THE SIDEBAR: MARC WEBER TOBIAS

Archive for the 'Products' Category

DEFCON 18: LOCKS, LIES, AND VIDEOTAPE

See the Wired.com, AFP, and Brickhouse Security articles.

DefCon is the largest hacking/security conference of its kind in the world. For the past six years, our research team has demonstrated vulnerabilities in both high security and conventional locks. This year our team (Marc Tobias, Tobias Bluzmanis, Matt Fiddler) selected five different locking mechanisms that are popular in the consumer sector. We chose a broad cross-section: a conventional programmable mechanical lock, an electronic “safe”, a biometric fingerprint lock, an RFID-based deadbolt, and a very sophisticated electro-mechanical lock that requires no batteries in either the lock or key. Three of these locks are imports: two from China, and one from Finland. Notably, the locks from China (BioLock and Amsec) are both sold in the United States, and are prime examples of insecurity engineering at its best. They denote a total lack of competence in design, often typical of the cheap products that are being imported from China. More about this later, but suffice it to say, these are prime examples to support the premise: there are no shortcuts to quality and security.

Three of the five companies refused to comment or return phone calls to Wired. Kwikset and Iloq did make statements, both of which, in my view, were inaccurate or misleading, or demonstrated a basic misunderstanding of their products with regard to security. On previous occasions I had attempted to speak with General Counsel for Kwikset and their VP of Engineering in order to disclose security vulnerabilities. They likewise refused to return phone calls.

None of these locks can be considered as high security, but Kwikset, which sells millions of cylinders a year in the U.S., and has incredible market presence, has a grade 1 security rating for its model 980/985 deadbolt, which we selected to analyze. I have attacked Kwikset for several years because of their poor quality and security. In fact, in 2006, the company flew me out to their corporate facility in California for a pre-release briefing of their Smartkey, after eleven-year-old JennaLynn bumped open their locks at DefCon. The irony was that senior engineering and management at Kwikset told me that they were not even aware of bumping, except for what they had seen on the Internet! The Smartkey was not designed to be bump-resistant.

At that meeting, I voiced my opinion that the company was selling junk locks. Their reply was “yes, we know, but we make 20-25 million of them a year.” In my view, nothing much has changed in the past four years, other than their locks are mechanically reprogrammable. Clever, yes. Convenient, yes. Secure and maintenance-free, no.

FALSE SENSE OF SECURITY

Each of the five companies represents their products as secure. This creates a false sense of security in the buying public. In the case of Kwikset, in my view they are perhaps the worst offender because of their market penetration. But the problem and responsibility is shared equally with the standards organization that rates their locks, and specifically with BHMA. I have had many discussions with regard to this issue during the past three years with their executive director in an attempt to modify the standards so they actually mean something. I think we are making progress, but because of the inherent way in which standards are adopted, it is a slow process.

The standards do not adequately address simple methods of bypass. The result is that locks are sold that the consumer relies upon as being secure; and yet they are not. Many of the bypass techniques that we utilize are not even included within the standard. Some companies hide behind the standards, stating that their locks “meet or exceed” them, knowing those same locks can be bypassed by methods not enumerated in the standards they are citing. I would submit that whether a lock is certified under an applicable standard or not has nothing to do with its real security if it can be bypassed in seconds. In such a case, any such statements are illusory and mean nothing with regard to protection of the end-user.

WHAT NEEDS TO BE DONE

There is no substitute for competent security engineering. Unfortunately, some locks are expensive and not secure, but generally, you get what you pay for. I think the critical issue for the consumer to understand is that cheap locks are inherently not secure. In 2006 Kwikset told me their Smartkey cylinder would cost them about two dollars to produce. In my view, they are of poor quality, and just about every locksmith in the country knows it. Clever options like being programmable are extremely convenient for the consumer, but unless executed properly, can reduce the overall security of the lock.

Granted, some consumers cannot afford better locks (or those that carry a high security rating), but at least they should know what they are buying and not be misled by untrue or misleading claims of manufacturers. Kwikset has been aware of the vulnerabilities in their locks, and specifically that they can be opened in seconds with a specially modified key and the application of sufficient torque. They have made changes to prevent this bypass technique, but the locks can still be opened, and they know it. Yet, their employees continue to mislead the public into believing that their deadbolts can only be opened by drilling, breaking the door down, or breaking the door frame. This is simply not true. They continue to focus on their Grade 1 rating. Yes, they are certified, but we do not think they will pass in a re-certification test.

We are filing a challenge with BHMA to ask for a retest, because in my view, the Smartkey deadbolt will not pass, based upon two sections of the BHMA/ANSI 156.5 standard: Sections 12.1 and 12.5.2.

Section 12.1 requires that the cylinder be of the pin tumbler design. The Smartkey is not; it uses tiny sliders, as shown in the photograph below. While they may control a sidebar for locking, which generally is more secure, the sliders themselves are not, and never will be as strong as pin tumblers. The BHMA standard excepts locks that are more secure than pin tumbler designs. In my view, the Smartkey is not, and Kwikset knows it. And they cannot use the fact that they are bump-proof, either, because bumping is not in the standard. Yes, they are pick resistant, but we have picked them as well.

The point is that the locks are not physically secure and can be easily compromised. BHMA should not be certifying a deadbolt Grade 1 cylinder that can be opened in thirty seconds. Further, Kwikset should be forced to place a warning on their packaging denoting this fact to the buyer. If they did, I am quite certain that few persons would choose them for protection.

Section 12.5.2 requires that the plug can withstand a minimum of 300 foot-pounds of torque without turning, or that it cannot be turned by manipulation. We do not believe that the Kwikset Smartkey 980/985 deadbolt can meet this requirement either. To open the lock, we are inserting a portion of a key, cut to specific depths, and applying torque. This procedure, we believe, meets the definition of “manipulation” in the standard.

