Archive for the 'Covert Methods of Entry' Category
A RESTRICTED VERSION OF THIS POST IS AVAILABLE TO LOCKSMITHS, SECURITY PROFESSIONALS, RISK MANAGERS, AND CLEARSTAR MEMBERS. THE LINK TO CLEARSTAR IS PROVIDED. IF YOU ARE A SECURITY PROFESSIONAL YOU MAY ALSO CONTACT THE AUTHOR FOR ACCESS AT email@example.com, or the webmaster at ClearStar for clearance.
This post is primarily for locksmiths and security managers of facilities that may have installed the KABA Simplex push-button locks. We will be releasing a second article shortly with regard to mechanical upgrades that KABA appears to have implemented to resolve the security issues that are documented in our video. Every facility that has installed these locks should be aware of the vulnerability and assess their risk and their potential damages.
I would like to address the recent class action lawsuit that has been filed in multiple jurisdictions against KABA-Ilco for the insecure, and I believe defective design of their Simplex push-button locks. This article will discuss the potential liability issues for locksmiths and for the lock manufacturing industry and the profound impact that this litigation may present in the future.
It is likely that millions of Simplex locks (Series 1000, 2000, 3000, 6000, 7000, 9000) have been sold to commercial, government and even residential venues throughout the world and have been an extremely popular push-button lock for at least thirty-five years. Unfortunately, they are, in my opinion, insecure, and demonstrate a critical problem within the lock industry which I have repeatedly addressed and labeled as insecurity engineering.
Our office has produced a detailed video which has been made available to locksmiths and security professionals. It shows the precise security vulnerability of these mechanisms. If you presently utilize these locks, you should view this material to assess your risk, or speak with your local locksmith who is familiar with the locks and their security vulnerability.
Our analysis conclusively demonstrates the vulnerability of locks that were manufactured prior to at least September 19, 2010, and also graphically illustrates what can go wrong when design engineers are not properly trained in bypass techniques, or they fail to use their imagination as to potential methods of entry. While KABA is not the only lock that can be opened with a magnetic field, they are surely the largest target for legal action.
In Locks, Safes, and Security and LSS+, I describe at least fifty methods of bypass, including the use of magnetic fields. Unfortunately most design engineers are clueless with regard to many of these techniques, which means they are incapable of designing locks that are secure against this and other forms of attack.
This lack of knowledge has and will lead to liability and potentially significant if not catastrophic damages and will likely force some manufacturers out of business. In my view, the KABA lawsuit and what it portends may have a devastating impact on lock manufacturers and the entire industry.
If they do not pay close attention and take steps to ensure that their products provide the security which they directly or impliedly represent and which their purchasers rely upon, they will likely find themselves as defendants in similar actions. Any lock manufacturer, foreign or domestic, that sells its products within the United States market can be subject to liability.
Be assured that KABA will not be the first to be the target of such litigation. Our office has been investigating several seriously defective or deficient products and will likely be involved in actions in the future for similar design deficiencies that adversely impact security and place consumers at risk.
Several of our legal and consulting clients asked that our law firm set up a testing laboratory to find “real world” vulnerabilities that UL, BHMA, VdS and other standards organizations and their laboratories either do not recognize or are not allowed to test for because of the way the standards are written. As a consequence, in 2009 we set up Security Laboratories to determine the vulnerability to covert and forced entry techniques of both mechanical and electronic locks. We established our lab through my law office to shield our clients from potential discovery of our test results in the event of litigation involving defective products that we may uncover.
As many of you know, I have been an outspoken critic of many lock manufacturers for their lack of competent security engineering skills, especially with regard to high security locks. All of our clients are vitally concerned about making secure products. They want to be certain their locks protect their customers and do not expose either the customer or manufacturer to liability claims, based upon defective or deficient engineering. We have secured several patents to remedy design problems and make the locks that are produced by our clients more secure.
Many of our clients have learned a very painful lesson about lock design: it is far less expensive to find and remedy design deficiencies before a product is released rather than doing it after the fact.
There has been much criticism of the stance I have taken as to my belief that not only should these engineering failures be documented, but the public, locksmiths, and security professionals should be made aware of the vulnerabilities. My rationale is simple: the possession of such knowledge allows them to properly assess and assume (or decline) the risks that may be inherent in utilizing a specific lock or piece of hardware.
Unfortunately, many lock manufacturers will not communicate known defects or vulnerability issues to their dealers or customers unless they are forced to do so. This, in my view, is a very unsound policy and will lead to legal liability and ultimately, potentially serious and damaging public relations problems. Security by Obscurity does not work. Failing to disclose vulnerability does not make it go away; it just places everyone that uses the product at risk when they are not aware of the vulnerability.
In those cases where manufacturers are ignorant of bypass techniques that can render their locks insecure, I believe they may still be held liable. Why? Because ignorance is no excuse, especially if commercial tools, YouTube videos, or lock picking web sites are discussing different techniques to open the locks. One of the first things we do in our lab is to determine if anyone else has figured out how to open locks that are produced by our clients. Often, there is a wealth of information.
My opinion is that any lock manufacturer that ignores such publicly available information is culpable. The problem is that many manufacturers release products, then essentially forget about them and fail to make changes based upon current bypass techniques. If a company represents in its current technical manuals and advertising that a lock is secure, I do not think it matters whether it is a new or old design. I believe this is why KABA will not prevail.
Everyone is aware that we wrote the book about how we cracked the Medeco high security cylinders. Medeco’s response was to implement certain changes to counteract security vulnerabilities that we had discovered and exploited. This is precisely what is required of a manufacturer if they are to avoid liability and costly lawsuits. Other manufacturers, such as we disclosed at DefCon 18 last summer, chose to do nothing, or simply hide from their design defects.
