In.Security Home

THE SIDEBAR: MARC WEBER TOBIAS

Archive for the 'Recent Interviews' Category

THREE-IN-ONE BORESCOPES FOR SAFE PENETRATION AND MAINTENANCE

I interviewed Albert Chen at the Three-In_One factory in Taipei to discuss the different video borescopes that they produced. This company has developed technology to place a video chip in the tip of their line of scopes for crisp video. They produce a wide range of optical instruments for government, security, locksmith and automotive applications. I spent three days with the owners of the company and was shown their latest technology including wireless applications.

See my interview with cfh6W_Sh16Q.

Albert Chen at Three-in-One shows different borescopes that his company produces in Taiwan.

This is a wireless borescope with the video chip in the tip of the scope. The unit will record still images and video.

A wireless scope from Three-in-One. The system uses 2.4 Ghz for transmission.

Comments are off for this post

SNEAKEY PROJECT: Capturing key bitting data remotely

The camera system that was utilized to capture an image of a Kwikset key from 200 feet away.

The camera system that was utilized to capture an image of a Kwikset key from 200 feet away.

I interviewed Dr. Stefan Savage, the professor at the University of California San Diego, that directed the research team that developed a prototype for analyzing the images of keys to decode their bitting code.

The team issued a report last week that detailed its findings.

Although remote optical capture of bitting information is not new, the development of software to automatically analyze images of bitting codes may be unique in the commercial sector. You will recall that we were able to scan a Medeco m3 key last summer, email the image, and simulate a key that opened the lock using a piece of credit card plastic. The UCSD technique takes this one step further.

See the complete story on CNET Security.

No comments

SO JUST HOW SECURE ARE MEDECO ARX PINS? Ask 13 Year Old JennaLynn!

Marc Tobias, JennaLynn, and Tobias Bluzmanis at Defcon 16 lock picking village

See the Video that documents JennaLynn opening a five-pin Medeco Biaxial at Defcon 16, in 2008.

See the PowerPoint presentation at Defcon 16.

At Defcon 16 this year, we demonstrated that the high security ARX pins that Medeco may be relying upon to fix the Medecoder problem might not quite be the solution they had hoped for.

Medeco announced in the May, 2008 NDE magazine that they would be implementing a solution to the Jon King Medecoder bypass. We received reliable information that their response to this fifteen-year-old threat would be to implement ARX pins, and that they are in the process of converting their production lines to accommodate the required changes. Three months later, everyone is still waiting.

As we pointed out in our previous editorials about Medeco embracing the Locksport community, ARX pins would likely prevent the use of the Medecoder but they may not be an effective deterrent to our methods of bumping and picking. Whether Medeco understands this is unclear. Given their apparent inability to figure out just how to compromise their own locks, it is probably unlikely that they comprehend all the issues involved, or would ever acknowledge them.

In a recent exchange of emails, we offered to open lines of communications with Medeco, as we had enjoyed up until about eighteen months ago. But of course, that was before we publicly disclosed the serious vulnerabilities in their “key control” or to be more accurate, the lack thereof. Actually, as applies to Medeco m3 cylinders, we believe the more descriptive term should be “key insecurity.”

In our view, Medeco does not have any key security for the m3, and for many of their older Biaxial locks. They continue to represent that they have strong patent protection for their keys. By inference, the facilities that rely upon Medeco can be assured that it is virtually impossible to duplicate a Medeco key. In our view, this is not only untrue, but it is nonsense. We will go into much more depth regarding “key-mail” in a later post, because this issue has far greater implications than just making keys out of plastic for their locks.

Immediately after Defcon, I also let the company know that we had documented the bumping of another Biaxial by thirteen-year-old JennaLynn, and offered to share the pre-release copy of the video with them for any comments they may wish to make.

So, again, Medeco is silent. They are saying nothing about bumping, or our latest attack with plastic, which is so simple that it can be carried out by one with very limited skills. If we are to understand their response in the Slate.com article last month, they believe and firmly embrace the premise of saying nothing about anything regarding the security of their locks, other than touting how secure they are. In other words, Security by Obscurity is definitely the policy. It is, in our view, an irresponsible policy, fraught with danger for the consumer and the lock manufacturer as well. But we will leave that discussion for a later time and venue.

