Fingerprint Theft Using Smart Padlocks: Droplock Exploits and Defenses

There is growing adoption of smart devices such as digital locks with remote control and sophisticated authentication mechanisms. However, a lack of attention to device security and user-awareness beyond the primary function of these IoT devices may be exposing users to invisible risks. This paper extends upon prior work that defined the "droplock", an attack whereby a smart lock is turned into a wireless fingerprint harvester. We perform a more in-depth analysis of a broader range of vulnerabilities and exploits that make a droplock attack easier to perform and harder to detect. Analysis is extended to a range of other smart lock models, and a threat model is used as the basis to recommend stronger security controls that may mitigate the risks of such as attack.