I have always believed that full disclosure is the only viable policy, regardless of the possible consequences, and have so counseled my clients. Every lock manufacturer has, in my view, a special responsibility to its locksmith-dealers and to the end-users. Often, the locksmiths are left “twisting in the wind” by not being apprised of known or suspected security issues by the manufacturer. The lack of such information can adversely impact their customers and create an untenable legal and ethical position for the locksmith.
Perhaps the best example of a lock manufacturer taking responsibility for a deficient product is Schlage and their Kryptonite bike locks. When we made public the ball point pen attack in 2004, Schlage made the decision almost immediately to replace every lock, whether they were liable or not. That conduct should serve as a model to every other lock manufacturer. It cost them a great deal of money, but it was the right course of action and has ultimately paid dividends for them in terms of credibility with their customers.
The same course of action recently occurred in Europe by Uhlmann Zacher when their electronic cylinders were attacked with the magnetic ring that allowed them to be opened in seconds. They immediately shut down their production line, recalled all of the locks, and fixed them at no cost to their customers.
About six years ago, I wrote a detailed two-part article for ALOA Keynotes with regard to locksmith liability issues, after becoming involved in the exposure of the insecurity of master key systems in the New York Times. Little attention was paid to the issue at the time in regard to potential liability. The KABA lawsuit has brought the matter to the fore, and now every locksmith and manufacturer should be paying attention because of the potential liability issues involved.
As most of you know, in 2006, my associates and I went public with regard to lock bumping in the United States, and were soundly criticized by most locksmiths for doing so. ALOA in particular said we should not have told the public about the technique and that essentially, it was much ado about nothing. It had already been widely reported in Europe by Toool and others, and I felt the U.S. consumer should be aware of the threat because virtually every potential burglar already knew about it. The irony is that most locksmiths did not, even though many of them claimed otherwise. I thought that full disclosure should be the rule.
As a result of the exposure of lock bumping as a serious method of covert entry, the manufacturers have begun to address the problem, as have the standards organizations. I believe that the public benefited from the disclosure and is better off for it.
I sit on the UL Standards Technical Panel for locks and safes, and have the privilege to be part of the group that analyzes standards as they come up for periodic review. Both UL and BHMA are moving in the proper direction and are adopting bumping protocols. If you think that lock bumping was an insignificant issue, I would submit that we were able to bypass the most respected high security lock in the United States as a direct result of the re-emergence of lock bumping. I am sure you are all familiar with the Wired Magazine article (June, 2009).
ALL SECURITY IS ABOUT LIABILITY: THE KABA CLASS ACTION LAWSUIT
I am constantly asked “why is a lawyer picking locks?” The answer has always been simple for me to explain: All security is about liability. For many years, I have been cautioning about the nexus between security and liability and defective or insecure products. It would appear that now everyone is beginning to understand the connection. If a product is improperly designed and insecure and results in injury, loss, or other damages then the lock manufacturer will likely be held liable.
So, now we come to the crux of the matter: the KABA lawsuit.
In November, 2010, a class action lawsuit was filed by a number of plaintiffs against KABA-Ilco. The basis of the suit is the insecure engineering of the combination chamber that is the critical component within most of the Simplex push-button locks. Some locksmiths were apparently aware of this issue, but evidently nobody paid much attention to it until some very competent lawyers in New York were notified of the problem by their clients.
For everyone wondering if I am connected with this lawsuit, the answer is no. However, I have met with counsel in New York for the Plaintiffs. As a result, our office is conducting an independent investigation with regard to certain issues that have been raised in this litigation.
As a lawyer, it is my opinion that KABA is in serious trouble on two fronts. If the case is not dismissed based upon a motion for summary judgment for failure to state a legally actionable claim, then I would bet the case will be settled and will never see a courtroom. My opinion is that KABA will not risk a fifty million dollar verdict for what I perceive as their inept design and potential misrepresentation and false statements by their employees.
KABA, in my view, has not only manufactured and marketed a defective product, I believe they knew it or should have known it for quite some time.
As of two weeks ago, KABA technical support staff is continuing to state that this product is secure, and are assuring customers that the locks cannot be opened with magnets. Perhaps this is true for locks manufactured after September 19, 2010; perhaps it is not. The verdict is not in as of yet as to their “fix.”
My opinion: this is a lie, or at best a half-truth, and is liable to cost them dearly.
I find this particularly interesting in light of the Motion that KABA filed with regard to where this case should be heard. They stated that the design has been modified as of September 19, 2010, but there is no information to indicate that the problem has in fact been remedied. Further, one would assume that technical support staff would be warning customers to have their locksmith replace the critical parts, which may include the combination chamber and front housing with the upgraded version. Instead, the individuals I spoke with denied any knowledge of any specific vulnerability.
Perhaps even more troublesome: I spoke with five different major Simplex dealers across the United States to inquire as to the security of the Simplex locks. None of them were aware of the problem, and they stated that the locks were secure and could not be bypassed with magnets. None reported they had received any information from KABA, notwithstanding that KABA has stated they first learned of the problem in August of 2010. If you believe KABA, that means that at least five months have passed and they have not warned their dealers, at least not the ones I spoke with, about the insecurity of their locks. Evidently KABA subscribes to the theory of Security by Obscurity as well.
All but one of the dealers I spoke with were comfortable in recommending these locks for use, even in secure environments, boasting that “the military” uses them. Each of the dealers and locksmiths I spoke with was wrong, and could potentially be held liable for making such statements if a customer relied upon them and was subsequently injured.
DESIGN ISSUES THAT MAY GIVE RISE TO LIABILITY
There are four critical questions that must be answered in relation to the KABA lawsuit: (1) whether the design of the Simplex is defective, (2) whether the company misrepresented the security of its product, (3) whether their design engineers, on a continuing basis, should have known or determined whether the lock was subject to a magnetic attack, and, even more importantly, (4) whether they had prior knowledge of the security vulnerability and failed to correct it and warn their thousands of customers.