* * *

We return to Defcon 16 and (now) thirteen-year-old Jenna Lynn. Everyone will remember in 2006 when she bumped open the Kwikset cylinder. She was probably the one most responsible for getting everyone’s attention to be focused on this threat because everyone understood the implications of an eleven year old being able to open one of the most widely used pin tumbler locks in America.

Medeco reaped the benefit of our presentation at Defcon 14 in 2006. In fact, a joint appearance between me and a senior Medeco representative in a widely-aired in-depth TV story surely must have increased their sales. Everyone, it seemed, was concerned about the threat from bumping so all was very well at Medeco. They had a solution to bumping, and announced it in a press release about August 4, 2006.

Now it is 2007, at Defcon 15. Something is terribly wrong! Young JennaLynn has now bumped open a Biaxial cylinder for the news media. How can this be, because Medeco represented to everyone that their locks were bump-proof in 2006! Oh, so much can change in such a short time. By the summer of 2007, they were claiming that their locks were either “virtually bump-proof” or “virtually resistant.” It is hard to tell when this precise obfuscation transformed their position of offering the bump-proof solution, to hedging their language as the lawyers got involved to protect them.

Now, Medeco claims that they NEVER said their locks were bump-proof. Rather, they claim, others said it, but surely not them! Well, that argument sounds good, until one considers the slide that was shown in our Powerpoint lecture this year at Defcon. The slide that we believe conclusively proves that Medeco not only claimed that their locks were bump-proof, but made the error of attempting to register the name bump-proof with the Patent and Trademark office about two weeks after they issued their original press release.

I have really tried to understand why they would do that if they were not representing that their locks were indeed bump-proof. I have concluded that the only other logical answer, which only a lawyer could invent, would be that they wanted to prevent all other manufacturers from claiming their locks were bump-proof! Did they do it because they wanted to protect the public from such claims by other manufacturers. Maybe they did this, as the acknowledged leaders of the high security market, because it would be highly misleading to the public to advertise a lock as bump-proof when in fact it was not! They simply wanted to protect the public from such claims!

Surely that must have been their motivation, because there can be no other answer…unless, of course, they actually were claiming that their locks were bump-proof and wanted to get the jump on every other lock manufacturer. A really great idea, until a twelve-year old showed how to open their cylinders by bumping. Then, of course, Medeco went into spin-mode to make sure that nobody believed what they had seen on the video. After all, if Medeco said it was not true, then everyone would have to believe them. Because they were Medeco!

There was just one small problem. Medeco forgot about the Internet and open and instant access to records. It is the same naiveté that allowed them to believe they would actually get away with modifying their original bump-proof press release, as we presented in another slide at Defcon. Evidently they were not aware of www.archive.org, or that the two different versions of their press release are still available, and are included within the Multimedia edition of our book.

So JennaLynn bumped open the Biaxial cylinder in 2007, and Medeco said it was all a lie. Not publicly, of course, but they said it to many individuals privately. This was their disinformation campaign to discredit myself, my co-author, and others that dared to talk about or teach the techniques to compromise Medeco locks by bumping and picking. They repeatedly claimed that the lock that JennaLynn had opened had to have been modified or altered, because you simply could not bump open a Medeco lock. According to Medeco, not even those independent testing labs could open their locks by bumping. Yes, those very same labs that Medeco recently told Slate.com should be the ones to conduct vulnerability testing of locks.

Actually, the real problem is that Medeco could not bump open their own locks, rather than it not being possible for a twelve-year old to do it! So, for the past year, they have repeated their story about how we manipulated the internal mechanism of the lock to allow JennaLynn to open it. Medeco has represented that they have allegedly spent hundreds of hours internally trying to open their locks, and have been unable to do so. Well, we did suggest to Medeco that they invite young JennaLynn to the factory in order to instruct them how to open their own locks!

Now we come to the best part of this story.

* * *
It is Sunday morning, August 10, 2008, in Las Vegas, and it is Defcon 16. Tobias Bluzmanis, Matt Fiddler, and I are sitting in the lock picking village, watching Deviant Ollam and others giving classes on basic lock design and picking and bumping. It is always the most popular gathering at Defcon, and this year was no exception. The village was packed with enthusiasts from morning until late in the night.

We asked JennaLynn to try to bump open a new, five-pin Biaxial profile cylinder that we acquired in Europe from the stock of a Medeco lock shop. She was eager to try, given her success last year. So, we handed her the lock and the bump key that we prepared. The key had the correct sidebar code for this cylinder, and was cut to all #6 depths. Ten minutes after we gave her the lock, she returns and says she can open it. She is smiling. But she has no idea what she has actually accomplished! As it turns out, it was quite a feat as compared to what she had done last year.

