Archive for the 'In the Media' Category
DEFCON 18: LOCKS, LIES, AND VIDEOTAPE
See the Wired.com, AFP, and Brickhouse Security articles.
DefCon is the largest hacking/security conference of its kind in the world. For the past six years, our research team has demonstrated vulnerabilities in both high security and conventional locks. This year our team (Marc Tobias, Tobias Bluzmanis, Matt Fiddler) selected five different locking mechanisms that are popular in the consumer sector. We chose a broad cross-section: conventional programmable mechanical lock, electronic “safe”, biometric fingerprint lock, RFID-based deadbolt, and a very sophisticated electro-mechanical lock that requires no batteries in either the lock or key. Three of these locks are imports: two from China, and one from Finland. Notably, the locks from China (BioLock and Amsec), are both sold in the United States, and are prime examples of insecurity engineering at its best. They denote a total lack of competence in design, often typical of the cheap products that are being imported from China. More about this later, but suffice it to say, these are prime examples to support the premise: there are no shortcuts to quality and security.
Three of the five companies refused to comment or return phone calls to Wired. Kwikset and Iloq did make statements, both of which, in my view, were inaccurate or misleading, or demonstrated a basic misunderstanding of their products with regard to security. On previous occasions I had attempted to speak with General Counsel for Kwikset and their VP of Engineering in order to disclose security vulnerabilities. They likewise refused to return phone calls.
None of these locks can be considered as high security, but Kwikset, which sells millions of cylinders a year in the U.S., and has incredible market presence, has a grade 1 security rating for its model 980/985 deadbolt, which we selected to analyze. I have attacked Kwikset for several years because of their poor quality and security. In fact, in 2006, the company flew me out to their corporate facility in California for a pre-release briefing of their Smartkey, after eleven-year old JennaLynn bumped open their locks at DefCon. The irony was that senior engineering and management at Kwikset told me that they were not even aware of bumping, except for what they had seen on the Internet! The Smartkey was not designed to be bump-resistant.
At that meeting, I voiced my opinion that the company was selling junk locks. Their reply was “yes, we know, but we make 20-25 million of them a year.” In my view, nothing much has changed in the past four years, other than their locks are mechanically reprogrammable. Clever, yes. Convenient, yes. Secure and maintenance-free, no.
FALSE SENSE OF SECURITY
Each of the five companies represents their products as secure. This creates a false sense of security in the buying public. In the case of Kwikset, in my view they are perhaps the worst offender because of their market penetration. But the problem and responsibility is shared equally with the standards organization that rates their locks, and specifically with BHMA. I have had many discussions with regard to this issue during the past three years with their executive director in an attempt to modify the standards so they actually mean something. I think we are making progress, but because of the inherent way in which standards are adopted, it is a slow process.
The standards do not adequately address simple methods of bypass. The result is that locks are sold that the consumer relies upon as being secure; and yet they are not. Many of the bypass techniques that we utilize are not even included within the standard. Some companies hide behind the standards, stating that their locks “meet or exceed” them, knowing those same locks can be bypassed by methods not enumerated in the standards they are citing. I would submit that whether a lock is certified under an applicable standard or not has nothing do with the its real security if it can be bypassed in seconds. In such a case, any such statements are illusory and mean nothing with regard to protection of the end-user.
WHAT NEEDS TO BE DONE
There is no substitute for competent security engineering. Unfortunately, some locks are expensive and not secure, but generally, you get what you pay for. I think the critical issue for the consumer to understand is that cheap locks are inherently not secure. In 2006 Kwikset told me their smartkey cylinder would cost them about two dollars to produce. In my view, they are of poor quality, and just about every locksmith in the country knows it. Clever options like being programmable are extremely convenient for the consumer, but unless executed properly, can reduce the overall security of the lock.
Granted, some consumers cannot afford better locks, (or those that carry a high security rating), but at least they should know what they are buying and not be misled by untrue or misleading claims of manufacturers. Kwikset has been aware of the vulnerabilities in their locks, and specifically that they can be opened in seconds with a specially modified key and the application of sufficient torque. They have made changes to prevent this bypass technique, but the locks can still be opened, and they know it. Yet, their employees continue to mislead the public into believing that their deadbolts can only be opened by drilling, breaking the door down, or breaking the door frame. This is simply not true. They continue to focus on their Grade 1 rating. Yes, they are certified, but we do not think they will pass in a re-certification test.