The legal criteria with regard to the question of design defects or deficiencies in the security engineering of locking devices is really not settled and is dependent upon many factors. I think we can identify the two opposite ends of the liability-spectrum with regard to security engineering: clever design and clever exploits, versus stupid designs and simple attacks. My opinion is that the KABA Simplex fiasco falls within the second category.
A manufacturer is clearly not liable for a state-of-the-art attack which could not or should not have been foreseen when the lock was designed and first manufactured. A sophisticated decoding tool, for example, which requires a great deal of skill, expertise, and introduces new methods of bypass technique would not give rise to a cause of action.
An example is the John Falle shim-wire decoder that was introduced about twenty years ago to open high security pin tumbler locks. This was classified as a state-of-the-art attack and used a wire that was a few thousandths of an inch in diameter, delivered through a syringe-type tool to probe and measure the length of each bottom pin within the lock. It was only available to government agencies for many years. No manufacturer would have been deemed to be liable at the time if their locks were attacked in this manner.
A similar and more current and relevant example would be the picking and bumping techniques that we developed to open Medeco cylinders with code-setting keys. These state-of-the-art techniques would not give rise to liability upon the part of Medeco, because the manufacturer clearly could not have foreseen the attacks that we developed, even though the ultimate result constituted a relatively simple method to open many of their locks.
At the other end of the spectrum are attacks that require little to no skill or training, nor the use of sophisticated tools. To be blunt, these types of attacks are based upon stupid engineering by the manufacturer. The KABA attack (and hundreds of others that we have documented in LSS+ and DAME) is neither sophisticated nor complicated, and certainly not state-of-the-art. In my view, reasonable design competence in security engineering would dictate that a properly educated engineer would understand the vulnerability and design around it. I think the KABA bypass is a classic example of failure in this regard.
Anyone familiar with magnetic attacks would recognize the threat and never use a ferrous material that could be influenced by a magnetic field for a critical component, as was done by KABA in their combination chamber. Reading their Motion, KABA is evidently claiming that a rare-earth magnet was “not commercially feasible” at the time the lock was developed, and thus constitutes a sophisticated or state-of-the-art attack. They further claim that these magnets (which can be held in the palm of your hand) are not easily transportable, and may cause bodily injury when used. In addition, they represent that opening the Simplex by a magnetic field may be difficult and not a reliable technique, and may not even result in the lock being opened.
Frankly, this is all KABA-legal-mumbo-jumbo because they do not want to admit what everyone knows: the locks can be opened with a magnet because they were not properly designed.
This begs the question, because I believe that a manufacturer has a duty, especially if they are on notice of a technique to bypass the security of their locks (or other locks that may have similar components that control critical functions), to constantly update their current products to prevent or minimize such vulnerability. KABA evidently did neither. I would assume that the concept of magnetism was known to KABA at the time they developed the Simplex lock! Any contention that because rare-earth magnets were not available at the time of the initial design and therefore KABA is not liable is simply nonsense. I would be willing to bet that magnets that could open the locks were available or could have been constructed at the time these locks were first introduced and subsequently.
KABA also believes that all locks are subject to some form of bypass, whether by locksmiths or criminals, and that everyone has access to the same bypass tools so no manufacturer should be held liable for such acts of bypass.
This is a novel theory to be sure, but in my view, it denotes faulty logic. Locks are designed to be attacked and “screwed with” by a variety of techniques, including the use of strong magnets. Any manufacturer that does not understand this premise should not be in the business. The very nature of a lock is to keep bad guys out, and that is the entire theory underlying lock standards, such as UL 437 and ANSI/BHMA 156.5 and 156.30.
Even if you accept KABA’s argument, they fail to address the simplicity of the attack against the Simplex. This, in my view, is their real problem and they confirm the issue in their pleadings by stating that all locks are vulnerable, whether by an expert locksmith, or any thief, “even the most clumsy.”
Locks are security-rated in terms of time, tools, and training and whether specific bypass techniques are reliable and repeatable. We call it the 3T2R rule. They are designed to keep criminals out for a specific period of time and are measured against certain types of attack tools and techniques. Claiming that no liability accrues if a lock is opened with any but the correct key is ludicrous, arrogant, and connotes a total lack of understanding of security. KABA has lumped all locks and their bypass together and has conveniently omitted any mention of standards or the security of their products to resist such attacks.
While I agree that most locks can be opened by one or more techniques, the real questions are “how long does it take, what kind of tools are required, and what is the required expertise?” This summarizes my 3T2R rule in a nutshell.
The magnetic attack on the Simplex fails on all three counts. Claiming that the use of a rare-earth magnet is a sophisticated, unknown, or “not commercially feasible” attack does not, in my view, pass muster either, because the magnets are readily available from several venues today, and have been for some time.
If KABA were correct in its assertion, then why bother spending any money for a more secure lock? Here is my suggested solution for KABA: let them place verbiage on every Simplex that states “Warning: this lock can be opened in two seconds with a strong magnet by an idiot!” How many locks do you think they will sell? The answer is zero!
A FALSE SENSE OF SECURITY
Many lock manufacturers have been getting away with selling seriously deficient or defective products for a long time, and have never been held accountable. Tool makers such as HPC, Lockmasters, Peterson, MBA and Wendt make their living, in large measure, because of incompetent or deficient security engineering by some lock manufacturers. Recent examples that we exposed at DefCon 18 last August underscore the severity of the problem: a consumer level “safe” which is really nothing more than a box with a cheap lock on it (which can be opened with the shim from a hanging file folder), a biometric fingerprint lock (which can be opened in one second with a paper clip), and another KABA product, the InSync, which can be opened with a piece of wire inserted through the USB data port. Two other cylinders (Kwikset Smartkey and Iloq), both seriously deficient, completed our presentation.
