Frederik Reiter
Frederik (he/him) is a security researcher from Germany, focusing mostly on reverse engineering and software analysis. He is currently pursuing a Master's degree in IT Security at TU Darmstadt.
Session
In this talk, we present our reverse engineering efforts on DHL's parcel locker systems, covering both the older QR-code-based Packstations and the newer Bluetooth-enabled Lean Packstations. By design, these lockers allow an adversary to perform a full Machine-in-the-Middle attack on all communication between the locker and DHL's servers. Can this highly privileged position be used to attack the locker system and perhaps steal parcels? If not, how does DHL protect against such a powerful adversary?
We document the protocols used to register devices, retrieve parcels, and interact with the lockers via the "Post & Paket" app. More broadly, we discuss the attack vectors that should be considered when building such a system, how DHL protects against them, and the risks inherent to the system as a whole, regardless of any specific implementation issue. Finally, we highlight DHL's exemplary response to our research.