Security

Read all 'locks' posts in Security
November 17, 2008 4:21 PM PST

Duplicating keys from a photograph

by Elinor Mills
  • 3 comments

Screenshot of Sneakey software that calculates the dimensions of keys in photos for duplicating them.

(Credit: Ben Laxton)

Nowadays you don't need a locksmith or even lock-picking tools to get past a locked door without a key--you can do it using software, a photograph of the key, and a key-cutting machine.

Researchers from the University of California at San Diego have developed software called "Sneakey" that enables anyone to make duplicates of keys without needing a sample key.

At the Association for Computing Machinery's Conference on Computer and Communications Security three weeks ago, the researchers demonstrated the system using photographs from Flickr and photos taken as far away as 200 feet using a high-powered telephoto lens, according to an article in Scientific American.

"There is a five-digit number that represents all of the information in a standard key," said UC San Diego computer science professor Stefan Savage. "You type that code into a key-cutting machine and it makes a perfect replica."

Savage supervised the research conducted by graduate students Kai Wang and Ben Laxton. The software analyzes a photograph of a key and calculates the dimensions of the key's grooves, known as the "bitting." The system works best with keys made from common brands.

Savage said he does not plan on commercializing the technology.

At the Defcon hacker conference in August researchers discussed how they were able to duplicate keys to high-security locks by making a photocopied image of the key and then transferring that image onto a plastic sheet and cutting the shape out.

October 23, 2008 10:28 AM PDT

High insecurity at LockCon

by Marc Weber Tobias
  • 1 comment

Competing to open locks in the fastest time at LockCon.

Once again I made the annual trek to a little town in the northern Netherlands, Sneek, to meet with about 75 colleagues to discuss the latest security issues and bypass techniques for locks, safes, and access control systems. LockCon, the new name for "The Dutch Open," is organized by Barry Wels and Han Fey. For the past six years, they have put together a three-day event, replete with lock picking contests, safe cracking demonstrations, and briefings on new security technologies.

More importantly, the conference provides a forum for serious discussions and presentations about design flaws in security hardware, and new circumvention techniques. Barry Wels is actually a crypto expert for GSM phones, but is perhaps most well known in Europe for focusing attention on lock bumping in the Netherlands, through Toool (The Open Organization of Lock Pickers).

Two significant events occurred at LockCon this year.

On Friday, the director of research and development at Medeco High Security Locks gave a five-hour presentation on lock design. This is important because Medeco has finally recognized the value and contribution of the lock sport and professional bypass community and their ability to develop methods of compromise that manufacturers often seem incapable of determining in their own products. It is a real departure from the traditional approach of most lock makers, and one that I have supported and advocated for quite some time.

The following day, a detailed four-hour presentation and workshop was given by my co-author (Tobias Bluzmanis) and I regarding the bypass of Medeco m3 and Biaxial cylinders. For those who may be unfamiliar with the name, Medeco has been the predominant high security lock manufacturer in North America for the past 40 years. It's responsible for protecting residences, commercial locations, and the most secure government facilities in the U.S. and overseas. Its lock design was revolutionary and very secure, until we figured out the embedded design issue.

In our presentation, we examined the theory and practical aspects of compromising these highly respected locks by various methods, including bumping, picking, and bypass of its key control. On Sunday, a contest provided a real-world confirmation of the theories and techniques that were presented in our new book on the subject.

If you thought your locks were secure, check out the details and video links at In.security.org. The best official time to open a five-pin Medeco high security cylinder was 23 seconds. This flies in the face of the requirements of the two primary testing protocols that apply to these locks in the U.S. These standards set the minimum performance criteria for locks, safes, and other security hardware, and define resistance to covert and forced entry techniques.

UL 437 and BHMA/ANSI 156.30 require a minimum of 10 minutes to bypass these mechanisms by picking and other forms of attack. This is precisely why we have challenged these standards as not being representative of real world attacks, with potentially catastrophic results for facilities or critical infrastructure. Security professionals rely upon these same standards by Underwriters Laboratories and the Builders Hardware Manufacturers Association to establish benchmarks for high security locks. In my view, 23 seconds of protection does not quite make it! That was the documented official time. Actually, a participant opened one of the same locks in five seconds, but we did not record it on video.

More in a later post on the concept of standards, and why many security professionals do not feel they are adequate.

A new book, "Open In Thirty Seconds," was recently released by Marc Weber Tobias and Tobias Bluzmanis regarding high security locks and the techniques and theory to bypass all levels of security in Medeco m3 and some Biaxial cylinders. See stories on CNET earlier this summer from Defcon 16 and HOPE regarding these issues. Marc has lectured and written extensively with regard to Medeco and other lock manufacturers.

August 8, 2008 3:00 PM PDT

Lock picking with a credit card, a photocopier, and some luck

by Elinor Mills
  • 5 comments

Security experts Tobias Bluzmanis, Marc Weber Tobias, and Matt Fiddler speak at Defcon about creating fake keys to high-security locks with credit cards.