GENERAL LOCKSMITH LIABILITY
Many have asked if locksmiths that have sold these products can be held liable. The answer is not simple and depends upon whether the locksmith was aware of the defect and failed to warn their customers. However, before talking about the KABA Simplex case, there is a threshold issue that must be addressed, and that involves the locksmith holding himself or herself out as a security expert.
If, as a locksmith, you merely install a KABA Simplex or any other lock that is found to be insecure, deficient, or defective, then my opinion is that you have minimal or no liability whatsoever; it would ultimately fall upon the manufacturer. Most locksmiths do not have the skill, tools, or training to find significant design defects in the locks they sell. They rightfully rely upon the expertise of the manufacturer to produce secure products and their representations as to the security of their locks. Normally a locksmith’s job is sales, installation, and maintenance of security products; not testing.
However, if you hold yourself out as an expert in security, recommend a specific lock as secure (either directly or by implication), and as a result the customer relies upon your representations and subsequently suffers a loss, you may be deemed liable.
Once you represent, either directly or by implication, that you have expertise in physical security and that your customers should rely upon your advice, then I believe you also have a duty to be aware of current methods of bypass for the locks you sell. You have a commensurate duty to warn your customers of such issues before they purchase the lock, or, for a reasonable period of time subsequent to the purchase and installation of such products. It is the ethical thing to do, will foster good customer relations, and should shield you from any liability.
LOCKSMITH LIABILITY AND THE KABA SIMPLEX
There are five specific and primary issues of concern: (1) what should locksmiths do now that they are aware of the defect, (2) are locksmiths on notice of the defect, (3) are locksmiths liable for products they have previously sold, (4) what should Simplex dealers tell their clients, and (5) do locksmiths have a duty to warn their present customers that have installed Simplex locks?
What should locksmiths do now that they are aware of the defect?
The answer is simple: advise every customer of the specific problem, so they and not you make the risk assessment and the determination as to whether the locks should be replaced or upgraded. In my view, you should stop selling the locks until they are fixed and the manufacturer repairs or replaces every one of them that is in service. You should also demand that KABA upgrade all locks and compensate you for any expense incurred in connection with servicing your customers. If KABA is unwilling or unable to fix their locks, then you should require them to refund the purchase price of your entire inventory.
Are locksmiths on notice of the defect?
If you are reading this article, you are on notice! Further, if you are holding yourself out as a security consultant or expert, then you are presumed to know the current state of the art, which means you have “constructive knowledge” as to the bypass technique. This means that either you knew directly or should have known.
Are locksmiths liable for products they have previously sold?
I do not believe so, unless you were specifically aware of the problem and failed to warn your customer.
What should dealers tell their clients?
You should tell them they are at risk, and apprise them of the specifics of the bypass, as shown in our video. You should also demand that KABA hold you harmless and agree to replace or upgrade every lock you have sold and that is subject to the design problem.
Do locksmiths have a duty to warn their present customers that have installed Simplex locks?
I believe you have an affirmative duty to warn. If you fail to do so, you may be held liable if they (your customers) suffer a loss based upon the bypass of these locks.
The obvious question as to the time period for which KABA could be liable is unclear. Locks that were sold several years ago may not be covered in this lawsuit unless it can be proved that KABA was aware of the problem and failed to warn their customers. If KABA does the right thing, they will replace or upgrade every lock that is at risk, just like Schlage did with the Kryptonite.
THE REAL PROBLEM: THE STANDARDS THAT MEASURE SECURITY AND THE TESTING LABS THAT CERTIFY THE LOCKS AS COMPLIANT
The KABA Simplex lock was evidently rated as Grade 1 security level by ANSI/BHMA at one time (156.20). Unfortunately, these standards, in my view, are woefully deficient in what they cover. They do not adequately protect the consumer. I have been meeting with BHMA for the past two years in an effort to get them to revise ANSI/BHMA 156.5 and 156.30 (the commercial and high security standards) so that they actually test for “real world” bypass techniques. The KABA case is typical and demonstrates the total failure of standards to determine or measure real security in locks.
In September, 2010, our office filed a very detailed complaint to BHMA, seeking to challenge the certification of the Kwikset Smartkey lock as non-compliant with the standards. This lock, also rated as Grade 1 security, as many of you know can be opened in fifteen seconds with little more than a small screwdriver. I think it is junk security, and I have publicly said so on many occasions. Just about every locksmith in the country knows the Kwikset story. Now, KABA Simplex can be placed in the same class with regard to security, or perhaps it is even worse and more insecure, (at least until secure upgrades are in place to prevent the magnetic attack). At least the Kwikset Smartkey is bump and pick resistant and is not affected by a magnetic field!
In citing these examples, the significant issue is the failure of BHMA, UL and other organizations to protect the public by adopting standards that actually mean something. Presently, many forms of bypass are not in the standards, which means the labs are not testing for them. The result: locks that the public believes to be secure are not. The problem is compounded by what we see as incompetence upon the part of some laboratories to find vulnerabilities.
In my view, the consumer should not rely upon either the standards or the results that are certified by these testing labs with regard to methods of covert and forced entry until the standards are written in such a way as to specify real-world attacks. Testing labs should understand that they may share in liability for defective or deficient products which they certify as compliant and which are not.
On January 24, 2010 I met with BHMA to discuss the current situation with regard to the standards and why they should be upgraded. I suggested that an expedited procedure be adopted by BHMA to address security issues such as KABA, Kwikset and other companies, where locks are certified as compliant with Grade 1 standards but are clearly not secure. I was assured that the issue is now being considered in an effort to further protect the public.
I suspect that the KABA lawsuit will be the first of many to be filed and will set a new standard for security engineering within the industry. Any manufacturer, large or small, that fails to grasp the nexus between liability and security engineering will be subject to potentially lethal lawsuits which ultimately may force them out of business.
