Archive for the 'OPEN IN THIRTY SECONDS' Category
LECTURE ON HIGH SECURITY MECHANICAL LOCKS AND ELECTRONIC ACCESS CONTROL SYSTEMS: University of Cambridge Computer Security Lab, Cambridge, England on April 28, 2009
MEDECO NEXGEN electronic cylinder utilized in vending machines, parking meters,
cargo containers and other applications where an audit trail is required.
MEDECO NEXGEN cylinder is installed in a specially-designed padlock to secure cargo and other valuables. The lock provides a complete audit trail of all accesses with the Medeco-supplied key. The lock is in the open position.
I will be lecturing at The University of Cambridge Computer Security Lab on April 28, 2009 with regard to security vulnerabilities and legal issues involving both high security mechanical locks and electronic access control systems. This will be a follow-up to my lecture in Dubai earlier in the month.
Information on the Medeco NexGen, Logic, Assa Abloy Cliq and other access control technologies will be presented in detail in the supplement to OPEN IN THIRTY SECONDS.
DUBAI HITB SECURITY CONFERENCE: Protection of Critical Infrastructure and the use of Electronic Access Control Systems
I will be speaking again this year at the Hack in the Box security conference in Dubai, UAE, on April 22, 2009. For the past two years I have participated in this gathering of almost 1000 security experts from Europe and the Middle East who meet to give presentations about wide-ranging cyber and physical security threats. The conference is always well-attended by a diverse group of participants and is again being held at the Sheraton-Creek in Dubai.
The presentation will include a detailed review regarding the protection of high security facilities, including airports and aircraft, power transmission facilities, and computer server rooms. The emphasis will be on liability and security issues that may result from an undue reliance on certain high security locking systems and technology. I will discuss a number of misconceptions and why these facilities may be at risk, even with some of the most sophisticated physical access hardware and software.
Specific problems inherent in conventional locking hardware will be the primary focus, together with an analysis of high security mechanical locks and electronic access control systems produced by many of the Assa Abloy companies. These technologies include, among others, the Cliq®, Logic®, and NexGen®. The security representations of certain manufacturers will be analyzed, and potential vulnerabilities in these high-tech systems will be explored, together with the liability that may flow to users if these systems are circumvented.
Since the publication of OPEN IN THIRTY SECONDS, which details the compromise of Medeco high security locks (2008), intensive research has been ongoing in the U.S. and Europe regarding the security of different electronic access control systems. The results will be included in the new supplement to our book. These potential security issues will be examined in Dubai and will be explored in depth in the upcoming supplement, and later this year in future presentations.
Material that is being included in the new supplement will include:
Critical security vulnerabilities and inherent design flaws of electronic access control systems that are produced by high security lock manufacturers;
Medeco cam locks and their lack of key control for critical infrastructure protection;
Medeco X4, the second generation of the Keymark product, and its virtual absence of any real key security.
We will also consider potential legal liabilities in connection with the failure of electronic access control systems to perform as represented by the manufacturer, especially with regard to the failure of audit functions in the event of bypass and the ramifications to the protection of critical information. The legal consequences to employers and employees that could result from false audit trail data will also be explored. In this connection, we analyze certain White Papers issued by Medeco in 2008 with regard to Logic, and why we believe this technology (and other systems) may not meet minimum physical security requirements for the protection of critical facilities and infrastructure. We examine potential non-compliance issues with regard to state and federal regulatory standards such as contained in Mass.201 CMR-17.00, Sarbanes-Oxley, Transportation Security Act, HIPAA, and the Federal Energy Regulatory Act.
If you are a dealer or end-user and have implemented electronic access control systems and have experienced technical or security issues with your deployed hardware or software, we would encourage you to contact our office to exchange information in order that the supplement is as current and complete as possible, and to provide input for the upgrade or redesign of certain systems.
We have notified Medeco of preliminary research results and have repeatedly requested the most current lock samples to confirm certain findings. Medeco has refused to provide any locks in order to allow us to conduct any tests involving Logic or Nexgen. The company has stated that it only allows testing laboratories or internal and other experts to evaluate their products, and that any information about their locks in conjunction with such tests would be considered confidential, proprietary, and protected intellectual property. We have therefore contacted certain dealers and implementers of Logic, Cliq, and Nexgen to conduct real-world trials at different venues.