(Credit: CNET News.com/Declan McCullagh)

LAS VEGAS--Don't have special lock-picking skills or equipment but want to pick a high-security lock?

A security researcher explained at the Defcon hacker conference here how to make a fake key out of a credit card that can open certain types of Medeco M3 locks used in the White House, Pentagon, and high-security areas around the world.

You need to make a picture of a legitimate key to have an image to transpose onto the plastic, which means an insider or someone with access to the key would need to cooperate, said Marc Weber Tobias, a lawyer who has written a book about breaking into high-security Medeco locks called Open in Thirty Seconds.

Basically, someone could grab an image of the key with a camera, cell phone, copy machine or scanner, print the image on a label or sheet of plastic, and cut along the outline with an X-Acto knife.

"Everybody has known about this forever with conventional locks, like Kwikset," Tobias said. "But high-security locks advertise that they have key control, especially Medeco."

Medeco claims they have key control for the high-security locks, which means control of the ability to duplicate or simulate keys with blanks, and only authorized locksmiths are supposed to be able to make duplicates, he said. "We've shown that's all out the window," he said.

More complex cylinder configurations in the Medeco locks will require extra steps, he said.

"So we've demonstrated the ability to simply make keys for this particular high-security lock," Tobias said of a recent live demonstration. "We didn't have to break the cylinder; we were able to look at pictures that were e-mailed to us and determine the angles on the key."

Potentially millions of high-security locks are at risk, according to Tobias. The technique does not work on other types of high-security locks; Medeco locks have an integrated design that makes the technique relatively easy, he said.

A Medeco spokesman did not return an e-mail seeking comment.

Medeco executives have previously complained about Tobias disclosing vulnerabilities with the locks to the public, even though Tobias had contacted the company as well. Tobias and other security researchers defend their actions in publicly disclosing flaws, saying that if they didn't do so the vendors wouldn't fix the products.

Tobias, and the Lock Picking Village organizers, were also showing their skills at the Last HOPE hacker conference in New York last month.

During the first part of the presentation, the panelists criticized the standards that apply to high-security locks, saying that they were not broad enough to encompass the range of possible picking and breaking attacks. In other words, a lock could be perfectly standards-compliant--but able to be bypassed in under a minute.

August 1, 2008 4:00 AM PDT

The ethics of lock picking and telling

by Elinor Mills
  • 22 comments

In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?

Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and compensate people whose bicycles were stolen as a result of the lock being picked.

"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.

Bruce Schneier is chief security technology officer at BT.

(Credit: Schneier.com)

There's been plenty written about breaking into the virtual locks that safeguard sensitive data on the Web. But the picking of real-world physical locks is becoming an increasingly popular pastime for some. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be broken into and show how it's done on blogs and videos and at security conferences.

Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.

But, just like third-party disclosure of vulnerabilities in software forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the scrutiny and will have to be held accountable for their products, experts say.

July 21, 2008 8:40 AM PDT

For the love of lock picking

by Elinor Mills
  • 13 comments

NEW YORK--I feel much less secure after attending the Last HOPE conference this weekend.

Not only is my personal information at risk every time I log onto the Internet and use a cell phone headset or passport, but even my gym locker, bike, and home can easily be accessed with the proper tools and manual dexterity.

Tools of the lock picking trade.

(Credit: Elinor Mills/CNET News)

In the popular Lockpicking Village area at Last HOPE (Hackers on Planet Earth), I watched guys twirl little pins in all types of locking devices. For some, it took less than a minute to get the locks to snap open. One lock picker even showed how to open an ordinary padlock with just a piece of aluminum from a beer can. (See video demo below.)

If I'm worried, how do they feel at the Pentagon and the White House?

Medeco, the lock that secures the doors in those two places and at high-security agencies around the world, had been un-crackable for 40 years--until last year. And now there's a book about the lock's shortcomings called Open in Thirty Seconds.

Marc Weber Tobias, co-author of Open in Thirty Seconds, gets freed from a pair of prison transport handcuffs without a key.

(Credit: Elinor Mills/CNET News)

"This is all about liability and responsible disclosure," said Marc Weber Tobias, a co-author on the book. "People need to know they are vulnerable, and the manufacturer says it can't be done."

The book doesn't reveal the codes needed to open the locks, he noted.

"The goal is to help people understand how we did it," said Tobias, who has a physical security consultancy called Security.org. "As a lawyer, I believe in full disclosure and I believe manufacturers ought to disclose the vulnerabilities in their products."

Like with software vulnerabilities, manufacturers don't want to acknowledge security flaws, he said. But the difference between software and old-fashioned hardware is that software can be easily upgraded over the Internet while locks must be replaced.

Below is a video that demonstrates just how easy it is to pick a deadbolt lock. "Steve," a member of Toool (The Open Organisation of Lockpickers), uses a small tension wrench to hold the pins in place while he jiggles a lock pick tool to set the pins to "open."

Credit: Elinor Mills/CNET News

In the video below, "Deviant" shows how to pick an ordinary combination padlock by shimmying the shackle open with a small, folded piece of aluminum or metal.

Credit: Elinor Mills/CNET News