If you are a manufacturer, it will be incumbent upon you to understand different methods of bypass that are not covered in the standards, and to guard against them. You must develop the expertise to design secure locks. As I meet with engineers throughout the world at different manufacturing facilities, I am constantly amazed at their lack of knowledge with regard to security engineering, and more importantly their potential exposure to liability for such deficiencies.
While most engineers are competent to make mechanical locks function properly, few understand how to circumvent their security. The premise is simple: you cannot design secure locks unless you understand the methods to break them. Most manufacturers only have a cursory familiarity with the latter.
As a manufacturer you may claim that you rely upon the standards and are compliant with them. Such an argument may not shield you from liability, however. If your lock can be opened in fifteen seconds by a kid, I think you will be deemed to be liable. More importantly, if members of a jury can open your locks in seconds, it is over! End of story.
If you are on notice of a significant vulnerability and fail to act upon it, both in terms of design changes and notification to critical customers, you may suffer the consequences. That means that if there are tools on the market to open your locks, or verifiable accurate YouTube or web videos that illustrate how to break them, then you have a problem. I can assure you that the legal community will take note, and where appropriate, pursue such design issues in expensive lawsuits.
KABA has stated that modifications were completed on or about September 19, 2010 in order to minimize the security vulnerability to the Simplex. However, this does not mean that locks which were purchased after that date are in fact secure. This is because old stock may still be sold by dealers. You should determine whether any locks that were purchased after that date have been modified to thwart the threat from strong magnetic fields.
Our investigation into this matter is continuing and we will have a technical update shortly.
If you have specific questions or relevant information regarding Simplex locks, please feel free to contact me at firstname.lastname@example.org, or at Investigative Law Offices, 1.605.334.1155.
Please note that I am not offering legal advice to any specific locksmith in this article, unless I am specifically asked to do so. You should seek the advice of your own counsel with regard to the issues I address in this article. All opinions are those of the author.
I interviewed Dr. Stefan Savage, a professor at the University of California San Diego, who directed the research team that developed a prototype for analyzing images of keys in order to decode their bitting code.
The team issued a report last week that detailed its findings.
Although remote optical capture of bitting information is not new, the development of software to automatically analyze images of bitting codes may be unique in the commercial sector. You will recall that we were able to scan a Medeco m3 key last summer, email the image, and simulate a key that opened the lock using a piece of credit card plastic. The UCSD technique takes this one step further.
See the complete story on CNET Security.
HOPE 2008: Three separate lectures that discussed Medeco vulnerabilities
The Usual Suspects, together for a discussion of different vulnerabilities of Medeco Biaxial and m3 cylinders. From left to right, Matt, Toby, Marc, and Jon.
This past weekend there were three different presentations at the HOPE security conference in New York regarding different potential security vulnerabilities involving Medeco locks.
Jon King, inventor of the Medecoder picking tool, lectured on the use of his tool and demonstrated its use in picking a Medeco m3 in under three minutes.
Jon King demonstrates the use of the Medecoder picking tool.
We discussed bumping and picking and the different methods of defeating Medeco cylinders, including the defeat of ARX pins, which Medeco apparently plans to implement in their new cylinders to combat the King Attack. While they probably will prevent the use of the Medecoder in new locks, they may not be effective in stopping the use of code setting keys for bumping and picking, as described in our new book. We have repeatedly demonstrated the bypass of some of these pins to bumping and picking, so it remains to be seen just how effective they will be. Evidently Medeco will not be paying for any upgrades to currently installed locks. The company was quoted in an article today on Slate.com, saying that “when you buy a lock, you don’t buy a subscription.” I guess that means that everyone is on their own!
Matt Fiddler, Tobias Bluzmanis and I provided a one-hour briefing to an overflow audience on the Medeco case example and how we methodically developed bypass techniques for the different Medeco products. This research formed the basis of our new book, “OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America.”
Then, on Saturday, Barry Wels and Han Fey offered a two-hour lecture on keys; how they work and how they can be simulated and copied. Their lecture was also to an overflow crowd and extremely well received. Barry, as usual, provided excellent background on how mechanical keys work and why they are not secure, even for certain high security locks.
Matt Fiddler, Toby, and I will be going into much greater detail at Defcon with regard to the vulnerability of Medeco locks and their key control, and what we perceive as a particularly serious security issue with regard to certain Medeco cylinders.
We will also be addressing the concept of Responsible Disclosure and Irresponsible Non-Disclosure. The photograph below is of Han Fey, replete with Medeco shirt!
Han Fey and Marc Tobias at HOPE 2008.
You can view the short video of our discussion with myself, Tobias Bluzmanis, Matt Fiddler, and Jon King.
CLICK THE “ORDER” TAB to purchase the book or CD.
Our new book, entitled “THE COMPROMISE OF MEDECO HIGH SECURITY LOCKS: New Methods of Forced, Covert, and Surreptitious Entry” will be available in the multimedia edition on June 15, 2008. This version will only be sold to Government and Locksmiths. The softbound book will be released about July 15, 2008.
The book presents an extensive analysis of Medeco locks and different methods to bypass them by covert and forced entry techniques. This photograph shows four keys that can be used to bump and pick Medeco Biaxial and m3 cylinders, sometimes in less than one minute. These keys will theoretically simulate the sidebar codes for all non-master keyed Biaxial and m3 cylinders that were pinned prior to December 2007.
This photograph shows a specially-prepared six-pin mortise cylinder which we used in several macro-videos that are contained in the book, to demonstrate how we neutralize the sidebar prior to picking this lock. The key with the correct sidebar code is shown to the left of the keyway. Note how the angles match those of the bottom pins. The view is from the bottom of the plug, looking up at the chisel-points of each pin. Their angles are noted on the cylinder.