RE-WRITE THE STANDARDS AND MAKE THEM REFLECT “REAL-WORLD” ATTACKS

Include real-world testing procedures that are not presently incorporated within the standards. This will ensure that what the manufacturer represents as secure actually is.

START TELLING THE TRUTH TO CONSUMERS AND WARN THEM OF KNOWN VULNERABILITIES

I am quite certain that if Kwikset and all of the other manufacturers that were shown at DefCon 18 were to place warnings on their packaging that their locks could be compromised in seconds, nobody would buy them. After watching the videos, would YOU buy any of these locks? Not likely. And that is precisely the point. If a manufacturer is going to produce inferior quality locks, then warn the public, so that they have the information to make an informed decision as to security.

HIRE ENGINEERS THAT UNDERSTAND SECURITY ENGINEERING, NOT JUST MECHANICAL ENGINEERING

In my experience, many manufacturers have no idea how to open their own locks. While their engineers are quite competent to make things work properly, they have little understanding of bypass techniques. And this is precisely the problem. It is a simple principle: you cannot properly design a lock if you do not have a thorough understanding of the methods to break it.

STOP PLACING PROFIT AHEAD OF SECURITY

For a manufacturer, security can be very expensive. Materials, high tolerance, production controls, and competent engineering all come at a price. If a company is to represent their products as secure, then the company has a duty to make sure they in fact are. Many place profit well ahead of security, leaving consumers at potential risk.

VENDORS SHOULD SEND A MESSAGE TO LOCK MANUFACTURERS THAT THEY WILL NOT BUY (OR SELL) PRODUCTS WITH SHODDY QUALITY OR POOR ENGINEERING

Brickhouse Security is the leading vendor of surveillance and security-related hardware to law enforcement and corporate facilities in the U.S. When we notified them of the problems with the BioLock, they took action, as noted in their press release. Notwithstanding that the manufacturer, BioLock, refused to accept any responsibility whatsoever for their defective product, Brickhouse has set the standard for vendors in the security hardware sector. Hopefully, others will follow. It is only when the manufacturers get a clear message from vendors that they will not sell their junk, that they will be forced to engineer their products properly and take responsibility for what they make.

LOCKS, LIES, AND VIDEOTAPE

We tested the following locks for DefCon 18:
KWIKSET SMARTKEY
BIOLOCK 333 FINGERPRINT LOCK
KABA SAFLOK IN-SYNC RFID LOCK
AMSEC ES1014 ELECTRONIC SAFE
ILOQ C10S ELECTROMECHANICAL LOCK

Photographs and comments below.

KWIKSET SMARTKEY DEADBOLT OPENED WITH A SCREWDRIVER

Kwikset represents that the Smartkey Model 980 Grade 1 deadbolt is the highest grade of residential security available. This is not, in my view, an accurate statement at all, except perhaps for Kwikset products. It is, in my opinion, misleading, and Kwikset knows it. Such statements are being made by their customer service representatives and in their advertising. If in fact this is the best the consumer can buy, and can be opened in thirty seconds or less, then what does a Grade 2 or Grade 3 rating denote in Kwikset’s world? Ten seconds to open? Perhaps both Kwikset and BHMA would like to answer that question!

KWIKSET Smartkey deadbolt can be opened with simple implements, notwithstanding it is rated as a Grade 1 lock.

KWIKSET SLIDERS

In my view, the critical security vulnerability in the Kwikset Smartkey is the sliders that control the sidebar. They will never be as secure as brass or nickel-silver pin tumblers, even though they tout sidebar security. They can be easily warped, which in my view is the fatal defect in this lock. The macro photograph shows a normal slider (left) and one that has been warped by the application of torque from a 3.5″ screwdriver blade inserted into the keyway and turned with a small vice grip.

OPENING THE KWIKSET SMARTKEY

Kwikset has been aware, for quite some time, that Major Manufacturing has been producing a locksmith tool to open their locks by applying torque with a key blade cut to specific depths. Kwikset has made changes in an attempt to fix this problem, but not very successfully. Yet their representatives continue to state that the only way to open the lock is to drill it. In our tests, we chose to utilize a cut blank key, a screwdriver, and a small vice grip to demonstrate the insecurity of this lock. In their statement to Wired, it would appear that the Kwikset spokesman tried to give the impression they were not aware of this problem. Maybe the spokesman was not, but the engineering division of Kwikset has known about the issue for quite some time.

Opening a Smartkey can be easily accomplished with a portion of a key cut to specific depths, a screwdriver, and a vice grip.

BIOLOCK is a company based in China, with an office in Los Angeles. They produce a line of biometric locks, including the Model 333, which we tested, and which Brickhouse Security carried until last week.

This very professional-looking fingerprint lock has a bypass cylinder, which is the fatal flaw in its security. As shown in the video and photograph, the locking system can be bypassed within seconds with a piece of wire or paperclip. The design of this lock is completely incompetent and denotes a total disregard for, and lack of understanding of, security issues in lock design.

The BioLock fingerprint lock with bypass cylinder that can be opened in seconds.

The BIOLOCK 333 fingerprint lock can be compromised in five seconds with a paperclip.

AMSEC CONSUMER-LEVEL ELECTRONIC SAFE, MODEL ES1014

AMSEC is a quality safe manufacturer in California, who would, in my opinion, never knowingly market a product with the design defect we demonstrated. Their customer service representatives told me that this safe was a Chinese import and that AMSEC did not test it. That is unfortunate for the consumer who has purchased these. And, just to be clear, we think that to represent this as a “safe” is misleading to the consumer. It is not a safe; it is a container with a lock.