Now we are sitting at a large round table with about 25 other attendees in the village. Matt starts shooting video, and you can see for yourself why this demonstration is different than last year, when she opened the Biaxial at Defcon 15. It is vastly more significant because we inserted four ARX pins and three mushroom top pins into this lock.


JennaLynn attempts to open the five-pin Biaxial cylinder by bumping

Medeco touts the ARX pins as the most secure. You know, these are the very same pins that will prevent the Medecoder from working, and were developed in response to the sophisticated John Falle decoder in the early 1990s. The same pins that were going to become standard in their cylinders, and why they got Jon King to hold off publishing information for two months about his decoder.


In just a few seconds, JennaLynn bumps open the five-pin Biaxial lock

Whether these pins become standard in all of their locks is open to speculation. Medeco evidently believes that everyone should pay for this security upgrade, even though they were aware of the problem that prompted the ARX pin development for at least fifteen years.

The bottom line is that we can demonstrate the ability to bump and pick locks with at least one version of ARX. The pins that we used (#4 and #6 depths) were supplied directly by Medeco to us, so we can only assume they are as secure as any they produce.

And to add insult to injury, it appears that the company may want their dealers to bear the cost for the pin kits, which we have been told may run anywhere between $800 and $2,000. Now, how does that work, exactly? We are not quite sure, but any locksmith that is not happy about it is welcome to contact our office for advice and assistance.

As we are detailing in the next edition of OPEN IN THIRTY SECONDS, we believe there is a basic problem with the ARX philosophy and its ability to prevent bumping and picking when the sidebar code is known, as is the case when our four code-setting keys are employed to open their cylinders.


Tobias Bluzmanis disassembles the lock in front of 25 attendees, so an expert can verify the internal components and that the lock has factory-standard pins, springs, and sidebar and that they have not been altered or modified.

What everyone needs to understand is that a thirteen-year old girl was able to repeatedly open a Medeco Biaxial cylinder with four ARX pins. She did it effortlessly. Yes, the lock had been bumped many times before JennaLynn did it. That should not matter, because Medeco has repeatedly claimed that their locks were bump-proof. Well, at least until they realized they were not, and they changed their advertising language so as to make their claim next to meaningless, if not laughable.


Han Fey examines the internal components

Han verifies that the lock contains four ARX pins and three mushroom pins, and has a sidebar that is functioning properly.

And if you have any questions as to the authenticity of the demonstration, or that the cylinder was somehow modified, check to see who verified the internal components of the lock immediately after the demonstration, on the video.


The lock has been disassembled, showing the ARX pins and mushrooms.

From our perspective, nobody is more qualified to confirm what we demonstrated with JennaLynn than one of the individuals that Medeco selected in 2007 to help them in an attempt to debunk and discredit our findings. As you will see on the video, Han Fey, one of the most respected cylinder security engineers in Europe, was able to confirm exactly what occurred at Defcon. And if you are still skeptical about the 2007 JennaLynn demonstration, it might be interesting to hear from ALOA senior staff because ultimately they may be required to weigh in on this matter and present evidence as to the ability to bump Medeco cylinders. Yes, the same ALOA that issued their famous press release in 2006 about bumping, and how the publication of this information had “unduly raised the alarm.”


Han compares the change key and bump key for this lock to confirm the bitting and verify the sidebar codes are the same.

We think it is about time for Medeco to start leveling with their customers and the public. They should candidly address the security vulnerabilities of their locks to bumping, picking, and what we perceive as their total failure of key control and key security in the m3. If significant research involving bumping had not been conducted, nobody would have been aware of the security threat that existed, especially in high security locks, with regard to bumping and picking.


Han Fey gives his opinion about the lock and its ability to be bumped open.

Medeco locks are certified by UL and BHMA as meeting minimum criteria to protect the public from different forms of attack. As we note in our book, BHMA 156.30, (the true high security standard), does not specify many forms of attack that can be critical to the protection of a facility, so the value of such certifications are diminished.

We believe that Medeco does not and cannot comply with certain requirements of this standard, to the potential detriment of the public, commercial, and government sectors. We are actively pursuing this issue regarding Medeco and other certified high security lock manufacturers with BHMA. It is our position that they should not continue to be certified, because their locks can be compromised in well under the minimum specified times that are enumerated in both UL 437 and 156.30.


