Security experts Tobias Bluzmanis, Marc Weber Tobias, and Matt Fiddler speak at Defcon about creating fake keys to high-security locks with credit cards.
(Credit: CNET News.com/Declan McCullagh)
LAS VEGAS--Don't have special lock-picking skills or equipment but want to pick a high-security lock?
A security researcher explained at the Defcon hacker conference here how to make a fake key out of a credit card that can open certain types of Medeco M3 locks used in the White House, Pentagon, and high-security areas around the world.
You need to make a picture of a legitimate key to have an image to transpose onto the plastic, which means an insider or someone with access to the key would need to cooperate, said Marc Weber Tobias, a lawyer who has written a book about breaking into high-security Medeco locks called Open in Thirty Seconds.
Basically, someone could grab an image of the key with a camera, cell phone, copy machine or scanner, print the image on a label or sheet of plastic, and cut along the outline with an X-Acto knife.
"Everybody has known about this forever with conventional locks, like Kwikset," Tobias said. "But high-security locks advertise that they have key control, especially Medeco."
Medeco claims they have key control for the high-security locks, which means control of the ability to duplicate or simulate keys with blanks, and only authorized locksmiths are supposed to be able to make duplicates, he said. "We've shown that's all out the window," he said.
More complex cylinder configurations in the Medeco locks will require extra steps, he said.
"So we've demonstrated the ability to simply make keys for this particular high-security lock," Tobias said of a recent live demonstration. "We didn't have to break the cylinder; we were able to look at pictures that were e-mailed to us and determine the angles on the key."
Potentially millions of high-security locks are at risk, according to Tobias. The technique does not work on other types of high-security locks; Medeco locks have an integrated design that makes the technique relatively easy, he said.
A Medeco spokesman did not return an e-mail seeking comment.
Medeco executives have previously complained about Tobias disclosing vulnerabilities with the locks to the public, even though Tobias had contacted the company as well. Tobias and other security researchers defend their actions in publicly disclosing flaws, saying that if they didn't do so the vendors wouldn't fix the products.
Tobias, and the Lock Picking Village organizers, were also showing their skills at the Last HOPE hacker conference in New York last month.
During the first part of the presentation, the panelists criticized the standards that apply to high-security locks, saying that they were not broad enough to encompass the range of possible picking and breaking attacks. In other words, a lock could be perfectly standards-compliant--but able to be bypassed in under a minute.
In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?
Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and compensate people whose bicycles were stolen as a result of the lock being picked.
"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.
Bruce Schneier is chief security technology officer at BT.
(Credit: Schneier.com)
There's been plenty written about breaking into the virtual locks that safeguard sensitive data on the Web. But the picking of real-world physical locks is becoming an increasingly popular pastime for some. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be broken into and show how it's done on blogs and videos and at security conferences.
Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.
But, just like third-party disclosure of vulnerabilities in software forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the scrutiny and will have to be held accountable for their products, experts say.
NEW YORK--I feel much less secure after attending the Last HOPE conference this weekend.
Not only is my personal information at risk every time I log onto the Internet and use a cell phone headset or passport, but even my gym locker, bike, and home can easily be accessed with the proper tools and manual dexterity.
Tools of the lock picking trade.
(Credit: Elinor Mills/CNET News)
In the popular Lockpicking Village area at Last HOPE (Hackers on Planet Earth), I watched guys twirl little pins in all types of locking devices. For some, it took less than a minute to get the locks to snap open. One lock picker even showed how to open an ordinary padlock with just a piece of aluminum from a beer can. (See video demo below.)
If I'm worried, how do they feel at the Pentagon and the White House?
Medeco, the lock that secures the doors in those two places and at high-security agencies around the world, had been un-crackable for 40 years--until last year. And now there's a book about the lock's shortcomings called Open in Thirty Seconds.
Marc Weber Tobias, co-author of Open in Thirty Seconds, gets freed from a pair of prison transport handcuffs without a key.
(Credit: Elinor Mills/CNET News)
"This is all about liability and responsible disclosure," said Marc Weber Tobias, a co-author on the book. "People need to know they are vulnerable, and the manufacturer says it can't be done."
The book doesn't reveal the codes needed to open the locks, he noted.
"The goal is to help people understand how we did it," said Tobias, who has a physical security consultancy called Security.org. "As a lawyer, I believe in full disclosure and I believe manufacturers ought to disclose the vulnerabilities in their products."
Like with software vulnerabilities, manufacturers don't want to acknowledge security flaws, he said. But the difference between software and old-fashioned hardware is that software can be easily upgraded over the Internet while locks must be replaced.
Below is a video that demonstrates just how easy it is to pick a deadbolt lock. "Steve," a member of the Toool Open Organisation of Lockpickers, uses a small tension wrench to hold the pins in place while he jiggles a lock pick tool to set the pins to "open."
Below in this video, "Deviant" shows how to pick an ordinary combination padlock by shimmying the shackle open with a small, folded piece of aluminum or metal.