The AMSEC ES1014 consumer-level electronic safe. It is not secure and can be easily compromised.


A flat piece of metal from a hanging file folder is bent and inserted through the top of the door. It is used to make contact with the reset switch to allow the combination to be reset. This is an incredibly inept design.

KABA IN-SYNC LOCK

The Kaba In-Sync is an RFID-based cylinder that is popular for use on military bases, apartment houses, churches and other commercial facilities. Incredibly, the design engineers that are responsible for the security of this device did not understand that a wire could be inserted next to the USB communications port to access the locking pin that provides the security for this lock. We had contacted the lead engineer for Saflok almost a year ago, and then again last month, to discuss this issue. No response.

The Kaba InSync RFID cylinder can be easily opened with a piece of wire.

ILOQ ELECTROMECHANICAL LOCK

The Iloq is an award-winning electromechanical lock that does not use any batteries, but rather generates the needed current through the use of a motor to perform two functions: power generation, and turning a gear to control the primary locking element. These locks are extremely popular in Finland and other Scandinavian countries.

As we note in the video, there are four operating stages for the Iloq. The critical failure of this lock is the ability to circumvent the mechanical re-locking feature. Once this is accomplished, the electronic credentials are neutralized and the Iloq becomes a one-pin conventional lock, which in my view is less secure than the Egyptian pin tumbler lock of 4000 years ago. A senior representative of the company told me that Iloq had made certain changes to prevent our methods of bypass, and that those locks will be available within a couple of months. This is an extremely responsible company who clearly should have understood the ramifications of their design failure, from the security perspective.

ILOQ in Finland produces a very sophisticated electro-mechanical lock that can be easily compromised. This photograph shows the Scandinavian profile and the actuating lever at the front of the keyway that can be modified to set the lock to open by any mechanical key.

A cutaway view of the award-winning Iloq, from Finland.

ILOQ KEY TIP MODIFICATION

There are two ways to circumvent the security of this lock: one through an internal attack, and one by externally modifying the actuating lever just inside the keyway. The photographs show the very minimal material removal from the key tip to set this lock so that it can be opened by any other key or even a screwdriver.

All ILOQ keys are mechanically the same configuration. Each key-head contains a unique electronic identifier.

The tip of the ILOQ key is modified for an internal attack. The top photograph shows a normal key (green); the bottom has been modified.

MODIFICATION OF THE ACTUATING LEVER AT THE FRONT OF THE KEYWAY

The actuating lever can also be modified by removing an equivalent amount of material, about 1/32″. When this occurs, the lock is set and can be opened by any key, simulated key, or screwdriver. Note the small amount of lever material (circled in red) that has been removed. This can be accomplished rapidly and will result in the lock being permanently set, requiring only a mechanical key to open.

ILOQ actuating lever showing the modification to permanently set this lock.

THE LASERSHIELD ALARM SYSTEM: Do We Have A Failure to Communicate?

LASERSHIELD BURGLAR AND PANIC ALARM SYSTEM: When locks may not be enough to protect you.

If your house is protected only by mechanical locks, even high security locks such as Medeco, Mul-T-Lock, Assa or other UL certified cylinders, and they are your only security against burglars, then you may want to add another layer of security with an alarm system. We analyzed the newest product that can be installed by virtually any consumer and which will provide additional security to those locks that you thought were all you needed.

The LaserShield “plug and go” alarm system is the first practical consumer-level burglar and panic alarm that can be installed in five minutes and requires no technical skill. It is sophisticated and state-of-the-art in its electronic design but is it secure? In our detailed report, we examine the positive and negative aspects of this system and whether it is suitable for use by the consumer to protect them. If you are thinking about purchasing a LaserShield or any other alarm system that utilizes wireless trips you may want to read the accompanying report and watch the video demonstration of just how easy it is to bypass most wireless sensors. If you are only concerned about “casual burglars” and opportunistic break-ins, then LaserShield will definitely do the job. If you are worried about being the target of determined thieves, then you definitely need to learn about certain security vulnerabilities.

See the article on engadget.com

The Master Alarm Unit is at the heart of the LaserShield system. It contains the wireless receiver, processor and communications electronics that allow you to set up the system quickly and easily. But has security been compromised for convenience? It depends on your individual risk that burglars will target your home, or just decide to break in because of random selection.

Marc Weber Tobias demonstrates the bypass of a wireless alarm system with a simple and very effective technique. This problem is not limited to LaserShield but can be employed with many wireless alarm devices.

DETAILED TECHNICAL REPORT

VIDEO SEGMENTS

Interview Tony Dohrmann, CEO of LaserShield

Bypass of the LaserShield system within a residence

Demonstration of the LaserShield system and bypass

Detailed Technical Specifications Summary

MEDECO DEADBOLT DESIGN: What Next?

Medeco is scrambling to fix their deadbolt security problem worldwide. Last week, they were reportedly set to begin manufacture of the modification of their high security cylinders to protect them against a simple method of attack that was disclosed by Marc Weber Tobias and his research team two weeks ago. Medeco had been warned over the past two months that there was a significant design issue with these cylinders but made no attempt to contact Marc to determine the precise nature of the problem. Now, they have a real problem because many of their customers that have installed single-sided deadbolts may be at risk, especially those that are utilizing the newer m3 technology. We have found that the vulnerability may extend to certain Biaxial® models also.

If you employ these deadbolts we would urge you to contact your locksmith, security consultant or Medeco to determine the proper course of action. A detailed report of the vulnerability is available to security professionals. You may contact the author for details at mwtobias@security.org.

