Earworms Make Bad Passwords: An Analysis of the Nokē Smart Lock Manual Override

This paper presents a security analysis of the manual override feature of the Nokē smart lock. The Nokē allows its user to operate, monitor and even share his smart lock with others through a smartphone. To counter the risk of being unable to open the lock when the smartphone is unavailable, it provides an override mechanism. Nokē implements this override feature using a quick-click scheme, whereby its user can choose a sequence of eight to sixteen short and long shackle presses (similar to a Morse code). To explore the security implications of this feature, we conducted a study collecting human-generated quick-click codes from 100 participants, and analysed and modelled the resulting dataset. Our analysis shows that the override mechanism, at least in its current implementation, presents a significant opportunity for successful guessing attacks. We demonstrate this by building a mechanical brute force tool that on average can test one quick-click code in under three seconds. We conclude that this speed, together with the low entropy of human-generated passcodes, makes this manual override feature one of the most significant weaknesses of the system and constitutes a promising attack vector. We responsibly disclosed our findings to the Nokē manufacturer. We also provide a list of potential countermeasures that can help to address this risk. We believe that alternative authentication methods such as quick-click codes will become increasingly popular in ever-expanding Internet of Things devices, so the weaknesses and the countermeasures discussed in this paper are timely and relevant, as they can also apply to other devices and security systems that rely on unconventional user-generated authentication codes. Keywords-security; brute force attack; smart locks; Internet of Things; user study; passcode selection; override mechanism.