DHL Hackstation: What's inside?
In this talk, we present our reverse engineering efforts on DHL’s parcel locker systems, focusing on both the older QR-code-based Packstations and the new Bluetooth-enabled Lean Packstations. These lockers, by design, allow an adversary to perform a full Machine-in-the-Middle attack on all communication between the locker and DHL’s servers. Can this highly privileged position be used to attack the locker system and perhaps steal parcels? If not, how does DHL protect against such a powerful adversary? We document the protocols used to register devices, retrieve parcels, and interact with the lockers via the “Post & Paket” app. More broadly, we discuss the attack vectors that should be considered when building such a system, how DHL protects against them, and the risks that are inherent to the system as a whole, regardless of any specific implementation issue. Finally, we highlight DHL’s exemplary response to our research.
With over 13,000 autonomous parcel lockers available nationwide, DHL provides quick and easy access to parcels for many people in Germany. Instead of delivering parcels directly to the doorstep, where they may be lost, stolen, or returned to sender if no one is home, DHL customers can have their parcels delivered directly to one of these lockers, where the parcel can be picked up at any time. In 2023, DHL introduced a new system called the Lean Packstation, which eliminates printed labels and direct internet connectivity in favor of Bluetooth Low Energy communication via the “Post & Paket” app. While this system improves convenience, it also introduces new security considerations and risks.
In the past months, we have reverse engineered the internals of the app and the Packstation protocols, and will present our findings in this talk. We discuss the technical aspects of both the older, QR-code-based Packstation and the new Lean Packstation, and dissect their built-in security mechanisms. The two systems work differently and provide different security guarantees to both DHL and the users of the system. Both are instructive examples of different approaches to building secure, user-facing embedded devices, which we will outline in this talk. By the end of the talk, attendees will have a deeper understanding of the security challenges in such logistics systems and of best practices for securing similar infrastructure.