We are filing a challenge with BHMA to ask for a retest, because in my view, the Smartkey deadbolt will not pass, based upon two sections of the BHMA/ANSI 156.5 standard: Sections 12.1 and 12.5.2.
Section 12.1 requires that the cylinder be of the pin tumbler design. The Smartkey is not; it uses tiny sliders, as shown in the photograph below. While they may control a sidebar for locking, which generally is more secure, the sliders themselves are not, and never will be as strong as pin tumblers. The BHMA standard excepts locks that are more secure than pin tumbler designs. In my view, the Smartkey is not, and Kwikset knows it. And they cannot use the fact that they are bump-proof, either, because bumping is not in the standard. Yes, they are pick resistant, but we have picked them as well.
The point is that the locks are not physically secure and can be easily compromised. BHMA should not be certifying a deadbolt Grade 1 cylinder that can be opened in thirty seconds. Further, Kwikset should be forced to place a warning on their packaging denoting this fact to the buyer. If they did, I am quite certain that few persons would choose them for protection.
Section 12.5.2 requires that the plug can withstand a minimum of 300 foot-pounds of torque without turning, or that it cannot be turned by manipulation. We do not believe that the Kwikset Smartkey 980/985 deadbolt can meet this requirement either. To open the lock, we are inserting a portion of a key, cut to specific depths, and applying torque. This procedure, we believe, meets the definition of “manipulation”in the standard.
RE-WRITE THE STANDARDS AND MAKE THEM REFLECT “REAL-WORLD” ATTACKS
Include real-world testing procedures that are not presently incorporated within the standards. This will insure that what the manufacturer represents as secure actually is.
START TELLING THE TRUTH TO CONSUMERS AND WARM THEM OF KNOWN VULNERABILITIES
I am quite certain that if Kwikset and all of the other manufacturers that were shown at DefCon 18 were to place warnings on their packaging that their locks could be compromised in seconds, nobody would buy them. After watching the videos, would YOU buy any of these locks? Not likely. And that is precisely the point. If a manufacturer is going to produce inferior quality locks, then warn the public, so that they have the information to make an informed decision as to security.
HIRE ENGINEERS THAT UNDERSTAND SECURITY ENGINEERING, NOT JUST MECHANICAL ENGINEERING
In my experience, many manufacturers have no idea how to open their own locks. While their engineers are quite competent to make things work properly, they have little understanding of bypass techniques. And this is precisely the problem. It is a simple principle: you cannot properly design a lock if you do not have a thorough understanding of the methods to break it.
STOP PLACING PROFIT AHEAD OF SECURITY
For a manufacturer, security can be very expensive. Materials, high tolerance, production controls, and competent engineering all come at a price. If a company is to represent their products as secure, then the company has a duty to make sure they in fact are. Many place profit well ahead of security, leaving consumers at potential risk.
VENDORS SHOULD SEND A MESSAGE TO LOCK MANUFACTURERS THAT THEY WILL NOT BUY (OR SELL) PRODUCTS WITH SHODDY QUALITY OR POOR ENGINEERING
Brickhouse Security is the leading vendor of surveillance and security-related hardware to law enforcement and corporate facilities in the U.S. When we notified them of the problems with the BioLock, they took action, as noted in their press release. Notwithstanding that the manufacturer, BioLock refused to accept any responsibility whatsoever for their defective product, Brickhouse has set the standard for vendors in the security hardware sector. Hopefully, others will follow. It is only when the manufacturers get a clear message from vendors that they will not sell their junk, that they will be forced to engineer their products properly and take responsibility for what they make.
LOCKS, LIES, AND VIDEOTAPE
We tested the following locks for DefCon 18:
KWIKSET SMARTKEY
BIOLOCK 333 FINGERPRINT LOCK
KABA SAFLOK IN-SYNC RFID LOCK
AMSEC ES1014 ELECTRONIC SAFE
ILOQ C10S ELECTROMECHANICAL LOCK
Photographs and comments below.