The book took more than eighteen months of research and has resulted in three separate patent filings that detail multiple methods of bypass, certain technology to prevent these attacks, and mechanical modifications to secure Medeco deadbolt cylinders against certain forms of forced entry to which they are still vulnerable.
The book is about 350 pages and contains more than 400 images, tables, charts, and graphics. There are more than thirty video segments to demonstrate all forms of bypass of these cylinders. A detailed discussion of conventional and high security locks is presented, as well as an analysis of UL 437 and BHMA/ANSI 156.30 standards, and what they fail to protect against.
We believe this is the most comprehensive book ever written about Medeco locks. It discloses methods of bypass that are completely new and unique, and can allow the circumvention of all layers of security within these cylinders, often in seconds. If you have security responsibility in the commercial or government sectors, you will need to understand the vulnerabilities of high security locks to attacks against key control, bumping, picking, extrapolation of the top level master key, and forced entry. This information is provided in the book, with significant supporting documentation.
For additional information, see www.security.org.
We hope everyone enjoys the book, as much as we did in its production. We are already working on the next edition, and will provide detailed information on the bypass of the ARX pin in greater depth than we have, to date. The ARX is the Medeco high security pin that is supposed to prevent picking, bumping, and decoding attacks. We anticipate an announcement from Medeco, based upon information that we have obtained, that would indicate that they will be supplying these pins as standard in their locks, beginning later this summer, in an effort to make them more secure against the methods of attack that are described in our book, and other methods described in a recent article with regard to the bypass of Medeco locks.
Although the various ARX pin designs make bypass much more difficult, they also can provide excellent feedback with regard to our techniques of covert entry. It should indeed be an interesting year.
Matt Fiddler and I will be lecturing at Defcon 16 again this year, to provide an in-depth analysis of Medeco locks and how we broke their security. We hope everyone can attend the conference, to be held the first week in August in Las Vegas.
And for everyone who has asked what is next in the LSS+x series: the second high security supplement will describe the bypass of Mul-T-Lock cylinders and why we do not believe they are secure against a variety of attacks, or should carry a UL 437 rating.
If you have any questions, feel free to contact us. We appreciate your feedback and look forward to seeing many of you during different conferences this summer, and at Toool at Sneek in October.
Marc and Toby
Medeco is scrambling to fix their deadbolt security problem worldwide. Last week, they were reportedly set to begin manufacture of the modification of their high security cylinders to protect them against a simple method of attack that was disclosed by Marc Weber Tobias and his research team two weeks ago. Medeco was warned for the past two months there was a significant design issue with these cylinders but made no attempt to contact Marc to determine the precise nature of the problem. Now, they have a real problem because many of their customers that have installed single-sided deadbolts may be at risk, especially those that are utilizing the newer m3 technology. We have found that the vulnerability may extend to certain Biaxial® models also.
If you employ these deadbolts we would urge you to contact your locksmith, security consultant or Medeco to determine the proper course of action. A detailed report of the vulnerability is available to security professionals. You may contact the author for details at email@example.com.
DETAILED ANALYSIS: THE MEDECO m3 MEETS THE PERILOUS PAPER CLIP
You will need a password to access the detailed report. Please register at www.security.org. The password has also been posted on ClearStar.
View the video: Security vulnerabilities of the m3
This is the first of a four-part series with regard to Medeco® security. Part II will detail the methodology we developed to bump these cylinders. Part III will examine the procedure that is employed to pick these locks. Part IV will detail what we perceive as design deficiencies that allow certain of the Medeco® deadbolts to be easily bypassed. All of the information is based upon material in the High Security Supplement to the latest edition of LSS+.
The reader should review the cautionary notes regarding statements made within this report. See Legal Issues.
A piece of wire or a specially-formed paper clip can be utilized to bypass the slider mechanism in the m3. In combination with other techniques, this can result in a total bypass of the key control for a facility with regard to the acquisition of restricted blanks and the replication or simulation of keys.
The Medeco® m3 cylinder was developed primarily to extend the Biaxial® patent (which expired in 2005) so that the company could continue to dominate the U.S. high security lock market and protect its unique rotating tumbler technology. The m3 is UL 437 and ANSI 156.30 certified which Medeco® represents as a guarantee that its security can be relied upon for the most sensitive of installations such as the Pentagon and the White House. Based upon our research during the past year, there may be some security vulnerabilities relating to key control and the ability to reliably bump and pick some of these locks.
There are approximately 26 different combinations of steps and keys within the m3 system. This allows for enhanced key control, but is the system secure from the standpoint of preventing the ability to replicate or simulate keys, especially for restricted keyways? We do not think so.
In an excerpt from the High Security Supplement of the latest edition of LSS+ we examine the m3 in terms of potential key control issues and the possible susceptibility of this lock to other forms of covert bypass. A comprehensive examination of the subject is contained in the third edition of LSS+ (the multimedia edition of Locks, Safes and Security) by the author.
® Medeco is a registered trademark of Medeco Locks.
Medeco is the predominant high security lock manufacturer in the United States and has been trusted for more than thirty-five years to provide cylinder and hardware security for the private, commercial and government sectors. Their sidebar technology was unique when first introduced and has presented a continuing obstacle to both covert and forced methods of entry. As detailed in the Government version of LSS+ some very sophisticated decoders have been developed for law enforcement and intelligence agencies to bypass the original two layers of security within the Medeco design. As described in the first article of a four part series, Medeco introduced the m3 cylinder which incorporated a third level of security through the implementation of a slider. Their latest product is a modified m3 called the Bilevel. This is a lock that does not utilize the traditional Medeco sidebar design and is a cheapened version that is no more secure than a conventional pin tumbler cylinder and in fact may allow systems that integrate the Bilevel to be more vulnerable because of the limited number of sidebar codes that are available.
