The SimpliSafe alarm package is a totally wireless system that can detect and transmit an intrusion, fire, or environmental alarm to a 24 hour monitoring center, via cellular connection. For many homeowners and renters, the system is all that is necessary to provide cost-effective detection and competes with the more expensive and traditional alarm reporting companies, such as ADT.
These are DIY systems and can be easily installed by consumers. However, in our view, they are not secure, and whether they are adequate depends upon the threats a homeowner is likely to face. That means that if burglars are at all knowledgeable as to methods of system attacks, the hardware can be defeated and entry into a residence accomplished without tripping the alarm. Before buying such systems, homeowners should assess the potential for knowledgeable thieves to bypass their systems.
A communications gateway receives signals from all of the wireless trips within the system and then processes that information through the wireless keypad. If an alarm is detected, that will be instantly transmitted to the 24/7 monitoring center via a cellular broadband connection, using Verizon as a carrier. Phone lines can be used as a backup but are not necessary for the system to function.
The gateway also announces alarm status when placed in test mode, so the homeowner can verify that all trips are working properly. The system can be programmed, via the web interface, to send email or text messages for alarms and unusual occurrences, such as radio interference which could be affecting the proper operation of the system.
The gateway is battery backed up and will run for at least 24 hours in the event of a power failure.
The SimpliSafe system can be armed and disarmed with the provided key fob, which can also transmit a panic alarm.
The SimpliSafe system is supplied with a variety of different alarm sensors. Shown is the entry level kit that was used for testing of the system for this report. It includes a wireless keypad, a motion sensor, a magnetic door trip, and a key fob combination on/off control and panic button. More expensive SimpliSafe systems contain smoke detectors, carbon monoxide detectors and other alarm sensors.
One or more motion sensors are supplied with all systems from SimpliSafe. Shown in the photographs is a standard sensor, and one that has been covered with a white mailing label. The effect of this action is to block any recognition of motion, thereby defeating the sensor completely. This means, for example, that a visitor to the home or business could unobtrusively place a piece of paper over the detector to defeat it later when the alarm is set.
The reason that the action of the sensor can be blocked results from the failure to incorporate anti-masking software or hardware so that the system can determine whether the infrared element within the motion sensor is obstructed. In the more sophisticated alarm systems, blocking of the sensor should not be possible. In our tests, we defeated the sensor with paper, and also by pointing it at a solid object such as a wall, in the case where, for example, the detector was simply placed on a shelf, rather than hard-mounted.
This fact was never detected by the system.
Magnetic trips are based upon simple reed switch technology, are not secure, and can be easily defeated by magnets, as shown in the video.
Kids and burglars have figured out how to circumvent the system by placing a small magnet next to the trip, which blocks the detection of the absence or the removal of the normal magnetic field that occurs when the door is opened.
Parents in Florida have found that after setting the alarm at night, their kids figured out the way to defeat the system and sneak out at night without setting off the alarm. Likewise, burglars can place very small magnets next to the door trip during business hours within a commercial facility, and then enter after hours. If no other detectors are in place for the protected area, then the door trips will not trigger an alarm.
The magnet that we used in the demonstration cost about $.25 at Home Depot. We placed it against the SimpliSafe trip with a piece of Scotch tape.
These photographs show the critical element in all non-high security magnetic trips: a reed switch. This is a sealed glass envelope that contains two metal leaves, spaced closely apart. They are normally biased by a magnetic field which causes them to touch each other and complete an electrical circuit. If the field is interrupted, the two leaves will separate and break the circuit, thereby triggering an alarm. We do not recommend the conventional reed switch magnetic trip for any significant security application because of the ease with which they can be defeated.
SECURITY VULNERABILITIES WITH WIRELESS SYSTEMS
Wireless systems like SimpliSafe and LaserShield can be easily defeated with an inexpensive transmitter, programmed to the operating frequency of the alarm system. If the transmitter is keyed, the receiver in the gateway unit will be blinded and will not detect any signal that is transmitted by the trips within the system.
In our tests of LaserShield and SimpliSafe, we were able to completely defeat these systems by keying a transmitter during our entry into the protected premises. In the case of SimpliSafe, the system detected the transmission after a predetermined period of time, which was easy for us to determine and defeat.
If the transmitter was keyed continually past this timing window that was set by SimpliSafe, a text message would be sent to the homeowner, advising of the detection of RF interference, and when such interference stopped. However, we could totally defeat this timing window and move through the protected premises without tripping any alarm, and without the system ever knowing we were there. This is a fatal flaw within these types of systems, as shown in the accompanying video.
The security problem results from several factors, including a lack of “supervision” of the wireless trips. Normally, the trips communicate an alarm condition by a one-way transmission to the gateway. Presently, there is no method for the gateway to constantly interrogate all of the trips in the system to determine their operational status. When a radio signal is detected by the gateway, it will not see the transmissions from the individual trips, and thus, no alarm will be detected.
Compounding the problem: the operating frequencies of all of these wireless systems can be easily found on the FCC database on the Internet. It should be noted that even the latest home automation devices, also linked by wireless, can be defeated in similar fashion, or with radio jammers, which are illegal but are sold commercially.
In our view, all security systems should have hard-wired perimeter door trips which cannot be defeated by the transmission of radio frequency (RF) energy. Otherwise, these systems are vulnerable to attack. Unfortunately, even the largest alarm providers are using wireless because of the ease of installation. SimpliSafe has no way to integrate any hardwired trips, nor to connect to already installed alarm systems.
Unless the trips are two way and supervised, this is a prescription for insecurity. We tried contacting ADT repeatedly to discuss this matter, but they refused to return any calls.
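The difference between one-way trips and two-way supervised trips, as described above, can be shown with a small simulation. This is an added example, not code from SimpliSafe, LaserShield or the original report; the poll interval, missed-poll limit, sensor names and event names are assumptions, and the radio link is reduced to "the gateway can hear" or "the gateway cannot hear".

```python
from dataclasses import dataclass, field


@dataclass
class Sensor:
    """A door or motion trip. `latched` stays set until the gateway acknowledges it."""
    sensor_id: str
    latched: bool = False


@dataclass
class Gateway:
    sensor_ids: list
    missed_limit: int = 2                      # unanswered polls tolerated (assumed value)
    missed: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.missed = {s: 0 for s in self.sensor_ids}

    def receive(self, t, sensor_id, tripped):
        """A message arrived: reset the supervision counter and return an ACK."""
        self.missed[sensor_id] = 0
        if tripped:
            self.events.append((t, "ALARM", sensor_id))
        return True

    def no_reply(self, t, sensor_id):
        """A poll went unanswered: report once when the limit is reached."""
        self.missed[sensor_id] += 1
        if self.missed[sensor_id] == self.missed_limit:
            self.events.append((t, "SUPERVISION_FAILURE", sensor_id))


def simulate(supervised, trips, blocked, duration=60, poll_every=5):
    """Run an armed system for `duration` seconds and return the gateway's events.

    trips:   {second: sensor_id} moments at which a sensor is triggered
    blocked: [(start, end)] intervals in which the gateway receiver hears nothing
    """
    sensors = {sid: Sensor(sid) for sid in ("door", "motion")}  # constructed names
    gw = Gateway(list(sensors))

    def channel_ok(t):
        return not any(start <= t < end for start, end in blocked)

    for t in range(duration):
        sid = trips.get(t)
        if sid:
            s = sensors[sid]
            s.latched = True
            if channel_ok(t) and gw.receive(t, sid, True):
                s.latched = False              # delivered and acknowledged
            elif not supervised:
                s.latched = False              # one-way: sent once, loss is never noticed
        if supervised and t % poll_every == 0:
            for s in sensors.values():         # gateway interrogates every trip
                if channel_ok(t):
                    if gw.receive(t, s.sensor_id, s.latched):
                        s.latched = False
                else:
                    gw.no_reply(t, s.sensor_id)
    return gw.events


if __name__ == "__main__":
    window = [(8, 27)]                         # constructed interference interval
    print("one-way:   ", simulate(False, {12: "door"}, window))
    print("supervised:", simulate(True, {12: "door"}, window))
```

In the one-way run the door event is lost without a trace; in the supervised run the gateway reports the silent sensors while it cannot hear them and still receives the latched door alarm once the link returns.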
When selecting an alarm system, it all comes down to what the consumer needs and expects with regard to an acceptable level of security. The SimpliSafe system is a good value to provide minimal protection for premises where wiring is impossible, and the homeowner wants some protection with minimal cost, without the necessity of contracts with an alarm company, and without the need for connection to a telephone line. SimpliSafe offers a viable solution, with several very clever enhancements, especially using their web interface. But all users must be aware of the potential security vulnerabilities that are inherent with such systems.
“Simply Safe” does not necessarily mean a high level of security. Clearly, the system is very simple and straightforward to install and operate. Each consumer must make a determination as to whether the methods of attack that we have demonstrated would be of concern. If they are not, then for many consumers, the system should provide adequate protection. The problem is that thieves may target premises protected with these kinds of wireless systems, especially when a homeowner advertises the use of an alarm by placing stickers on windows or doors or even in front of the residence, as shown in the photograph.
SimpliSafe alarm system normal setup
DefCon is the largest hacking/security conference of its kind in the world. For the past six years, our research team has demonstrated vulnerabilities in both high security and conventional locks. This year our team (Marc Tobias, Tobias Bluzmanis, Matt Fiddler) selected five different locking mechanisms that are popular in the consumer sector. We chose a broad cross-section: conventional programmable mechanical lock, electronic “safe”, biometric fingerprint lock, RFID-based deadbolt, and a very sophisticated electro-mechanical lock that requires no batteries in either the lock or key. Three of these locks are imports: two from China, and one from Finland. Notably, the locks from China (BioLock and Amsec), are both sold in the United States, and are prime examples of insecurity engineering at its best. They denote a total lack of competence in design, often typical of the cheap products that are being imported from China. More about this later, but suffice it to say, these are prime examples to support the premise: there are no shortcuts to quality and security.
Three of the five companies refused to comment or return phone calls to Wired. Kwikset and Iloq did make statements, both of which, in my view, were inaccurate or misleading, or demonstrated a basic misunderstanding of their products with regard to security. On previous occasions I had attempted to speak with General Counsel for Kwikset and their VP of Engineering in order to disclose security vulnerabilities. They likewise refused to return phone calls.
None of these locks can be considered as high security, but Kwikset, which sells millions of cylinders a year in the U.S., and has incredible market presence, has a grade 1 security rating for its model 980/985 deadbolt, which we selected to analyze. I have attacked Kwikset for several years because of their poor quality and security. In fact, in 2006, the company flew me out to their corporate facility in California for a pre-release briefing of their Smartkey, after eleven-year-old JennaLynn bumped open their locks at DefCon. The irony was that senior engineering and management at Kwikset told me that they were not even aware of bumping, except for what they had seen on the Internet! The Smartkey was not designed to be bump-resistant.
At that meeting, I voiced my opinion that the company was selling junk locks. Their reply was “yes, we know, but we make 20-25 million of them a year.” In my view, nothing much has changed in the past four years, other than their locks are mechanically reprogrammable. Clever, yes. Convenient, yes. Secure and maintenance-free, no.
FALSE SENSE OF SECURITY
Each of the five companies represents their products as secure. This creates a false sense of security in the buying public. In the case of Kwikset, in my view they are perhaps the worst offender because of their market penetration. But the problem and responsibility is shared equally with the standards organization that rates their locks, and specifically with BHMA. I have had many discussions with regard to this issue during the past three years with their executive director in an attempt to modify the standards so they actually mean something. I think we are making progress, but because of the inherent way in which standards are adopted, it is a slow process.
The standards do not adequately address simple methods of bypass. The result is that locks are sold that the consumer relies upon as being secure; and yet they are not. Many of the bypass techniques that we utilize are not even included within the standard. Some companies hide behind the standards, stating that their locks “meet or exceed” them, knowing those same locks can be bypassed by methods not enumerated in the standards they are citing. I would submit that whether a lock is certified under an applicable standard or not has nothing to do with its real security if it can be bypassed in seconds. In such a case, any such statements are illusory and mean nothing with regard to protection of the end-user.
WHAT NEEDS TO BE DONE
There is no substitute for competent security engineering. Unfortunately, some locks are expensive and not secure, but generally, you get what you pay for. I think the critical issue for the consumer to understand is that cheap locks are inherently not secure. In 2006 Kwikset told me their smartkey cylinder would cost them about two dollars to produce. In my view, they are of poor quality, and just about every locksmith in the country knows it. Clever options like being programmable are extremely convenient for the consumer, but unless executed properly, can reduce the overall security of the lock.
Granted, some consumers cannot afford better locks, (or those that carry a high security rating), but at least they should know what they are buying and not be misled by untrue or misleading claims of manufacturers. Kwikset has been aware of the vulnerabilities in their locks, and specifically that they can be opened in seconds with a specially modified key and the application of sufficient torque. They have made changes to prevent this bypass technique, but the locks can still be opened, and they know it. Yet, their employees continue to mislead the public into believing that their deadbolts can only be opened by drilling, breaking the door down, or breaking the door frame. This is simply not true. They continue to focus on their Grade 1 rating. Yes, they are certified, but we do not think they will pass in a re-certification test.
We are filing a challenge with BHMA to ask for a retest, because in my view, the Smartkey deadbolt will not pass, based upon two sections of the BHMA/ANSI 156.5 standard: Sections 12.1 and 12.5.2.
Section 12.1 requires that the cylinder be of the pin tumbler design. The Smartkey is not; it uses tiny sliders, as shown in the photograph below. While they may control a sidebar for locking, which generally is more secure, the sliders themselves are not, and never will be as strong as pin tumblers. The BHMA standard excepts locks that are more secure than pin tumbler designs. In my view, the Smartkey is not, and Kwikset knows it. And they cannot use the fact that they are bump-proof, either, because bumping is not in the standard. Yes, they are pick resistant, but we have picked them as well.
The point is that the locks are not physically secure and can be easily compromised. BHMA should not be certifying a deadbolt Grade 1 cylinder that can be opened in thirty seconds. Further, Kwikset should be forced to place a warning on their packaging denoting this fact to the buyer. If they did, I am quite certain that few persons would choose them for protection.
Section 12.5.2 requires that the plug can withstand a minimum of 300 foot-pounds of torque without turning, or that it cannot be turned by manipulation. We do not believe that the Kwikset Smartkey 980/985 deadbolt can meet this requirement either. To open the lock, we are inserting a portion of a key, cut to specific depths, and applying torque. This procedure, we believe, meets the definition of “manipulation” in the standard.
RE-WRITE THE STANDARDS AND MAKE THEM REFLECT “REAL-WORLD” ATTACKS
Include real-world testing procedures that are not presently incorporated within the standards. This will ensure that what the manufacturer represents as secure actually is.
START TELLING THE TRUTH TO CONSUMERS AND WARN THEM OF KNOWN VULNERABILITIES
I am quite certain that if Kwikset and all of the other manufacturers that were shown at DefCon 18 were to place warnings on their packaging that their locks could be compromised in seconds, nobody would buy them. After watching the videos, would YOU buy any of these locks? Not likely. And that is precisely the point. If a manufacturer is going to produce inferior quality locks, then warn the public, so that they have the information to make an informed decision as to security.
HIRE ENGINEERS THAT UNDERSTAND SECURITY ENGINEERING, NOT JUST MECHANICAL ENGINEERING
In my experience, many manufacturers have no idea how to open their own locks. While their engineers are quite competent to make things work properly, they have little understanding of bypass techniques. And this is precisely the problem. It is a simple principle: you cannot properly design a lock if you do not have a thorough understanding of the methods to break it.
STOP PLACING PROFIT AHEAD OF SECURITY
For a manufacturer, security can be very expensive. Materials, high tolerance, production controls, and competent engineering all come at a price. If a company is to represent their products as secure, then the company has a duty to make sure they in fact are. Many place profit well ahead of security, leaving consumers at potential risk.
VENDORS SHOULD SEND A MESSAGE TO LOCK MANUFACTURERS THAT THEY WILL NOT BUY (OR SELL) PRODUCTS WITH SHODDY QUALITY OR POOR ENGINEERING
Brickhouse Security is the leading vendor of surveillance and security-related hardware to law enforcement and corporate facilities in the U.S. When we notified them of the problems with the BioLock, they took action, as noted in their press release. Notwithstanding that the manufacturer, BioLock refused to accept any responsibility whatsoever for their defective product, Brickhouse has set the standard for vendors in the security hardware sector. Hopefully, others will follow. It is only when the manufacturers get a clear message from vendors that they will not sell their junk, that they will be forced to engineer their products properly and take responsibility for what they make.
LOCKS, LIES, AND VIDEOTAPE
Photographs and comments below.
KWIKSET SMARTKEY DEADBOLT OPENED WITH A SCREWDRIVER
Kwikset represents that the Smartkey Model 980 Grade 1 deadbolt is the highest grade of residential security available. This is not, in my view, an accurate statement at all, except perhaps for Kwikset products. It is, in my opinion, misleading, and Kwikset knows it. Such statements are being made by their customer service representatives and in their advertising. If in fact this is the best the consumer can buy, and can be opened in thirty seconds or less, then what does a Grade 2 or Grade 3 rating denote in Kwikset’s world? Ten seconds to open? Perhaps both Kwikset and BHMA would like to answer that question!
In my view, the critical security vulnerability in the Kwikset Smartkey is the sliders that control the sidebar. They will never be as secure as brass or nickel-silver pin tumblers, even though they tout sidebar security. They can be easily warped, which in my view is the fatal defect in this lock. The macro photograph shows a normal slider (left) and one that has been warped by the application of torque from a 3.5″ screwdriver blade inserted into the keyway and turned with a small vice grip.
OPENING THE KWIKSET SMARTKEY
Kwikset has been aware, for quite some time, that Major Manufacturing has been producing a locksmith tool to open their locks by applying torque with a key blade cut to specific depths. Kwikset has made changes in an attempt to fix this problem, but not very successfully. Yet their representatives continue to state that the only way to open the lock is to drill it. In our tests, we chose to utilize a cut blank key, a screwdriver, and a small vice grip to demonstrate the insecurity of this lock. In their statement to Wired, it would appear that the Kwikset spokesman tried to give the impression they were not aware of this problem. Maybe the spokesman was not, but the engineering division of Kwikset has known about the issue for quite some time.
BIOLOCK is a company based in China, with an office in Los Angeles. They produce a line of biometric locks, including the Model 333, which we tested, and which Brickhouse Security carried until last week.
This very professional-looking fingerprint lock has a bypass cylinder, which is the fatal flaw in its security. As shown in the video and photograph, the locking system can be bypassed within seconds with a piece of wire or paperclip. The design of this lock is completely incompetent and denotes a total disregard for, and lack of understanding of, security issues in lock design.
AMSEC CONSUMER-LEVEL ELECTRONIC SAFE, MODEL ES1014
AMSEC is a quality safe manufacturer in California, who would, in my opinion, never knowingly market a product with the design defect we demonstrated. Their customer service representatives told me that this safe was a Chinese import and that AMSEC did not test it. That is unfortunate for the consumer who has purchased these. And, just to be clear, we think that to represent this as a “safe” is misleading to the consumer. It is not a safe; it is a container with a lock.
A flat piece of metal from a hanging file folder is bent and inserted through the top of the door. It is used to make contact with the reset switch to allow the combination to be reset. This is an incredibly inept design.
KABA IN-SYNC LOCK
The Kaba In-Sync is a RFID-based cylinder that is popular for use on military bases, apartment houses, churches and other commercial facilities. Incredibly, the design engineers that are responsible for the security of this device did not understand that a wire could be inserted next to the USB communications port to access the locking pin that provides the security for this lock. We had contacted the lead engineer for Saflok almost a year ago, and then last month to discuss this issue. No response.
ILOQ ELECTROMECHANICAL LOCK
The Iloq is an award-winning electromechanical lock that does not use any batteries, but rather generates the needed current through the use of a motor to perform two functions: power generation, and turning a gear to control the primary locking element. These locks are extremely popular in Finland and other Scandinavian countries.
As we note in the video, there are four operating stages for the Iloq. The critical failure of this lock is the ability to circumvent the mechanical re-locking feature. Once this is accomplished, the electronic credentials are neutralized and the Iloq becomes a one-pin conventional lock, which in my view is less secure than the Egyptian pin tumbler lock of 4000 years ago. A senior representative of the company told me that Iloq had made certain changes to prevent our methods of bypass, and that those locks will be available within a couple of months. This is an extremely responsible company who clearly should have understood the ramifications of their design failure, from the security perspective.
ILOQ KEY TIP MODIFICATION
There are two ways to circumvent the security of this lock: one through an internal attack, and one by externally modifying the actuating lever just inside the keyway. The photographs show the very minimal material removal from the key tip to set this lock so that it can be opened by any other key or even a screwdriver.
MODIFICATION OF THE ACTUATING LEVER AT THE FRONT OF THE KEYWAY
The actuating lever can also be modified by removing an equivalent amount of material, about 1/32″. When this occurs, the lock is set and can be opened by any key, simulated key, or screwdriver. Note the small amount of lever material (circled in red) that has been removed. This can be accomplished rapidly and will result in the lock being permanently set, requiring only a mechanical key to open.
LASERSHIELD BURGLAR AND PANIC ALARM SYSTEM: When locks may not be enough to protect you.
If your house is only protected by mechanical locks, even high security locks such as Medeco, Mul-T-Lock, Assa or other UL certified cylinders, and they are your only security against burglars, then you may want to add another layer of security with an alarm system. We analyzed the newest product that can be installed by virtually any consumer and which will provide additional security to those locks that you thought were all you needed.
The LaserShield “plug and go” alarm system is the first practical consumer-level burglar and panic alarm that can be installed in five minutes and requires no technical skill. It is sophisticated and state-of-the-art in its electronic design but is it secure? In our detailed report, we examine the positive and negative aspects of this system and whether it is suitable for use by the consumer to protect them. If you are thinking about purchasing a LaserShield or any other alarm system that utilizes wireless trips you may want to read the accompanying report and watch the video demonstration of just how easy it is to bypass most wireless sensors. If you are only concerned about “casual burglars” and opportunistic break-ins, then LaserShield will definitely do the job. If you are worried about being the target of determined thieves, then you definitely need to learn about certain security vulnerabilities.
The Master Alarm Unit is at the heart of the LaserShield system. It contains the wireless receiver, processor and communications electronics that allow you to set up the system quickly and easily. But has security been compromised for convenience? It depends on your individual risk that burglars will target your home, or just decide to break in because of random selection.
Marc Weber Tobias demonstrates the bypass of a wireless alarm system with a simple and very effective technique. This problem is not limited to LaserShield but can be employed with many wireless alarm devices.
Medeco is scrambling to fix their deadbolt security problem worldwide. Last week, they were reportedly set to begin manufacture of the modification of their high security cylinders to protect them against a simple method of attack that was disclosed by Marc Weber Tobias and his research team two weeks ago. Medeco was warned for the past two months there was a significant design issue with these cylinders but made no attempt to contact Marc to determine the precise nature of the problem. Now, they have a real problem because many of their customers that have installed single-sided deadbolts may be at risk, especially those that are utilizing the newer m3 technology. We have found that the vulnerability may extend to certain Biaxial® models also.
If you employ these deadbolts we would urge you to contact your locksmith, security consultant or Medeco to determine the proper course of action. A detailed report of the vulnerability is available to security professionals. You may contact the author for details at email@example.com.
DETAILED ANALYSIS: THE MEDECO m3 MEETS THE PERILOUS PAPER CLIP
You will need a password to access the detailed report. Please register at www.security.org. The password has also been posted on ClearStar.
View the video: Security vulnerabilities of the m3
This is the first of a four-part series with regard to Medeco® security. Part II will detail the methodology we developed to bump these cylinders. Part III will examine the procedure that is employed to pick these locks. Part IV will detail what we perceive as design deficiencies that allow certain of the Medeco® deadbolts to be easily bypassed. All of the information is based upon material in the High Security Supplement to the latest edition of LSS+.
The reader should review the cautionary notes regarding statements made within this report. See Legal Issues.
A piece of wire or a specially-formed paper clip can be utilized to bypass the slider mechanism in the m3. In combination with other techniques, this can result in a total bypass of the key control for a facility with regard to the acquisition of restricted blanks and the replication or simulation of keys.
The Medeco® m3 cylinder was developed primarily to extend the Biaxial® patent (which expired in 2005) so that the company could continue to dominate the U.S. high security lock market and protect its unique rotating tumbler technology. The m3 is UL 437 and ANSI 156.30 certified, which Medeco® represents as a guarantee that its security can be relied upon for the most sensitive of installations such as the Pentagon and the White House. Based upon our research during the past year, there may be some security vulnerabilities relating to key control and the ability to reliably bump and pick some of these locks.
There are approximately 26 different combinations of steps and keys within the m3 system. This allows for enhanced key control but is the system secure from the standpoint of preventing the ability to replicate or simulate keys, especially for restricted keyways? We do not think so.
In an excerpt from the High Security Supplement of the latest edition of LSS+ we examine the m3 in terms of potential key control issues and the possible susceptibility of this lock to other forms of covert bypass. A comprehensive examination of the subject is contained in the third edition of LSS+ (the multimedia edition of Locks, Safes and Security) by the author.
® Medeco is a registered trademark of Medeco Locks.
Medeco is the predominant high security lock manufacturer in the United States and has been trusted for more than thirty-five years to provide cylinder and hardware security for the private, commercial and government sectors. Their sidebar technology was unique when first introduced and has presented a continuing obstacle to both covert and forced methods of entry. As detailed in the Government version of LSS+ some very sophisticated decoders have been developed for law enforcement and intelligence agencies to bypass the original two layers of security within the Medeco design. As described in the first article of a four part series, Medeco introduced the m3 cylinder which incorporated a third level of security through the implementation of a slider. Their latest product is a modified m3 called the Bilevel. This is a lock that does not utilize the traditional Medeco sidebar design and is a cheapened version that is no more secure than a conventional pin tumbler cylinder and in fact may allow systems that integrate the Bilevel to be more vulnerable because of the limited number of sidebar codes that are available.
When the threat from bumping was made public in the United States last July and August, consumers, risk managers, security experts and locksmiths from both the private and public sectors began to question the real security of the locks that they depend upon to protect people, facilities, and assets. It was more than unsettling to think that perhaps there was little protection against a procedure that a kid could learn and rapidly execute to open a high percentage of pin tumbler locks. At the same time, everyone was led to believe that the threat from bumping did not extend to high security locks.
Beginning last August, high security lock manufacturers were quick to announce the heightened security of their cylinders against bumping. This included Medeco, Mul-T-Lock and Assa: they all produce locks with UL437 or similar high security ratings.
Some announced that their locks were “bump proof” or “virtually bump proof” and that the consumer should have no fear that their security was in jeopardy. In all fairness, many of these manufacturers did not fully understand the threat or techniques that could be applied to bypass their internal security. Some still do not believe that such attacks are possible and continue to publicly decry any who make statements about bumping or picking of their cylinders, stating that any demonstration of bypass was a trick or “smoke and mirrors.”
The accompanying article specifically deals with the Medeco m3 and why we do not believe it provides any significant measure of key control security against a determined attack. In subsequent articles we will describe in detail how we determined that the Medeco and other high security locks could be bumped, picked open, or mechanically bypassed within minutes, if not seconds, thus rendering the ten minute minimum specification for UL 437 or fifteen minute standard for ANSI 156.30 as essentially meaningless. We thought it would be prudent to briefly analyze just what security the Medeco technology does provide against both casual and determined attacks and to hopefully dispel any confusion that may result from these articles as to whether the security provided by these locks is sufficient to protect you.
LOCKS AND THE CONCEPT OF SECURITY
“Security” is a generic term that can mean many things. In the world of locks, its definition has to be qualified by asking several core questions. Specifically, what are you trying to protect, and where? What is the value of the target for which these locks are providing security? Against what threat or whom are these locks designed to stop or delay entry? How sophisticated or determined is the attacker likely to be? Finally, does the lock provide the only barrier or is it one control in a “defense in depth” strategy, meaning that there are other measures of security such as alarms, video, guards, perimeter barriers, or other systems to back up the locks?
Many are surely asking whether their Medeco locks are secure enough, especially after Medeco has repeatedly issued press releases, advertising statements and even a DVD categorically stating that their locks were “bump proof” and lately “virtually bump proof.” Recently we asked a senior representative of Medeco just exactly what “virtually bump proof” meant. We thought it was a fair question, especially since the term “virtually bump proof” in my view is like “virtual reality.” It means nothing but is a phrase that my fellow lawyers have devised to shield a manufacturer from potential liability for material misrepresentation. Saying that something is “virtually secure” is a qualification based upon no measurable standard so it is an illusion. And the answer that we were given by Medeco: “Virtually bump proof means that you have about as much chance of opening our locks as you do of winning the lottery!” Well, if that is the case, I will place my bet on collecting from Medeco because my odds are a great deal better in opening their locks than in winning a lottery.
So, you have spent perhaps three or four times the money to install Medeco cylinders than you would have for conventional non-high security rated mechanisms, believing that the cost difference was worth it. But exactly what security is provided for all that extra money? We will try to answer that question by briefly analyzing what your Medeco cylinders offer in the way of protection.
MEDECO SECURITY: What is it?
So why is Medeco perceived and touted as one of the most secure locks on the planet? Why are they relied upon by the U.S. government for installations such as the White House and Pentagon? The answer is simple: Medeco makes quality products of the highest order. This does not mean they necessarily outperform other high security lock manufacturers or that their sidebar approach is any better or more secure than others who have different design philosophies.
At the end of the day each manufacturer’s design has its strengths and weaknesses but all lock security can be reduced to three issues: forced entry protection, covert and surreptitious attacks, and key control. In fact, these are precisely the criteria and requirements that are addressed in the ANSI 156.30 high security standard.
Medeco locks are secure in part based upon the following features and issues:
• High quality components
• High tolerance mechanisms
• Excellent engineering and design
• Five or six pin tumblers
• Integrated pins that incorporate elevation and rotation
• Sidebar technology
• Slider technology and key control
• Legal protection of keys
• Special cutters are required to duplicate keys
• The ability to utilize multiple sidebar codes within one master key system to separate and protect secure areas
• Difficult to pick
• Impossible to bump without the correct or operable sidebar code
• Availability of the ARX pin for added pick and decoding resistance
• Forced entry protection
• More difficult to progress keys when extrapolating the top level master key
We believe that Medeco locks are secure for most venues but also have certain vulnerabilities that must be addressed in certain locations. Those vulnerabilities may allow certain Medeco cylinders to be rapidly bypassed by bumping and picking and circumvention of key control.
Let’s take forced entry first. Medeco, as with most other high security lock manufacturers, implements hardened inserts and components to resist most forms of drilling of the plug, shear line, or sidebar. These are the three vital areas that are most vulnerable. Almost everyone utilizes special steel pins, bearings and other blocking technologies to resist such attacks, at least for a minimum of five minutes. Some of these locks are incredibly tough, although the type of attack and amount of force must always be considered. In Part I of this series, force is not seen as the real threat: covert attacks and compromise of key control are.
Key control relates to the protection of keys from duplication, replication, and simulation. It also deals with system expansion, the number of secure key changes, ability to set up large master key systems, and an alternative to the use of sectional keyways.
The Medeco m3 specifically touts its key control as secure, flexible and effective. In fact, the m3 was designed primarily for enhanced key control as a way of extending the Biaxial patent that expired in 2005. In doing so, Medeco also claimed that the security of the cylinder was enhanced with the addition of the internal slider. So exactly what do the m3 and its slider accomplish?
There is no doubt that key control is enhanced to the extent that legal protection applies for the next twenty years, thereby preventing others from commercially manufacturing, selling or distributing blanks for the m3 that contain the patented protrusion on the side of the key. That’s it! There is no more protection against cutting keys with angled cuts, nor for replicating keys for the original or Biaxial locks. No, you cannot go to the local hardware store or Home Depot and obtain m3 blanks or have keys copied. If you have a system with a commercial keyway then your local locksmith may be able to legally replicate your keys. If the keyways are restricted or proprietary, then you are out of luck, but criminals may not be.
The m3 is subject to bypass of its key control features because the slider can be easily defeated with a piece of wire or a paper clip. In addition, restricted blanks can be synthesized or replicated, thereby potentially bypassing all of the key control you thought you had obtained when purchasing the Medeco brand. Is such bypass relevant? Again, it depends if you have a high value target to protect.
If you are a residential customer or own a small business, the likelihood that your locks will be compromised in this manner is pretty remote. Certainly it is not impossible but the chances are slim. What you need to understand is that the third layer of security that is provided by the slider is essentially non-existent given its ease of bypass. And that bypass can make the lock much more insecure to secondary and more advanced forms of attack such as bumping and picking. If you choose to implement Bilevel into an m3 system there is even less security but the locks are also less expensive.
Covert and Surreptitious Methods of Entry
In my view the real threat is from covert methods of entry. Notwithstanding their statements to the contrary, certain Medeco locks can indeed be bumped and picked, some with little difficulty. Did Medeco know this last year when they began their public information campaign of invulnerability to bumping? In fairness, probably they did not. In fact, they went so far as to have their locks tested against bumping attacks by a testing lab in Europe. They were pronounced secure according to Medeco.
Should Medeco have conducted more tests to make certain that their locks were immune to bumping? Probably, because they represent that they are experts in high security locks and that their customers can rely upon their expertise and statements. When Medeco categorically states that their locks are “bump proof” then they are surely believed because of their reputation, customer base, ethics, and expertise during the course of the past third of a century. All in the industry know that Medeco is a prime supplier to the U.S. and some foreign governments and that they did not earn their reputation or win those contracts without being one of the best at what they do. Everyone takes Medeco at their word about security.
So just what protection against covert attack does Medeco provide? In the m3, there are three levels of security, all of which are interrelated. The compromise of one level of protection will not result in the lock being opened. All three separate and parallel systems must be defeated before the lock can successfully be neutralized.
The primary security for a Medeco cylinder has always been its unique sidebar design which is controlled by rotating pin tumblers. This invention can be likened to the modification of the Egyptian pin tumbler lock by Linus Yale. The concept of the rotating pin was revolutionary and had never been done before, which is why Medeco received several ground-breaking patents almost forty years ago.
The requirement that pins be both elevated and rotated in order to align two different locking systems (shear line and sidebar) at one time set Medeco apart from all other high security lock manufacturers. This combination makes picking extremely difficult because pin tumblers must be manipulated at the same time for two different systems (rotation and elevation). Many have tried to reliably defeat Medeco, most with limited or little success. For that reason Medeco has thrived as a primary provider of high security locks.
For the vast majority of users this dual layer of security was and is more than sufficient. Then came the introduction of the m3, with another alleged layer of security: the slider.
I would be the first to acknowledge that for the average thief, whether casual or determined, Medeco provides a significant barrier against any covert form of attack that involves the compromise of the pin tumbler mechanism. But Medeco cylinders are not just employed in “average” installations requiring medium security. They are relied upon everywhere, often to protect incredibly high value targets where criminals, spies, and even insiders will expend a great deal of time, energy and money to defeat these systems. So they have to be secure. In fact, not just secure but very secure, and that is where we believe the problem begins.
I draw an analogy between Medeco (and other high security lock manufacturers) to the communication common carriers and the provision of broadband Internet services. Almost every carrier has fiber optic cable to transport data across the country or across the world. Where the system breaks down is in the last mile where copper wires rather than fiber feed individual locations. It is the last mile that I am most concerned with in high security locks; an equivalent to the last five to ten percent of protection that really matters against competent and determined criminals.
In a nutshell my problem is this: the highly respected Medeco m3 lock, the new star in the Medeco flagship, can be bypassed with a paper clip, followed by a specially designed key which can be used to open it by bumping or picking. For sure, not all of their cylinders can be opened in the manner described in these articles, but many can. And what is a tolerable percentage that can be bypassed? This is a very good question for Medeco. Unfortunately, as will be demonstrated in the fourth article in this series, the problems with Medeco security do not stop with bypassing the slider or sidebar. It is more basic and involves mechanical bypass which can be far more sinister than manipulating the internal components with bump keys or picks. We believe it is a failure of imagination on the part of Medeco design engineers to perceive certain threats.
Most of the high security lock manufacturers offer cylinders that will provide more than ample protection and meet the security requirements for the vast majority of their customers. However, if you have what you perceive as high value or critical targets to protect then you just might want to research this matter further. You should not solely rely upon the so-called high security standards promulgated by UL, BHMA and ANSI. The reality is that these organizations really do not test for certain forms of bypass. We believe that if they did then many of their “certified” locks would lose such designation.
This article began by asking the question whether your Medeco locks are “secure enough?” In my view there is no question that they are one of the best available cylinders but of course that comes with many caveats. The perceived level of threat should determine whether Medeco or some other vendor produces the locks that will afford the needed protection. The alternative, of course, is to prohibit the possession of paper clips in any facility where the m3 is installed!
® Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.
Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.
A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.
The password for this article will be posted on ClearStar later in the week or you can register on www.security.org for site clearance. When registering, please specifically request the password for this article.
You may also contact the author at firstname.lastname@example.org for access or further information.
Medeco® is a registered trademark of Medeco Security Locks, Inc.
Protected: DETAILED ANALYSIS: POTENTIAL SECURITY VULNERABILITIES OF THE MEDECO m3 AND ITS KEY CONTROL
Two years ago, we posted an alert about the poor quality and insecurity of gun locks. The media reported the story in an in-depth television news story. The result: absolutely nothing changed. The manufacturers continued to produce cheap locks that afforded no protection. Standards were not changed by the State of California which certifies cable and trigger locks as secure to protect kids. Retail outlets continued to sell junk locks. And more alarming, law enforcement agencies throughout the U.S. still offer poor quality gun locks to the public for free, believing that they are designed properly.
There have been many adverse comments to my posting of videos with the article on in.security.org and on engadget.com. Many think that a simple warning would have been sufficient without the videos. History has shown that this is not the case.
The reality is that if you simply warn parents that gun locks are dangerous because they create a false sense of security, the warnings will be largely ignored as they were two years ago. In fact in 2001 a security alert was published by the Consumer Product Safety Commission on this subject. Shortly thereafter, ABC did a television report on the dangers of these locks and how easily they could be compromised. Again, nothing happened. It was business as usual.
A few months ago our local sheriff showed me the gun locks that they distribute as part of the Operation ChildSafe program (funded by the Department of Justice). I decided it was time to revisit this issue. If a police department hands a gun owner a lock, then it impliedly represents that the lock is secure and will keep kids safe from guns. Our Sheriff had no idea that these locks could be so easily compromised. When he learned otherwise he took immediate action to warn every consumer that received these devices through his department.
So, for everyone that feels that our report should not have been published, I respectfully disagree. Simple warnings would accomplish nothing, as borne out by past events. This was reinforced by my conversations with the National Shooting Sports Foundation. They have distributed 35,000,000 of these cable locks and tell people they will protect kids from access to weapons. Worse, they actually believe that the standards that California passed seven years ago are sufficient to keep kids safe up to the age of seventeen. They cite the American Society of Testing and Materials as the ultimate authority on standards and the fact that these locks passed ASTM tests.
Their concern could be paraphrased thusly: “We have never had a problem with these locks so there is no problem.” I don’t question their motives, just their understanding of how these locks work.
Before I released the report I spoke with the California DOJ Firearms Division about their standards. They said that they believed that they were quite sufficient to keep kids from accessing weapons, repeating that the locks had been analyzed by designated testing laboratories and found compliant with the standards. It was the same story line.
In my view, the real issue is the standards and the manufacturers that produce cheap locks that do not even meet the minimal requirements promulgated by the DOJ. So, if this is an important issue (as I believe it is), then how do you get everyone’s attention so that something positive will occur?
Some say it is irresponsible to show how to compromise these locks. I considered very carefully whether to demonstrate the problems with these products or just write about them. I came to the conclusion that perhaps the only way to get the regulators to act was to show them what they apparently did not understand, and at the same time to graphically warn parents about the hazards of using these devices. Perhaps they might put pressure on the agencies to make needed changes.
And yes, there is a risk that kids will see this report. But I thought that would be far outweighed by the potential positive results that might occur. And frankly, it is clear that if a kid wants to access a weapon he will, regardless of whether there is a report showing him how to do it or not. The difficulty in compromising these locks is minimal and that is the entire point of the article.
The fact is that any adult that uses one of these locks as the sole protection of a handgun is grossly negligent. If they compound the problem by either locking a loaded weapon or keeping ammunition close by, then I would submit they could be held criminally liable if a kid uses the weapon.
So the conclusion I reached with regard to airing the videos was based upon the following premise: if the locks are as secure as represented by the DOJ, NSSF, and manufacturers, then why would they be concerned about showing how these locks can be compromised?
After all, they are all saying that the locks WILL protect a weapon against access by a kid (no matter how ludicrous that argument might be) and that the standards are sufficient.
My contention: Either these locks are secure or they are not. You can’t have it both ways. And if they are not then laws should be changed so that the locks actually do what they are supposed to do.
Finally, the information that was presented has been on the Internet for quite some time as almost everyone knows. An incredible amount of material has been published about bumping, including padlocks. So kids already are aware of that method of bypass. The fact that bump keys are available on the Internet for the Master cable lock should alarm everyone. I and others have been raising this issue for the past year. In fact, I submitted draft legislation to the Postal Inspection Service six months ago to close the loopholes in the postal regulations to stop the trafficking in bump keys on the Internet.
And what about the ability to cut these cables? I would dare say that every reader would look at one of these locks and laugh at the absurdity of the ostensible protection that they afford. A pair of pliers or fourteen inch bolt cutters from Ace Hardware will sever any of these cables and everyone, including kids, knows it. Even Targus figured it out when I wrote the article last year about their much publicized armored computer lock that uses an almost identical approach as the gun cable lock.
So should we just keep quiet and continue to promote the failed concept of “security by obscurity”? I don’t think so, for the same reason that I am challenging the standards set forth by Underwriters Laboratories, BHMA, and ANSI with regard to high security locks and the ability to compromise some of them in well under the minimum time standards set forth for forced and covert entry in UL 437 and ANSI 156.30. I would submit that the risk could be far greater for reliance on some of these standards and for the defective or deficient design of some of these locks than for the compromise of gun locks.
I have never believed it was prudent to publicly demonstrate methods of covert bypass unless there was a valid reason to do so. That material is left to the multimedia edition of my book. I have never once shown such techniques in the media; only to law enforcement and security professionals. But when bypass techniques are so simple that anyone can accomplish them in a few seconds, I believe it is vastly different. In my view it enhances everyone’s security if they have a full understanding of the simplicity of the methods.
The issue raised in the gun lock story is about responsible disclosure with regard to matters of security. There has always been a legitimate debate as to whether disclosure promotes or places security at risk by publishing “secret” or more to the point, “unknown” information. The reality is that there are no more secrets. The Internet took care of all of that. And if I had simply posted a warning about the insecurity of these devices or there had been a news story written about a child that was hurt or killed as the result of his ability to bypass one of these locks, you can be sure that someone would have posted detailed information about the method of compromise. Welcome to the global information world.
There are two sides to every story and if this one has sparked thoughtful debate about the disclosure of security defects, then I would submit that the article has accomplished its purpose. Many parents have written to me after reading this article, not to complain but to voice concern about the locks they have relied upon and to ask what they should replace them with.
If you believe that material on gun locks should not have been released, then you will surely have an opinion regarding the next alert about the insecurity of small Fixed Base Operations at our airports, and the security issues it raises.
A detailed report and videos that demonstrate design deficiencies in gun locks may be found at: http://download.security.org/gunlock_2007.pdf
The eleven-year-old demonstrated the removal of three of the most popular trigger locks from a rifle in just a few seconds. The eighteen-month-old examines the Project ChildSafe® cable lock for guns. We do not believe that either of these types of locks is secure as the primary method to protect weapons.
Gunlocks are designed to protect kids and keep them from gaining access to weapons. An extremely successful program was launched several years ago by the National Shooting Sports Foundation to promote gun safety and keep children away from guns. The U.S. Justice Department provided funding so that NSSF could administer a program to provide free gun locks to the public through law enforcement agencies around the country. A total of thirty-five million Project ChildSafe® locks have been produced.
We do not think these locks are secure enough and should not be used to provide the primary protection to immobilize a weapon. Poor quality locks rarely offer any protection, and this is a classic example. These devices are produced in China with cheap pin tumbler mechanisms that can be bumped open in seconds. The cables on some models are easily compromised.
The quality control in the case of at least one model, the GL710N (listed on the California DOJ website as having been produced by PCS) appears to be so poor that two out of three locks that we obtained from the Denver Police Department could be circumvented merely by twisting the cable. That’s right; simply hand twisting the cable caused it to pull loose from the lock housing! Could a kid have done that? Without question the answer is yes.
The real problem is the standards for these devices. NSSF rightfully responded to our concerns about security by stating that the locks meet California and ASTM requirements. In our view, the standards need to be updated so that they take into account real world attempts to open them, which just might involve the use of more than a paper clip or screwdriver! Kids can be clever, especially when it comes to guns.
The NSSF statement in their literature that the locks will not stop a “determined attack” does not really address the issue. Is their position really that anyone that wants to remove a lock from the gun will succeed, as opposed to the kid that half-heartedly pulls on the cable and if it does not come apart, then he gives up? Of course, in the case of the GL710N models that we tested that may be good enough!
We take an in-depth look at gun locks and the standards that are supposed to make them safe.