PART I: THE MEDECO® m3 MEETS THE PERILOUS PAPER CLIP: Is Your Security at Risk?

DETAILED ANALYSIS: THE MEDECO m3 MEETS THE PERILOUS PAPER CLIP

You will need a password to access the detailed report. Please register at www.security.org. The password has also been posted on ClearStar.

View the video: Security vulnerabilities of the m3

This is the first of a four-part series with regard to Medeco® security. Part II will detail the methodology we developed to bump these cylinders. Part III will examine the procedure that is employed to pick these locks. Part IV will detail what we perceive as design deficiencies that allow certain of the Medeco® deadbolts to be easily bypassed. All of the information is based upon material in the High Security Supplement to the latest edition of LSS+.

The reader should review the cautionary notes regarding statements made within this report. See Legal Issues.

A piece of wire or a specially-formed paper clip can be utilized to bypass the slider mechanism in the m3. In combination with other techniques, this can result in a total bypass of the key control for a facility with regard to the acquisition of restricted blanks and the replication or simulation of keys.

The Medeco® m3 cylinder was developed primarily to extend the Biaxial® patent (which expired in 2005) so that the company could continue to dominate the U.S. high security lock market and protect its unique rotating tumbler technology. The m3 is UL 437 and ANSI 156.30 certified which Medeco® represents as a guarantee that its security can be relied upon for the most sensitive of installations such as the Pentagon and the White House. Based upon our research during the past year, there may be some security vulnerabilities relating to key control and the ability to reliably bump and pick some of these locks.

There are approximately 26 different combinations of steps and keys within the m3 system. This allows for enhanced key control but is the system secure from the standpoint of preventing the ability to replicate or simulate keys, especially for restricted keyways? We do not think so.

In an excerpt from the High Security Supplement of the latest edition of LSS+ we examine the m3 in terms of potential key control issues and the possible susceptibility of this lock to other forms of covert bypass. A comprehensive examination of the subject is contained in the third edition of LSS+ (the multimedia edition of Locks, Safes and Security) by the author.

®Medeco is a registered trademark of Medeco Locks.

MEDECO LOCKS: Are They Secure Enough?

Introduction

Medeco is the predominant high security lock manufacturer in the United States and has been trusted for more than thirty-five years to provide cylinder and hardware security for the private, commercial and government sectors. Their sidebar technology was unique when first introduced and has presented a continuing obstacle to both covert and forced methods of entry. As detailed in the Government version of LSS+ some very sophisticated decoders have been developed for law enforcement and intelligence agencies to bypass the original two layers of security within the Medeco design. As described in the first article of a four part series, Medeco introduced the m3 cylinder which incorporated a third level of security through the implementation of a slider. Their latest product is a modified m3 called the Bilevel. This is a lock that does not utilize the traditional Medeco sidebar design and is a cheapened version that is no more secure than a conventional pin tumbler cylinder and in fact may allow systems that integrate the Bilevel to be more vulnerable because of the limited number of sidebar codes that are available.

When the threat from bumping was made public in the United States last July and August, consumers, risk managers, security experts and locksmiths from both the private and public sectors began to question the real security of the locks that they depend upon to protect people, facilities, and assets. It was more than unsettling to think that perhaps there was little protection against a procedure that a kid could learn and rapidly execute to open a high percentage of pin tumbler locks. At the same time, everyone was led to believe that the threat from bumping did not extend to high security locks.

Beginning last August, high security lock manufacturers were quick to announce the heightened security of their cylinders against bumping. This included Medeco, Mul-T-Lock and Assa: they all produce locks with UL437 or similar high security ratings.

Some announced that their locks were “bump proof” or “virtually bump proof” and that the consumer should have no fear that their security was in jeopardy. In all fairness, many of these manufacturers did not fully understand the threat or techniques that could be applied to bypass their internal security. Some still do not believe that such attacks are possible and continue to publicly decry any who make statements about bumping or picking of their cylinders, stating that any demonstration of bypass was a trick or “smoke and mirrors.”

The accompanying article specifically deals with the Medeco m3 and why we do not believe it provides any significant measure of key control security against a determined attack. In subsequent articles we will describe in detail how we determined that the Medeco and other high security locks could be bumped, picked open, or mechanically bypassed within minutes, if not seconds, thus rendering the ten minute minimum specification for UL 437 or fifteen minute standard for ANSI 156.30 as essentially meaningless. We thought it would be prudent to briefly analyze just what security the Medeco technology does provide against both casual and determined attacks and to hopefully dispel any confusion that may result from these articles as to whether the security provided by these locks is sufficient to protect you.

LOCKS AND THE CONCEPT OF SECURITY

“Security” is a generic term that can mean many things. In the world of locks, its definition has to be qualified by asking several core questions. Specifically, what are you trying to protect, and where? What is the value of the target for which these locks are providing security? Against what threat or whom are these locks designed to stop or delay entry? How sophisticated or determined is the attacker likely to be? Finally, does the lock provide the only barrier or is it one control in a “defense in depth” strategy, meaning that there are other measures of security such as alarms, video, guards, perimeter barriers, or other systems to back up the locks.

Many are surely asking whether their Medeco locks are secure enough, especially after Medeco has repeatedly issued press releases, advertising statements and even a DVD categorically stating that their locks were “bump proof” and lately “virtually bump proof.” Recently we asked a senior representative of Medeco exactly what “virtually bump proof” meant. We thought it was a fair question, especially since the term “virtually bump proof” in my view is like “virtual reality.” It means nothing but is a phrase that my fellow lawyers have devised to shield a manufacturer from potential liability for material misrepresentation. Saying that something is “virtually secure” is a qualification based upon no measurable standard so it is an illusion. And the answer that we were given by Medeco: “Virtually bump proof means that you have about as much chance of opening our locks as you do of winning the lottery!” Well, if that is the case, I will place my bet on collecting from Medeco because my odds are a great deal better in opening their locks than in winning a lottery.