Translation: Medeco is afraid to have anyone test their locks unless they are one of “their” experts and that any such testing must be covered by a non-disclosure agreement. For the record, we never asked for any information; just the locks (and we offered to pay for them).
If we had relied on any data from Medeco with regard to the ability to bump or pick their Biaxial or m3, or to develop the technique of code setting keys to open them, we never would have succeeded in doing so, and would continue to believe their locks were still secure as claimed by the manufacturer and others.
OUR QUESTION: if a manufacturer sells locks and represents them as secure, why would they be afraid for anyone to analyze them independently and attempt to circumvent their security? Isn’t that the point of locks…to stay locked until the right key or code, or credential is presented? Aren’t locking systems designed specifically to stop people from attempting to open them if they do not have the correct credentials? And isn’t Medeco the undisputed leader in the high security market in North America? So why would they be so wary as to not allow us to test and report on the security of their electronic lock designs? We offered to share some of our research with the company, once we were satisfied with the reliability and repeatability of our findings and conclusions.
WHAT WE ASKED IN RETURN: That they would recall all locks that displayed design defects or deficiencies which could result in security vulnerabilities for their customers. In return we would agree to withhold any publication for at least three months, so long as the company would replace all products at no charge to the consumer.
The response we received from Medeco to this offer? No substantive response at all. We have been told that we have a duty to advise Medeco of any “alleged vulnerabilities.” They reiterated in two recent letters that “they have always been willing to listen.” Yes, that is true, but never willing to share any information, nor confirm any vulnerabilities. It is a one-way street.
After analyzing their latest communications, we remembered their corporate position on locks they have sold and later found to be susceptible to be bypassed: they stated in 2007 that purchasing Medeco locks is not like buying a subscription. If a vulnerability is discovered after purchase, just buy new locks!
Good for Medeco, but not very good for their customer who may have invested in flawed technology.
We guess that one possible answer to their lack of any real response to our request for locks would be that they read our book, or perhaps they are concerned that young JennaLynn might be recruited once again to open their Logic or Nexgen.
August, 2009. …Las Vegas. …DefCon.
®Medeco, Logic, Cliq, NexGen, Keymark, and Biaxial are registered trademarks of Medeco Security Locks and Assa Abloy.
Will we have to change the title of our book as a result of what happened this past weekend? Maybe!
Matt Fiddler (right) instructs on bumping open Medeco locks.
As usual, Barry Wels and Han Fey organized an incredible security conference at Sneek, Netherlands, this past weekend. The new name is LOCKCON, which was changed from “The Dutch Open” this year. There were almost 100 participants from all over Europe and the U.S. who interacted for three days of presentations, discussions, and contests to open locks and safes. Drinking beer was optional!
I would like to think that the highlight of the weekend was the four-hour presentation that my co-author, Tobias Bluzmanis and I gave with regard to the complete and total bypass of Medeco Biaxial and m3 high security locks, but at the end of the day, I think the lecture (almost five hours) that Peter Field gave was up to his usual standard of excellence and was the primary attraction. I have known Peter for more than 20 years, and have never been disappointed by one of his mega-presentations! Last Friday was no exception as he detailed the design features of more than fifty locks.
To say that his background and understanding of lock design is extraordinary would be an understatement. In our view, perhaps the most significant point is that Peter participated as the Director of Research and Development for Medeco. The company has taken the lead in recognizing the contribution of the lock sport and professional bypass community. It is even more amazing that he (and Medeco) agreed to participate in the same gathering that saw Toby and me teach how to circumvent the security of their locks.
And that is exactly what we did, both in a detailed Powerpoint presentation and in a workshop where everyone could cut keys for new Biaxial profile cylinders.