KWIKSET SMARTKEY DEADBOLT OPENED WITH A SCREWDRIVER
Kwikset represents that the Smartkey Model 980 Grade 1 deadbolt is the highest grade of residential security available. This is not, in my view, an accurate statement at all, except perhaps for Kwikset products. it is, in my opinion, misleading, and Kwikset knows it. Such statements are being made by their customer service representatives and in their advertising. If in fact this is the best the consumer can buy, and can be opened in thirty seconds or less, then what does a Grade 2 or Grade 3 rating denote in Kwikset’s world? Ten seconds to open? Perhaps both Kwikset and BHMA would like to answer that question!
KWIKSET Smartkey deadbolt can be opened with simple implements, notwithstanding it is rated as a Grade 1 lock.
KWIKSET SLIDERS
In my view, the critical security vulnerability in the Kwikset Smartkey are the sliders that control the sidebar. They will never be as secure as brass or nickel-silver pin tumblers, even though they tout sidebar security. They can be easily warped, which in my view is the fatal defect in this lock. The macro photograph shows a normal slider (left) and one that has been warped by the application of torque from a 3.5″ screwdriver blade inserted into the keyway and turned with a small vice grip.
OPENING THE KWIKSET SMARTKEY
Kwikset has been aware, for quite some time, that Major Manufacturing has been producing a locksmith tool to open their locks by applying torque with a key blade cut to specific depths. Kwikset has made changes in an attempt to fix this problem, but not very successfully. Yet their representatives continue to state that the only way to open the lock is to drill it. In our tests, we chose to utilize a cut blank key, a screwdriver, and a small vice grip to demonstrate the insecurity of this lock. In their statement to Wired, it would appear that the Kwikset spokesman tried to give the impression they were not aware of this problem. Maybe the spokesman was not, but the engineering division of Kwikset has known about the issue for quite some time.
Opening a Smartkey can be easily accomplished with a portion of a key cut to specific depths, a screwdriver, and vice grip
BIOLOCK is a company based in China, with an office in Los Angeles. They produce a line of biometric locks, including the Model 333, which we tested, and which Brickhouse Security carried until last week.
This very professional-looking fingerprint lock has a bypass cylinder which provides its fatal flaw in its security. As shown in the video and photograph, the locking system can be bypassed within seconds with a piece of wire or paperclip. The design of this lock is completely incompetent and denotes a total disregard and understanding of security issues in lock design.
The BioLock fingerprint lock with bypass cylinder that can be opened in seconds.
The BIOLOCK 333 fingerprint lock can be compromised in five seconds with a paperclip.
AMSEC CONSUMER-LEVEL ELECTRONIC SAFE, MODEL ES1014
AMSEC is a quality safe manufacturer in California, who would, in my opinion, never knowingly market a product with the design defect we demonstrated. Their customer service representatives told me that this safe was a Chinese import and that AMSEC did not test it. That is unfortunate for the consumer who has purchased these. And, just to be clear, we think that to represent this as a “safe” is misleading to the consumer. It is not a safe; it is a container with a lock.
The AMSEC ES1014 consumer-level electronic safe. It is not secure and can be easily compromised.
A flat piece of metal from a hanging file folder is bent and inserted through the top of the door. It is used to make contact with the reset switch to allow the combination to be reset. This is an incredibly inept design.
KABA IN-SYNC LOCK
The Kaba In-Sync is a RFID-based cylinder that is popular for use on military bases, apartment houses, churches and other commercial facilities. Incredibly, the design engineers that are responsible for the security of this device did not understand that a wire could be inserted next to the USB communications port to access the locking pin that provides the security for this lock. We had contacted the lead engineer for Saflok almost a year ago, and then last month to discuss this issue. No response.
The Kaba InSync RFID cylinder can be easily opened with a piece of wire
ILOQ ELECTROMECHANICAL LOCK
The Iloq is an award-winning electromechanical lock that does not use any batteries, but rather generates the needed current through the use of a motor to perform two functions: power generation, and turning a gear to control the primary locking element. These locks are extremely popular in Finland and other Scandinavian countries.
