What's inside the Masterlock 4400 Bluetooth Padlock?
Dave tests and investigates a particular magnetic attack mode.
Forum: http://www.eevblog.com/forum/blog/eevblog-1014-masterlock-bluetooth-padlock-teardown/'>http://www.eevblog.com/forum/blog/eevblog-1014-masterlock-bluetooth-padlock-teardown/
EEVblog Main Web Site: http://www.eevblog.com
The 2nd EEVblog Channel: http://www.youtube.com/EEVblog2
Support the EEVblog through Patreon!
http://www.patreon.com/eevblog
Donate With Bitcoin & Other Crypto Currencies!
https://www.eevblog.com/crypto-currency/
EEVblog Amazon Store (Dave gets a cut):
http://astore.amazon.com/eevblogstore-20
T-Shirts: http://teespring.com/stores/eevblog
๐Ÿ’— Likecoin โ€“ Coins for Likes: https://likecoin.pro/ @eevblog/dil9/hcq3

Hi Hi, Well, you'll take a look at this master. like 4,400 d A bluetooth padlock? Yes, Grown a bluetooth headlock Internet of Things It's hard to manage everything you do, let alone protect the things in your life. Protecting those things is important and should be convenient and easy to do so to help you unlock what matters to you. Master Lock Develop Bluetooth Smart Padlocks No physical key to lose and no combination to protect.

They make life simple. Their phone is the key. Bluetooth Smart Padlocks open upon touch when your phone is with you. If you have to leave your phone in a locker or don't have your phone with you, you can open the lock using a directional code.

anyway. This is yet. You can open this using your phone. it's got Bluetooth built in and you can either unlock it using a combination like this tomorrow.

And it's got some other fancy stuff like tamper alert which locks you out if people are trying the combination too many times. You can monitor the activity apparently and have guest access. Yeah, whoop-dee-doo Anyway, it comes with a yes free smartphone app which by the way, it forces you to register to actually use it and it makes you put in your phone number as well. but it doesn't even activate your phone number, doesn't send you an SMS It actually sends you an email instead of that with a verification code and all that sort of crap.

So stupid Anyway, Can maybe understand why they did it and it. You don't need to pair the device that seemed to detect it just fine and You notice that there it is a 21 UK F but I'm buggered. If I can get the thing to use there, it is Smart Lock Padlock. it's there.

I registered the lock and it says I can press any button. So that's the idea is when this comes into the proximity of the Bluetooth V of your phone which when you set it up by the way you and actually calibrate in quote marks the distance that or roughly the distance that it will actually detect out. Yeah, like it should just work at the tip of the lock and you should just be able to press any button on here at all. And it's supposed to just open if the app if your phone is turned on and your app is running.

but like like I cannot have not been able to get the damn thing to work. so that's a big fat fail right out of the box. Unbelievable. Anyway, even if I could get the thing to work I don't know why you would want to use this product.

a blue two is a padlock because okay, you know you don't have to remember. You know, no combination to remember, no combos. You don't have to remember it. Okay, what happens if your phone dies or yeah, app doesn't work, Bluetooth doesn't work.

there's something else block and I don't know. Someone farts halfway across the room and Bluetooth doesn't work then what do you do? You can't unlock your bike too. Freaking right. Oh more.

Where: Get into your booth, toolshed, or whatever it is you look in this stupid thing with this stupid product. I Don't god you learn a combination for goodness sake. But I'll tell you what as an actual Bluetooth padlock product I don't mind at all. It feels really quite robust and it's got apparently a boron like you know, carbon type hardened steel shackle and things like that.
and I do like the button interface which works quite well. As I said, it comes with a combination which you can actually reset on your phone by the way and it's easy to open and close with the combination. So inside the app, I can actually monitor the battery I can set the relock time that it takes to read, lock the thing laughs. No On location, you can actually get it.

The app asks you, do you wish to track your location so you can find where the padlock was last used? No thank you. I'm already have to give my bloody phone number and email address, so screw that and you can change that primary code which actually comes printed on the top of the instruction sheet as does an activation code. So I'm sure I can show that on camera because it doesn't matter because you don't have this look. hmm and presumably I could show some my history here if I was actually able to open that stupid thing.

Yeah, it just I cannot get the bloody thing to work and you don't have to pair it. but I tried to pair it and it doesn't work like it's supposed to just work. like I'll follow the instructions. it's not a pet CAC so beats me.