The lock was disassembled to show all the top and bottom pins and springs.

We would urge Medeco and other manufacturers to join us in a thorough review of the standards and to insure that the requirements are comprehensive, realistic, and complied with. Presently, we can show that some high security locks will simply not meet the standards and should be de-certified.

No comments

DEFCON 16: Plastic Keys; and JennaLynn Does it Again!

We just returned from DEFCON 16 in Las Vegas. The conference organizers report the largest attendance ever, and that was evident at our two-hour presentation on Friday afternoon. Matt Fiddler, Tobias Bluzmanis, and I did a three-part presentation on Medeco high security locks, demonstrating how all of their security layers have been compromised.

You would expect to be able to simulate a plastic key for a Kwikset cylinder, but not for a high security lock like Medeco. This key easily opens the Kwikset. We accomplished the same result with a Medeco m3. So much for key security!

A credit card was cut to form a key for a Medeco m3. It incorporated both the vertical bitting and angles needed to open the lock.

A Medeco mortise m3 cylinder can be easily compromised with a plastic key. We graphically demonstrated this vulnerability to a Wired Magazine reporter, both with a credit card, and Shrinky Dinks plastic. The full story of how this key was emailed by the reporter to us prior to Defcon will be posted shortly, and documents the threat that is posed by a lack of key control.

An inexpensive HP copier/scanner was used to produce a replica of an m3 key on Shrinky Dinks plastic. We demonstrated the ability to compromise the security of a mortise cylinder using this key.

We also discussed the security threat that is posed by a camera within a cell phone. In this case, we used the image of a Medeco key that was captured by a Blackberry Curve.

JennaLynn did it again this year. At age 13, she opened a five-pin Biaxial profile cylinder. But this was not an ordinary lock, as you will see in the interview.

WIRED MAGAZINE, August 8, 2008

CNET, August 8, 2008

Agence France Presse, August 10, 2008

SLASHDOT, August 9, 2008

SECURITY PODCAST #13

We will post our Powerpoint presentation together with all of the video files from Defcon.

At our Defcon presentation, we talked about the methodology that we employed to break the locks and the lessons that should be learned from our experience. Then, we discussed the ability to totally compromise the key control of the m3, and many Biaxial cylinders, using plastic or Shrinky Dinks keys. We introduced the concept of Key-Mail, and warned of the threat from emailing restricted keys from within a high security facility.

Finally, we discussed the concept of Responsible Disclosure v. Irresponsible Non-Disclosure upon the part of a lock manufacturer. We took many questions from the overflow audience at the end of our presentation.

JennaLynn demonstrated her ability to bump open a Medeco Biaxial cylinder once again this year. You will recall that she did the same thing at Defcon 15. Medeco claimed that the demonstration was not true, and that the locks had been modified or altered so that she could open them. This, of course, was not true, and the cylinder was subsequently verified by independent experts a few weeks later that it conformed to factory standards, and indeed could be repeatedly bumped open. To our knowledge, Medeco has never admitted publicly that this is possible.

So, the lock that JennaLynn, at age 13, bumped open was no ordinary cylinder. And this year we decided to have her do the demonstration in front of about 25 participants at the lock picking village, where both amateurs and experts converged to try their skills at openeing a wide variety of locks. Not only did she open the lock twice in a few seconds, but we had an indpendent expert immediately confirm that the lock was configured as we represented, which would prevent Medeco from claiming that this was a staged demonstration.

Han Fey, as he examines the Biaxial lock that JennaLynn easily bumped open in a few seconds.

We asked Han Fey to be our independent observer. Han is from the Netherlands and works with Barry Wels and Toool, and is recognized as an expert in his field. More importantly, if you read our book, he is also recognized by Medeco as an expert. We offered a pre-release copy of the video to Medeco last week, so that they could include comments when it was posted. We have not heard from them since that offer.

Han and Barry came to Defcon 16 this year, in part to view our presentation on key security, as a follow-up to a detailed presentation that Barry gave at HOPE a few weeks before in New York.

Stay tuned for the demonstration by JennaLynn, and a discussion of how we compromised Medeco key control. Both topics should be of interest to security professionals who are responsible for insuring the integrity of their locks and keys.

1 comment

MATTHEW MYERS: Medeco Biaxial Open in 55 Seconds!