As we note in the video, there are four operating stages for the Iloq. The critical failure of this lock is the ability to circumvent the mechanical re-locking feature. Once this is accomplished, the electronic credentials are neutralized and the Iloq becomes a one-pin conventional lock, which in my view is less secure than the Egyptian pin tumbler lock of 4000 years ago. A senior representative of the company told me that Iloq had made certain changes to prevent our methods of bypass, and that those locks will be available within a couple of months. This is an extremely responsible company who clearly should have understood the ramifications of their design failure, from the security perspective.
ILOQ in Finland produces a very sophisticated electro-mechanical lock that can be easily compromised This photograph shows the Scandinavian profile and the actuating lever at the front of the keyway that can be modified to set the lock to open by any mechanical key.
A cutaway view of the award-winning Iloq, from Finland.
ILOQ KEY TIP MODIFICATION
There are two ways to circumvent the security of this lock: one through an internal attack, and one by externally modifying the actuating lever just inside the keyway. The photographs show the very minimal material removal from the key tip to set this lock so that it can be opened by any other key or even a screwdriver.
All ILOQ keys are mechanically the same configuration. Each key-head contains a unique electronic identifier.
The tip of the ILOQ key is modified for an internal attack. The top photograph shows a normal key (green); the bottom has been modified.
MODIFICATION OF THE ACTUATING LEVER AT THE FRONT OF THE KEYWAY
The actuating lever can also be modified by removing an equivalent amount of material, about 1/32″. When this occurs, the lock is set and can be opened by any key, simulated key, or screwdriver. Note the small amount of lever material (circled in red) that has been removed. This can be accomplished rapidly and will result in the lock being permanently set, requiring only a mechanical key to open.
ILOQ actuating lever showing the modification to permanently set this lock.
ASSA CLIQ®, MEDECO LOGIC®, and SECURITY ENGINEERING: A Failure of Imagination
The new Assa Solo was recently introduced in Europe and we believe is the latest Cliq design. We were provided with samples and were able to show a reporter for Wired’s Threat Level how to completely circumvent the electronic credentials in less than thirty seconds, which she easily accomplished. This is the latest and most current example of a failure in security engineering at Assa. The photograph has been edited to prevent visual decoding of the bitting in order to protect the dealer who supplied the lock to us.
We believe there are multiple failures in security engineering by some of the world’s most respected lock manufacturers in conjunction with the deployment of the technology that involve electro-mechanical locks. Potential security vulnerabilities in these locks should cause every security officer and risk assessment team to re-evaluate individual facilities to determine their risk in the event of compromise and their inability to meet certain statutory requirements, such as Sarbanes Oxley or HIPAA.
In response to demonstrations and our disclosures about the bypass of Assa Cliq locks at Defcon 17, the product development manager of Assa in the U.S. told Wired Magazine that “From what I know of the CLIQ technology it can’t be done,” … “And until I’ve seen it done, it can’t be done.”
We believe this statement typifies precisely the problem at Assa Abloy companies: a failure of imagination. It prompted our research and subsequent discovery of multiple vulnerabilities in Cliq, Logic, and NexGen locks. It is this attitude that will continue to allow us to break locks that are represented as the ultimate in security by these companies, and which often provide a false sense of security to the locksmiths and customers that rely upon these products.
Security is ultimately about liability, and such liability is about competent security engineering of locks by their designers. Lock manufacturers are very proficient at making locks work properly. That is what we refer to as mechanical engineering. Unfortunately, the engineering groups for some of the world’s most respected companies may not, in our opinion, have the requisite skills when it comes to security engineering (the design of locks and associated hardware to protect against different methods of bypass). In other words, sometimes they cannot figure out how to open their own locks without the correct key. This is a familiar theme that we have addressed previously, especially with regard to Medeco.
If these companies dispute our contention and claim that they in fact do have the experience in security engineering, then let them explain publicly how their locks can be opened with paper clips, wires, magnets, shock, vibration, and relatively simple tools. Did they design the locks with these attacks in mind, or do they simply not understand them? Either way, we think such lapses in security engineering are inexcusable, demonstrate incompetence, and should subject these companies to liability if they will not voluntarily and retroactively remedy such problems.