Barry and Han had purchased a Medeco key machine, hundreds of profile cylinders, and thousands of blanks in preparation for LOCKCON. Why did they go to this expense and effort? I believe that it is because of the impact that our bypass techniques could have in the high security community around the world, not just for Medeco but for other lock manufacturers as well. They wanted to let everyone learn the technique from its inventors, and then do their own vetting, rather than simply relying upon what they have heard, or read in our book, or on the web. Virtually none of the participants were familiar with Medeco locks before the conference. Few had actually picked them open, so this was a real learning experience and a test of our techniques with extremely competent technicians.
So, we explained in some detail the theory behind our concepts of “code setting keys” and “setting the sidebar code” in Medeco locks. We examined Medeco’s total lack of real key control, and the ability to bump and pick their locks in seconds. After our presentation, everyone had the chance to practice and learn the techniques that were required to open these cylinders. Just about everyone got it!
They were able to understand how to set the sidebar code in order to neutralize this vital security layer. Once that was accomplished, cylinders could be picked or bumped open, sometimes in as little as five seconds for a five-pin Biaxial.
The proof, however, was in the lock picking contest on Sunday.
There were several rounds to identify the best lock pickers in the group. By three in the afternoon, there were just a few finalists. It was agreed that the final rounds would require the contestants to pick open Medeco cylinders. Four different sidebar codes that matched our four code setting keys were assigned to five-pin Biaxial locks. Each participant had ten minutes to open their lock. Then, they exchanged cylinders with their opponent. At the end of the contest, there would only be one winner; the person that was able to open the most locks, or in the least amount of time.
Keys with the correct sidebar code, but not the correct bitting, were provided to each lock picker. They were taught how to “set the sidebar code” with this key to make the sidebar irrelevant to the security equation. In order to win the round, the contestant would have to insert his key, set the code, remove it so as not to disturb the rotation angle for each pin, and then pick the lock.
All of the locks were opened during the contest. We proved that if the techniques that we taught in our book were understood and followed, the locks could be picked, sometimes with amazing speed.
See the video links below.
In the four preliminary rounds, the first lock to be opened by a participant was accomplished quickly: 49 seconds (Round 1), 23 seconds (Round 2), 2:07 (Round 3), and 5:46 (Round 4).
Then there were only two contestants.
The Final Round. 31 seconds was all that was required to open the lock to win the contest!
The locks were set to bitting and sidebar codes that were determined by Barry and Han. Neither Toby nor I had anything to do with how the contest was structured, or the configuration of the locks.
What this exercise really showed was that Medeco makes very tough locks if the sidebar cannot be compromised. Although a few of the participants had picked Medeco cylinders without learning our techniques, most could not do this. The locks, as we have always said, present a serious obstacle to covert entry attacks unless you understand how to neutralize the sidebar and other security layers. Then, they can be very simple to open. That fact, compounded by the complete compromise of the vaunted Medeco key control, makes this lock, in our opinion, unsuitable for any high security application where you really have to be sure of its ability to keep intruders out.
So all in all, it was an incredible weekend, and we would like to thank Barry Wels and Han Fey for organizing LOCKCON 2008 and allowing us the opportunity to demonstrate our techniques to compromise perhaps what was once thought of as the most secure lock in America.
Marc Tobias, JennaLynn, and Tobias Bluzmanis at Defcon 16 lock picking village
See the Video that documents JennaLynn opening a five-pin Medeco Biaxial at Defcon 16, in 2008.
See the PowerPoint presentation at Defcon 16.
At Defcon 16 this year, we demonstrated that the high security ARX pins that Medeco may be relying upon to fix the Medecoder problem might not quite be the solution they had hoped for.
Medeco announced in the May, 2008 NDE magazine that they would be implementing a solution to the Jon King Medecoder bypass. We received reliable information that their response to this fifteen-year-old threat would be to implement ARX pins, and that they are in the process of converting their production lines to accommodate the required changes. Three months later, everyone is still waiting.
As we pointed out in our previous editorials about Medeco embracing the Locksport community, ARX pins would likely prevent the use of the Medecoder, but they may not be an effective deterrent to our methods of bumping and picking. Whether Medeco understands this is unclear. Given their apparent inability to figure out just how to compromise their own locks, it is unlikely that they comprehend all the issues involved, or would ever acknowledge them.
