Reconnaissance at Spa World

by The Piano Guy

While on a road trip, I ended up stopping in Centreville, Virginia.  I didn't know it was Koreatown, but I found out as much when I pulled into a local shopping center and saw Spa World.  Billed as the largest Asian-style spa (jjimjilbang) in the United States, it didn't disappoint.

The custom in a jjimjilbang is for people to take off their shoes before entering the spa area, get their uniform, go in the locker room, and either change into the uniform (if you want saunas) or stay naked (if you want steam and whirlpools).  While in the facility, they want to make sure your possessions aren't stolen and they want to make sure you don't leave without paying (if you eat at the restaurant on premises, as I did) - it isn't like naked people have pockets.  Spa World had that covered - electronic lockers.  They can't expect that people are going to remember a combination, so they provide clients with an electronic key that was attached to a wrist band.  Though it is hard to tell from the picture, the key only has two electrical conductors, and a mechanical pawl which moves the lock if the electronics throw the internal servo and allow the lock mechanism to move.

The key goes in the nondescript hole in the lock, turns, and entry to the shoe locker is available.  There are no fancy discernible electronics in the lock hole either.  It too has just two conductors.

The locking mechanism isn't anything all that special, but the doors are wired on the inside.  More on this later.

  

A significant sign that is posted indicates that if a client wants to open their shoe locker without leaving the facility that they first have to check in with the front desk staff.  Apparently, once you lock your shoes in the locker, you are "checked in."  They start a clock, and if you stay longer than 12 hours, your charge card is charged automatically for another 12 hour stay, or if you paid cash, your shoes are now held hostage.  Same if you eat in their restaurant.  (If you go, have the bibim bap it's really good.)

In the locker room, I was a bit surprised to find a broken locker (not my locker, which worked just fine).  This gave me more time to try to understand the product, and do the reconnaissance.

I did check to see if I could find any numbers on the chip, but the top surface of the chip had been marred, so as to make it impossible to read.  What I could tell is that the blue and black wires come from the key, and the red and black wires (look for the word "Motor" on the circuit board) feed the servo motor (see gears lower-right) which permits or denies lock movement.  There was also a jumper off the back side of the door with a Molex connector, which fed the lights on the bezel for the front of the locker.

  

The especially odd thing about this was that while the shoe locker was wired, there was no wiring external to the device in the locker room.  To my eyes, looking at the circuit board, I didn't see anything that made me think that there was a wireless component to this unit either.  And yet, if a person doesn't pay, they don't get into their locker without checking in at the front desk.

There had to be some electronic control.  Seeing that there was an engraved printing on the unit, I took a closer photo and figured that the information might help me learn more.  That, and I was worried that someone would see me taking pictures and wonder what was going on.  Even though I had the ability to physically remove the lock from the locker room, that's just not right to do.

I took time to eat in their restaurant and had paid cash when I entered; they had no charge card information on me.  So, as expected, my shoes were held hostage.  I went to go get them, and my key didn't work.  I went to the desk, paid for my food, went back to the locker, and it now worked.

I got to talking to the front desk clerk and told him that I'd like to buy the broken lock.  He checked with his manager, who told him that this wouldn't be allowed.

For grins and giggles, I then told the clerk that I was a writer for 2600 Magazine, told him it was the "Hacker Quarterly," and that our readers would love to get information on the really cool technology used with their locker system.  I then asked for permission to take a picture of the register.  He agreed.  I am glad that he didn't think to ask his manager again.

The pictures I took of the terminal came out badly, but I was able to figure out that it was an AngelPOS AP-1500.  Look up www.sisnet.co.kr/Eng/m3/m3_s1_1_t2.asp for much better pictures than I would have been able to take.  I was able to get a good picture of the locker key interface to the system.  Note that the characters are in Korean, rather than English.

When home, I went to UNIKEY's website (www.unikey.co.kr) and didn't find any marketing pablum at all.  Instead, I simply found the text and links saying "TEST for UNI_XX Solution," "UniSafeMail Test Site," and "UNIKEY JavaScript obfuscator & encryption."  I was able to find their address in South Korea using Google, but that was about it.

I still don't know how the locks in the locker room actually talk to the control panel, or if they even do.  If you can get more information on this system, please write a letter or article for 2600, so we all can know.