And also what I like is the design of the battery compartment. here. it's down in here uses a CR 2450 battery but it doesn't let me pull it out when it's locked which is great so that you know little smile ask kids can't come along here to get the battery and they said they won't be able to get back on their bike when they come back. so it's actually locked.

So if I open that, what's the combination there we go, open it. Then the battery comes out full like that and we can pop out the CR 2450. but it's actually got a backup. You can actually see the contacts in there that if you've got a flat battery and it's locked right? Oh, I can't push it back in now.

So anyway, um so I have actually screwed myself because I put that back in without putting the battery and I can't slide it in anymore. So I'm actually going to have to use this feature. You'll see how there's two contacts in there and it's got like a coin cell cut out like that you can put in an external battery. Even so, if it fails when it's in the locked position, you can get in there and supposedly do it.

Hmm, let's give it a try. Oh got it? Jeez, that took a lot of bloody effort. Let me tell you. so I was just about to appraise the design of this and it is actually quite good.

I Like it, but you can, you know, override it a locked thing. So I can now lock that back and get that coin cell in there like that and actually do that. but it's so finicky to hold it and nobody's going to have a bloody coin cell with them if it dies. It's just unbelievable bloody.
Anyway, someone was at least thinking when they designed that, that's for sure. Anyway, one of the things I was interested in is to actually test whether or not you could hack into this thing easily using a rare-earth me. edenia. Make that because you can do this on a really cheap ass.

You know from the local hardware store Electronics Ace, you can just open them with a fairly large one. This is like a 50 by 50 millimeter by 25 millimeter. It's not large as you can get, but I thought it, which should be good enough for this kind of task. You can do that if you know where the electronic solenoid is inside the safe or in this case the lock because this has to have some sort of electronic solenoid in it, then you know I Thought we could maybe see if it was vulnerable to that sort of magnet magnetic attack.

So what you want for this is you want a sock because you have these things are incredibly powerful. Watch where you put them, but just in getting inside a sock so that you can Actually, you know so it's easy to drag back off the surface and we can get that in there. And I've played around with this with for about like half an hour or something trust me and I cannot sort of life and I've tried swiping it, putting in every location orientation things like that and I cannot get it to you know, and to even hear any sort of armor. you know that the solenoid is either you know, feel it, or actually hear it audibly that the solenoid is engaging.

So I haven't been able to crack this thing at all. So I think it is. you know it seems to be fairly fairly resistant to this attack, whether or not that's a deliberate thing by Master Lock. I'm sure they're aware of those, these sort of maintenance taxing they've built that into it, or whether or not it's just by you know, accident of design that they've actually you know prevented that, or whether or not my maintenance not powerful enough.

but you can get bigger ones anyway, so that's a good thing. That's really what I wanted to test, so that's a bit disappointing. I Thought you know that would have been cool if I can just hack into that with a maintenance. but no, just in case you're wondering, no I cannot do anything when it's open ever I can't sort of, uh, you know, audibly hear or see that it's engaging in any way.

So I think now it's worthwhile cracking this thing open and having a look inside and see how it works and does and see if there's any are vulnerabilities internally With you know, I might be able to put the mega in exact location, figure out how the solenoid works or something like that, and and maybe have a look at the to see if there's any power line channel attackers. Technically it can get in there and access the external battery contacts so you might be able to read a signal off that. I could sort of tap into it now, but it's a bit fiddly. but I'm not really overly concerned with like a power line attack on these things because these it's not like a safe where you know you could.
If you had a tool that you could bypass electronic locks on phase with power line attacks, then you know it's worthwhile because people keep real valuables in there. But you know there's something like a padlock that's going to be used on a bike, or you know, a shared, fairly opportunistic type stuff, Then you know you're not going to have you know all, design a power line hacking tool and get in there and stuff like that. But anyway, let's crack her open and have a squeeze. and I've also tried physical bump attacks as well.

by you know, really slamming the thing down hard in various orientations and I cannot get it to do anything. so since fairly impervious to that as well, this is interesting. It seems to have been permanently locked. Well, a green is supposed to be open, but I can't into the code anymore.

I don't know if I've damaged it or I can actually see some sort of interlocking. They're connected to the back piece which goes in. so maybe it's got some sort of, you know, tamper type thing in it. Perhaps Tada and we're in like Flynn and now we can see what's going on here and why.

it was not susceptible to the magnetic attack. because it doesn't use a solenoid. it actually uses a little motor in there. So what we've got is a little piece in there like that.

So when the motor rotates it actually. oh, let me see if I can do it. There we go. It rotates around like that so that drops down and allows the the pin.

the locking pin. I Guess you could call it to move across like that and Bob's your uncle. Now you see down here. There also is another little cut, so when you push that back in, push that back, you know you probably cut.