In a recent exchange of emails, we offered to open lines of communications with Medeco, as we had enjoyed up until about eighteen months ago. But of course, that was before we publicly disclosed the serious vulnerabilities in their “key control” or to be more accurate, the lack thereof. Actually, as applies to Medeco m3 cylinders, we believe the more descriptive term should be “key insecurity.”
In our view, Medeco does not have any key security for the m3, and for many of their older Biaxial locks. They continue to represent that they have strong patent protection for their keys. By inference, the facilities that rely upon Medeco can be assured that it is virtually impossible to duplicate a Medeco key. In our view, this is not only untrue, but it is nonsense. We will go into much more depth regarding “key-mail” in a later post, because this issue has far greater implications than just making keys out of plastic for their locks.
Immediately after Defcon, I also let the company know that we had documented the bumping of another Biaxial by thirteen-year-old JennaLynn, and offered to share the pre-release copy of the video with them for any comments they may wish to make.
So, again, Medeco is silent. They are saying nothing about bumping, or our latest attack with plastic, which is so simple that it can be carried out by one with very limited skills. If we are to understand their response in the Slate.com article last month, they believe and firmly embrace the premise of saying nothing about anything regarding the security of their locks, other than touting how secure they are. In other words, Security by Obscurity is definitely the policy. It is, in our view, an irresponsible policy, fraught with danger for the consumer and the lock manufacturer as well. But we will leave that discussion for a later time and venue.
* * *
We return to Defcon 16 and (now) thirteen-year-old JennaLynn. Everyone will remember in 2006 when she bumped open the Kwikset cylinder. She was probably the one most responsible for getting everyone’s attention to be focused on this threat, because everyone understood the implications of an eleven-year-old being able to open one of the most widely used pin tumbler locks in America.
Medeco reaped the benefit of our presentation at Defcon 14 in 2006. In fact, a joint appearance between me and a senior Medeco representative in a widely-aired in-depth TV story surely must have increased their sales. Everyone, it seemed, was concerned about the threat from bumping so all was very well at Medeco. They had a solution to bumping, and announced it in a press release about August 4, 2006.
Now it is 2007, at Defcon 15. Something is terribly wrong! Young JennaLynn has now bumped open a Biaxial cylinder for the news media. How can this be, because Medeco represented to everyone that their locks were bump-proof in 2006! Oh, so much can change in such a short time. By the summer of 2007, they were claiming that their locks were either “virtually bump-proof” or “virtually resistant.” It is hard to tell when this precise obfuscation transformed their position of offering the bump-proof solution, to hedging their language as the lawyers got involved to protect them.
Now, Medeco claims that they NEVER said their locks were bump-proof. Rather, they claim, others said it, but surely not them! Well, that argument sounds good, until one considers the slide that was shown in our Powerpoint lecture this year at Defcon. The slide that we believe conclusively proves that Medeco not only claimed that their locks were bump-proof, but made the error of attempting to register the name bump-proof with the Patent and Trademark office about two weeks after they issued their original press release.
I have really tried to understand why they would do that if they were not representing that their locks were indeed bump-proof. I have concluded that the only other logical answer, which only a lawyer could invent, would be that they wanted to prevent all other manufacturers from claiming their locks were bump-proof! Did they do it because they wanted to protect the public from such claims by other manufacturers? Maybe they did this, as the acknowledged leaders of the high security market, because it would be highly misleading to the public to advertise a lock as bump-proof when in fact it was not! They simply wanted to protect the public from such claims!
Surely that must have been their motivation, because there can be no other answer…unless, of course, they actually were claiming that their locks were bump-proof and wanted to get the jump on every other lock manufacturer. A really great idea, until a twelve-year-old showed how to open their cylinders by bumping. Then, of course, Medeco went into spin-mode to make sure that nobody believed what they had seen on the video. After all, if Medeco said it was not true, then everyone would have to believe them. Because they were Medeco!
There was just one small problem. Medeco forgot about the Internet and open and instant access to records. It is the same naiveté that allowed them to believe they would actually get away with modifying their original bump-proof press release, as we presented in another slide at Defcon. Evidently they were not aware of www.archive.org, or that the two different versions of their press release are still available, and are included within the Multimedia edition of our book.