When the threat from bumping was made public in the United States last July and August, consumers, risk managers, security experts and locksmiths from both the private and public sectors began to question the real security of the locks that they depend upon to protect people, facilities, and assets. It was more than unsettling to think that perhaps there was little protection against a procedure that a kid could learn and rapidly execute to open a high percentage of pin tumbler locks. At the same time, everyone was led to believe that the threat from bumping did not extend to high security locks.
Beginning last August, high security lock manufacturers were quick to announce the heightened security of their cylinders against bumping. This included Medeco, Mul-T-Lock and Assa: they all produce locks with UL 437 or similar high security ratings.
Some announced that their locks were “bump proof” or “virtually bump proof” and that the consumer should have no fear that their security was in jeopardy. In all fairness, many of these manufacturers did not fully understand the threat or techniques that could be applied to bypass their internal security. Some still do not believe that such attacks are possible and continue to publicly decry any who make statements about bumping or picking of their cylinders, stating that any demonstration of bypass was a trick or “smoke and mirrors.”
The accompanying article specifically deals with the Medeco m3 and why we do not believe it provides any significant measure of key control security against a determined attack. In subsequent articles we will describe in detail how we determined that the Medeco and other high security locks could be bumped, picked open, or mechanically bypassed within minutes, if not seconds, thus rendering the ten-minute minimum specification for UL 437 or the fifteen-minute standard for ANSI 156.30 essentially meaningless. We thought it would be prudent to briefly analyze just what security the Medeco technology does provide against both casual and determined attacks and to hopefully dispel any confusion that may result from these articles as to whether the security provided by these locks is sufficient to protect you.
LOCKS AND THE CONCEPT OF SECURITY
“Security” is a generic term that can mean many things. In the world of locks, its definition has to be qualified by asking several core questions. Specifically, what are you trying to protect, and where? What is the value of the target for which these locks are providing security? Against what threat or whom are these locks designed to stop or delay entry? How sophisticated or determined is the attacker likely to be? Finally, does the lock provide the only barrier, or is it one control in a “defense in depth” strategy, meaning that there are other measures of security such as alarms, video, guards, perimeter barriers, or other systems to back up the locks?
Many are surely asking whether their Medeco locks are secure enough, especially after Medeco has repeatedly issued press releases, advertising statements and even a DVD categorically stating that their locks were “bump proof” and lately “virtually bump proof.” Recently we asked a senior representative of Medeco just exactly what “virtually bump proof” meant. We thought it was a fair question, especially since the term “virtually bump proof” in my view is like “virtual reality.” It means nothing but is a phrase that my fellow lawyers have devised to shield a manufacturer from potential liability for material misrepresentation. Saying that something is “virtually secure” is a qualification based upon no measurable standard, so it is an illusion. And the answer that we were given by Medeco: “Virtually bump proof means that you have about as much chance of opening our locks as you do of winning the lottery!” Well, if that is the case, I will place my bet on collecting from Medeco, because my odds are a great deal better in opening their locks than in winning a lottery.
So, you have spent perhaps three or four times the money to install Medeco cylinders than you would have for conventional non-high security rated mechanisms, believing that the cost difference was worth it. But exactly what security is provided for all that extra money? We will try to answer that question by briefly analyzing what your Medeco cylinders offer in the way of protection.
MEDECO SECURITY: What is it?
So why is Medeco perceived and touted as one of the most secure locks on the planet? Why are they relied upon by the U.S. government for installations such as the White House and Pentagon? The answer is simple: Medeco makes quality products of the highest order. This does not mean they necessarily outperform other high security lock manufacturers or that their sidebar approach is any better or more secure than others who have different design philosophies.
At the end of the day each manufacturer’s design has its strengths and weaknesses but all lock security can be reduced to three issues: forced entry protection, covert and surreptitious attacks, and key control. In fact, these are precisely the criteria and requirements that are addressed in the ANSI 156.30 high security standard.
Medeco locks are secure in part based upon the following features and issues:
• High quality components
• High tolerance mechanisms
• Excellent engineering and design
• Five or six pin tumblers
• Integrated pins that incorporate elevation and rotation
• Sidebar technology
• Slider technology and key control
• Legal protection of keys
• Special cutters are required to duplicate keys
• The ability to utilize multiple sidebar codes within one master key system to separate and protect secure areas
• Difficult to pick
• Impossible to bump without the correct or operable sidebar code
• Availability of the ARX pin for added pick and decoding resistance
• Forced entry protection
• More difficult to progress keys when extrapolating the top level master key
We believe that Medeco locks are secure for most venues but also have certain vulnerabilities that must be addressed in certain locations. Those vulnerabilities may allow certain Medeco cylinders to be rapidly bypassed by bumping and picking and circumvention of key control.
Let’s take forced entry first. Medeco, as with most other high security lock manufacturers, implements hardened inserts and components to resist most forms of drilling of the plug, shear line, or sidebar. These are the three vital areas that are most vulnerable. Almost everyone utilizes special steel pins, bearings and other blocking technologies to resist such attacks, at least for a minimum of five minutes. Some of these locks are incredibly tough, although the type of attack and amount of force must always be considered. In Part I of this series, force is not seen as the real threat: covert attacks and compromise of key control are.
Key control relates to the protection of keys from duplication, replication, and simulation. It also deals with system expansion, the number of secure key changes, ability to set up large master key systems, and an alternative to the use of sectional keyways.
The Medeco m3 specifically touts its key control as secure, flexible and effective. In fact, the m3 was designed primarily for enhanced key control as a way of extending the Biaxial patent that expired in 2005. In doing so, Medeco also claimed that the security of the cylinder was enhanced with the addition of the internal slider. So exactly what does the m3 and its slider accomplish?