It's just rotating. You can see it just rotating down in there, so that would I presume be activating a micro switch or something on the board underneath to know when you pushed it back in and then like, you know, half a second later after you pushed it in, then it activates the motor again, drives it back and then oh, it will push it back up anyway. I've screwed up I got screwed it up a little bit. a couple of our Springs have fallen out of this puppy, but yeah, but you can see you can see how it works.

It is actually quite nice. So when you've got a rotational piece in here that must go through like a half or a full rotation before it will release the you know, the sliding cam, whatever you call it I don't know and then get rid of the pins. There's no way that you can get have a magnetic attack on this because it's not a simple, you know, flappy solenoid like a relay or a, you know, a plunger based off solenoid or something like that. When you've got that rotational component, you can't simulate that with a magnet.
So yep, they've designed that properly. Completely resistant to magnetic attack. If you're curious to see that piece that goes inside there, then that is what it looks like. So yeah, just figure it out.

But anyway, when the flat part is vertical like that, then it just allows that to slide back and forth. Otherwise, when it rotates, it's going to lock that and prevent that from going to go in there. and there's no way you can get that out now. I Had to drill out.

These are steel pins here which were holding this back cover on. so you know, like being it's not hugely difficult to get into it, they require it. You know, a lot of drilling and force to actually get through there. That drill slipped off the pins and always.

Probably should have done some pilot holes or something first. But and it looks like you know, die cast alloy, a case or something. So I'm not sure if like the you know the rotational force I'm not sure of you know the like, the strength of the carbon steel, the bolt cutter attack, and all that sort of stuff. It's probably it's not the world's most secure lock that's for sure, but that's for general use.

It's probably are going to be as good as any other egg, you know. Half-decent padlock on the market like you know. Reasonably cheap one even though this one's much more expensive because it's bluetooth. Unfortunately it seems to a permanently locked on so or locked open sorry like it's giving greens.

There's a blue that I got before. so I'm not sure what's happened to the poor thing I don't know I don't think there's any sort of tamper protection I Can't see any sort of like tamper you know thing in there that it just you know, dies when the back covers are ripped off or something like that. So if we take a little pin out of there and then we can remove that, there were two screws in there I thought oh you might have to why you know, drill out these things. but no, it looks like it's going to come apart so so it's squeezed inside because we want to have a look at the board and tada we're now more in like Flynn Mego That piece that fell out looks like the lock looks like the lock in our piece for the coin cell holder that just pulls out like that.

So you're sort, you know. so before how it only partially pulled out, that's how they did that using this interlock pin. I'll tell you what it looks like. this plastic piece here.

it looks what you can. just like access, but you could just like drill through that really easy. It would actually get some access holes around the outside. But once again, if you have to be like you know, use tools like drills to get into this sort of padlock, then you know you're doing it wrong.

Basically, and there's the micro switch that I suggested would be in here to detect when you've put the shackle back in like that. so it knows. Then once the shuckles back in to turn the motor and lock it and door I figured out why it was going up green before. it's because of the interlock switch on the back.
there wasn't a you know it was open. so if I actually push down on that. so if I put it down on the board. oh, he's a sort of spin.

So now, okay, it locked, it just did its auto locking thing. So now I can do that. Whoo! It actually spins around quite a few times. there you go.

and of course now if I touch the switch on the back here, it will spin and lock. Whoo! Well, that's a neat little board if you take off the rubber back to membrane there. That's nice for a little bit of weather protection. Although this thing is designed for indoor use only, it's not designed for outdoor and rain and all that sort of stuff.

And of course there's our little lower Bluetooth antenna and it seems quite nicely designed and laid out and no surprises for finding. Yes, the Msp430 ultra-low power micro you'd find in this and Assisi 25:41 which is a once again Texas Instruments So Texas Instruments have a big win here the Ble chipset Bluetooth Low Energy which is exactly what you'd expect in a coin cell bluetooth solution like this. You know it's small range, you know, close proximity, lowest power solution possible. So there You go.

that's pretty much all there is to it. external crystal. they're few persons that some are power stuff happening. Of course you need us and diode in there for the external battery context for example.

but yeah, that's about all she wrote. and on the topside of course we've got a little bit of our power reserve and bit of bulk, our capacitance there just to do the business for transmit burst and an FIR that might help also with the in fact I noticed it did when I was fiddling around with that external battery on the contacts and stuff like that because you don't want a little minut littlewiggle, you know. get the battery down onto the contacts and you know, accidentally, just release it for a millisecond or something. You want the bulk capacitance in there to just keep that charge while you're digging around for battery.