See my interview with Matthew Myers. He read the book and picked open a Medeco Biaxial in 55 seconds. Not bad at all! Toby’s best time is 27 seconds for a six-pin m3. Will Matthew beat this record? It is up to you Matthew!

Last week, on my way back from Defcon 16, I stopped in Fort Collins, Colorado to interview eighteen-year old Matthew Myers. He is a college freshman at Colordo State University, and also works for the lock shop in Fort Collins. The shop services many facilities in Larimer County that utilize Medeco locks. He told me that Medeco is the predominant high security lock that is sold in the area.

About three weeks ago, Matthew purchased a copy of OPEN IN THIRTY SECONDS. Two days after receiving it, he contacted me and sent me an email containing what he believed were the correct codes for the four code-setting keys that could be used to bump and pick Medeco cylinders. He used the data from a Medeco code book to almost figure it out. The codes were close, but not quite correct.

He told me that after reading the book, he was able to open an off-the-shelf Biaxial cylinder in 55 seconds, by using a key with the correct sidebar code to set the angles. He then picked it with conventional picks. He said that othe lMedeco cylinders took longer.

He confessed that he has been picking locks for about five years, so he was quite profficient, but he was amazed that he was able to compromise the security of the lock in such a short period of time.

Matthew described his experience and his views on the book in our interview.

We thought that the ability to compromise Medeco cylinders by picking could be told much better by an eighteen-year old who had never been able to reliably pick one of these locks prior to reading the book. It should be noted that Matthew agreed not to release the code data that he developed.

We congratulate Matthew for acquiring the skills that we describe in our book. He will surely excell in college.

Matthew is a regular contributor on LP101.

Great work, Matthew!

No comments

IDG NEWS SERVICE: Hope 2008 Snippets

The IDG News Service, Network World TV, posted this video this past week, reflecting some of the events at HOPE 2008 in New York.

No comments

EXCLUSIVE INTERVIEW FOR LP101: Josh Nekrep and Marc Tobias discuss the new book about Medeco locks

OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America is now available. You can order at a discount on LP101 if you are a member.

I met with Josh Nekrep of Lockpicking101.com in Winnipeg, Canada on Tuesday to record an in-depth interview about our new book, OPEN IN THIRTY SECONDS. The one-hour discussion can be found on the LP101 site.

You can listen to the interview, or download the file. To download, right click on the link and select “save target as”.

We have posted a special order form for LP101 members only, which provides for a 20% discount on the printed version of the book for pre-publication orders. Please check the LP101 site for details.

No comments

INTERVIEW WITH EMMANUEL GOLDSTEIN: WBAI New York

I hope that many of you had a chance to listen to Emmanuel Goldstein’s radio program, Off The Hook, on WBAI in New York last Wednesday, May 23, 2008. We had a good discussion of security and high security locks, especially relating to Medeco cylinders.

If you missed the interview, it is available on in.security.org, or at WBAI-FM.

I have received quite a few emails with regard to our new book on Medeco. We anticipate releasing the extremely detailed multimedia edition on June 15, 2008. The Government and Locksmith editions are entitled “The Compromise of Medeco High Security Locks: New techniques of forced, covert, and surreptitious entry.”

The softbound edition is scheduled for limited release in New York during the second week of July, with full release the first week in August. The printed edition is entitled, “OPEN IN THIRTY SECONDS: Cracking one of Americas most secure locks.”

We will be posting the chapter outline and video content shortly.

Stay tuned for more details.

No comments

TOOOL USA: The Most Popular Exhibit at HITB Kuala Lumpur, Malaysia

The HITB Security Conference that was held in Kuala Lumpur the first week in September, 2007 featured speakers from around the world presenting detailed information about cyber and physical security. Marc Tobias gave a presentation on high security locks and discussed the security vulnerabilities of the Medeco® m3 cylinder. Marc shared the podium with representatives of Toool.US..

kl_2_350.jpg

kl_4_350.jpg
Eric Michaud at the Toool exhibit.

kl_3_350.jpg
Close to 1000 attendees participated in the security conference
last week in Kuala Lumpur

kl_1_350.jpg
Members of Toool USA (Eric Michaud, Deviant, and Q) demonstrated
lock opening skills for a very enthusiastic audience and also
lectured on bypass techniques and biometrics system vulnerabilities.

Attendees were primarily security professionals and law enforcement technical specialists.

®Medeco is a registered trademark of Medeco Security Locks

No comments