The 360lock smart padlock can be opened using a replay attack or a regular hammer.

The "unhackable" 360lock smart lock with a blockchain-based security mechanism can be hacked using a simple replay attack or... a kilogram hammer.

The 360lock smart padlock is locked and opened from a mobile app over Bluetooth Low Energy. The developers say they built “advanced codes” into the device to ensure the “maximum level of security.” That pretentious product description attracted the attention of specialists at Pen Test Partners.

To open the lock, security researcher David Lodge simply had to record a Bluetooth unlock command and play it again. “After I followed the commands, it (the lock – ed.) opened. The first package is authorization, the second is the opening command. That is, it was vulnerable to replay attacks,” the researcher wrote on the Pen Test Partners blog.

Among other things, Lodge noted that the lock is made of Zamak zinc alloy, which is also used to make zippers for clothing and jewelry. Although Zamak's wear-resistant properties make it suitable for injection molding, it lacks strength.

In order to separate the connector, one blow with a hammer was enough. After unscrewing four exposed screws on the key holder, Lodge reached a plug, which he was able to tear off (according to the researcher, it was held in place only by silicone sealant) and gain access to the internal electronics and the motor that powers the lock.

“A simple security check would identify BLE command replayability and other potential issues. How could they have missed this? Lock bodies must not be made of Zamak or similar alloys. It is easier and less expensive to cast/process compared to steel, but hardened metals are used in locks for a reason,” Lodge concluded.
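The replayability check Lodge describes can be shown on a model. This is an added example, not code from Pen Test Partners or the lock's manufacturer: the packet bytes, the key and both lock classes are constructed assumptions, with `StaticLock` modelling the reported "authorization packet, then open command" behaviour and `NonceLock` a per-connection challenge-response design that rejects a recorded session.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-pairing-secret"            # constructed shared secret
AUTH, OPEN = b"\x01auth", b"\x02open"          # constructed packet bytes

class StaticLock:
    """Model of the reported behaviour: fixed auth packet, then fixed open command."""
    def new_connection(self):
        self.authed = self.is_open = False
        return None                            # no challenge is issued
    def receive(self, pkt):
        if pkt == AUTH:
            self.authed = True
        elif pkt == OPEN and self.authed:
            self.is_open = True

class NonceLock:
    """Hardened model: a fresh random challenge per connection, used once."""
    def new_connection(self):
        self.is_open = False
        self.nonce = secrets.token_bytes(16)
        return self.nonce
    def receive(self, pkt):
        nonce, self.nonce = self.nonce, None   # a challenge is valid for one attempt
        if nonce is not None:
            want = hmac.new(KEY, nonce + OPEN, hashlib.sha256).digest()
            self.is_open = hmac.compare_digest(pkt, want)

def app_packets(challenge):
    """What the legitimate app writes over BLE (and what a sniffer records)."""
    if challenge is None:
        return [AUTH, OPEN]
    return [hmac.new(KEY, challenge + OPEN, hashlib.sha256).digest()]

def record_session(lock):
    packets = app_packets(lock.new_connection())
    for p in packets:
        lock.receive(p)
    return packets if lock.is_open else None

def replay_opens(lock, captured):
    """The security check: does a recorded session open the lock a second time?"""
    lock.new_connection()
    for p in captured:
        lock.receive(p)
    return lock.is_open

if __name__ == "__main__":
    for lock in (StaticLock(), NonceLock()):
        print(type(lock).__name__, replay_opens(lock, record_session(lock)))
```

A pre-release test of this kind only needs one recorded legitimate session per firmware build; any lock for which `replay_opens` returns true fails.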