SAG are always dependent on the transponder data. No transponder information is stored in the lock for this purpose. This means that the necessary information cannot be read from the lock.

The statement that UIDs from the log are sufficient to clone a card is also incorrect, at least with regard to SAG locks. It is true that the UID can be cloned from the log and that a card can be created with the same UID. However, in data mode, the UID from the log is not enough to open another lock. This requires additional data that is not contained in the log. However, in serial number mode, the UID from the log would actually be sufficient for the scenario described in the article. Therefore, SAG recommends that its customers switch any affected systems from serial number mode to data mode.

The article also states that the EEPROM contains the UID and the PIN code. This is correct. The UID of the transponder or the PIN code that locked the lock is stored in the EEPROM. However, in ‘open locker selection’ mode, the information is only saved when the lock is locked. As a locked lock cannot be removed, any potential attackers would only be able to read the code/UID that they themselves had just used to lock the lock. UIDs are only saved in the fixed assignment if the serial number mode is applied. The attack is not as easy in ‘locking group’ or ‘badge number’ mode.

Measures initiated by SAG

SAG takes every security vulnerability seriously and will review all products to further enhance security.

The company is already working on a corresponding update for its SAFE-O-TRONIC® access locks, which will be made available with the next firmware version.

The update will make it significantly more difficult or impossible to read data from the EEPROM and/or to read the firmware. It will thus severely hinder or completely rule out the attack scenario described in the article, which is already very complex to begin with.

Bottom line and recommendations for action

An attack such as the one described in the heise.de article always requires the attacker to grapple intensively with the lock. For this scenario, the attacker must be able to completely dismantle the lock. Basically, the attacker would have to steal a lock to complete the task at hand. In a real-life scenario, this means that, while such an attack is technically possible, it would be very cumbersome. Furthermore, it only works for the system from which the lock was stolen.

With regard to SAG products, this only affects RFID/transponder systems that are operated with a fixed locker assignment in serial number mode. These systems can simply be switched to data mode, a configuration that SAG generally recommends.

Additionally, an attack via the master functions of SAG cabinet locks can only occur in systems using PIN code locks. For this scenario, SAG recommends paying close attention to theft of cabinet locks. In case of theft, the remaining systems should be reprogrammed immediately to make an attack much more difficult.

Both potential security vulnerabilities will be fixed with the next firmware update.