So JennaLynn bumped open the Biaxial cylinder in 2007, and Medeco said it was all a lie. Not publicly, of course, but they said it to many individuals privately. This was their disinformation campaign to discredit myself, my co-author, and others that dared to talk about or teach the techniques to compromise Medeco locks by bumping and picking. They repeatedly claimed that the lock that JennaLynn had opened had to have been modified or altered, because you simply could not bump open a Medeco lock. According to Medeco, not even those independent testing labs could open their locks by bumping. Yes, those very same labs that Medeco recently told Slate.com should be the ones to conduct vulnerability testing of locks.
Actually, the real problem is that Medeco could not bump open their own locks, rather than it not being possible for a twelve-year-old to do it! So, for the past year, they have repeated their story about how we manipulated the internal mechanism of the lock to allow JennaLynn to open it. Medeco has represented that they have allegedly spent hundreds of hours internally trying to open their locks, and have been unable to do so. Well, we did suggest to Medeco that they invite young JennaLynn to the factory in order to instruct them how to open their own locks!
Now we come to the best part of this story.
* * *
It is Sunday morning, August 10, 2008, in Las Vegas, and it is Defcon 16. Tobias Bluzmanis, Matt Fiddler, and I are sitting in the lock picking village, watching Deviant Ollam and others giving classes on basic lock design and picking and bumping. It is always the most popular gathering at Defcon, and this year was no exception. The village was packed with enthusiasts from morning until late in the night.
We asked JennaLynn to try to bump open a new, five-pin Biaxial profile cylinder that we acquired in Europe from the stock of a Medeco lock shop. She was eager to try, given her success last year. So, we handed her the lock and the bump key that we prepared. The key had the correct sidebar code for this cylinder, and was cut to all #6 depths. Ten minutes after we gave her the lock, she returns and says she can open it. She is smiling. But she has no idea what she has actually accomplished! As it turns out, it was quite a feat as compared to what she had done last year.
Now we are sitting at a large round table with about 25 other attendees in the village. Matt starts shooting video, and you can see for yourself why this demonstration is different than last year, when she opened the Biaxial at Defcon 15. It is vastly more significant because we inserted four ARX pins and three mushroom top pins into this lock.
Medeco touts the ARX pins as the most secure. You know, these are the very same pins that will prevent the Medecoder from working, and were developed in response to the sophisticated John Falle decoder in the early 1990s. The same pins that were going to become standard in their cylinders, and why they got Jon King to hold off publishing information for two months about his decoder.
Whether these pins become standard in all of their locks is open to speculation. Medeco evidently believes that everyone should pay for this security upgrade, even though they were aware of the problem that prompted the ARX pin development for at least fifteen years.
The bottom line is that we can demonstrate the ability to bump and pick locks with at least one version of ARX. The pins that we used (#4 and #6 depths) were supplied directly by Medeco to us, so we can only assume they are as secure as any they produce.
And to add insult to injury, it appears that the company may want their dealers to bear the cost for the pin kits, which we have been told may run anywhere between $800 and $2,000. Now, how does that work, exactly? We are not quite sure, but any locksmith that is not happy about it is welcome to contact our office for advice and assistance.
As we are detailing in the next edition of OPEN IN THIRTY SECONDS, we believe there is a basic problem with the ARX philosophy and its ability to prevent bumping and picking when the sidebar code is known, as is the case when our four code-setting keys are employed to open their cylinders.
Tobias Bluzmanis disassembles the lock in front of 25 attendees, so an expert can verify the internal components and that the lock has factory-standard pins, springs, and sidebar and that they have not been altered or modified.
What everyone needs to understand is that a thirteen-year-old girl was able to repeatedly open a Medeco Biaxial cylinder with four ARX pins. She did it effortlessly. Yes, the lock had been bumped many times before JennaLynn did it. That should not matter, because Medeco has repeatedly claimed that their locks were bump-proof. Well, at least until they realized they were not, and they changed their advertising language so as to make their claim next to meaningless, if not laughable.
