
THE SIDEBAR: MARC WEBER TOBIAS


DETAILED REPORT ON THE INSECURITY OF GUN SAFES MADE BY LEADING U.S. MANUFACTURERS: STACK-ON, GUNVAULT, AND BULLDOG

All of these gun safes can be easily opened with a variety of simple tools.

See my corresponding article in Forbes, http://blogs.forbes.com/marcwebertobias, which was published on Friday, July 27, 2012.

See the applicable disclaimers with regard to the information contained in this report at the end of the Alert.

This security alert provides detailed information about small gun safes that can be easily compromised. We conducted an analysis in our Security Lab of these containers. Some of these containers are utilized by law enforcement agencies. A PowerPoint presentation and video are available through the AFTE website for any agency, and were the subject of my presentation at the Annual Association of Firearms and Tool Marks Examiners conference in Buffalo, New York on June 28, 2012.

We provide information about some of the most popular gun safes that are produced by the leading manufacturers in the United States: Stack-On, GunVault, and Bulldog. We also looked at one of the small safes produced by AMSEC.

We tested safes from these companies to determine their vulnerability to simple, covert attacks. We did not test for forced entry techniques.

Every consumer who owns or is contemplating owning a small gun safe needs to understand that many of these containers are improperly designed, have little real security, and can often be opened in seconds with common implements such as paper clips, drinking straws, wires, and small pieces of brass. Some can also be dropped from a few inches onto a hard surface and opened, because of the simple, cheap, and insecure mechanism that is used to block movement of the bolt work until the proper combination is entered.

All of these safes utilize electronic credentials to open them. While these manufacturers would like you to believe that the use of a keypad, push-button sequences, or fingerprint reader will somehow make their containers more secure, that is not accurate, and everyone should understand it. The electronics are merely for convenience.

What constitutes security in any container is the way the locking mechanism is designed to keep the container closed or to be opened. The problem is that none of these manufacturers seem to understand even the basics of security engineering and how to defeat their own products. In this report, we will provide detailed videos that demonstrate the problem for many safes that are sold by Walmart, Cabelas, Dicks Sporting Goods, Scheels, and Amazon.com.

In conjunction with our investigation we contacted and made available these videos to management at all of these companies. Only Walmart would even issue a statement, which essentially says “it is not our problem” and we rely upon the manufacturer and the California DOJ standards.

The other companies, Cabelas, Scheels, and Dicks Sporting Goods had absolutely no response.

All of these companies continue to sell what we are claiming are dangerously security-defective products, but evidently money, not the safety and security of their customers, is their primary concern. They have all been placed on notice of the defective security designs, and all have chosen to ignore the evidence and instead rely upon what the manufacturer, Stack-On or others, have represented to them.

Stack-On is headquartered in Illinois and, by their own account, generates about $100,000,000 annually. They also indicated that they do not talk to the media, but they did issue a press release after I demonstrated opening four of their safes on KELO-TV in May, 2012.

Their Public Relations firm issued the following statement on behalf of their client:

“While Stack-On respects Mr. Tobias’s proven ability to pick the most complex of security locks, we strongly stand behind the safety of our products. Stack-On Personal Safes are certified by California Department of Justice (DOJ). This certification involves testing, by an independent laboratory approved by California DOJ, for compliance with adopted standards. We are proud of this designation and the protection we provide. In addition, our Portable Cases comply with TSA airline firearm guidelines.”

Stack-On believes that their safes are secure. While their containers have been approved by California DOJ under their gun safety regulations, they are fully aware that the methods we demonstrated are not addressed in these standards, and thus the standards are not applicable. It is our opinion that Stack-On has chosen to continue to place every buyer of one of these safes at potential risk. Their safes are manufactured in China. While they may appear to be secure, they are not, as we demonstrate in multiple videos.

I spoke with their VP of Marketing, Steve Martin, in April, 2012. I asked to do an interview at their facility and was refused. When I advised him that we had tested several of their safes, he did not ask one question. I offered to send the links of the videos. He offered no response. The company has never followed up with any inquiry.

Our opinion is that Stack-On should recall every safe that has security vulnerabilities and issue an alert to the public to warn every purchaser. They should also warn every vendor. To our knowledge, they have done neither. What they have done is to continue to sell what we allege are defective products to the public, knowing that many of these containers can be opened by kids.

I spoke with a spokesperson for Walmart and provided links to all videos. After two months, they finally issued the following statement:

“Walmart is committed to providing safe, quality products customers can rely on. After being made aware of your concerns, we reached out to the manufacturer of Stack-On products to discuss their compliance and quality programs. According to Stack-On, the product you mentioned is tested by a third party independent lab and those results are submitted to the California Department of Justice for certification as meeting their safety standards for this category of products.”

It is also our opinion that Walmart is far more concerned about revenue than about protecting the safety and security of their customers, notwithstanding their claims to the contrary. According to their employees, the company has a security and safety testing team that analyzes products. That would indicate that they have the competence and skill to evaluate the claims that we made.

Walmart did not deny our allegations but rather is avoiding responsibility by hiding behind the representations of Stack-On. In our opinion, nobody should believe anything that Stack-On states with regard to the security of any of their products. It is very clear that Stack-On has no competence to design or test a container for security vulnerabilities.

While they may believe that they can avoid liability by claiming they meet the requirements of the California gun statutes, they may find that those standards offer no protection whatsoever. We believe they are producing dangerously defective containers that they are representing as secure for use by the consumer to store weapons. They are not secure, and nobody should rely upon them for any measure of security.

It is my opinion that any retailer, once on notice of the defects we have demonstrated, can and will be held liable if a customer purchases one of these containers and the result is that someone is hurt or killed.

We conducted undercover interviews at Cabelas and Scheels to document what their sales “experts” were telling the public about these safes. It is precisely what you would expect: they are secure, kids cannot get into them, and you can safely store weapons in them without fear that they can be covertly compromised.

Unfortunately, each of these statements is false. The problem is that these sales personnel do not have a clue as to what is secure or is not. What they understand is profits and what sells, and it would appear that is all they care about, based upon the total lack of response from any of these companies to us.

While we only looked at about ten safes, we are quite sure there are dozens, if not hundreds of different models that are similarly insecure. Most of this junk is made in China and peddled by U.S companies. These safes are cheaply made, and the security engineering is essentially non-existent, as you will see in the videos and our detailed analysis.

BACKGROUND

This is a common solenoid design that blocks the movement of the bolt in many safes. The magnetic pin must retract in order for the bolts to pass. This pin can be vibrated to an unlocked state.


As a result of another gun death involving a member of the Clark County Sheriff’s Department in 2003, the Sheriff mandated that all deputies keep their weapons in designated Department safes at their homes. The Department, without any testing, initially purchased approximately 200 Stack-On Strong Boxes, shown in the video. It is clear that the CCSO relied upon the representations of Stack-On, and had no independent expertise to evaluate the security of these containers. It is incredible to us that the Department would entrust the lives of their officers and families to a container that reportedly cost $36.00 without any tests being conducted by the Department as to suitability, safety, or security.

Detective Ed Owens had been a member of the Clark County Sheriff’s Department since 2004. He was issued a Stack-On safe to store his weapons at home. On September 14, 2010, one of his four children was able to open the Stack-On Strong Box container that was located in the master bedroom. At about 9:50 P.M., three-year-old Ryan was shot, and he died four hours later.

We were asked by the Owens family and attorney to provide expert analysis of the suspect safe. We conducted an extensive analysis of a container from the same batch that was provided to the Clark County Sheriff’s Office.

It is our opinion that these were defective containers, based upon the testing we performed and the videos we shot from inside the safe. The problem, quite simply, revolves around the solenoid mechanism that controls a locking pin. This pin, in its normal state, blocks lateral movement of the bolts, thereby preventing their retraction. When the correct code is entered via the keypad, the blocking pin is retracted and the bolt can be turned to the unlocked position. The problem is the design of the solenoid and spring-biased locking pin. It can be bounced to allow the bolts to pass and leave the safe in an unlocked state. As demonstrated by the three-year-old in our video, this safe can then be opened by simply turning the knob.

As a result of testing this particular safe, we expanded our inquiry and tested virtually every Stack-On model of small safe. What we found was disturbing. Each could be opened in a variety of ways, as we demonstrate. We also tested similar containers from Bulldog and GunVault. We reached out to these companies as well, but they refused to return phone calls.

Any consumer who owns one of these containers should return it and ask for a model that has been fixed to make it secure, or demand a refund. In our view, no weapons or valuables should be stored in one of these containers.

We provide all of the video segments of our analysis as well as televised news reports and some of the undercover video that we obtained.

Gun safe detailed report by Security Labs

Video of three year old opening four different safes

KELO-TV Sioux Falls, South Dakota aired the accompanying story

Undercover video from Cabelas store

Security Labs Stack-On safes introduction (for each of the separate video elements)

Stack-On PC 650 gun safe

Stack-On PC-650 Portable Case with Electronic Lock
Electronic lock allows for a 3 to 8 digit combination to be programmed into the case.
Includes a backup trouble key.
Slim line design of the case allows for storage in a briefcase, under the seat of many cars and trucks. Foam padded bottom protects contents from scratching.
Meets TSA airline firearm guidelines.
Body is designed for safe to be secured with steel cable (1500 lb. test). Cable is included.
SPECS
11” wide (27.9 cm)
8-1/4” deep (21 cm)
2-3/8” high (6 cm)
(dimensions include key pad)

VIDEO OF ANALYSIS OF PC-650

Stack-On PDS 500 gun safe

Stack-On PDS-500 Drawer Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
2 live action locking bolts and concealed hinges.
Fastening hardware is included with each safe.
SPECS
11-13/16” wide (30 cm)
8-5/8” deep (22 cm)
4-3/8” high (11 cm)

VIDEO OF PDS-500

Stack-On biometric safes with fingerprint readers can be easily compromised.

Stack-On PS-5-B Drawer Safe with Biometric Lock,
Stack-On PS-7-B Extra Wide Safe with Biometric Lock and
Stack-On PS-10-B Personal Safe with Biometric Lock
Great security for pistols, ammo and valuables at home, on the road or in the office.
Tested and listed as California Department of Justice firearms safety devices that conform to the requirements of California Penal Code Section 12088 and the regulations issued thereunder.
Solid steel, pry resistant, plate steel doors, steel live action locking bolts and concealed hinges provide greater security.
Biometric lock can be programmed to accept up to 32 different fingerprints – provides greater security and quicker access to the safe’s contents. Also includes an electronic lock and hidden trouble key.

PS-5-B SPECS
13-7/8” wide (35.2 cm)
11-1/2” deep (29.2 cm)
4-1/2” high (11.4 cm)

PS-7-B SPECS
17-3/4” wide (45 cm)
14-1/4” deep (36.2 cm)
7-1/8” high (18 cm)

PS-10-B SPECS
13-7/8” wide (35.2 cm)
9-7/8” deep (25 cm)
9-7/8” high (25 cm)

VIDEO OF PS-5B

Stack-On QAS 1200B biometric safe can be easily opened with paperclips.

QAS-1200-B Quick Access Safe with Biometric Lock
Tested and listed as a California DOJ Firearm Safety Device.
Biometric Lock can accept 28 different fingerprints with back up trouble key.
Biometric reader is easy to use and program.
Biometric locks provide greater security – no combinations to remember.
Holds standard sized pistols and other valuables.
Includes a removable shelf. Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor, wall or a shelf.
Fastening hardware is included with each safe.
SPECS
10” wide (31.1 cm)
12-1/4” deep (30.5 cm)
8-1/4” high (21 cm)
(dimensions include key pad)

VIDEO OF QAS 1200B

QAS 710 Stack-On safe

Stack-On QAS-710 Drawer Safe with Motorized Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
All steel construction and low profile design allows for storage in a drawer.
Lid pops up when the correct security code is entered for instant access.
Safe has pre-drilled holes for mounting in a drawer or on a shelf.
Fastening hardware is included with each safe.
SPECS
10-1/4” wide (26 cm)
16-5/8” deep (42.2 cm)
3-1/2” high (9 cm)

VIDEO OF QAS 710

Stack-On QAS 1000 can be easily opened

Stack-On QAS-1000 Quick Access Drawer Safe with Electronic Lock

Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Drawer pops out when locking mechanism is released.
Ball bearing drawer slide allows the drawer to slide in and out without binding.
Holds standard sized pistol and valuables.
Foam padded bottom protects contents from scratching.
Body is designed for safe to be secured with steel cable (1500 lb. test) or can be mounted to a shelf or floor.
Cable is secured when drawer is in place.
Cable is included.
SPECS
10” wide (25.4 cm)
12-1/4” deep (31 cm)
4-5/8” high (11.6 cm)
(dimensions include key pad)

VIDEO OF QAS 1000

Stack-On QAS 1200

Stack-On QAS-1200 Quick Access Safe with Electronic Lock
Tested and listed as a California DOJ Firearm Safety Device.
Electronic lock allows for a 3 to 8 digit combination to be programmed into the safe.
Includes a backup trouble key.
Holds standard sized pistols and other valuables.
Includes a removable shelf.
Foam padded bottom and shelf.
Safe has pre-drilled holes for mounting to the floor, wall or a shelf.
Fastening hardware is included with each safe.
SPECS
10” wide (25.4 cm)
12-1/4” deep (31 cm)
8-1/4” high (21 cm)
(dimensions include key pad)

VIDEO OF QAS 1200

GunVault GV2000S gun safe

GunVault MultiVault Standard GV 2000S
Features
• Protective foam-lined interior
• Extra storage capacity and removable interior shelf
• Tamper-resistant spring-loaded door
• 16-gauge steel housing
• Audio and LED low battery warning

Customizable Convenience
• Battery power provides portability
• Optional high-strength security cable secures GunVault in a home, car, RV, office or hotel
• Mounts almost anywhere in any direction

Foolproof Security
• Precise fittings are virtually impossible to pry open with hand tools
• Built-in computer blocks access after repeated invalid keypad entries (Digital models only)
• Tamper indicator alerts invalid entry attempts (Digital models only)

SPECS
14″ X 10.1″ X 7.9″

VIDEO OF GUNVAULT STANDARD GV2000S

BullDog BD1500 gun safe

Bulldog BD1500 Deluxe Digital Pistol Vault

Bulldog’s “Easy Guide” top pad features raised ribs that lead your fingers to the numbered buttons for quick and easy code entry. After 4 invalid keypad entries the electronics temporarily disable the control panel. In three minutes, the electronics automatically reset and will accept the valid code.

• ”Easy Guide” ribbed top pad for quick entry
• ”Smart Safe” technology remembers safe combination during power loss or while changing the batteries.
• More than 1000 combinations available
• Secure cylinder key override
• Pre-drilled mounting holes
• Pre-drilled holes for optional security cable
• Deluxe foam interior with egg-crate bottom pad
• Heavy-duty steel construction
• Durable powder coated black matte finish
• Mounting hardware included
• Interior light when door is open
• Spring loaded door for quick access
• External power supply
SPECS
11.5″ x 8″ x 5.5″ /4″

BULLDOG BD1500 VIDEO

DISCLAIMERS

We tested safes produced by Stack-On, Bulldog, Amsec, and GunVault between February, 2012 and July, 2012. We tested a limited sample of each and produced videos of unaltered containers. A manufacturer may have updated or made changes to a design that would make it more difficult, or prevent us from, opening that container in the method shown. The reader or consumer should replicate the methods shown for any particular container and run their own tests. We have no financial interest in any of the manufacturers that are detailed in this report. See the other http://in.security.org disclaimers contained on this website.


DEFCON 18: LOCKS, LIES, AND VIDEOTAPE

See the Wired.com, AFP, and Brickhouse Security articles.

DefCon is the largest hacking/security conference of its kind in the world. For the past six years, our research team has demonstrated vulnerabilities in both high security and conventional locks. This year our team (Marc Tobias, Tobias Bluzmanis, Matt Fiddler) selected five different locking mechanisms that are popular in the consumer sector. We chose a broad cross-section: conventional programmable mechanical lock, electronic “safe”, biometric fingerprint lock, RFID-based deadbolt, and a very sophisticated electro-mechanical lock that requires no batteries in either the lock or key. Three of these locks are imports: two from China, and one from Finland. Notably, the locks from China (BioLock and Amsec), are both sold in the United States, and are prime examples of insecurity engineering at its best. They denote a total lack of competence in design, often typical of the cheap products that are being imported from China. More about this later, but suffice it to say, these are prime examples to support the premise: there are no shortcuts to quality and security.

Three of the five companies refused to comment or return phone calls to Wired. Kwikset and Iloq did make statements, both of which, in my view, were inaccurate or misleading, or demonstrated a basic misunderstanding of their products with regard to security. On previous occasions I had attempted to speak with General Counsel for Kwikset and their VP of Engineering in order to disclose security vulnerabilities. They likewise refused to return phone calls.

None of these locks can be considered high security, but Kwikset, which sells millions of cylinders a year in the U.S. and has incredible market presence, has a Grade 1 security rating for its model 980/985 deadbolt, which we selected to analyze. I have attacked Kwikset for several years because of their poor quality and security. In fact, in 2006, the company flew me out to their corporate facility in California for a pre-release briefing of their Smartkey, after eleven-year-old JennaLynn bumped open their locks at DefCon. The irony was that senior engineering and management at Kwikset told me that they were not even aware of bumping, except for what they had seen on the Internet! The Smartkey was not designed to be bump-resistant.

At that meeting, I voiced my opinion that the company was selling junk locks. Their reply was “yes, we know, but we make 20-25 million of them a year.” In my view, nothing much has changed in the past four years, other than their locks are mechanically reprogrammable. Clever, yes. Convenient, yes. Secure and maintenance-free, no.

FALSE SENSE OF SECURITY

Each of the five companies represents their products as secure. This creates a false sense of security in the buying public. In the case of Kwikset, in my view they are perhaps the worst offender because of their market penetration. But the problem and the responsibility are shared equally with the standards organization that rates their locks, and specifically with BHMA. I have had many discussions with regard to this issue during the past three years with their executive director in an attempt to modify the standards so they actually mean something. I think we are making progress, but because of the inherent way in which standards are adopted, it is a slow process.

The standards do not adequately address simple methods of bypass. The result is that locks are sold that the consumer relies upon as being secure, and yet they are not. Many of the bypass techniques that we utilize are not even included within the standard. Some companies hide behind the standards, stating that their locks “meet or exceed” them, knowing those same locks can be bypassed by methods not enumerated in the standards they are citing. I would submit that whether a lock is certified under an applicable standard or not has nothing to do with its real security if it can be bypassed in seconds. In such a case, any such statements are illusory and mean nothing with regard to protection of the end-user.

WHAT NEEDS TO BE DONE

There is no substitute for competent security engineering. Unfortunately, some locks are expensive and not secure, but generally, you get what you pay for. I think the critical issue for the consumer to understand is that cheap locks are inherently not secure. In 2006 Kwikset told me their smartkey cylinder would cost them about two dollars to produce. In my view, they are of poor quality, and just about every locksmith in the country knows it. Clever options like being programmable are extremely convenient for the consumer, but unless executed properly, can reduce the overall security of the lock.

Granted, some consumers cannot afford better locks, (or those that carry a high security rating), but at least they should know what they are buying and not be misled by untrue or misleading claims of manufacturers. Kwikset has been aware of the vulnerabilities in their locks, and specifically that they can be opened in seconds with a specially modified key and the application of sufficient torque. They have made changes to prevent this bypass technique, but the locks can still be opened, and they know it. Yet, their employees continue to mislead the public into believing that their deadbolts can only be opened by drilling, breaking the door down, or breaking the door frame. This is simply not true. They continue to focus on their Grade 1 rating. Yes, they are certified, but we do not think they will pass in a re-certification test.

We are filing a challenge with BHMA to ask for a retest, because in my view, the Smartkey deadbolt will not pass, based upon two sections of the BHMA/ANSI 156.5 standard: Sections 12.1 and 12.5.2.

Section 12.1 requires that the cylinder be of the pin tumbler design. The Smartkey is not; it uses tiny sliders, as shown in the photograph below. While they may control a sidebar for locking, which generally is more secure, the sliders themselves are not, and never will be as strong as pin tumblers. The BHMA standard excepts locks that are more secure than pin tumbler designs. In my view, the Smartkey is not, and Kwikset knows it. And they cannot use the fact that they are bump-proof, either, because bumping is not in the standard. Yes, they are pick resistant, but we have picked them as well.

The point is that the locks are not physically secure and can be easily compromised. BHMA should not be certifying a deadbolt Grade 1 cylinder that can be opened in thirty seconds. Further, Kwikset should be forced to place a warning on their packaging denoting this fact to the buyer. If they did, I am quite certain that few persons would choose them for protection.

Section 12.5.2 requires that the plug can withstand a minimum of 300 foot-pounds of torque without turning, or that it cannot be turned by manipulation. We do not believe that the Kwikset Smartkey 980/985 deadbolt can meet this requirement either. To open the lock, we are inserting a portion of a key, cut to specific depths, and applying torque. This procedure, we believe, meets the definition of “manipulation” in the standard.

RE-WRITE THE STANDARDS AND MAKE THEM REFLECT “REAL-WORLD” ATTACKS

Include real-world testing procedures that are not presently incorporated within the standards. This will ensure that what the manufacturer represents as secure actually is.

START TELLING THE TRUTH TO CONSUMERS AND WARN THEM OF KNOWN VULNERABILITIES

I am quite certain that if Kwikset and all of the other manufacturers that were shown at DefCon 18 were to place warnings on their packaging that their locks could be compromised in seconds, nobody would buy them. After watching the videos, would YOU buy any of these locks? Not likely. And that is precisely the point. If a manufacturer is going to produce inferior quality locks, then warn the public, so that they have the information to make an informed decision as to security.

HIRE ENGINEERS THAT UNDERSTAND SECURITY ENGINEERING, NOT JUST MECHANICAL ENGINEERING

In my experience, many manufacturers have no idea how to open their own locks. While their engineers are quite competent to make things work properly, they have little understanding of bypass techniques. And this is precisely the problem. It is a simple principle: you cannot properly design a lock if you do not have a thorough understanding of the methods to break it.

STOP PLACING PROFIT AHEAD OF SECURITY

For a manufacturer, security can be very expensive. Materials, high tolerance, production controls, and competent engineering all come at a price. If a company is to represent their products as secure, then the company has a duty to make sure they in fact are. Many place profit well ahead of security, leaving consumers at potential risk.

VENDORS SHOULD SEND A MESSAGE TO LOCK MANUFACTURERS THAT THEY WILL NOT BUY (OR SELL) PRODUCTS WITH SHODDY QUALITY OR POOR ENGINEERING

Brickhouse Security is the leading vendor of surveillance and security-related hardware to law enforcement and corporate facilities in the U.S. When we notified them of the problems with the BioLock, they took action, as noted in their press release. Notwithstanding that the manufacturer, BioLock, refused to accept any responsibility whatsoever for their defective product, Brickhouse has set the standard for vendors in the security hardware sector. Hopefully, others will follow. It is only when the manufacturers get a clear message from vendors that they will not sell their junk that they will be forced to engineer their products properly and take responsibility for what they make.

LOCKS, LIES, AND VIDEOTAPE

We tested the following locks for DefCon 18:
KWIKSET SMARTKEY
BIOLOCK 333 FINGERPRINT LOCK
KABA SAFLOK IN-SYNC RFID LOCK
AMSEC ES1014 ELECTRONIC SAFE
ILOQ C10S ELECTROMECHANICAL LOCK

Photographs and comments below.

KWIKSET SMARTKEY DEADBOLT OPENED WITH A SCREWDRIVER

Kwikset represents that the Smartkey Model 980 Grade 1 deadbolt is the highest grade of residential security available. This is not, in my view, an accurate statement at all, except perhaps for Kwikset products. It is, in my opinion, misleading, and Kwikset knows it. Such statements are being made by their customer service representatives and in their advertising. If in fact this is the best the consumer can buy, and it can be opened in thirty seconds or less, then what does a Grade 2 or Grade 3 rating denote in Kwikset’s world? Ten seconds to open? Perhaps both Kwikset and BHMA would like to answer that question!

KWIKSET Smartkey deadbolt can be opened with simple implements, notwithstanding it is rated as a Grade 1 lock.

KWIKSET SLIDERS

In my view, the critical security vulnerability in the Kwikset Smartkey is the sliders that control the sidebar. They will never be as secure as brass or nickel-silver pin tumblers, even though Kwikset touts sidebar security. They can be easily warped, which in my view is the fatal defect in this lock. The macro photograph shows a normal slider (left) and one that has been warped by the application of torque from a 3.5″ screwdriver blade inserted into the keyway and turned with a small vice grip.

OPENING THE KWIKSET SMARTKEY

Kwikset has been aware, for quite some time, that Major Manufacturing has been producing a locksmith tool to open their locks by applying torque with a key blade cut to specific depths. Kwikset has made changes in an attempt to fix this problem, but not very successfully. Yet their representatives continue to state that the only way to open the lock is to drill it. In our tests, we chose to utilize a cut blank key, a screwdriver, and a small vice grip to demonstrate the insecurity of this lock. In their statement to Wired, it would appear that the Kwikset spokesman tried to give the impression they were not aware of this problem. Maybe the spokesman was not, but the engineering division of Kwikset has known about the issue for quite some time.

Opening a Smartkey can be easily accomplished with a portion of a key cut to specific depths, a screwdriver, and a vice grip.

BIOLOCK is a company based in China, with an office in Los Angeles. They produce a line of biometric locks, including the Model 333, which we tested, and which Brickhouse Security carried until last week.

This very professional-looking fingerprint lock has a bypass cylinder, which is the fatal flaw in its security. As shown in the video and photograph, the locking system can be bypassed within seconds with a piece of wire or paperclip. The design of this lock is completely incompetent and denotes a total disregard for, and lack of understanding of, security issues in lock design.

The BioLock fingerprint lock with bypass cylinder that can be opened in seconds.

The BIOLOCK 333 fingerprint lock can be compromised in five seconds with a paperclip.

AMSEC CONSUMER-LEVEL ELECTRONIC SAFE, MODEL ES1014

AMSEC is a quality safe manufacturer in California, who would, in my opinion, never knowingly market a product with the design defect we demonstrated. Their customer service representatives told me that this safe was a Chinese import and that AMSEC did not test it. That is unfortunate for the consumer who has purchased these. And, just to be clear, we think that to represent this as a “safe” is misleading to the consumer. It is not a safe; it is a container with a lock.

The AMSEC ES1014 consumer-level electronic safe. It is not secure and can be easily compromised.


A flat piece of metal from a hanging file folder is bent and inserted through the top of the door. It is used to make contact with the reset switch to allow the combination to be reset. This is an incredibly inept design.

KABA IN-SYNC LOCK

The Kaba In-Sync is an RFID-based cylinder that is popular for use on military bases, apartment houses, churches and other commercial facilities. Incredibly, the design engineers responsible for the security of this device did not understand that a wire could be inserted next to the USB communications port to reach the locking pin that provides the security for this lock. We contacted the lead engineer for Saflok almost a year ago, and again last month, to discuss this issue. No response.

The Kaba InSync RFID cylinder can be easily opened with a piece of wire.

ILOQ ELECTROMECHANICAL LOCK

The Iloq is an award-winning electromechanical lock that does not use any batteries, but rather generates the needed current through the use of a motor to perform two functions: power generation, and turning a gear to control the primary locking element. These locks are extremely popular in Finland and other Scandinavian countries.

As we note in the video, there are four operating stages for the Iloq. The critical failure of this lock is the ability to circumvent the mechanical re-locking feature. Once this is accomplished, the electronic credentials are neutralized and the Iloq becomes a one-pin conventional lock, which in my view is less secure than the Egyptian pin tumbler lock of 4000 years ago. A senior representative of the company told me that Iloq had made certain changes to prevent our methods of bypass, and that those locks will be available within a couple of months. This is an extremely responsible company who clearly should have understood the ramifications of their design failure, from the security perspective.

ILOQ in Finland produces a very sophisticated electro-mechanical lock that can be easily compromised. This photograph shows the Scandinavian key profile and the actuating lever at the front of the keyway that can be modified to set the lock so that any mechanical key will open it.

A cutaway view of the award-winning Iloq, from Finland.

ILOQ KEY TIP MODIFICATION

There are two ways to circumvent the security of this lock: one through an internal attack, and one by externally modifying the actuating lever just inside the keyway. The photographs show the very minimal material removal from the key tip to set this lock so that it can be opened by any other key or even a screwdriver.

All ILOQ keys are mechanically the same configuration. Each key-head contains a unique electronic identifier.

The tip of the ILOQ key is modified for an internal attack. The top photograph shows a normal key (green); the bottom has been modified.

MODIFICATION OF THE ACTUATING LEVER AT THE FRONT OF THE KEYWAY

The actuating lever can also be modified by removing an equivalent amount of material, about 1/32″. When this occurs, the lock is set and can be opened by any key, simulated key, or screwdriver. Note the small amount of lever material (circled in red) that has been removed. This can be accomplished rapidly and will result in the lock being permanently set, requiring only a mechanical key to open.

ILOQ actuating lever showing the modification to permanently set this lock.


ASSA CLIQ®, MEDECO LOGIC®, and SECURITY ENGINEERING: A Failure of Imagination


The new Assa Solo was recently introduced in Europe and we believe is the latest Cliq design. We were provided with samples and were able to show a reporter for Wired’s Threat Level how to completely circumvent the electronic credentials in less than thirty seconds, which she easily accomplished. This is the latest and most current example of a failure in security engineering at Assa. The photograph has been edited to prevent visual decoding of the bitting in order to protect the dealer who supplied the lock to us.

We believe there have been multiple failures in security engineering by some of the world’s most respected lock manufacturers in their deployment of electro-mechanical lock technology. The potential vulnerabilities in these locks should cause every security officer and risk assessment team to re-evaluate their facilities, both for the risk of compromise and for their ability to meet statutory requirements such as Sarbanes-Oxley or HIPAA.

In response to demonstrations and our disclosures about the bypass of Assa Cliq locks at Defcon 17, the product development manager of Assa in the U.S. told Wired Magazine that “From what I know of the CLIQ technology it can’t be done,” … “And until I’ve seen it done, it can’t be done.”

We believe this statement typifies precisely the problem at Assa Abloy companies: a failure of imagination. It prompted our research and subsequent discovery of multiple vulnerabilities in Cliq, Logic, and NexGen locks. It is this attitude that will continue to allow us to break locks that are represented as the ultimate in security by these companies, and which often provide a false sense of security to the locksmiths and customers that rely upon these products.

Security is ultimately about liability, and such liability is about competent security engineering of locks by their designers. Lock manufacturers are very proficient at making locks work properly. That is what we refer to as mechanical engineering. Unfortunately, the engineering groups for some of the world’s most respected companies may not, in our opinion, have the requisite skills when it comes to security engineering (the design of locks and associated hardware to protect against different methods of bypass). In other words, sometimes they cannot figure out how to open their own locks without the correct key. This is a familiar theme that we have addressed previously, especially with regard to Medeco.

If these companies dispute our contention and claim that they in fact do have the experience in security engineering, then let them explain publicly how their locks can be opened with paper clips, wires, magnets, shock, vibration, and relatively simple tools. Did they design the locks with these attacks in mind, or do they simply not understand them? Either way, we think such lapses in security engineering are inexcusable, demonstrate incompetence, and should subject these companies to liability if they will not voluntarily and retroactively remedy such problems.

DefCon 17 was held in Las Vegas the first week in August. It is the largest security and hacking conference of its kind in the world. Some locksmiths still believe it is simply a gathering of criminals, and ALOA has labeled its attendees “persons of questionable character,” but such descriptions are inaccurate and ill-informed. In fact, the vast majority of participants are professional information technology and security specialists, government agents, law enforcement officers, and investigative teams. It is the best place to learn about the latest vulnerabilities in cyber systems and security hardware, including locks, and to network with other security professionals.

The world of physical security is rapidly changing and will be dominated by Information Security professionals because of the integration of electro-mechanical and electronic locking systems into an overall security plan, controlled by computer servers and multiple systems. If locksmiths do not become educated in both cyber and physical vulnerabilities, they will soon find themselves relegated to repairing mechanical systems, with an adverse impact on their revenue.

Since 2003, we have presented detailed information each year at DefCon about some aspect of locks and physical security, and 2009 was no exception. Tobias Bluzmanis and I (Matt Fiddler was taken ill just before the conference and could not attend) gave a detailed PowerPoint presentation on electronic access control systems. More specifically, we examined the Assa Abloy Cliq electro-mechanical locking technology and what we perceive as serious security engineering flaws in many of the locks produced by Assa Abloy companies, including Medeco, Mul-T-Lock, Ikon, and Assa.

We also think it is time to set the record straight and speak out against what, in our opinion, constitutes various grades of deficient, negligent, defective, or just plain incompetent security engineering in some of these products, and against the legal and security ramifications of such designs. We also want to clear the air about why we have refused to provide any information to any Assa Abloy company regarding our findings.

Background: 2007-2008 Research

During the past year, our team (myself, Tobias Bluzmanis, and Matthew Fiddler) has concentrated on an intensive research program that began after our book on Medeco was released in July 2008. We focused on electro-mechanical locks, because Medeco and other Assa Abloy companies are attempting to move their customers to this newer, more sophisticated, and vastly more expensive technology. So we took an in-depth look at it to see just how secure, or insecure, it really is.

Mechanical v. Security Engineering

We draw a distinction between mechanical and security engineering. Lock designs must incorporate both mechanical and security engineering. One without the other is dangerous, especially for high security locks and more to the point, electro-mechanical locks.

We have no qualms with the mechanical engineering of any of these locks. They all work, and they work well from an operational standpoint. Mechanical engineers go to school to learn how to make things work. Unfortunately, in my experience, most do not have a clue about security and how to break things, nor about even rudimentary rules of security design. I would urge any design engineer to read Ross Anderson’s book entitled “Security Engineering.” It is the classic text, in its second edition, with regard to systems design, and what can and WILL inevitably go wrong. Its lessons, although primarily focused on the cyber world, are equally applicable to physical hardware design, and especially the integration, which is occurring at an accelerated pace, of hardware and software for security solutions in locking and access control systems.

Our latest research, disclosed at DefCon 17, has yielded surprising results which document and spotlight what we feel are incredible lapses in security engineering. We believe that the design engineers at the Assa Abloy companies who have produced locks that we have evaluated either do not consider the vulnerabilities we identify as significant, or they have no idea what they are or their impact. The legal and ethical question is: to what extent is a company liable to the dealer or consumer for design deficiencies or defects that relate solely to security? This is a complex question, because mechanical and security engineering intersect in the finished product. Is a lock defective if it can be bypassed easily with simple techniques or tools? We believe the answer is yes. Should the manufacturer be liable for such lapses in security engineering? We also believe the answer is yes.

The affected lock manufacturers, which include Medeco, Mul-T-Lock, Assa, Ikon, and possibly some or all of the other Assa Abloy companies, as evidenced by the correspondence from their General Counsel in the United States, seem to believe that virtually all security defects arise from what I call the continuing “security wars” between manufacturers, criminals, hackers, locksmiths and others. So, as the logic continues, the manufacturer will, in time, cure the defect, but has no duty to retroactively fix anything it has already sold. At least, that is my understanding of their position, as repeated in several letters from Medeco, Mul-T-Lock, and Assa Abloy during the past year.

If we can follow their rationale, they believe that security engineering defects occur in the normal course of lock design and development, and that state-of-the-art attacks will be dealt with when they occur, and cannot be anticipated in advance. In the main, I cannot disagree with this logic at all, either from an engineering or legal perspective. What we do disagree with is the notion that a foreseeable security design defect or deficiency that should have been anticipated by those responsible for conceiving of and producing these locks should be treated in the same fashion. Such defects are, in my belief, legally actionable and should subject the manufacturer to liability by dealers and end-users if they do not voluntarily and retroactively remedy the problem at no expense to dealers or consumers.

Even more importantly, such design issues place the locksmith dealer in an untenable position, because they are the ones that are consulting, recommending, selling, and installing these products, and will be the likely defendants in any lawsuits that stem from the security compromise of the locks they sell. Many locksmiths do not have the time, and often the expertise to do their own research into potential security vulnerabilities, especially when their locks are rated by Underwriters Labs, Builders Hardware Manufacturers Association, or other rating organizations in Europe and elsewhere.

When a locksmith sells a cylinder like the Assa Cliq or Medeco Logic for more than six hundred dollars, I think it is fair to expect that such a lock has been thoroughly tested against different security threats. Both the locksmith and consumer have a right to rely upon such an implied representation of suitability for its intended purpose, which is security. Medeco has stated publicly that they rely on internal experts as well as UL and BHMA to determine vulnerabilities and whether their locks are compliant with the standards. Their answer sounds good, but its logic is fatally flawed, and they know it.

UL and BHMA are only allowed to test for certain vulnerabilities, which is precisely the problem with standards. They do not contemplate many methods of bypass, some quite elementary, and so to use them as the ultimate benchmark or authority as to security is not responsible and in our view, can be misleading and reckless. Few if any of the methods that we have disclosed to bypass Medeco, Assa, Ikon, or Mul-T-Lock are addressed in the standards, which is precisely why these companies must have competent security engineers involved in every phase of lock design and testing. Medeco, for example, claims that its locks meet or exceed all applicable high security standards. So what, if the locks can easily be opened by methods not contemplated within the standards?



We were able to simulate the mechanical bitting for Mul-T-Lock Cliq keys. This photograph shows the factory original key that opens the Mul-T-Lock Cliq, together with our simulated key, cut on a standard interactive blank that, according to Mul-T-Lock’s representations, should never open this cylinder. It does, with no electronic credentials whatsoever and no audit trail entry. See the quotes from their advertising below.


Mul-T-Lock, in its latest correspondence of July 30, 2009, stated that their warranty and liability would only extend to locks that are found to be defective “In normal use.” Well, at least that is what I think it said. You can judge for yourself, because in this case, it is unclear whether they will or will not stand behind their products and protect the locksmith and end-user if their locks are found “wanting” with regard to security. Based upon the statements of the General Counsel for Mul-T-Lock in Israel, reprinted below, my question to them and all other companies is quite simple: just what constitutes “normal use” and do you actually believe that you have no liability whatsoever if the lock can be opened with simple techniques, regardless of whether the attack is by insiders or outsiders, and with or without advanced intelligence?

Specifically, do you believe that any bypass techniques that allow your locks to be opened should not be covered by your warranty, or that you are not responsible to fix, repair, or replace such deficiencies? Do you not think that the primary purpose of high security locks is to resist attack, as you have stated in prior correspondence to me? Do you not believe, to put it very bluntly, that locks are designed to be screwed with, attacked, and tampered with, and that their primary purpose is to resist multiple and different methods of attack?

It would appear that these companies believe that they have no responsibility to retroactively fix anything dealing with security. Yes, they may make changes going forward, and will be glad to sell their customers new locks (and make more money by selling the lock again that should have been designed properly in the first place). But what about all those customers that spent $600 or more for each Cliq or Logic cylinder, and it can be shown to be easily bypassed or set so virtually anyone with the properly bitted (or synthesized) key can open the lock, with or without an audit trail? As Medeco so arrogantly stated in the Slate.com article, “when you buy a Medeco lock, you are not buying a [magazine] subscription.” And what about the locksmiths and dealers that have to answer to their customers? Should they be liable to repair or replace locks with significant security defects, or should they have to tell their customers to throw them away and buy new ones! We don’t think so.

Liability and Security Engineering

The concept of liability, as it applies to locks, is about the requirement that manufacturers disclose to their dealers and end-users any security flaws or potential vulnerabilities that they know of, or become aware of. It should follow that a manufacturer should immediately notify its dealers and stop selling locks that it knows, or has reason to believe, have significant vulnerabilities that could be exploited by criminals, terrorists, foreign intelligence agencies, or others who would cause harm by exploiting such weaknesses. Similarly, we think that a manufacturer has a duty to understand, find, and remedy non-state-of-the-art vulnerabilities before it releases a product.

We believe that a failure to adhere to this policy constitutes what we call “irresponsible non-disclosure.” It is precisely what occurred, repeatedly, at Medeco with regard to the deadbolt design that we exposed in 2007. They fixed the problem twice, but they never told their dealers to stop selling the locks we had demonstrated were defective. Nor did they tell their customers that it was a potential threat, as evidenced by several interviews that we conducted and documented with senior customer service technicians at Medeco in 2007. Nor have they ever admitted the problems with bumping, picking, and the ability to compromise their locks through the use of any key within a system that contains the same sidebar code. It is my opinion that they have intentionally misled their dealers and customers with regard to the security vulnerabilities that exist in their locks.
We also believe that a manufacturer should repair or replace locks that they have sold and which contain serious security deficiencies, and they should do so at their expense. Such design deficiencies should not result in the locksmith or end-user being required to purchase new and upgraded locks. Unfortunately, it appears that Assa Abloy, as one of the world’s largest lock conglomerates, and at least some of its companies do not share in this philosophy, as they have so eloquently noted in correspondence and public statements, noted at the end of this article.

Rather, it appears that they believe that lock exploits, such as we have disclosed at DefCon during the past five years, are inherent in the natural progression of lock design and engineering, and that a manufacturer is not liable, either legally or ethically, to fix or replace such defects retroactively. While I believe this is a nice legal theory which has been put forth by the General Counsel for Assa Abloy in the United States, we think it is only partially true, and not responsible. While we concur that new, state-of-the-art attacks that were unknown when a lock was designed and manufactured generally do not subject the manufacturer to liability, I would submit that the result is and should be quite different when the security vulnerability could and should have been discovered by competent engineers that are responsible for security engineering of a product. Example: a design defect that allows a paper clip to bypass the entire audit control feature and credentials security for a Mul-T-Lock or Assa Cliq, or a two-dollar screwdriver to bypass a Medeco deadbolt mortise cylinder.

Electro-Mechanical Lock Design and Cliq Technology

Many lock manufacturers have been touting the advantages of electro-mechanical and electronic access control systems. There is no question that, if properly designed, they can offer the end-user an incredible array of options. The advantages of electronic credentials are obvious, but again, only if the security engineering has been done competently. Otherwise, these locks can create, in my opinion, huge security and liability issues for the manufacturer, dealers, and end-users.

Cliq technology was developed and introduced about 2002. It appears that the system was initially introduced by Ikon, and then adopted by many of the Assa Abloy companies. The core technology consists of a key that contains mechanical bitting and a processor and battery, which communicates with the microprocessor and sidebar-control motor within the lock. When the proper mechanical and electronic credentials are simultaneously presented to the lock, an internal motor is activated, a rotor turns, and a sidebar is allowed to be pushed into the plug. If the key is properly bitted, then the lock can open.

Each lock and key maintains an audit trail of each access or access attempt. This data can be retrieved by a special programming tool and uploaded into a computer for review. Any key in the system can be added or deleted for any lock.
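As an added illustration of the two-credential design and the audit trail described in the preceding paragraphs, here is a small model written for this page. It is not code from Assa Abloy, Cliq, or any lock product; the Key and Cylinder classes, the bittings, the key IDs, and the scenario are all constructed, and the "set" condition that neutralizes the electronic element (which the article reports for certain cylinders) is represented only as a state flag, not as a technique. The point it makes is that the audit trail records only what the electronic element sees, so once the blocking element is out of the path, successful openings leave no trace.

```python
# Constructed model of a dual-credential (mechanical + electronic) cylinder
# with an audit trail. Not Cliq firmware; all values below are made up.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Bitting = Tuple[int, ...]


@dataclass(frozen=True)
class Key:
    bitting: Bitting          # mechanical cut depths along the blade
    key_id: Optional[str]     # electronic ID in the key head; None for a plain cut blank


@dataclass
class Cylinder:
    bitting: Bitting
    authorized_ids: Set[str]
    audit: List[Tuple[Optional[str], str]] = field(default_factory=list)
    # State of the electronic blocking element. Normally the motor releases it
    # only after a successful ID check. Modelling assumption: once "set" it
    # stays released and the electronics are no longer in the opening path.
    sidebar_released: bool = False

    def _mechanical_ok(self, key: Key) -> bool:
        return key.bitting == self.bitting

    def _electronic_ok(self, key: Key) -> bool:
        # Only reached when a powered key head is present to talk to the lock.
        ok = key.key_id in self.authorized_ids
        self.audit.append((key.key_id, "granted" if ok else "denied"))
        return ok

    def try_open(self, key: Key) -> bool:
        if not self._mechanical_ok(key):
            return False              # wrong bitting: pins never set, nothing to log
        if self.sidebar_released:
            return True               # blocking element already out of the way: no check, no log
        if key.key_id is None:
            return False              # cut blank with no electronics: sidebar stays blocked
        return self._electronic_ok(key)


def run_scenario() -> dict:
    """Issue a key, revoke it, try a simulated blank, then set the cylinder.

    Returns what an auditor would see next to what actually happened."""
    cut = (3, 5, 2, 6, 4, 1)                              # constructed bitting
    lock = Cylinder(bitting=cut, authorized_ids={"K-0001"})
    issued = Key(cut, "K-0001")                           # the key as issued
    blank = Key(cut, None)                                # blank cut to the decoded bitting

    opened = []
    opened.append(lock.try_open(issued))      # True, logged as granted
    lock.authorized_ids.discard("K-0001")     # key reported lost: revoked in this cylinder
    opened.append(lock.try_open(issued))      # False, logged as denied
    opened.append(lock.try_open(blank))       # False: right bitting, no credential, nothing logged

    lock.sidebar_released = True              # cylinder "set" (the bypass itself is not modelled)
    opened.append(lock.try_open(blank))       # True, and the audit trail is silent
    opened.append(lock.try_open(issued))      # True even for the revoked key, still silent

    successful = opened.count(True)
    logged_grants = sum(1 for _, verdict in lock.audit if verdict == "granted")
    return {
        "opens": opened,
        "audit": list(lock.audit),
        "unlogged_opens": successful - logged_grants,
    }


if __name__ == "__main__":
    result = run_scenario()
    print("opens:", result["opens"])
    print("audit:", result["audit"])
    print("successful opens with no audit entry:", result["unlogged_opens"])
```

Reading the result: three openings succeed, the audit trail holds one grant and one denial, so two openings (both after the cylinder is set, one of them with a revoked key) are invisible to anyone reviewing the trail. The design lesson is that an audit trail only covers paths that pass through the component that writes it; a lock whose blocking element can be taken out of that path has no audit trail in any meaningful sense.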

A macro photograph showing how the Mul-T-Lock Cliq mechanical bitting can be easily simulated with a specially prepared blank with a plastic insert.

Assa Abloy companies are representing this technology as highly secure, and the “ultimate security solution.” Mul-T-Lock states in its advertising video, which they refused to allow us to show the attendees at DefCon, (claiming it would violate their intellectual property rights, notwithstanding it is on the Internet) “Where security is an issue, compromise is simply not an option.”

Medeco claims in its advertising that its Logic provides “superior protection against unauthorized key copying.”

Mul-T-Lock also says, “In a world increasingly challenged by mounting security threats, the need for comprehensive locking systems has become an essential requirement in virtually every conceivable market sector.” “Each interactive Cliq key contains a unique electronic ID code. It is designated for one individual only, and cannot be duplicated, altered, or corrupted.”

“If the key is not authorized, the mechanical element in the locking system will simply remain locked.”
“Interactive Cliq: unprecedented benefits. The dual patent-protected technologies employed in interactive Cliq represent a truly successful marriage of electrical and mechanical locking systems offering a double layer of impenetrable security.”

“Audit trail control is an absolute necessity if you hope to keep tabs on the efficacy of your locking network…. Interactive Cliq’s control key enables you to easily access precise data from every cylinder in your facility…each key is designated for use by one individual only. If the key is lost, it is simply made obsolete…This enables total control of every key issued to personnel. “

“Interactive Cliq: launching electro-mechanical locking systems to the ultimate level of security.”
We believe such claims are false and misleading and publicly challenge any Assa Abloy company that is making such claims to dispute our findings. We demonstrated that each claim is only partially true, and we believe leaves a false impression with the consumer.

Cliq Technology and Security Engineering

So now we answer our own question: why haven’t we offered to share our research with Medeco, Mul-T-Lock, Ikon, and Assa, with regard to our ability to bypass their Cliq and Logic cylinders by various techniques? The fact is, we offered to do just that. Not once, but many times, but with the following requirements: (1) that the companies would provide us with current lock samples to confirm our research findings, (2) that we would refrain from publishing any information in order that they might confirm and fix the security engineering defects we identify, and (3) we would require that once they confirm the defects, they repair or replace, at their own expense, every lock they have sold to their dealers and end-users that contains the design defects.

And what was the response from Assa Abloy, Medeco, and Mul-T-Lock?

First, they never addressed the issue of supplying samples. Ever. In fact, when I was at the Mul-T-Lock factory in October, 2008, they said they did not have any Cliq locks. End of discussion!

As to agreeing to retroactively fix or replace locks that had security defects, they said that was not going to happen and was unreasonable to require as a precondition for our cooperation.

Finally, they advised that only their internal experts and UL and BHMA were allowed to test their locks. And they said they were not responsible for security defects, because, you know, this is an ongoing issue in lock manufacturing, and, well, nobody really retroactively fixes locks.

This is not quite true. Several companies, both in the U.S. and Europe have done precisely that, and at great cost to themselves. It is the responsible way to do business as a lock manufacturer.

Cliq Technology: What we did and Why it is a Problem

Cliq locks are employed in commercial, government, and residential applications. They are relied upon to protect critical infrastructure and to comply with statutory requirements involving financial institutions, airports, railway, and power generation facilities. If you are a dealer or end-user, you need to understand that we identified several significant vulnerabilities in Cliq and Logic locks which could adversely impact security.

Potential Security Vulnerabilities

Our research allows us to bypass the security of some Cliq and Logic cylinders to accomplish the following:

Simulate the mechanical portion of the key for Medeco Logic, Assa and Mul-T-Lock Cliq, and Ikon Verso. Plastic keys can be utilized for the Assa Twin and their latest lock, the Solo, which was just released in Europe. Blanks can be modified to simulate Mul-T-Lock keys and allow any number of special blanks to be cut to any bitting;

Utilize a discarded, stolen, or lost key from an Ikon system to compromise other locks in that system, as well as cylinders within a Medeco Logic system, and in similar fashion, to utilize a key from a Medeco Logic system to compromise an Ikon Cliq system;

Change the bitting on a key for an Ikon Cliq or Medeco Logic system to activate the mechanical bitting portion of other systems;

Allow the use of standard Mul-T-Lock non-interactive blanks to open Mul-T-Lock Cliq, because the interactive element is not operable and the mechanical security of the lock is reduced;

Simulate and bypass the electronic credentials for each of the locks listed above;

Trivially bypass the audit trail for each of the locks so that the use of a key is not logged;

Bump open certain of these locks;

Allow an employee to easily bypass a cylinder so that it will accept a key with any credentials. This can occur in certain Mul-T-Lock and Assa versions of Cliq.

We have posted an edited video showing different versions of the Medeco Logic, Assa Cliq, Ikon Cliq, and Mul-T-Lock Cliq being compromised by different attacks. The video does not show the precise techniques to open the locks for obvious reasons. We are sharing that data with affected government agencies and critical customers who are using these locks.

Each of our attacks requires access, at least briefly, to a properly bitted key, although once the bitting is known we have been able to simulate the mechanical portion of the key for all of these locks. Admittedly, that is a precondition. However, in many applications, especially government and commercial, a greater threat level exists and is to be expected, and the majority of attacks are likely to originate from within an organization, with the cooperation of an employee, or from a person who already has access.

Summary

Lock manufacturers and consumers appear to believe that just because electronic credentials are utilized to open locks, that somehow these locks are inherently more secure. The problem, in our view, is that everyone has forgotten basic security engineering principles: these are still mechanical locks. Although they may employ the additional security layer with the use of electronic credentials, they are still just mechanical locks that rely on moving components to allow them to open.

In our opinion, it is clear that the engineers at Medeco, Mul-T-Lock, Ikon, and Assa have ignored basic security engineering principles, are ignorant of them, or do not understand the potential for compromise of their locks. They clearly have a failure of imagination when it comes to lock design and testing.

While each of these locks is very clever and sophisticated in design, and clearly integrates mechanical and electronic locking systems to a new level, there are, in our opinion, serious deficiencies in each of these technologies that could result in theft, sabotage, vandalism, compromise of critical information, and even loss of life. For that reason, the industry should re-evaluate the efficacy and design of any electronic cylinder and make certain that the essential and critical components of such systems are secure against different methods of attack. While Cliq and other technologies offer the end-user incredible advantages and options, they are also a prescription for disaster if they are compromised.

We believe these companies should remedy the design issues that we have identified and which will allow their locks to be compromised, and that they should do so retroactively and at their own expense. As a dealer or end-user, we would encourage you to contact the manufacturer and demand to know the following information:

What version of locks do you have installed at your facility, and have they recently been upgraded? We just learned that Mul-T-Lock will be, for at least the fourth time, revising the design of their Cliq. Ask them if the upgrades have been implemented into any new locks that your company is receiving;

What security vulnerabilities have been identified that would allow these locks to be compromised?

What remedies have been taken by the manufacturer to cure the defects?

What does the manufacturer intend to do to ensure the security of presently installed cylinders?

How long has the manufacturer been aware of specific methods of bypass of their Cliq or Logic cylinders?

Have the manufacturers notified any dealer, end-user, or government agency with regard to known or potential security vulnerabilities of Cliq or Logic systems?

Has the manufacturer advised their dealers and end-users that in certain keyed-alike systems, the compromise of one key can render the entire facility vulnerable, which would require a replacement of every cylinder in the system?

If you are a dealer or end-user of Cliq or Logic locks, you may contact our office for further information as to the security deficiencies of these locks, possible statutory ramifications for non-compliance, and your legal rights with regard to locks that you have purchased and which have been found to be easily bypassed.

DISCLAIMERS

We have tested a limited number of Assa, Mul-T-Lock, Ikon, and Medeco electro-mechanical locks. One or more of these companies may have remedied certain design issues that we have identified in different versions or generations of locks. Each individual customer should determine specific vulnerabilities for the version and brand of lock that they have in service.

QUOTES FROM CORRESPONDENCE THAT WE RECEIVED IN THE PAST YEAR

MUL-T-LOCK GENERAL COUNSEL
“You have misrepresented that Mul-T-Lock’s policy is not to consider replacing or repairing a product which proves to be defective in normal use. This is a gross misrepresentation and not true.”
(7/31/2009)

ASSA ABLOY GENERAL COUNSEL
“All of your accusations and unreasonable demands seem to stem from your mistaken or feigned belief that because a product may under certain limited circumstances be susceptible to a new form of attack, it is somehow rendered “defective.””
(5/15/2009)

® Cliq, Logic, Keymark, and Nexgen are registered trademarks of Assa Abloy companies.


PART II: RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE

PART II: LOCKS AND THE CONCEPT OF RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE
© 2008 Marc Weber Tobias
mwtobias@security.org

You may download Part I and Part II in pdf format.

This is Part II of an editorial that was prompted by the open letter in the May, 2008 issue of NDE magazine by Peter Field.

Introduction
According to Peter Field, Medeco has now embraced and enlisted the support of the Locksport community. He cites their adherence to the concept of Responsible Disclosure as the principal reason for this apparent shift in attitude by the leading high security lock manufacturer in the United States.

In Part I, I examined the possible rationale behind this decision, and suggested that it was not done for purely altruistic motives. Jon King developed a wire pick and decoder to manipulate Medeco pins and open some of their locks. The public disclosure of this tool would constitute yet another attack on the “virtually resistant” security of Medeco locks. I believe the company decided to use this event as an opportunity to possibly re-introduce the implementation of special security pins (ARX) to prevent picking, decoding, and other forms of attack. They have been aware of these techniques for at least fifteen years, but the techniques have become timely and more relevant because of the Medecoder, as well as the release of our new book.

ARX PINS: Background

ARX pins, as I noted in Part I, were developed and introduced more than fifteen years ago, in response to a very sophisticated decoder that John Falle made available to government agencies. It used a fine wire to probe the channel at the base of each bottom pin. We believe that Medeco will be implementing certain changes in their locks to combat the Medecoder. It would be most logical that they begin using a form of ARX in their standard production line to accomplish this, because of the way in which the pick tool works, and their limited options to deal with this vulnerability.

If, in fact, Medeco supplies ARX pins, or a modified version, as standard in their cylinders, there are three important questions that need to be asked. First, why have they waited for fifteen years to do this? Second, will the pins make the locks secure against the Jon King attack, and more importantly, against the techniques we describe in our new book? Third, and perhaps most relevant, are they going to retrofit older locks to this “new” level of security, and if so, who is going to pay for it?

It is all about Cost

As to the first and second questions, I would submit that it is all about cost. Until now, Medeco did not believe they had to supply these pins, other than to customers with special needs, who were willing to pay extra for them. These pins are expensive to manufacture. In fact, Medeco management wanted to drop the ARX pin from production, but was wisely convinced by senior technical staff not to do so. The high security lock market is very competitive, so added manufacturing cost will likely be passed on to the consumer. Customers have many choices, and they may decide that other equivalent locks will meet their needs as well as Medeco. So, if the company chooses to implement these pins as their response to the Medecoder, why did they do so at this time?

The answer, I believe, is quite simple. The company is under attack from many quarters. Jon King is only the latest. More and more information is appearing on the Internet and other sources with regard to bypass techniques. So, Medeco needed to do something when Jon contacted them. I believe they used this opportunity to try to address not only the King attack, but the multiple bypass techniques that we developed and which may pose a far greater threat to Medeco. This may be especially true with regard to certain U.S. and foreign government contracts, and their specific requirements with regard to resistance against forced as well as covert and surreptitious entry.

If they do implement the ARX pin, or a pin that blocks access to the true gate channel at the tip of the pin, they will succeed in stopping the attack by the Medecoder. However, everyone should understand that the ARX pin may not be effective in stopping other attacks, including bumping and picking when using code setting keys.

The problem, as we discuss in the book, is that the ARX pin can provide positive feedback that will allow the lock to be opened, once the sidebar code has been set. This is the reason that we filed for a patent for the development of a pin to deter the very same bypass methods that we developed. We now can repeatedly demonstrate the vulnerability of these pins to bumping and picking attacks. Some locks with multiple ARX pins and varying depth increments can be reliably opened in as little time as thirty seconds. Sound impossible? We have already demonstrated certain bypass techniques for ARX pins to representatives of some U.S. and foreign government agencies.

Maybe the current Medeco description for their security, of “virtually resistant,” actually defines the opposite of what this meaningless phrase connotes: virtually not resistant to attack!

Responsible Disclosure v. Irresponsible Non-Disclosure

The third question (fixing installed products) is perhaps the most important, and relates to the concept of responsible disclosure and the counterpart to that, which we identify as Irresponsible Non-Disclosure.

I would submit that the concept of Responsible Disclosure, with regard to a manufacturer, is not quite the same in the world of mechanical locks as it is in the cyber world, when a serious software flaw is discovered. A security vulnerability in software can be instantly “patched” without any direct material cost or requirement to take apart the affected computer. This is not the case with mechanical hardware.

For locks, it depends upon a number of factors as to whether it even applies, and how. I believe there are two scenarios that must be considered. The first is the discovery of a flaw prior to or a very short time after the introduction of a new lock or design. The other is a vulnerability that has existed for some time, and is present in a significant embedded base of locks that have already been sold and installed.

In my view, the real discussion should focus on full disclosure to the public. The relevant question is when they should be warned that a vulnerability exists, and the extent of that vulnerability. Peter clearly linked the concept of responsible disclosure with the fact that Jon King came to Medeco with his specialized bypass tool prior to making it available to the public. It apparently is this rationale that prompted Medeco to recognize the Locksport community and work with them, rather than simply acknowledging the contributions they have been making for quite some time in finding flaws in locks.

The clear inference is that the King attack was a new threat and that he and the Locksport community acted responsibly by (1) disclosing the issue to Medeco, and (2) waiting to publish full details or offering the tool for sale until Medeco could take remedial action to protect everyone with Medeco locks. So I repeat my initial question: where has Medeco been for at least the past fifteen years with regard to this vulnerability, unless they claim it never existed before?

I agree that once a vulnerability is found in a new lock design, prior to, or just after its introduction, the manufacturer should be notified and given time to effect a remedy before its publication or the sale of bypass tools to exploit the flaw. This can be easily accomplished with the execution of a mutual non-disclosure agreement between those that found the problem, and the manufacturer. Then, everyone is protected.

A defect in a new lock does not affect the consumer because there is no significant implementation of the lock with the vulnerability. This is vastly different than discovering a problem with locks that are currently installed, especially if the manufacturer enjoys a significant market penetration for its products, as does Medeco.

The second scenario is a bit more complicated and subtle, and involves the disclosure of a flaw or vulnerability in locks that are presently installed. The relevant issue has little to do with notification of the manufacturer of such a problem, other than for allowing them to fix it, going forward. In this event, I think that the public has a right to know precisely what the problem is, so they can make their own assessment of its seriousness. If the vulnerability currently exists in their installed base, it matters little whether the manufacturer is notified or not, unless the manufacturer is willing to fix the problem at the dealer and consumer level. The end-user can decide to accept the risk, or take some action, such as attempting to remedy the threat, or replacing the locks. And herein lies the crux of the problem: who is responsible for the costs in such event?

I do not believe that the notion of Responsible Disclosure applies in this instance, but that such a concept is really a legal dodge by the manufacturer to shield themselves from liability, rather than protecting the consumer. In the end analysis, it is all about money and liability. Manufacturers will claim that “new methods of bypass” are always discovered. In such event, a fix is implemented, but the lock maker claims no responsibility to retroactively remedy the problem. Their typical answer: either don’t admit the problem, or tell the consumer to buy new locks. Rarely will they bear the cost associated with a recall or other remedy because such costs could be prohibitive.

In this event, both the dealer and consumer may be left without a remedy, and even worse, may be vulnerable to a breach in security. Is the dealer supposed to continue to sell deficient or defective locks to their customers until they deplete current stock? Will the manufacturer tell the dealer of security flaws? These questions can also present serious liability issues for dealers, which most manufacturers would rather not address.

Some may argue with a philosophy of full disclosure, but once locks are pinned and installed, they are quite different than software. They can be fixed prospectively, but not retroactively without expense. So not publishing a vulnerability will not help the consumer, unless the manufacturer recalls every lock with the deficiency or defect, and fixes it. And even if a manufacturer were to agree to remedy a defect in every lock they have sold, it would be impossible to do so without notifying the affected consumers. In that event, everyone would know about the problem anyway. So we have returned to where we began: full disclosure so everyone is alerted to the security issue.

There are very few manufacturers that will admit publicly there is a problem. It has far more to do with their potential exposure than it does with their fear of “educating criminals.” So, manufacturers use language like “incremental improvements” or “enhancements” to cover what they may perceive as design defects that could result in liability. There is no doubt that every lock manufacturer wishes to produce locks that cannot be bypassed. And when they discover problems, they will usually make those “incremental improvements” to deal with these issues to protect themselves and their customers. But again, this has nothing to do with locks they have already sold.

Medeco alludes to the fact that they will be sending out letters to all of their dealers and customers, once their “enhancement” is implemented with regard to the Medecoder. Will they claim that a “new” vulnerability has been “discovered” which, they may suggest, requires the implementation of ARX pins or other changes? If that is the case, then we would expect Medeco to pay all costs associated with the repinning of all locks so affected, because it definitely is not a new threat. Otherwise, it becomes a marketing ploy to sell more products, based upon a new version of an old bypass technique.

I would submit that there is another side of Responsible Disclosure, and that is the immediate duty of a lock manufacturer to advise their dealers and customers of vulnerabilities that can directly affect their liability, safety, and security. If Medeco is “in business to protect people and property, and not to compromise their security,” then one would expect them to immediately notify their customers when they are aware of a serious risk that could affect many customers, especially those that have purchased their locks to protect high value targets and critical infrastructure. The failure to do so, in my view, constitutes Irresponsible Non-Disclosure, and can have significant legal and ethical consequences.

The Medeco Deadbolt: A Classic Example

Last summer, we disclosed a serious vulnerability in Medeco deadbolts. We did not tell the public the precise method to open these locks, but did issue a detailed report to the security community. We notified Medeco almost three months prior to the release of our report that there was a serious problem with their lock design. They never asked what that problem was.

When we disclosed the problem (but not the details) at Defcon last August, Medeco then implemented certain fixes to make their locks more secure. According to several dealers, they never told anyone what the nature of the problem was, or why certain “incremental improvements” were made. Their customer service representatives downplayed the issue and stated there was no real security threat. They said that Medeco had made certain “enhancements” to fix a problem that did not exist, because they were the leaders in the market, and then had the temerity to state that now they were the only one in the industry that did not have this “problem.”

We detail this issue in our book, because the flip side of responsible disclosure is the responsibility of lock manufacturers to tell the truth to all who rely upon both their expertise in lock design and in their integrity to do so. The fundamental question is whether the end-user has a right to know the precise nature of a vulnerability. Consider the alternatives: perhaps they should be told that there is a problem, but not what it is. Or, maybe they should be told nothing at all, adhering to the old concept of Security by Obscurity. Neither of these alternatives, in my view, is acceptable, either from an ethical or legal standpoint.

Unfortunately, in our world of instant communications and the Internet, simply advising that there may be a problem will likely prompt a discovery and full disclosure of that problem in a very short period of time. So, why not properly advise everyone at the outset, unless the issues can impact upon national security? I find it rather disingenuous of Medeco to use the Medecoder as their rationale for embracing the Locksport community. While I applaud their decision, they should be forthright in their disclosure of multiple vulnerabilities in their locks, not only from the Medecoder, but to other forms of attack. Telling a customer the truth is always the best policy. Half-truths, innuendo, and misrepresentations will ultimately backfire and will lead to mistrust, placing consumers in jeopardy, and liability upon the part of the manufacturer.

While the company may effectively prevent the Jon King tool from being used in picking attacks, by the introduction of ARX pins or similar measures, there are other techniques, both old and new, that can completely compromise the security of these locks. Medeco is fully aware of these issues, and has chosen to artfully dodge them by denials and half-truths, by misleading advertising, by being less than candid in admitting to potential security vulnerabilities, and engaging in a disinformation campaign aimed at those that have dared to publish information about bumping and picking their high security cylinders.

We will squarely address these issues at Defcon, beginning with their attempt to retroactively alter their prior statements and press releases. These issues are fully documented in our book.

We will also specifically address and present information with regard to what we perceive as other very serious vulnerabilities that exist in Medeco locks, which have been discovered as a result of our research. Medeco was supplied with this information months ago. They should publicly address the ability to bypass their forty-year old technology by bumping, picking, forced entry attacks, and the compromise of their key control. Their customers deserve to know and understand how these locks can be compromised, especially when they are used to protect high value targets and critical infrastructure. To do less, in my view, constitutes Irresponsible Non-Disclosure upon their part.

As we have done for the past three years, we again invite representatives of Medeco to take part in our presentation at Defcon 16, and to set the record straight, from their perspective, as to the security or insecurity of their locks. It would be a perfect forum for them to address specific issues that relate to key control, forced entry, and surreptitious entry of their various products, and to explain exactly what the term “virtually resistant” really means, and how they intend to make their locks more secure against the Medecoder and more sophisticated forms of bypass that use code setting keys.


PART I: MEDECO EMBRACES THE LOCKSPORT COMMUNITY: Analysis and Response to NDE article #3, May, 2008

Part I
© 2008 Marc Weber Tobias

I read with interest the May, 2008, edition of Non-Destructive Entry Magazine (#3). What immediately caught my attention was the emphasis on Medeco locks, and an open letter from the company, written by Peter Field. The article addresses two primary issues: the recognition of Locksport contribution to security, and the fact that Medeco is taking steps to correct what they evidently perceive as a “new” vulnerability in their locks, occasioned by the development of a picking tool by Jon King.

I have known Peter for a long time, and from my perspective, he is one of the brightest engineers on the planet, with regard to lock design and innovation. He has been the chief architect of Medeco products almost forever, and the company has flourished because of his talents, insight, and creativity.

For many years, I have consulted with lock manufacturers in the United States and Europe with regard to the analysis of bypass techniques for their locks, and how to prevent or deter such attacks. This is often a complex problem, involving technical, legal and ethical issues. As a lawyer, I have advised clients as to how to protect them from liability for deficient and defective lock designs, and related corporate policies. Specifically relevant to the NDE article and the concept of responsible disclosure, I have counseled that my clients adopt a policy of full disclosure about vulnerabilities unless the release of such information would impact national security. Many have subscribed to this philosophy.

Four years ago, I began speaking publicly about the need for the lock industry to embrace, listen to, and exploit the talents of Locksport members. ALOA referred to them as hackers, criminals, persons of questionable character, and other derogatory and mostly uninformed and inaccurate descriptions. The HOPE 2006 conference that Schuyler Towne refers to was one of the hacker forums wherein Matt Fiddler and I specifically addressed this issue. In 2004 at HOPE, we did the same thing, and solicited feedback from the participants of the conference with regard to cooperation between the hacker community, manufacturers, and law enforcement. The response in 2004 and 2006 was mainly positive, but went largely ignored by manufacturers.

This prompted ALOA to advise me that I had violated their Code of Ethics, which forbids associating with “persons of questionable character.” They were referring specifically to the attendees at HOPE, which included representatives of federal law enforcement agencies, the Department of Defense, and other security professionals.

They sent the message that if I spoke at any more conferences, I would no longer be a member of ALOA. I appealed their ruling, and they never responded. I am still a member, and have been so for more than fifteen years. And I have continued to support Locksport groups in the media and lectures, and have repeatedly advocated full disclosure upon the part of lock manufacturers as the best means to insure the security of the public and improve the quality of products. As Schuyler aptly points out, Security by Obscurity does not work, and is an inherently flawed premise. There are no more secrets: the Internet and the instant proliferation of information are responsible for that fact. Some in the locksmith community still will not accept this fact, nor will they accept the premise that the consumer has a right to know and understand security vulnerabilities in the locks that they purchase and rely on to protect them.

When Barry Wels and I gave our presentation at HOPE in 2006, and then Matt Fiddler and I spoke at Defcon the following month, we all introduced bumping to the American consumer. That, as everyone knows, caused an instant furor. The public was concerned, the locksmiths were dismayed, and ALOA was furious. That organization made their views known in an editorial in August, 2006, to which I responded. Those editorials can be found on my blog at http://in.security.org.

As an aside, now that Medeco has recognized the Locksport community, I am wondering if the fundamental thinking by ALOA will change. Will the trade organization and its members now agree with one of their major supporters (Medeco) and acknowledge the Locksport community and the valuable contributions they can offer?

Schuyler Towne and Peter Field are quite correct in what they wrote in NDE: the issue is responsible disclosure. But I would submit that this concept is different in the world of physical security, than it is in the cyber world. That principle has always guided how and when I have written about security vulnerabilities in locks and related hardware. But there are variables and distinguishing issues that exist with regard to deficiencies or defects in locks, in comparison to bugs or vulnerabilities in software code. As a lawyer and technician, I may have a different and broader perspective with regard to such issues, and the legal and moral right of the public to understand vulnerabilities that can directly impact their lives and property.

Based upon Peter’s open letter, it would appear that Medeco has now embraced working with the Locksport community. As we noted in our book, it is actually not the first time they have done so. I laud them for publicly adopting this policy, but in my view, such a decision does not stem entirely from altruistic motives.

Medeco is well aware that their locks are vulnerable to attack by many different techniques, including bumping, picking, decoding, and the compromise of their key control. Just look at how Medeco has modified their disclaimers in the past eighteen months with regard to bumping and picking. They have gone from “bump proof” to “virtually bump proof” to “virtually resistant.” We documented how they subtly changed their advertising and retroactively altered their press releases because they knew their locks were vulnerable. The real question is whether this knowledge translated into what I would refer to as the other side of Responsible Disclosure. Did they notify their dealers or customers, especially those in the federal or state government, of such vulnerabilities? The answer, from our investigation, is no.

For the past eighteen months, my associates and I have been involved in a detailed and comprehensive research project to develop entirely new methods of forced, covert, and surreptitious entry for the Biaxial and m3 cylinders. The result of that research, and every detail along the way, has been provided to Medeco (other than copies of our three separate patent filings). This “full disclosure” has taken the form of video, locks, keys, code tables, diagrams, charts, and demonstrations at the factory and in the field to management at Medeco. We even provided an advance copy of our book at least four months ago for their engineers and counsel to review. We repeatedly encouraged them to seek an injunction to block publication, or to have the government classify the information, if they believed that it would be contrary to national security.

Of even more interest is the inference that Medeco was unaware of this “new” method of compromise that Jon King developed to pick their cylinders. I had a long discussion with Jon last month with regard to his decoder and technique. I credit him with being very creative in solving the problem of how to control and manipulate the chisel-point pins within a Medeco cylinder. This allows them to be rotated in order to align the sidebar leg to the true gate channel. It is a clever solution to a forty year old problem. But it is not unique, and Medeco knows it.

There have been several variations of tools for decoding and manipulating Medeco pins that have been patented or available to government agencies. Jon just made it a lot simpler to accomplish. According to Medeco, its use can potentially affect perhaps twenty percent of their locks. So, Medeco used the NDE forum to announce that they would be improving the security against picking, for locks that they have been advertising as “virtually resistant” to such attack!

In 1976, the company sued Lock Technology Company to stop them from producing a pick tool and technique to reproduce Medeco keys. Medeco lost this lawsuit, although most in the industry believe they won it. In 1994, the company, in response to the development of another decoding tool that was produced by John Falle in England, introduced the ARX pin. ARX is an acronym for Attack Resistance Xtended. The Lock Technology case and the development of the ARX pin are significant because they both relate to security vulnerabilities in Medeco locks that stem from the ability to probe and manipulate the bottom pins by using the true gate channel. This is the same method of attack that Jon is employing to feel-pick these locks.

This specially-designed ARX bottom pin was designed to prevent John Falle and others from decoding the true gate channel by probing the tip of the bottom pin with a fine wire. The government and some commercial customers employ these pins to add another layer of resistance against picking and decoding. As we have documented, they are only partially effective in preventing certain methods of bypass that we discuss in our book.

So for Medeco to now claim that they are making incremental improvements to their locks to protect against this “new” threat is not quite the full story. We believe that Medeco will shortly announce the implementation of the ARX pin for all of its m3 cylinders in an attempt to prevent the use of the bypass methods developed by Jon, and those that are disclosed in our new book.

If Medeco claims that they were not aware of the method to pick their locks that Jon King developed, then I would suggest that you read the Lock Technology patents and other prior art and draw your own conclusions. If they in fact implement ARX pins in all of their cylinders, then they are doing so fifteen years after the fact. The significant question is why and why now?

Peter talks about standards. As we note in our book, we believe that the standards, those enumerated in UL 437 and BHMA/ANSI 156.30, are precisely the problem. In our detailed analysis, we talk about why we feel that these standards do not go far enough in protecting high value targets or critical infrastructure.

Manufacturers, such as Medeco, tout these standards as an assurance that their locks are secure against defined threats, especially for high security applications. “Defined” is the operative word, because the standards do not protect against many threats that can allow Medeco and other high security cylinders to be opened in seconds. They only protect against “defined” standards that do not contemplate many forms of attack.

For those of you that may be unaware of BHMA/ANSI 156.30, this is the civilian high security standard for locks. In discussions with BHMA, I have pointed out what we perceive as the deficiencies in their current standard. We have asked them to look at our methods of bypassing Medeco and other cylinders, with the view to addressing these methods of compromise in a new standard that is based upon “real world testing” rather than specifically defining each method of bypass.

Finally, Peter and Schuyler address the concept of Responsible Disclosure. While I certainly agree that we should not be educating criminals as to techniques to bypass locks, there is a problem in this logic, which Schuyler correctly identifies. The consumer has a right to know of deficiencies or defects that can affect their security. The problem is that locks are quite different than software. Code errors can be fixed with updates that can be instantly implemented without any cost of materials. Patches can be effected remotely to fix a security vulnerability. This is not the case with locks.

And often the criminals are far ahead of the consumer in their knowledge, so is it wise to keep that knowledge from the consumer, commercial security officer, or government agency? The real problem, and the irony of embracing the Locksport and hacking community, is that Medeco and other manufacturers often do not know how to bypass their own locks! That is very obvious, for if they did, they would have taken the necessary steps to properly design their cylinders against such techniques. This fact can be no more graphically illustrated than by Medeco’s insistence that their locks cannot be bumped or picked by the methods we developed and attempted to explain to Medeco since 2006. The fact that Medeco could not open their own locks does not mean that they cannot be opened by others, using those same techniques!

So it often falls upon the Locksport enthusiasts, hackers, or security professional, outside of the lock manufacturing community, to demonstrate vulnerabilities that should have been discovered by the manufacturer before offering their products for sale. In my experience, design engineers learn how to make things work quite well; they rarely are educated in how to break them. That is a fundamental problem. If locks were designed properly, hackers and others would not be able to circumvent security. It is about time that manufacturers recognized that the more minds that are evaluating their products, the better.

So, when Peter says that Medeco and other lock manufacturers are reluctant to publicize potential threats to their products, primarily because they do not want to teach criminals how to decipher their mechanical puzzles, I would submit that this statement is not quite correct, nor does it tell the whole story. While there is no question that every lock manufacturer is “genuinely concerned with the security of their customers,” there is another side to this issue, and that is money and liability. And at the end of the day, there should be no illusion as to why lock makers are in business: it is to make money, first and foremost.

Advising a manufacturer of a design defect is the right course of action. Unfortunately, most manufacturers have been unwilling to listen to the Locksport community, instead calling them hackers and criminals. This is clearly changing. In Europe, Toool has been responsible for a shift in attitude, primarily upon the part of some major manufacturers. And the realization by Medeco that they can have a valuable ally by using individuals with diverse backgrounds, to test their locks, is an important step forward. The question is the effect of advising a manufacturer of a problem, and when to notify the public. This is the real issue.

While I completely embrace responsible disclosure, thus giving a manufacturer time to fix a problem in a new design, I do not quite subscribe to the theory of giving a manufacturer time to address all problems, especially if they have existed for quite a while, the locks have achieved significant market penetration, and the issue likely will not be remedied by the manufacturer without cost to the consumer.

***

In Part II, I shall address this issue, and why the concept of responsible disclosure is a technical, logistical, legal and financial minefield for lock manufacturers.


UL TAKES UP LOCK BUMPING: Task Force Appointed

On Tuesday, September 18, I attended a Standards Technical Panel meeting at Underwriters Laboratories in Northbrook, Illinois. This particular STP is charged with reviewing and updating eleven different standards dealing with safes, vaults, ATMs, locks and alarm systems. Representatives from industry, trade associations, standards organizations, hardware manufacturers, and concerned citizen groups are members of the STP that provide input into the standards process.

UL, which has been in existence for more than a century, is responsible for about 900 standards for fire, electrical and security related products. The non-profit organization was originally established by insurance underwriters. Its purpose was to determine and reduce the potential risk and thus the financial exposure for products for which insurance coverage was offered to the public. UL has been instrumental in discovering design defects and being the impetus for engineering improvements that result in safer and more efficient designs.

Today, UL deals with an incredible array of products and has a world-class testing facility to ensure the safety and security of thousands of different pieces of hardware. Virtually every consumer item that is related to the risk of fire, is powered by electricity, or can in any way create a hazard is designed, manufactured and regulated to perform to designated standards. The process to develop these standards is quite complex and requires a broad range of input and consensus from all affected groups.

On the agenda for this STP was lock bumping. I met earlier this summer with the chairman of the panel to discuss the inclusion of this topic at the meeting and it was agreed that it was important for UL to look at this issue in the context of UL437. For those of you that are not familiar with UL437, this is the “higher security” standard for cylinders that are employed in government, business and by some consumers. These cylinders are by definition supposed to be resistant to covert and forced methods of entry for specified minimum times. UL437 is touted by high security lock manufacturers as one of the primary criteria to assure certain minimum levels of physical security in their rated cylinders.

Resistance against forced entry is a minimum of five minutes for specified tools and techniques. However, as I noted at the meeting, some UL certified locks can be opened in significantly less time, and I suggested that this issue also needed to be addressed if the public is to rely upon these standards as a selection criterion for physical security protection.

Resistance against covert entry under UL437 is specified at a minimum of ten minutes. This means that the lock should resist picking and related attacks for at least this period of time. As many readers are aware, some UL certified locks do not meet this specification and can be opened in one or two minutes notwithstanding the requirements of the standard. This is one of the reasons that I felt it was important to provide input at the meeting.

The ANSI/BHMA high security lock standard, 156.30, is even more stringent in its requirements and also refers to UL437 with regard to pick resistance. Neither standard presently addresses bumping, although one might argue that bumping is a form of picking, which of course is covered. In Europe, bumping has been incorporated into testing protocols because of the widespread recognition of the security risk posed by the technique.

UL437 and ANSI/BHMA 156.30 are important because most organizations are not capable of testing the security products that they employ to protect their facilities, assets and personnel. They rely upon the standards organizations to determine levels of security for specified products and to ensure that they meet those standards with regard to performance criteria. In this way, all affected sectors can deploy such hardware with the understanding and assurance that specified criteria will be met by the specific product or system. The insurance industry can also confidently provide insurance based upon defined security standards. The problem is when a product or system, although certified to a certain security performance level, does not actually meet those expectations. Then any entity that relies upon such performance criteria may be at risk. This is precisely the issue with lock bumping and related attacks, especially in high security facilities or critical targets, which have been the basis of recent articles in the media and on this website.

In my brief presentation, I explained to the panel members that certain high security locks could be compromised by bumping and that I thought this issue needed to be addressed. After some discussion about bumping attacks there was a consensus that a task force should be formed to analyze the current standard and determine if it would be appropriate to add bumping as a test for high security locks. ASTM is also working on standardized performance tests to assess the bump resistance of cylinders.

At present the task force is comprised of ten members (including myself) that represent several lock manufacturers, a standards organization, special trade organizations that deal with the security and insurance interests of their members, and a representative of government. The first meeting of the task force has not been scheduled as yet. Industry and consumers alike should welcome this decision because it should lead to the adoption of relevant guidelines for manufacturers to ensure that their locks are secure against bumping attacks.


A Personal Comment about the Gun Lock Story

Two years ago, we posted an alert about the poor quality and insecurity of gun locks. The media reported the story in an in-depth television news story. The result: absolutely nothing changed. The manufacturers continued to produce cheap locks that afforded no protection. Standards were not changed by the State of California which certifies cable and trigger locks as secure to protect kids. Retail outlets continued to sell junk locks. And more alarming, law enforcement agencies throughout the U.S. still offer poor quality gun locks to the public for free, believing that they are designed properly.

There have been many adverse comments to my posting of videos with the article on in.security.org and on engadget.com. Many think that a simple warning would have been sufficient without the videos. History has shown that this is not the case.

The reality is that if you simply warn parents that gun locks are dangerous because they create a false sense of security, the warnings will be largely ignored, as they were two years ago. In fact, in 2001 a security alert was published by the Consumer Product Safety Commission on this subject. Shortly thereafter, ABC did a television report on the dangers of these locks and how easily they could be compromised. Again, nothing happened. It was business as usual.

A few months ago our local sheriff showed me the gun locks that they distribute as part of the Operation ChildSafe program (funded by the Department of Justice). I decided it was time to revisit this issue. If a police department hands a gun owner a lock, then it impliedly represents that the lock is secure and will keep kids safe from guns. Our sheriff had no idea that these locks could be so easily compromised. When he learned otherwise he took immediate action to warn every consumer that received these devices through his department.

So, for everyone that feels that our report should not have been published, I respectfully disagree. Simple warnings would accomplish nothing, as borne out by past events. This was reinforced by my conversations with the National Shooting Sports Foundation. They have distributed 35,000,000 of these cable locks and tell people they will protect kids from access to weapons. Worse, they actually believe that the standards that California passed seven years ago are sufficient to keep kids safe up to the age of seventeen. They cite the American Society of Testing and Materials as the ultimate authority on standards and the fact that these locks passed ASTM tests.

Their concern could be paraphrased thusly: “We have never had a problem with these locks so there is no problem.” I don’t question their motives, just their understanding of how these locks work.

Before I released the report I spoke with the California DOJ Firearms Division about their standards. They said that they believed that they were quite sufficient to keep kids from accessing weapons, repeating that the locks had been analyzed by designated testing laboratories and found compliant with the standards. It was the same story line.

In my view, the real issue is the standards and the manufacturers that produce cheap locks that do not even meet the minimal requirements promulgated by the DOJ. So, if this is an important issue (as I believe it is), then how do you get everyone’s attention so that something positive will occur?

Some say it is irresponsible to show how to compromise these locks. I considered very carefully whether to demonstrate the problems with these products or just write about them. I came to the conclusion that perhaps the only way to get the regulators to act was to show them what they apparently did not understand, and at the same time to graphically warn parents about the hazards of using these devices. Perhaps they might put pressure on the agencies to make needed changes.

And yes, there is a risk that kids will see this report. But I thought that would be far outweighed by the potential positive results that might occur. And frankly, it is clear that if a kid wants to access a weapon he will, regardless of whether there is a report showing him how to do it or not. The difficulty in compromising these locks is minimal and that is the entire point of the article.

The fact is that any adult that uses one of these locks as the sole protection of a handgun is grossly negligent. If they compound the problem by either locking a loaded weapon or keeping ammunition close by, then I would submit they could be held criminally liable if a kid uses the weapon.

So the conclusion I reached with regard to airing the videos was based upon the following premise: if the locks are as secure as represented by the DOJ, NSSF, and manufacturers, then why would they be concerned about showing how these locks can be compromised?

After all, they are all saying that the locks WILL protect a weapon against access by a kid, (no matter how ludicrous that argument might be) and that the standards are sufficient.

My contention: Either these locks are secure or they are not. You can’t have it both ways. And if they are not, then laws should be changed so that the locks actually do what they are supposed to do.

Finally, the information that was presented has been on the Internet for quite some time, as almost everyone knows. An incredible amount of material has been published about bumping, including padlocks. So kids already are aware of that method of bypass. The fact that bump keys are available on the Internet for the Master cable lock should alarm everyone. I and others have been raising this issue for the past year. In fact, I submitted draft legislation to the Postal Inspection Service six months ago to close the loopholes in the postal regulations to stop the trafficking in bump keys on the Internet.

And what about the ability to cut these cables? I would dare say that every reader would look at one of these locks and laugh at the absurdity of the ostensible protection that they afford. A pair of pliers or fourteen-inch bolt cutters from Ace Hardware will sever any of these cables, and everyone, including kids, knows it. Even Targus figured it out when I wrote the article last year about their much publicized armored computer lock, which uses an almost identical approach to the gun cable lock.

So should we just keep quiet and continue to promote the failed concept of “security by obscurity”? I don’t think so, for the same reason that I am challenging the standards set forth by Underwriters Laboratories, BHMA, and ANSI with regard to high security locks and the ability to compromise some of them in well under the minimum time standards set forth for forced and covert entry in UL 437 and ANSI 156.30. I would submit that the risk could be far greater for reliance on some of these standards and for the defective or deficient design of some of these locks than for the compromise of gun locks.

I have never believed it was prudent to publicly demonstrate methods of covert bypass unless there was a valid reason to do so. That material is left to the multimedia edition of my book. I have never once shown such techniques in the media; only to law enforcement and security professionals. But when bypass techniques are so simple that anyone can accomplish them in a few seconds, I believe it is vastly different. In my view it enhances everyone’s security if they have a full understanding of the simplicity of the methods.

The issue raised in the gun lock story is about responsible disclosure with regard to matters of security. There has always been a legitimate debate as to whether disclosure promotes security or places it at risk by publishing “secret” or, more to the point, “unknown” information. The reality is that there are no more secrets. The Internet took care of all of that. And if I had simply posted a warning about the insecurity of these devices, or there had been a news story written about a child that was hurt or killed as the result of his ability to bypass one of these locks, you can be sure that someone would have posted detailed information about the method of compromise. Welcome to the global information world.

There are two sides to every story and if this one has sparked thoughtful debate about the disclosure of security defects, then I would submit that the article has accomplished its purpose. Many parents have written to me after reading this article, not to complain but to voice concern about the locks they have relied upon and to ask what they should replace them with.

If you believe that material on gun locks should not have been released, then you will surely have an opinion regarding the next alert about the insecurity of small Fixed Base Operations at our airports, and the security issues it raises.

MWT


Response to ALOA editorial about Bumping

RESPONSE TO ALOA PRESS RELEASE

By Marc Weber Tobias

On August 28, ALOA posted a press release regarding recent publicity about the vulnerability of pin tumbler locks through the use of the bump key. Although not named, ALOA was clearly pointing the finger at me and my associates, who have made public the security issues from bumping that affect most mechanical cylinders, including those employed by the U.S. Postal Service and Mail Boxes Etc. Although I have always supported the goals of the organization, because of the position taken by ALOA, I felt obligated to respond.

First, their press release, see: http://aloa.org/pdf/bumpkeys.pdf
The ALOA Position