So, you have spent perhaps three or four times the money to install Medeco cylinders than you would have for conventional non-high security rated mechanisms, believing that the cost difference was worth it. But exactly what security is provided for all that extra money? We will try to answer that question by briefly analyzing what your Medeco cylinders offer in the way of protection.

MEDECO SECURITY: What is it?

So why is Medeco perceived and touted as one of the most secure locks on the planet? Why are they relied upon by the U.S. government for installations such as the White House and Pentagon? The answer is simple: Medeco makes quality products of the highest order. This does not mean they necessarily outperform other high security lock manufacturers or that their sidebar approach is any better or more secure than others who have different design philosophies.

At the end of the day each manufacturer’s design has its strengths and weaknesses but all lock security can be reduced to three issues: forced entry protection, covert and surreptitious attacks, and key control. In fact, these are precisely the criteria and requirements that are addressed in the ANSI 156.30 high security standard.

Medeco locks are secure in part based upon the following features and issues:

• High quality components
• High tolerance mechanisms
• Excellent engineering and design
• Five or six pin tumblers
• Integrated pins that incorporate elevation and rotation
• Sidebar technology
• Slider technology and key control
• Legal protection of keys
• Special cutters are required to duplicate keys
• The ability to utilize multiple sidebar codes within one master key system to separate and protect secure areas
• Difficult to pick
• Impossible to bump without the correct or operable sidebar code
• Availability of the ARX pin for added pick and decoding resistance
• Forced entry protection
• More difficult to progress keys when extrapolating the top level master key

We believe that Medeco locks are secure for most venues but also have certain vulnerabilities that must be addressed in certain locations. Those vulnerabilities may allow certain Medeco cylinders to be rapidly bypassed by bumping and picking and circumvention of key control.

Forced entry

Let's take forced entry first. Medeco, as with most other high security lock manufacturers, implements hardened inserts and components to resist most forms of drilling of the plug, shear line, or sidebar. These are the three vital areas that are most vulnerable. Almost everyone utilizes special steel pins, bearings and other blocking technologies to resist such attacks, at least for a minimum of five minutes. Some of these locks are incredibly tough, although the type of attack and amount of force must always be considered. In Part I of this series, force is not seen as the real threat: covert attacks and compromise of key control are.

Key Control

Key control relates to the protection of keys from duplication, replication, and simulation. It also deals with system expansion, the number of secure key changes, ability to set up large master key systems, and an alternative to the use of sectional keyways.

The Medeco m3 specifically touts its key control as secure, flexible and effective. In fact, the m3 was designed primarily for enhanced key control as a way of extending the Biaxial patent that expired in 2005. In doing so, Medeco also claimed that the security of the cylinder was enhanced with the addition of the internal slider. So exactly what do the m3 and its slider accomplish?

There is no doubt that key control is enhanced to the extent that legal protection applies for the next twenty years, thereby preventing others from commercially manufacturing, selling or distributing blanks for the m3 that contain the patented protrusion on the side of the key. That’s it! There is no more protection against cutting keys with angled cuts, nor for replicating keys for the original or Biaxial locks. No, you cannot go to the local hardware store or Home Depot and obtain m3 blanks or have keys copied. If you have a system with a commercial keyway then your local locksmith may be able to legally replicate your keys. If the keyways are restricted or proprietary, then you are out of luck, but criminals may not be.

The m3 is subject to bypass of its key control features because the slider can be easily defeated with a piece of wire or a paper clip. In addition, restricted blanks can be synthesized or replicated, thereby potentially bypassing all of the key control you thought you had obtained when purchasing the Medeco brand. Is such bypass relevant? Again, it depends if you have a high value target to protect.

If you are a residential customer or own a small business, the likelihood that your locks will be compromised in this manner is pretty remote. Certainly it is not impossible but the chances are slim. What you need to understand is that the third layer of security that is provided by the slider is essentially non-existent given its ease of bypass. And that bypass can make the lock much more insecure to secondary and more advanced forms of attack such as bumping and picking. If you choose to implement Bilevel into an m3 system there is even less security but the locks are also less expensive.

Covert and Surreptitious Methods of Entry

In my view the real threat is from covert methods of entry. Notwithstanding their statements to the contrary, certain Medeco locks can indeed be bumped and picked, some with little difficulty. Did Medeco know this last year when they began their public information campaign of invulnerability to bumping? In fairness, probably they did not. In fact, they went so far as to have their locks tested against bumping attacks by a testing lab in Europe. They were pronounced secure according to Medeco.

Should Medeco have conducted more tests to make certain that their locks were immune to bumping? Probably, because they represent that they are experts in high security locks and that their customers can rely upon their expertise and statements. When Medeco categorically states that their locks are “bump proof” then they are surely believed because of their reputation, customer base, ethics, and expertise during the course of the past third of a century. All in the industry know that Medeco is a prime supplier to the U.S. and some foreign governments and that they did not earn their reputation or win those contracts without being one of the best at what they do. Everyone takes Medeco at their word about security.

So just what protection against covert attack does Medeco provide? In the m3, there are three levels of security, all of which are interrelated. The compromise of one level of protection will not result in the lock being opened. All three separate and parallel systems must be defeated before the lock can successfully be neutralized.

