Physical Access Control Security

Forwarding Attack on ASSA ABLOY CLIQ Lock

May 2024 – September 2024 Academic Project
1-Wire Protocol | Logic Analyzer | Binary Decoding | Vulnerability Research | Access Control | Cryptographic Analysis

What This Is

Protocol security analysis of the ASSA ABLOY VERSO® CLIQ mechatronic locking system. I captured and decoded 1-Wire protocol communication between the key and lock, identified plaintext System ID transmission, analyzed encryption weaknesses, and quantified predictable patterns. Full signal captures, CSV data, timing diagrams, and decoder available on GitHub.

System tested: VERSO CLIQ lock with System ID V1004261. The key acts as the master device, lock as the slave, communicating via a single-wire digital protocol.

Why It Matters (Physical Access Control)

Mechatronic locks are widely deployed in enterprise and critical infrastructure for physical access control. Vulnerabilities in their authentication protocols can lead to:

  • Unauthorized entry: a replayed or forwarded exchange passes authentication without the attacker ever holding a valid key
  • Predictable sequences: when most of each exchange is identical from one unlock to the next, a captured exchange can be replayed, or a valid-looking one assembled from captured fragments
  • Plaintext exposure: unencrypted identifiers tell an attacker which installation a key belongs to, so a captured key or lock can be matched to a specific site and targeted

Workflow

1. Signal Capture & Setup

  • Connected logic analyzer to ASSA ABLOY CLIQ lock's 1-Wire bus
  • Captured voltage traces using PicoScope during unlock events
  • Recorded multiple authentication sequences for pattern analysis

2. Binary Protocol Decoding

  • Decoded pulse timing: a 13.66 µs pulse encodes 0, a 4.33 µs pulse encodes 1
  • Measured an 18.75 µs cycle time; the unlock exchange spans 5-6 frames, about 98 µs in total
  • Extracted structured payloads: System ID, permission fields (A1-A3, P1-P3), and crypto blocks (Q1-Q21)

3. Vulnerability Analysis

  • Found the System ID "V1004261" transmitted in plaintext
  • Confirmed that 70%+ of byte positions carry identical values across multiple unlocks
  • Found only partial encryption: the System ID and permission fields are sent in the clear and only the Q1-Q21 blocks are encrypted, which is what makes the exchange predictable enough to forward

4. Documentation & Resources

  • Published all signal captures (CSV format) with decoded frames on GitHub
  • Documented timing diagrams, protocol structure, and vulnerability analysis
  • Implemented Python decoder for 1-Wire pulse sequences and payload extraction
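The decoding workflow above, steps 2 and 3 in particular, as an added example in Python. This is illustrative code written for this page, not the project's published decoder: it classifies each pulse by width using the page's 13.66 µs / 4.33 µs measurements, packs the bits into bytes, splits the payload into the named fields, and measures how many byte positions repeat between two unlocks. The field layout (8-byte System ID, then A1-A3, P1-P3 and Q1-Q21 as contiguous bytes), the LSB-first bit order, the jitter amount and the two sample captures are constructed assumptions; the page does not give the real frame layout.

```python
"""Pulse-width decoder for a 1-Wire-style key/lock capture.

Added example, not the project's published decoder. The timings are the
page's measurements (13.66 us pulse = 0, 4.33 us pulse = 1). The frame
layout (System ID, A1-A3, P1-P3, Q1-Q21 as contiguous byte fields), the
LSB-first bit order and the sample captures are constructed assumptions.
"""
import random
from dataclasses import dataclass

ZERO_US = 13.66  # measured pulse width encoding a 0 bit
ONE_US = 4.33    # measured pulse width encoding a 1 bit
THRESHOLD_US = (ZERO_US + ONE_US) / 2  # ~9.0 us, midway between the clusters

# Assumed field sizes in bytes: 8 + 3 + 3 + 21 = 35 (not from the page)
SYSTEM_ID_LEN, A_LEN, P_LEN, Q_LEN = 8, 3, 3, 21
FRAME_LEN = SYSTEM_ID_LEN + A_LEN + P_LEN + Q_LEN


@dataclass(frozen=True)
class Frame:
    system_id: str
    a_perms: bytes   # A1-A3
    p_perms: bytes   # P1-P3
    q_blocks: bytes  # Q1-Q21


def classify_pulse(width_us):
    """Pulses longer than the midpoint are 0 bits, shorter ones are 1 bits."""
    return 0 if width_us > THRESHOLD_US else 1


def bits_to_bytes(bits):
    """Pack bits into bytes, LSB first within each byte (assumed order)."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for pos, bit in enumerate(bits[i:i + 8]):
            value |= bit << pos
        out.append(value)
    return bytes(out)


def bytes_to_pulses(data, jitter_us=0.0, seed=0):
    """Inverse of the decoder, used here only to build constructed captures:
    emit one pulse width per bit, with optional uniform timing jitter."""
    rng = random.Random(seed)
    widths = []
    for byte in data:
        for pos in range(8):
            nominal = ONE_US if (byte >> pos) & 1 else ZERO_US
            widths.append(nominal + rng.uniform(-jitter_us, jitter_us))
    return widths


def decode_payload(widths):
    """Pulse widths -> bits -> raw bytes."""
    return bits_to_bytes([classify_pulse(w) for w in widths])


def parse_frame(payload):
    """Split a raw payload into the assumed fields."""
    if len(payload) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(payload)}")
    a_start = SYSTEM_ID_LEN
    p_start = a_start + A_LEN
    q_start = p_start + P_LEN
    return Frame(payload[:a_start].decode("ascii"), payload[a_start:p_start],
                 payload[p_start:q_start], payload[q_start:])


def identical_byte_ratio(a, b):
    """Fraction of byte positions at which two payloads carry the same value."""
    return sum(x == y for x, y in zip(a, b)) / min(len(a), len(b))


# Constructed captures: same System ID and permissions on both unlocks, and
# Q blocks that only partly change, mimicking the repetition the page reports.
SYSTEM_ID = b"V1004261"
PERMS = bytes([0xA1, 0xA2, 0xA3, 0x01, 0x02, 0x03])
Q_FIRST = bytes(0x10 + i for i in range(Q_LEN))
Q_SECOND = Q_FIRST[:15] + bytes(b ^ 0xFF for b in Q_FIRST[15:])
UNLOCK_1 = SYSTEM_ID + PERMS + Q_FIRST
UNLOCK_2 = SYSTEM_ID + PERMS + Q_SECOND
CAPTURE_1 = bytes_to_pulses(UNLOCK_1, jitter_us=1.5, seed=1)
CAPTURE_2 = bytes_to_pulses(UNLOCK_2, jitter_us=1.5, seed=2)


def analyse_captures(cap_a, cap_b):
    """Decode two captures and measure how much of the payload repeats."""
    raw_a, raw_b = decode_payload(cap_a), decode_payload(cap_b)
    return parse_frame(raw_a), parse_frame(raw_b), identical_byte_ratio(raw_a, raw_b)


if __name__ == "__main__":
    f1, f2, ratio = analyse_captures(CAPTURE_1, CAPTURE_2)
    print("System ID in the clear:", f1.system_id)
    print("Permissions unchanged:", (f1.a_perms, f1.p_perms) == (f2.a_perms, f2.p_perms))
    print(f"Identical bytes across unlocks: {ratio:.0%}")
```

Run directly, it prints the recovered System ID, whether the permission fields changed between the two constructed unlocks, and the repetition ratio (29 of 35 byte positions, about 83%, for these samples). The midpoint threshold tolerates roughly 4.6 µs of timing error on either cluster before a bit flips, which is why the constructed captures can carry 1.5 µs of jitter and still decode cleanly; on a real capture, plot the pulse-width histogram first and confirm the two clusters are that well separated before trusting a fixed threshold.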

What I Delivered

Protocol Captures

Logic analyzer traces showing System ID "V1004261" in plaintext, 70%+ byte repetition, and 13.66/4.33 µs binary timing

Complete Documentation

Signal captures (CSV), timing diagrams, decoder implementation, and vulnerability analysis published on GitHub

Cryptographic Analysis

Partial encryption discovered: System ID and permissions in plaintext, only Q1-Q21 blocks encrypted

Recommendations

Proposed: full payload encryption + session tokens + timing randomization to improve protocol security

Tooling & Evidence

Tools & Technologies

Logic Analyzer

Captured ASSA ABLOY CLIQ 1-Wire traffic revealing System ID "V1004261" in plaintext and 70%+ byte repetition

PicoScope (Oscilloscope)

Measured pulse widths: 13.66 µs = 0, 4.33 µs = 1, 18.75 µs cycle, ~98 µs total unlock time

Python Decoder

Custom decoder to parse 1-Wire pulse sequences and extract structured payloads (System ID, permissions, crypto blocks)

Defensive Recommendations

1. Full Payload Encryption

Stop sending the System ID in the clear: encrypt the entire authentication payload, identifiers and permission fields (A1-A3, P1-P3) included, so a passive capture no longer reveals which installation a key belongs to or what it is authorized to open. Encryption hides field contents, not frame length or timing, so it reduces rather than eliminates traffic analysis.

2. Session Tokens (Nonces)

Have the lock issue a fresh, cryptographically random challenge (nonce) for every unlock attempt and require the key to bind it into its response, for example by authenticating nonce and payload together with a keyed MAC. A captured frame then answers only the challenge it was recorded against and is rejected on replay. The nonce must come from the verifier (the lock) and be tracked as used; a value chosen by the key alone can simply be replayed along with the frame it protects.

3. Timing Randomization

Add random delays so the fixed cadence (the 18.75 µs cycle and ~98 µs total) no longer lets an attacker pre-time an injected sequence. Jitter helps against replay of stored frames, not against a live relay that forwards the genuine key's signal in real time; the control for that case is a strict round-trip deadline that a forwarded signal cannot meet.

4. Reduce Predictable Sequences

Address the 70%+ byte repetition at its root: derive every encrypted payload from a fresh nonce or IV so that identical plaintext never produces identical ciphertext across sessions. Variable padding or field ordering only helps if it is itself random, and neither is a substitute for proper per-session keying.
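Recommendations 1, 2 and 4 together describe one mechanism: a challenge the lock issues, and a response that encrypts the whole payload under that challenge and authenticates it. The following Python is an added illustration of that mechanism, not the vendor's protocol and not the project's code; the shared key, the nonces, the 35-byte payload and the HMAC-SHA256 keystream standing in for a real cipher are constructed assumptions. It shows that a replayed frame, a frame with one flipped ciphertext bit, and a frame answering a re-issued nonce are all rejected, that the System ID no longer appears in the clear, and that the same plaintext yields ciphertexts sharing almost no bytes across two sessions, in contrast to the 70%+ repetition measured on the lock.

```python
"""Challenge-response with a lock-issued nonce and full payload encryption.

Added example for recommendations 1, 2 and 4; neither the vendor's protocol
nor the project's code. The 35-byte payload, shared key, fixed nonces and the
HMAC-SHA256 keystream standing in for a real cipher are constructed
assumptions; a deployment would use an authenticated cipher such as AES-GCM
with the same nonce discipline.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key, nonce, length):
    """Nonce-bound keystream from HMAC(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def key_respond(shared_key, nonce, payload):
    """Key side: encrypt the whole payload (System ID included) under the lock's
    nonce and MAC nonce || ciphertext. Frame layout: nonce || ciphertext || tag."""
    ciphertext = xor_bytes(payload, keystream(shared_key, nonce, len(payload)))
    tag = hmac.new(shared_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


class Lock:
    """Lock side: one fresh nonce per attempt; a frame is accepted only if it
    answers the outstanding challenge with a valid tag."""

    def __init__(self, shared_key):
        self._key, self._outstanding, self._used = shared_key, None, set()

    def challenge(self, nonce=None):
        # The nonce argument exists only to make the scenario below deterministic.
        self._outstanding = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
        return self._outstanding

    def verify(self, frame):
        """Return the decrypted payload on success, None on any failure."""
        if len(frame) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # A replayed frame carries a stale nonce: not the outstanding challenge,
        # and rejected even if a weak RNG re-issued it, because it is marked used.
        if nonce != self._outstanding or nonce in self._used:
            return None
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        self._used.add(nonce)
        self._outstanding = None
        return xor_bytes(ct, keystream(self._key, nonce, len(ct)))


def identical_byte_ratio(a, b):
    return sum(x == y for x, y in zip(a, b)) / min(len(a), len(b))


# Constructed values: the plaintext layout the page describes, two sessions.
SHARED_KEY = bytes(range(32))
PAYLOAD = b"V1004261" + bytes([0xA1, 0xA2, 0xA3, 1, 2, 3]) + bytes(0x10 + i for i in range(21))
NONCE_A, NONCE_B = bytes(range(16)), bytes(range(16, 32))


def run_scenario(shared_key=SHARED_KEY, payload=PAYLOAD, nonce_a=NONCE_A, nonce_b=NONCE_B):
    """One honest unlock, two replays, a tampered frame, a second honest unlock
    and a re-issued nonce; returns what the lock decided at each step."""
    lock = Lock(shared_key)
    frame_a = key_respond(shared_key, lock.challenge(nonce_a), payload)
    accepted = lock.verify(frame_a)
    replay_now = lock.verify(frame_a)          # nothing outstanding
    lock.challenge(nonce_b)
    replay_later = lock.verify(frame_a)        # stale nonce
    frame_b = key_respond(shared_key, nonce_b, payload)
    tampered = bytearray(frame_b)
    tampered[NONCE_LEN] ^= 0x01                # flip one ciphertext bit
    tamper_result = lock.verify(bytes(tampered))
    second = lock.verify(frame_b)
    lock.challenge(nonce_a)                    # RNG repeat: nonce already used
    reissued = lock.verify(frame_a)
    ct_a, ct_b = frame_a[NONCE_LEN:-TAG_LEN], frame_b[NONCE_LEN:-TAG_LEN]
    return {
        "accepted": accepted == payload,
        "replay_rejected": replay_now is None and replay_later is None,
        "tamper_rejected": tamper_result is None,
        "second_session_ok": second == payload,
        "reissued_nonce_rejected": reissued is None,
        "plaintext_id_visible": b"V1004261" in frame_a,
        "ciphertext_overlap": identical_byte_ratio(ct_a, ct_b),
    }
```

`run_scenario()` returns a dictionary of the lock's decisions; every rejection path is exercised and the two ciphertexts of the identical payload differ at almost every byte. A real implementation would use AES-GCM or another AEAD with the nonce as IV and the frame header as associated data; the HMAC keystream exists only to keep the example dependency-free. Note what the nonce does not buy: a live relay that forwards the lock's challenge to a distant genuine key and carries the response back still passes, which is why the timing recommendation above needs a strict round-trip deadline and not only jitter.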

SOC Takeaways

  • Plaintext exposure: the System ID "V1004261" is recoverable from a passive tap on the bus, so it is both an easy check for anyone auditing the protocol and an installation identifier the attacker learns for free
  • Pattern analysis: 70%+ identical bytes across unlocks show that little of the exchange changes per session (no fresh nonce or IV); repeated ciphertext across sessions is the pattern to look for
  • Binary protocol analysis: classifying pulses by width (13.66 µs versus 4.33 µs) is enough to recover structured payloads, so timing analysis belongs in any IoT/OT protocol review
  • Forwarding prevention: require full payload encryption plus a lock-issued nonce in every exchange; encrypting only part of the payload is insufficient for physical access control
  • Evidence-based approach: logic analyzer captures, oscilloscope measurements and a protocol decoder together turn a suspicion into quantifiable findings

Result

Protocol security analysis of the ASSA ABLOY VERSO® CLIQ lock system: captured and decoded 1-Wire protocol traffic revealing System ID "V1004261" in plaintext, 70%+ identical byte sequences across authentication sessions, and partial encryption (only Q1-Q21 blocks encrypted, identifiers in plaintext). Binary pulse timing decoded: 13.66 µs = 0, 4.33 µs = 1. Complete signal captures, CSV data, timing diagrams, and Python decoder available on GitHub.