And if you have any questions as to the authenticity of the demonstration, or that the cylinder was somehow modified, check to see who verified the internal components of the lock immediately after the demonstration, on the video.
From our perspective, nobody is more qualified to confirm what we demonstrated with JennaLynn than one of the individuals that Medeco selected in 2007 to help them in an attempt to debunk and discredit our findings. As you will see on the video, Han Fey, one of the most respected cylinder security engineers in Europe, was able to confirm exactly what occurred at Defcon. And if you are still skeptical about the 2007 JennaLynn demonstration, it might be interesting to hear from ALOA senior staff because ultimately they may be required to weigh in on this matter and present evidence as to the ability to bump Medeco cylinders. Yes, the same ALOA that issued their famous press release in 2006 about bumping, and how the publication of this information had “unduly raised the alarm.”
We think it is about time for Medeco to start leveling with their customers and the public. They should candidly address the security vulnerabilities of their locks to bumping, picking, and what we perceive as their total failure of key control and key security in the m3. If significant research involving bumping had not been conducted, nobody would have been aware of the security threat that existed, especially in high security locks, with regard to bumping and picking.
Medeco locks are certified by UL and BHMA as meeting minimum criteria to protect the public from different forms of attack. As we note in our book, BHMA 156.30 (the true high security standard) does not specify many forms of attack that can be critical to the protection of a facility, so the value of such certifications is diminished.
We believe that Medeco does not and cannot comply with certain requirements of this standard, to the potential detriment of the public, commercial, and government sectors. We are actively pursuing this issue regarding Medeco and other certified high security lock manufacturers with BHMA. It is our position that they should not continue to be certified, because their locks can be compromised in well under the minimum specified times that are enumerated in both UL 437 and 156.30.
We would urge Medeco and other manufacturers to join us in a thorough review of the standards and to ensure that the requirements are comprehensive, realistic, and complied with. Presently, we can show that some high security locks will simply not meet the standards and should be de-certified.
See my interview with Matthew Myers. He read the book and picked open a Medeco Biaxial in 55 seconds. Not bad at all! Toby’s best time is 27 seconds for a six-pin m3. Will Matthew beat this record? It is up to you Matthew!
Last week, on my way back from Defcon 16, I stopped in Fort Collins, Colorado to interview eighteen-year-old Matthew Myers. He is a college freshman at Colorado State University, and also works for the lock shop in Fort Collins. The shop services many facilities in Larimer County that utilize Medeco locks. He told me that Medeco is the predominant high security lock that is sold in the area.
About three weeks ago, Matthew purchased a copy of OPEN IN THIRTY SECONDS. Two days after receiving it, he contacted me and sent me an email containing what he believed were the correct codes for the four code-setting keys that could be used to bump and pick Medeco cylinders. He used the data from a Medeco code book to almost figure it out. The codes were close, but not quite correct.
He told me that after reading the book, he was able to open an off-the-shelf Biaxial cylinder in 55 seconds, by using a key with the correct sidebar code to set the angles. He then picked it with conventional picks. He said that other Medeco cylinders took longer.
He confessed that he has been picking locks for about five years, so he was quite proficient, but he was amazed that he was able to compromise the security of the lock in such a short period of time.
Matthew described his experience and his views on the book in our interview.
We thought that the ability to compromise Medeco cylinders by picking could be told much better by an eighteen-year-old who had never been able to reliably pick one of these locks prior to reading the book. It should be noted that Matthew agreed not to release the code data that he developed.
We congratulate Matthew for acquiring the skills that we describe in our book. He will surely excel in college.
Matthew is a regular contributor on LP101.
Great work, Matthew!
OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America is now available. You can order at a discount on LP101 if you are a member.
I met with Josh Nekrep of Lockpicking101.com in Winnipeg, Canada on Tuesday to record an in-depth interview about our new book, OPEN IN THIRTY SECONDS. The one-hour discussion can be found on the LP101 site.
We have posted a special order form for LP101 members only, which provides for a 20% discount on the printed version of the book for pre-publication orders. Please check the LP101 site for details.