The primary security for a Medeco cylinder has always been its unique sidebar design which is controlled by rotating pin tumblers. This invention can be likened to the modification of the Egyptian pin tumbler lock by Linus Yale. The concept of the rotating pin was revolutionary and had never been done before, which is why Medeco received several ground-breaking patents almost forty years ago.

The requirement that pins be both elevated and rotated in order to align two different locking systems (shear line and sidebar) at one time set Medeco apart from all other high security lock manufacturers. This combination makes picking extremely difficult because pin tumblers must be manipulated at the same time for two different systems (rotation and elevation). Many have tried to reliably defeat Medeco, most with limited or little success. For that reason Medeco has thrived as a primary provider of high security locks.

For the vast majority of users this dual layer of security was and is more than sufficient. Then came the introduction of the m3, with another alleged layer of security: the slider.

I would be the first to acknowledge that for the average thief, whether casual or determined, Medeco provides a significant barrier against any covert form of attack that involves the compromise of the pin tumbler mechanism. But Medeco cylinders are not just employed in “average” installations requiring medium security. They are relied upon everywhere, often to protect incredibly high value targets where criminals, spies, and even insiders will expend a great deal of time, energy and money to defeat these systems. So they have to be secure. In fact, not just secure but very secure, and that is where we believe the problem begins.

I draw an analogy between Medeco (and other high security lock manufacturers) and the communication common carriers and their provision of broadband Internet services. Almost every carrier has fiber optic cable to transport data across the country or across the world. Where the system breaks down is in the last mile where copper wires rather than fiber feed individual locations. It is the last mile that I am most concerned with in high security locks; an equivalent to the last five to ten percent of protection that really matters against competent and determined criminals.

In a nutshell my problem is this: the highly respected Medeco m3 lock, the new star in the Medeco flagship, can be bypassed with a paper clip, followed by a specially designed key which can be used to open it by bumping or picking. For sure, not all of their cylinders can be opened in the manner described in these articles, but many can. And what is a tolerable percentage that can be bypassed? This is a very good question for Medeco. Unfortunately, as will be demonstrated in the fourth article in this series, the problems with Medeco security do not stop with bypassing the slider or sidebar. They are more basic and involve mechanical bypass, which can be far more sinister than manipulating the internal components with bump keys or picks. We believe it is a failure of imagination on the part of Medeco design engineers to perceive certain threats.

Conclusion

Most of the high security lock manufacturers offer cylinders that will provide more than ample protection and meet the security requirements for the vast majority of their customers. However, if you have what you perceive as high value or critical targets to protect, then you just might want to research this matter further. You should not rely solely upon the so-called high security standards promulgated by UL, BHMA and ANSI. The reality is that these organizations really do not test for certain forms of bypass. We believe that if they did, then many of their “certified” locks would lose such designation.

This article began by asking the question whether your Medeco locks are “secure enough?” In my view there is no question that they are one of the best available cylinders but of course that comes with many caveats. The perceived level of threat should determine whether Medeco or some other vendor produces the locks that will afford the needed protection. The alternative, of course, is to prohibit the possession of paper clips in any facility where the m3 is installed!

® Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.


MEDECO® m3 DETAILED ANALYSIS: Obtaining a Password

Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.

A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.

The password for this article will be posted on ClearStar later in the week or you can register on www.security.org for site clearance. When registering, please specifically request the password for this article.

You may also contact the author at mwtobias@security.org for access or further information.

Medeco® is a registered trademark of Medeco Security Locks, Inc.


Protected: DETAILED ANALYSIS: POTENTIAL SECURITY VULNERABILITIES OF THE MEDECO m3 AND ITS KEY CONTROL

This post is password protected.

A Personal Comment about the Gun Lock Story

Two years ago, we posted an alert about the poor quality and insecurity of gun locks. The media reported the story in an in-depth television news story. The result: absolutely nothing changed. The manufacturers continued to produce cheap locks that afforded no protection. Standards were not changed by the State of California which certifies cable and trigger locks as secure to protect kids. Retail outlets continued to sell junk locks. And more alarming, law enforcement agencies throughout the U.S. still offer poor quality gun locks to the public for free, believing that they are designed properly.

There have been many adverse comments to my posting of videos with the article on in.security.org and on engadget.com. Many think that a simple warning would have been sufficient without the videos. History has shown that this is not the case.

The reality is that if you simply warn parents that gun locks are dangerous because they create a false sense of security, the warnings will be largely ignored as they were two years ago. In fact in 2001 a security alert was published by the Consumer Product Safety Commission on this subject. Shortly thereafter, ABC did a television report on the dangers of these locks and how easily they could be compromised. Again, nothing happened. It was business as usual.

A few months ago our local sheriff showed me the gun locks that they distribute as part of the Operation ChildSafe program (funded by the Department of Justice). I decided it was time to revisit this issue. If a police department hands a gun owner a lock, then it impliedly represents that the lock is secure and will keep kids safe from guns. Our Sheriff had no idea that these locks could be so easily compromised. When he learned otherwise he took immediate action to warn every consumer that received these devices through his department.

So, for everyone that feels that our report should not have been published, I respectfully disagree. Simple warnings would accomplish nothing, as borne out by past events. This was reinforced by my conversations with the National Shooting Sports Foundation. They have distributed 35,000,000 of these cable locks and tell people they will protect kids from access to weapons. Worse, they actually believe that the standards that California passed seven years ago are sufficient to keep kids safe up to the age of seventeen. They cite the American Society of Testing and Materials as the ultimate authority on standards and the fact that these locks passed ASTM tests.

Their concern could be paraphrased thusly: “We have never had a problem with these locks so there is no problem.” I don’t question their motives, just their understanding of how these locks work.

