An acquaintance of mine contacted me recently, wondering if I was interested in taking a look at the product built by the company he works for. Getting paid to deliberately try to break things or extract data one should not have is not something I usually pass up.
The product, although not yet finalized in either hardware or software, is intended to be a modular RFID locking system for a multitude of different applications: gym lockers, work lockers, storage lockers for hotels, and the list goes on, you get the idea.
At first glance there doesn't seem to be any direct way to manipulate it from the outside. The only accessible point you have to work with in a “locked” state (i.e. door closed and locked) is the protruding button you have to push in with your RFID tag in order to lock/unlock.
After taking a closer look at the device itself, there are no easily accessible external entry points at all. However, the back cover is held on with only four screws and is easily and relatively quickly removed to expose the circuit board inside. A quick peek reveals at least a few potential entry points: a NAND flash chip, an MCU and a strange 7-pin connector (JTAG test points, perhaps?). After probing and scoping the pins during operation nothing showed up, which leads me to believe these were used as test points during manufacturing and disabled upon release. This was later confirmed to be accurate.
Again, this is only doable while the mechanism is in an unlocked state and the back of the device is visible from the inside of the container it is mounted in, so it is not exactly a feasible or easy way to gain access, unless there is a way to plant something inside beforehand that overrides the lock later.
// more info on the mechanism itself; actually super clever how it is made
// potentially dumping data from the chip; didn't manage to dump
// write up potential external faults; solenoid used to lock, attempts made with magnets to no avail