DefCon 17 was held in Las Vegas the first week in August. It is the largest security and hacking conference of its kind in the world. While some locksmiths still believe it is simply a gathering of criminals and, as ALOA has labeled its attendees as “persons of questionable character” such descriptions are inaccurate and ill-informed. In fact, the vast majority of participants are professional information technology and security specialists, government agents, law enforcement, and investigative teams. It is the best place to learn about the latest vulnerabilities in cyber systems and security hardware, including locks, and to network with other security professionals.
The world of physical security is rapidly changing and will be dominated by Information Security professionals because of the integration of electro-mechanical and electronic locking systems into an overall security plan, controlled by computer servers and multiple systems. If locksmiths do not become educated in both cyber and physical vulnerabilities, they will soon find themselves relegated to repairing mechanical systems, with an adverse impact on their revenue.
Since 2003, we have presented detailed information each year at DefCon about some aspect of locks and physical security. 2009 was no exception. Tobias Bluzmanis and myself (Matt Fiddler was taken ill just before the conference and could not attend) offered a detailed powerpoint presentation regarding electronic access control systems. More specifically, we examined the Assa Abloy Cliq electro-mechanical locking technology and what we perceive as serious security engineering flaws in many of the locks that are produced by AA companies, including those of Medeco, Mul-T-Lock, Ikon, and Assa.
We also think it is time to set the record straight and speak out against what, in our opinion, we believe constitutes various grades of deficient, negligent, defective, or just plain incompetent security engineering with regard to some of these products, and the legal and security ramifications of such designs. We also want to clear the air about why we have refused to provide any information to any Assa Abloy company regarding our findings.
Background: 2007-2008 Research
During the past year, our team (myself, Tobias Bluzmanis, and Matthew Fiddler) have chosen to concentrate on an intensive research program that begun after our book on Medeco was released in July, 2008. We focused on electro-mechanical locks. That is because Medeco and other AA companies are attempting to move their customers to this newer, more sophisticated, and vastly more expensive technology. So, we thought we would take an in-depth look at this new technology to see just how secure, or insecure it really was.
Mechanical v. Security Engineering
We draw a distinction between mechanical and security engineering. Lock designs must incorporate both mechanical and security engineering. One without the other is dangerous, especially for high security locks and more to the point, electro-mechanical locks.
We have no qualms with the mechanical engineering of any of these locks. They all work, and they work well from an operational standpoint. Mechanical engineers go to school to learn how to make things work. Unfortunately, in my experience, most do not have a clue about security and how to break things, nor about even rudimentary rules of security design. I would urge any design engineer to read Ross Anderson’s book entitled “Security Engineering.” It is the classic text, in its second edition, with regard to systems design, and what can and WILL inevitably go wrong. Its lessons, although primarily focused on the cyber world, are equally applicable to physical hardware design, and especially the integration, which is occurring at an accelerated pace, of hardware and software for security solutions in locking and access control systems.
Our latest research, disclosed at DefCon 17, has yielded surprising results which document and spotlight what we feel are incredible lapses in security engineering. We believe that the design engineers at the Assa Abloy companies who have produced locks that we have evaluated either do not consider the vulnerabilities we identify as significant, or they have no idea what they are or their impact. The legal and ethical question is: to what extent is a company liable to the dealer or consumer for design deficiencies or defects that relate solely to security? This is a complex question, because mechanical and security engineering intersect in the finished product. Is a lock defective if it can be bypassed easily with simple techniques or tools? We believe the answer is yes. Should the manufacturer be liable for such lapses in security engineering? We also believe the answer is yes.
The affected lock manufacturers, which include Medeco, Mul-T-Lock, Assa, Ikon, and possibly some or all of the other Assa Abloy companies, as evidenced by the correspondence from their General Counsel in the United States, seem to believe that virtually all security defects occur because of the continuing “security wars” as I call it, between manufacturers, criminals, hackers, locksmiths and others. So, as the logic continues, the manufacturer will, in time, cure the defect, but has no duty to retroactively fix anything they have already sold. At least, that is my understanding of their position, as repeated in several letters from Medeco, Mul-t-Lock, and Assa Abloy during the past year.