Before I released the report I spoke with the California DOJ Firearms Division about their standards. They said that they believed that they were quite sufficient to keep kids from accessing weapons, repeating that the locks had been analyzed by designated testing laboratories and found compliant with the standards. It was the same story line.

In my view, the real issue is the standards and the manufacturers that produce cheap locks that do not even meet the minimal requirements promulgated by the DOJ. So, if this is an important issue (as I believe it is), then how do you get everyone’s attention so that something positive will occur?

Some say it is irresponsible to show how to compromise these locks. I considered very carefully whether to demonstrate the problems with these products or just write about them. I came to the conclusion that perhaps the only way to get the regulators to act was to show them what they apparently did not understand, and at the same time to graphically warn parents about the hazards of using these devices. Perhaps they might put pressure on the agencies to make needed changes.

And yes, there is a risk that kids will see this report. But I thought that would be far outweighed by the potential positive results that might occur. And frankly, it is clear that if a kid wants to access a weapon he will, regardless of whether there is a report showing him how to do it or not. The difficulty in compromising these locks is minimal and that is the entire point of the article.

The fact is that any adult that uses one of these locks as the sole protection of a handgun is grossly negligent. If they compound the problem by either locking a loaded weapon or keeping ammunition close by, then I would submit they could be held criminally liable if a kid uses the weapon.

So the conclusion I reached with regard to airing the videos was based upon the following premise: if the locks are as secure as represented by the DOJ, NSSF, and manufacturers, then why would they be concerned about showing how these locks can be compromised?

After all, they are all saying that the locks WILL protect a weapon against access by a kid (no matter how ludicrous that argument might be) and that the standards are sufficient.

My contention: Either these locks are secure or they are not. You can’t have it both ways. And if they are not, then laws should be changed so that the locks actually do what they are supposed to do.

Finally, the information that was presented has been on the Internet for quite some time as almost everyone knows. An incredible amount of material has been published about bumping, including padlocks. So kids already are aware of that method of bypass. The fact that bump keys are available on the Internet for the Master cable lock should alarm everyone. I and others have been raising this issue for the past year. In fact, I submitted draft legislation to the Postal Inspection Service six months ago to close the loopholes in the postal regulations to stop the trafficking in bump keys on the Internet.

And what about the ability to cut these cables? I would dare say that every reader would look at one of these locks and laugh at the absurdity of the ostensible protection that they afford. A pair of pliers or fourteen inch bolt cutters from Ace Hardware will sever any of these cables and everyone, including kids, knows it. Even Targus figured it out when I wrote the article last year about their much publicized armored computer lock that uses an almost identical approach as the gun cable lock.

So should we just keep quiet and continue to promote the failed concept of “security by obscurity”? I don’t think so, for the same reason that I am challenging the standards set forth by Underwriters Laboratories, BHMA, and ANSI with regard to high security locks and the ability to compromise some of them in well under the minimum time standards set forth for forced and covert entry in UL 437 and ANSI 156.30. I would submit that the risk could be far greater for reliance on some of these standards and for the defective or deficient design of some of these locks than for the compromise of gun locks.

I have never believed it was prudent to publicly demonstrate methods of covert bypass unless there was a valid reason to do so. That material is left to the multimedia edition of my book. I have never once shown such techniques in the media; only to law enforcement and security professionals. But when bypass techniques are so simple that anyone can accomplish them in a few seconds, I believe it is vastly different. In my view it enhances everyone’s security if they have a full understanding of the simplicity of the methods.

The issue raised in the gun lock story is about responsible disclosure with regard to matters of security. There has always been a legitimate debate as to whether disclosure promotes or places security at risk by publishing “secret” or more to the point, “unknown” information. The reality is that there are no more secrets. The Internet took care of all of that. And if I had simply posted a warning about the insecurity of these devices or there had been a news story written about a child that was hurt or killed as the result of his ability to bypass one of these locks, you can be sure that someone would have posted detailed information about the method of compromise. Welcome to the global information world.

There are two sides to every story and if this one has sparked thoughtful debate about the disclosure of security defects, then I would submit that the article has accomplished its purpose. Many parents have written to me after reading this article, not to complain but to voice concern about the locks they have relied upon and to ask what they should replace them with.

If you believe that material on gun locks should not have been released, then you will surely have an opinion regarding the next alert about the insecurity of small Fixed Base Operations at our airports, and the security issues it raises.

MWT


Gun Locks: Unsafe at any Caliber

A detailed report and videos that demonstrate design deficiencies in gun locks may be found at: http://download.security.org/gunlock_2007.pdf


The eleven-year-old demonstrated the removal of three of the most popular trigger locks from a rifle in just a few seconds. The eighteen-month-old examines the Project ChildSafe® cable lock for guns. We do not believe that either of these types of locks is secure as the primary method to protect weapons.

Gunlocks are designed to protect kids and keep them from gaining access to weapons. An extremely successful program was launched several years ago by the National Shooting Sports Foundation to promote gun safety and keep children away from guns. The U.S. Justice Department provided funding so that NSSF could administer a program to provide free gun locks to the public through law enforcement agencies around the country. A total of thirty-five million Project ChildSafe® locks have been produced.

We do not think these locks are secure enough, and they should not be used to provide the primary protection to immobilize a weapon. Poor quality locks rarely offer any protection, and this is a classic example. These devices are produced in China with cheap pin tumbler mechanisms that can be bumped open in seconds. The cables on some models are easily compromised.

The quality control in the case of at least one model, the GL710N (listed on the California DOJ website as having been produced by PCS) appears to be so poor that two out of three locks that we obtained from the Denver Police Department could be circumvented merely by twisting the cable. That’s right; simply hand twisting the cable caused it to pull loose from the lock housing! Could a kid have done that? Without question the answer is yes.

