Electronic locks can provide security- and convenience-enhancing features,
with fingerprint readers an increasingly common feature in these products. When
equipped with a wireless radio, they become smart locks and join the billions
of IoT devices proliferating in our world. However, such capabilities can also be
used to transform smart locks into fingerprint harvesters that compromise an
individual's security without their knowledge. We have named this the droplock
attack. This paper demonstrates how the harvesting technique works, shows that
off-the-shelf smart locks can be invisibly modified to perform such attacks,
discusses the implications for smart device design and usage, and calls for
better manufacturer and public treatment of this issue.

Comment: Submitted and accepted into 2022 IEEE International Conferences on
Internet of Things (iThings) and IEEE Green Computing & Communications
(GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE
Smart Data (SmartData) and IEEE Congress. Submitted version: 10 pages, 8
figures