There is no doubt that key control is enhanced to the extent that legal protection applies for the next twenty years, thereby preventing others from commercially manufacturing, selling or distributing blanks for the m3 that contain the patented protrusion on the side of the key. That’s it! There is no more protection against cutting keys with angled cuts, nor for replicating keys for the original or Biaxial locks. No, you cannot go to the local hardware store or Home Depot and obtain m3 blanks or have keys copied. If you have a system with a commercial keyway then your local locksmith may be able to legally replicate your keys. If the keyways are restricted or proprietary, then you are out of luck, but criminals may not be.
The m3 is subject to bypass of its key control features because the slider can be easily defeated with a piece of wire or a paper clip. In addition, restricted blanks can be synthesized or replicated, thereby potentially bypassing all of the key control you thought you had obtained when purchasing the Medeco brand. Is such bypass relevant? Again, it depends if you have a high value target to protect.
If you are a residential customer or own a small business, the likelihood that your locks will be compromised in this manner is pretty remote. Certainly it is not impossible but the chances are slim. What you need to understand is that the third layer of security that is provided by the slider is essentially non-existent given its ease of bypass. And that bypass can make the lock much more insecure to secondary and more advanced forms of attack such as bumping and picking. If you choose to implement Bilevel into an m3 system there is even less security but the locks are also less expensive.
Covert and Surreptitious Methods of Entry
In my view the real threat is from covert methods of entry. Notwithstanding their statements to the contrary, certain Medeco locks can indeed be bumped and picked, some with little difficulty. Did Medeco know this last year when they began their public information campaign of invulnerability to bumping? In fairness, probably they did not. In fact, they went so far as to have their locks tested against bumping attacks by a testing lab in Europe. They were pronounced secure according to Medeco.
Should Medeco have conducted more tests to make certain that their locks were immune to bumping? Probably, because they represent that they are experts in high security locks and that their customers can rely upon their expertise and statements. When Medeco categorically states that their locks are “bump proof” then they are surely believed because of their reputation, customer base, ethics, and expertise during the course of the past third of a century. All in the industry know that Medeco is a prime supplier to the U.S. and some foreign governments and that they did not earn their reputation or win those contracts without being one of the best at what they do. Everyone takes Medeco at their word about security.
So just what protection against covert attack does Medeco provide? In the m3, there are three levels of security, all of which are interrelated. The compromise of one level of protection will not result in the lock being opened. All three separate and parallel systems must be defeated before the lock can successfully be neutralized.
The primary security for a Medeco cylinder has always been its unique sidebar design which is controlled by rotating pin tumblers. This invention can be likened to the modification of the Egyptian pin tumbler lock by Linus Yale. The concept of the rotating pin was revolutionary and had never been done before, which is why Medeco received several ground-breaking patents almost forty years ago.
The requirement that pins be both elevated and rotated in order to align two different locking systems (shear line and sidebar) at one time set Medeco apart from all other high security lock manufacturers. This combination makes picking extremely difficult because pin tumblers must be manipulated at the same time for two different systems (rotation and elevation). Many have tried to reliably defeat Medeco, most with limited or little success. For that reason Medeco has thrived as a primary provider of high security locks.
For the vast majority of users this dual layer of security was and is more than sufficient. Then came the introduction of the m3, with another alleged layer of security: the slider.
I would be the first to acknowledge that for the average thief, whether casual or determined, Medeco provides a significant barrier against any covert form of attack that involves the compromise of the pin tumbler mechanism. But Medeco cylinders are not just employed in “average” installations requiring medium security. They are relied upon everywhere, often to protect incredibly high value targets where criminals, spies, and even insiders will expend a great deal of time, energy and money to defeat these systems. So they have to be secure. In fact, not just secure but very secure, and that is where we believe the problem begins.
I draw an analogy between Medeco (and other high security lock manufacturers) and the communication common carriers that provide broadband Internet services. Almost every carrier has fiber optic cable to transport data across the country or across the world. Where the system breaks down is in the last mile, where copper wires rather than fiber feed individual locations. It is the last mile that I am most concerned with in high security locks; an equivalent to the last five to ten percent of protection that really matters against competent and determined criminals.
In a nutshell my problem is this: the highly respected Medeco m3 lock, the new star in the Medeco flagship, can be bypassed with a paper clip, followed by a specially designed key which can be used to open it by bumping or picking. For sure, not all of their cylinders can be opened in the manner described in these articles, but many can. And what is a tolerable percentage that can be bypassed? This is a very good question for Medeco. Unfortunately, as will be demonstrated in the fourth article in this series, the problems with Medeco security do not stop with bypassing the slider or sidebar. It is more basic and involves mechanical bypass, which can be far more sinister than manipulating the internal components with bump keys or picks. We believe it is a failure of imagination on the part of Medeco design engineers to perceive certain threats.
Most of the high security lock manufacturers offer cylinders that will provide more than ample protection and meet the security requirements for the vast majority of their customers. However, if you have what you perceive as high value or critical targets to protect, then you just might want to research this matter further. You should not solely rely upon the so-called high security standards promulgated by UL, BHMA and ANSI. The reality is that these organizations really do not test for certain forms of bypass. We believe that if they did, then many of their “certified” locks would lose such designation.
This article began by asking the question whether your Medeco locks are “secure enough?” In my view there is no question that they are one of the best available cylinders but of course that comes with many caveats. The perceived level of threat should determine whether Medeco or some other vendor produces the locks that will afford the needed protection. The alternative, of course, is to prohibit the possession of paper clips in any facility where the m3 is installed!
® Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.
Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.
A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.
The password for this article will be posted on ClearStar later in the week or you can register on www.security.org for site clearance. When registering, please specifically request the password for this article.
You may also contact the author at firstname.lastname@example.org for access or further information.
Medeco® is a registered trademark of Medeco Security Locks, Inc.