If we can follow their rationale, they believe that security engineering defects occur in the normal course of lock design and development, and that state-of-the-art attacks will be dealt with when they occur, and cannot be anticipated in advance. In the main, I cannot disagree with this logic at all, either from an engineering or legal perspective. What we do disagree with is the notion that a foreseeable security design defect or deficiency that should have been anticipated by those responsible for conceiving of and producing these locks should be treated in the same fashion. Such defects are, in my belief, legally actionable and should subject the manufacturer to liability by dealers and end-users if they do not voluntarily and retroactively remedy the problem at no expense to dealers or consumers.
Even more importantly, such design issues place the locksmith dealer in an untenable position, because they are the ones that are consulting, recommending, selling, and installing these products, and will be the likely defendants in any lawsuits that stem from the security compromise of the locks they sell. Many locksmiths do not have the time, and often the expertise to do their own research into potential security vulnerabilities, especially when their locks are rated by Underwriters Labs, Builders Hardware Manufacturers Association, or other rating organizations in Europe and elsewhere.
When a locksmith sells a cylinder like the Assa Cliq or Medeco Logic for more than six hundred dollars, I think it is fair to expect that such a lock has been thoroughly tested against different security threats. Both the locksmith and consumer have a right to rely upon such an implied representation of suitability for its intended purpose, which is security. Medeco has stated publicly that they rely on internal experts as well as UL and BHMA to determine vulnerabilities and whether their locks are compliant with the standards. Their answer sounds good, but its logic is fatally flawed, and they know it.
UL and BHMA are only allowed to test for certain vulnerabilities, which is precisely the problem with standards. They do not contemplate many methods of bypass, some quite elementary, and so to use them as the ultimate benchmark or authority as to security is not responsible and in our view, can be misleading and reckless. Few if any of the methods that we have disclosed to bypass Medeco, Assa, Ikon, or Mul-T-Lock are addressed in the standards, which is precisely why these companies must have competent security engineers involved in every phase of lock design and testing. Medeco, for example, claims that its locks meet or exceed all applicable high security standards. So what, if the locks can easily be opened by methods not contemplated within the standards?
We were able to simulate the mechanical bitting for Mul-T-Lock Cliq keys. In this photograph, the factory original key that opens the Mul-T-Lock Cliq is shown, together with our simulate key that was cut on a standard interactive blank that should never, according to representations by Mul-T-Lock, open this cylinder. It does, and with no electronic credentials whatsoever, nor audit trail. See quotes from their advertising, below.
Mul-T-Lock, in its latest correspondence of July 30, 2009, stated that their warranty and liability would only extend to locks that are found to be defective “In normal use.” Well, at least that is what I think it said. You can judge for yourself, because in this case, it is unclear whether they will or will not stand behind their products and protect the locksmith and end-user if their locks are found “wanting” with regard to security. Based upon the statements of the General Counsel for Mul-T-Lock in Israel, reprinted below, my question to them and all other companies is quite simple: just what constitutes “normal use” and do you actually believe that you have no liability whatsoever if the lock can be opened with simple techniques, regardless of whether the attack is by insiders or outsiders, and with or without advanced intelligence?
Specifically, do you believe that any bypass techniques that allow your locks to be opened should not be covered by your warranty or that you are not responsible to fix, repair, or replace such deficiencies? Do you not think that the primary purpose of high security locks is to resist attack, as you have stated in prior correspondence to me? Do you not believe, to put it very bluntly, that locks are designed to be screwed with, attacked, tampered with, and that their primary purpose is to resist multiple and different method of attacks?
It would appear that these companies believe that they have no responsibility to retroactively fix anything dealing with security. Yes, they may make changes going forward, and will be glad to sell their customers new locks (and make more money by selling the lock again that should have been designed properly in the first place). But what about all those customers that spent $600 or more for each Cliq or Logic cylinder, and it can be shown to be easily bypassed or set so virtually anyone with the properly bitted (or synthesized) key can open the lock, with or without an audit trail? As Medeco so arrogantly stated in the Slate.com article, “when you buy a Medeco lock, you are not buying a [magazine] subscription.” And what about the locksmiths and dealers that have to answer to their customers? Should they be liable to repair or replace locks with significant security defects, or should they have to tell their customers to throw them away and buy new ones! We don’t think so.