Yes, of course there's our contacts down in there. So yeah, they've developed this. our custom plastic hold a solution you know, completely custom holder with the external contacts and everything. so that's really well designed and put you know quite a lot of thought into that.

Quite impressive see yi-yi-yi hmm extra II and we've got a bit of hot smoke there just to keep the leads from flapping around in the breeze and all of the contacts. Us for the bed of nails, our tester for production and that AB you the programming port for the micro as well. plus the also the Bluetooth chips it and not that I'm really going to go into any detail on a power line analysis attack on this thing, but I've just got like a 12 ohm resistor in series with an external battery pack and we are able to get some activity on there. but I haven't really looked into it at all.
but yeah it is there. so potentially there is a sigh Channel Powerline Attack So that's the data I get if I press the correct key. but it does seem to vary. like like the first very first key I press is correct because what you're basically looking for here is does the data change if you press an incorrect key versus a correct key vice versa so that you can protect.

But look there we go. like. you can potentially figure out which keys are, well, not the correct sequence. but then if you've got a retry penalty on there, it could live.

Even if you were able to do that, it could be impossible. So it looks like these pulses here 132 milliseconds or they're about. you know I'm not going to go in there and fuss and try to decode that. I couldn't be fast because as I think I mentioned before it, even if a power line side channel attack was possible on this padlock like it doesn't matter, you're not going to bring the tools to do this.

He or even if you could design a dongle, you know, the little black box that you go along and plug it in and eventually you know, do this to any of these master Locker padlocks on the market. It's just you don't like it. It's not like that. that story you know, locking up a safe with you know, potentially you know thousands and thousands of dollars inside and they're just not generic and universal enough to warrant you know something like this.

The people who's going to use them on their locker or their, you know, to store their gear or whatever and all, their bike or something. That's it. It's just not worth the effort. So yeah, I'm not going to go any further than that, but technically there's something there.

So yeah. so anyway. I hope you found that interesting. That's a look inside the master lock, bluetooth, whatever models, forty four hundred or something like that.

um, padlock. which it is not cheap. It was like, you know I Think it's like a fifty dollar padlock or it could be cheaper in the US I Don't know, but it's like at the hardware store here. I think at the local Bunnings store is like over a hundred bucks or something so it's a pretty expensive dude at.

and I'm not going to say this is like a pointless product. although it's getting there, there's probably you know some nice users people might have a would use for something like this. You might be able to use the tracking capability or something to see if people are opening things or something like that. Maybe you know, doing some logging stuff like that? perhaps.

but just can't. A regular combination padlock using this thing for your phone Murphy will get you every time the battery will die, something else will go wrong and you'll forget the combination because if you get so used to using the phone the Bluetooth thing that you get close to it and you just press any button, you end up forgetting the combinations. So when ultimately Murphy bites you on the ice and it doesn't work, you don't have the combination, don't have a backup coin cell you know as your phone's not working blue T's know when like it's ridiculous. like just no.
Anyway, it's not bad designed hardware. If you were to design a Bluetooth head like I don't mind it at all. it's yeah, they're pretty much done most things right inside this thing so I rather like it from that aspect. but as a product grown.

Bluetooth Padlock Unbelievable. And of course, the other obvious way to hack into this thing is well, via the Bluetooth can you have they enabled the security and all that correct? I don't know I don't have the experience in that area so I'm not going to go to all that effort to try and learn that and investigate that sort of stuff. I assume that they've done it reasonably well. So me you know, maybe it's possible, maybe it's not I don't know, but anything's possible.

They could have goofed it, but they seem to have designed the Hardware quite well. They seem to know what they're doing. So as always, if you liked the video, please give it a big thumbs up and engage because you choose all about engagement, comment down below and rate and all that sort of stuff. and I'll have some videos here at the end are related.

you can see me also goof like I did with this one accidentally locked myself out I seem to I'm two for two on that now where I locked myself out of a safe that I was working on I had to crack into it the old-fashioned way with a with a microscope and a pair of needle nose pliers to and drill a hole in the side of it. Anyway, that was fun. so check out that video, it'll be here somewhere at YouTube in screen feature. catch you next time you.


Avatar photo

By YTB

20 thoughts on “Eevblog #1014 – masterlock bluetooth padlock teardown”
  1. Avataaar/Circle Created with python_avatars Mappy Land says:

    Yeah, because connecting things to your phone make them "safe".