The real problem is the standards for these devices. NSSF rightfully responded to our concerns about security by stating that the locks meet California and ASTM requirements. In our view, the standards need to be updated so that they take into account real world attempts to open them, which just might involve the use of more than a paper clip or screwdriver! Kids can be clever, especially when it comes to guns.

The NSSF statement in their literature that the locks will not stop a “determined attack” does not really address the issue. Is their position really that anyone that wants to remove a lock from the gun will succeed, as opposed to the kid that half-heartedly pulls on the cable and gives up if it does not come apart? Of course, in the case of the GL710N models that we tested that may be good enough!

We take an in-depth look at gun locks and the standards that are supposed to make them safe.


HIGH TECH MODULAR STRONG ROOMS: When they are really after you or your valuables!


Marc Tobias interviews CitySafe’s CEO Karl Alizade at their facility in New Jersey in May, 2007 about their portable strong rooms and vaults and why they are sought after by the military, banks, diamond merchants, cash handling facilities, foreign diplomats, VIPs and even drug dealers.

http://video.security.org/forced_entry/citysafe_interview_2007.wmv

CitySafe is a small innocuous company located in New Jersey, about an hour south of Newark airport. Their CEO has thirty years of experience in designing, building and opening safes and vaults. Karl routinely consults with major insurance companies in the U.S., UK, and other venues with regard to protection and burglary prevention of high value assets, and the analysis of burglaries and the resultant failure of safes and vaults.

His company produces a modular strong room, built around individual concrete panels for which CitySafe holds several patents. These safes can be transported on pallets and easily constructed in the field in a matter of hours by two or three men. They can be much more economical than traditional construction techniques because of their cost and versatility and are the only type of strong room enclosure that can be installed within an existing structure such as an embassy, royal palace or private home.


The heart of the system is a special mixture of cement that is produced in Germany then refined in the United States. The compound will withstand pressures of up to 30,000 pounds per square inch. In layman’s terms, that is a lot! The concrete is set around an extremely strong rebar matrix, shown in the photographs below. If you need protection against rocket propelled grenades (RPG), small and large arms fire (like fifty caliber machine guns), explosives (including shaped charges), twenty-pound sledge hammers and gas-powered grinders, then this is definitely what you need for your government facility, power plant, business or private residence.


CitySafe produces custom-sized safes and strong rooms for a wide array of users including diamond mines, third world dictators (who are always worried about their safety and that of their family in a coup), military organizations, public utilities, large jewelry stores and precious stone processing facilities, banks, CEOs of large corporations, diplomats, embassies, cash handling facilities and residences of the wealthy, including drug dealers. Even they have families that they need to be concerned about in the event of a hostile attack or vendetta raid by the competition!


These photographs show methods of attack and the results. Note the matrix of rebar that fortifies the concrete liner.

The company has a large manufacturing facility and because the size of the enclosure is based upon the use of a standardized modular panel, they can produce strong rooms, personal safe rooms and vaults to any requirement with short delivery times. The company is also negotiating licensing arrangements in several foreign locations that will allow local military and security personnel to meet their needs on a more urgent and local basis.

Normally strong rooms are constructed of concrete which is the most secure against attack and does not degrade with age. The problem with this type of construction is that strong rooms and vaults must generally be created at the time of building construction and very expensive vault doors must be set, often with cranes. Obviously, once installed these strong rooms are not movable. In addition, at least thirty days is required for the concrete to set.

The alternative construction technique, which is less secure but also less expensive, is to employ several layers of wood, surrounded by relatively thin sheet-metal walls. Wood has been used as an insulator for both burglary and fire proofing for hundreds of years. From the security perspective it can lead to real problems. Over a period of twenty years all of the moisture can disappear and the wood will virtually disintegrate, leaving no real protection whatsoever. Some of New York’s Fifth Avenue jewelry stores might want to pay attention to this issue, as Karl Alizade and other experts can attest after evaluating successful burglaries. Many are at risk and do not know it.


The photograph shows wood material that was virtually worthless in a UL listed strong room that was the subject of a burglary of a jewelry store in New York. Karl analyzed the crime scene and was utilized as an expert witness. UL rated this material and certified that it would resist penetration of a ninety-six square inch hole for thirty minutes. According to Karl, it took the New York City Fire Department about four minutes to cut a large hole through the material, as shown in the video.

The CitySafe platform has been tested against a number of threats, including small arms fire, thirty rounds from a Russian Kalashnikov 4.45mm automatic rifle AK74, Kalashnikov SVD super rifle 7.62 APmm, GP25 grenade launcher, 40mm (Russian military), Laws type anti-tank weapon (Russian military), Rocket propelled grenade RPG7, and a variety of explosives and super-attack tools like gas-powered grinders, long crowbars, and twenty-pound sledge hammers.

Conclusion

If you need a strong room, vault, or personal safe room for your family or staff that is impervious to most forms of attack and can be transported to meet individual requirements, then you might want to look at this unique system. The firepower that this concrete will stop is unreal.

During the final firefight, Al Pacino screamed at his attackers in the 1983 movie Scarface “come and get me.” If he had been in a CitySafe enclosure I imagine the movie would have turned out quite differently. But then, we would not have been able to enjoy the farewell plunge of his bullet-riddled body into his swimming pool.

See also

http://video.security.org/forced_entry/citysafe_dvd.wmv
This video describes how the safes are constructed.

http://video.security.org/forced_entry/citysafe_russia.wmv
This video was shot in Russia and documents the tests that were conducted by the Russian army.

Detailed information about the CitySafe technology can be found in LSS+. You may also contact me if you have questions regarding the security of these enclosures.