Liability and Security Engineering
The concept of liability, as it applies to locks, is about the requirement that manufacturers disclose to their dealers and end-users any security flaws or potential vulnerabilities that they know, or become aware of. It should follow that a manufacture should immediately notify its dealers and stop selling locks that it knows, or has reason to believe, have significant vulnerabilities that could be exploited by criminals, terrorists, foreign intelligence agencies, or those that would cause harm by exploiting such weaknesses. Similarly, we think that a manufacturer has a duty to understand and find and remedy non state-of-the-art vulnerabilities before they release a product.
We believe that a failure to adhere to this policy constitutes what we call “irresponsible non-disclosure.” It is precisely what occurred, repeatedly, by Medeco and its security engineering with regard to its deadbolt design that we exposed in 2007. They fixed the problem twice, but did they ever tell their dealers to refrain from selling what we demonstrated as defective locks. Nor did they tell their customers that it was a potential threat, as evidenced by several interviews that we conducted and documented with senior customer service technicians at Medeco in 2007. Nor have they ever admitted the problems with bumping, picking, and the ability to compromise their locks through the use of any key within a system that contained the same sidebar code. It is my opinion that they have intentionally misled their dealers and customers with regard to the security vulnerabilities that exist in their locks.
We also believe that a manufacturer should repair or replace locks that they have sold and which contain serious security deficiencies, and they should do so at their expense. Such design deficiencies should not result in the locksmith or end-user being required to purchase new and upgraded locks. Unfortunately, it appears that Assa Abloy, as one of the world’s largest lock conglomerates, and at least some of its companies do not share in this philosophy, as they have so eloquently noted in correspondence and public statements, noted at the end of this article.
Rather, it appears that they believe that lock exploits, such as we have disclosed at DefCon during the past five years, are inherent in the natural progression of lock design and engineering, and that a manufacturer is not liable, either legally or ethically, to fix or replace such defects retroactively. While I believe this is a nice legal theory which has been put forth by the General Counsel for Assa Abloy in the United States, we think it is only partially true, and not responsible. While we concur that new, state-of-the-art attacks that were unknown when a lock was designed and manufactured generally do not subject the manufacturer to liability, I would submit that the result is and should be quite different when the security vulnerability could and should have been discovered by competent engineers that are responsible for security engineering of a product. Example: a design defect that allows a paper clip to bypass the entire audit control feature and credentials security for a Mul-T-Lock or Assa Cliq, or a two-dollar screwdriver to bypass a Medeco deadbolt mortise cylinder.
Electro-Mechanical Lock Design and Cliq Technology
Many lock manufacturers have been touting the advantages of electro-mechanical and electronic access control systems. There is no question that, if properly designed, they can offer the end-user an incredible array of options. The advantages of electronic credentials are obvious, but again, only if the security engineering has been done competently. Otherwise, these locks can create, in my opinion, huge security and liability issues for the manufacturer, dealers, and end-users.
Cliq technology was developed and introduced about 2002. It appears that the system was initially introduced by Ikon, and then adopted by many of the Assa Abloy companies. The core technology consists of a key that contains mechanical bitting and a processor and battery, which communicates with the microprocessor and sidebar-control motor within the lock. When the proper mechanical and electronic credentials are simultaneously presented to the lock, an internal motor is activated, a rotor turns, and a sidebar is allowed to be pushed into the plug. If the key is properly bitted, then the lock can open.
Each lock and key maintains an audit trail of each access or access attempt. This data can be retrieved by a special programming tool and uploaded into a computer for review. Any key in the system can be added or deleted for any lock.
A macro photograph showing how the Mul-T-Lock Cliq mechanical bitting can be easily simulated with a specially prepared blank with a plastic insert.
Assa Abloy companies are representing this technology as highly secure, and the “ultimate security solution.” Mul-T-Lock states in its advertising video, which they refused to allow us to show the attendees at DefCon, (claiming it would violate their intellectual property rights, notwithstanding it is on the Internet) “Where security is an issue, compromise is simply not an option.”
Medeco claims in its advertising that its Logic provides “superior protection against unauthorized key copying.”