    *That's sarcasm.

  2. Avataaar/Circle Created with python_avatars Jakub Lulek says:

    I love how Dave is turning into ludite every time IoT is mentioned.

  3. Avataaar/Circle Created with python_avatars ethzero says:

    "OK folks, what Dave has here…"

  4. Avataaar/Circle Created with python_avatars micsky micsky says:

    We use these locks to secure the transport of exams to a examination centre. The great thing about them is that we can provide controlled access to the exam papers. Once the exam centre has the zoom session up, our remote invigilator provides the guest code which is single use to open the exam paper box. Once the exam is complete the put the papers back in and lock the box again. No one can get back in now as the guest code is single use. We put a few single use guest codes in in case it needs to be reopened under supervision.

  5. Avataaar/Circle Created with python_avatars Tyler Earllz says:

    Maybe if you stop pressing all kinds of buttons it probably open ๐Ÿค” just jealous of his master lock made the product

  6. Avataaar/Circle Created with python_avatars scottiebones says:

    Powerline attack?? What..bolt cutters lol

  7. Avataaar/Circle Created with python_avatars Filip Sz says:

    Best padlock I ever had. In the construction place where I work it's unbeaten. Working flawless with new app in 2020.

  8. Avataaar/Circle Created with python_avatars Maks F. says:

    In my country this lock would be the first target to steal. ๐Ÿ˜€

  9. Avataaar/Circle Created with python_avatars Jeffrey Murdock says:

    It has a combination as well as bluetooth capabilities. I used several of these with the same combination and never had problems with the bluetooth part. With that I liked not having to worry about grabbing my keys to get something from the storage areas.

  10. Avataaar/Circle Created with python_avatars Weird World says:

    OK boomer….

  11. Avataaar/Circle Created with python_avatars MATTEUK says:

    dumb

  12. Avataaar/Circle Created with python_avatars David Scott says:

    I think the simplest weakness is the motor pins are on the edge, next to the plastic bushing. A hot soldering iron would put holes in the desired location and then just insert two wires from external battery to energise the motor bypassing the rest

  13. Avataaar/Circle Created with python_avatars Marco Polo says:

    You are Australian and I didnโ€™t know that you are stupid. You probably miss doing some thing here or itโ€™s just dรฉfectifve. You are jumping to fast on conclusion. Look other video about that brand and donโ€™t hav3 any problem what so ever. Itโ€™s obvious that youโ€™re not a Bluetooth fan and try to throw that shit at us. I feel sorry for you.

  14. Avataaar/Circle Created with python_avatars theuncalledfor says:

    "No combination to forget!"
    "You can open it with a directional code!"
    …okay.

  15. Avataaar/Circle Created with python_avatars MrRedstone says:

    The rotating bit that lets the wedge move down and let the lock open seems to be a Geneva drive. The motor rotates and turns it an exact degree every rotation.

  16. Avataaar/Circle Created with python_avatars Gacheru Mburu says:

    ๐Ÿ‘๐Ÿ‘

  17. Avataaar/Circle Created with python_avatars gmonkman says:

    omfg, solutions for problems no one has.

  18. Avataaar/Circle Created with python_avatars xConundrumx says:

    oh look Dave's bias is showing again. You're getting old oldtimer, keep up.

  19. Avataaar/Circle Created with python_avatars Francis Picotte says:

    The big advantage with these connected locks is access control. In our case we're a large student team (soon to be ~60) with small office space in the corner of a large multi-million-dollar university research lab. The University can't afford tracking and crafting keys to the lab for everyone, much less changing locks every time a student leaves the team or graduate. And updating everyone with new combinations is not much more of a hassle-free solution.

    With connected locks, you just edit people's access online. This was a good compromise with the University, going from 3 supervisors cleared for key access to our entire team. We're also planning to buy more for controlling access to equipment and hardware requiring special training.

  20. Avataaar/Circle Created with python_avatars Petr Esakov says:

    I know I am writing this a year later, but I would be curious to find out if it would be susceptible to circuit overload. Of course, if you run a high enough voltage through anything, it will release the magic smoke, but what I mean is transistors usually fail closed, so if the power rail is connected to the motor through a transistor, the transistor would fail closed way before the motor. In that case, you can just zap it with a high enough voltage, and you would be able to control the motor directly through the exposed contacts. I saw a fuse, but even with a fuse, transistors still tend to fail before the fuse fails.

Leave a Reply

Your email address will not be published. Required fields are marked *