Mul-T-Lock also says, “In a world increasingly challenged my mounting security threats, the need for comprehensive locking systems has become an essential requirement in virtually every conceivable market sector.” “Each interactive Cliq key contains a unique electronic ID code. It is designated for one individual only, and cannot be duplicated, altered, or corrupted. “
“If the key is not authorized, the mechanical element in the locking system will simply remain locked.”
“Interactive Cliq: unprecedented benefits. The dual patent-protected technologies employed in interactive Cliq represent a truly successful marriage of electrical and mechanical locking systems offering a double layer of impenetrable security.”
“Audit trail control is an absolute necessity if you hope to keep tabs on the efficacy of your locking network…. Interactive Cliq’s control key enables you to easily access precise data from every cylinder in your facility…each key is designated for use by one individual only. If the key is lost, it is simply made obsolete…This enables total control of every key issued to personnel. “
“Interactive Cliq: launching electro-mechanical locking systems to the ultimate level of security.”
We believe such claims are false and misleading and publicly challenge any Assa Abloy company that is making such claims to dispute our findings. We demonstrated that each claim is only partially true, and we believe leaves a false impression with the consumer.
Cliq Technology and Security Engineering
So now we answer our own question: why haven’t we offered to share our research with Medeco, Mul-T-Lock, Ikon, and Assa, with regard to our ability to bypass their Cliq and Logic cylinders by various techniques? The fact is, we offered to do just that. Not once, but many times, but with the following requirements: (1) that the companies would provide us with current lock samples to confirm our research findings, (2) that we would refrain from publishing any information in order that they might confirm and fix the security engineering defects we identify, and (3) we would require that once they confirm the defects, they repair or replace, at their own expense, every lock they have sold to their dealers and end-users that contains the design defects.
And what was the response from Assa Abloy, Medeco, and Mul-T-Lock?
First, they never addressed the issue of supplying samples. Ever. In fact, when I was at the Mul-T-Lock factory in October, 2008, they said they did not have any Cliq locks. End of discussion!
As to agreeing to retroactively fix or replace locks that had security defects, they said that was not going to happen and was unreasonable to require as a precondition for our cooperation.
Finally, they advised that only their internal experts and UL and BHMA were allowed to test their locks. And they said they were not responsible for security defects, because, you know, this is an ongoing issue in lock manufacturing, and, well, nobody really retroactively fixes locks.
This is not quite true. Several companies, both in the U.S. and Europe have done precisely that, and at great cost to themselves. It is the responsible way to do business as a lock manufacturer.
Cliq Technology: What we did and Why it is a Problem
Cliq locks are employed in commercial, government, and residential applications. They are relied upon to protect critical infrastructure and to comply with statutory requirements involving financial institutions, airports, railway, and power generation facilities. If you are a dealer or end-user, you need to understand that we identified several significant vulnerabilities in Cliq and Logic locks which could adversely impact security.
Potential Security Vulnerabilities
OOur research allows us to bypass the security of some Cliq and Logic cylinders to accomplish the following:
Simulate the mechanical portion of the key for Medeco Logic, Assa and Mul-T-Lock Cliq, and Ikon Verso. Plastic keys can be utilized for the Assa Twin and their latest lock, the Solo, which was just released in Europe. Blanks can be modified to simulate Mul-T-Lock keys and allow any number of special blanks to be cut to any bitting;
Utilize a discarded, stolen, or lost key from an Ikon system to compromise other locks in that system, as well as cylinders within a Medeco Logic system, and in similar fashion, to utilize a key from a Medeco Logic system to compromise an Ikon Cliq system;
Change the bitting on a key for an Ikon Cliq or Medeco Logic system to activate the mechanical bitting portion of other systems;
Allow the use of standard Mul-T-Lock non-interactive blanks to open Mul-T-Lock Cliq, because the interactive element is not operable and the mechanical security of the lock is reduced;
Simulate and bypass the electronic credentials for each of the locks listed above;
Trivially bypass the audit trail for each of the locks so that the use of a key is not logged;
Bump open certain of these locks;
Allow an employee to easily bypass a cylinder so that it will accept a key with any credentials. This can occur in certain Mul-T-Lock and Assa versions of Cliq.
We have posted an edited video showing different versions of the Medeco Logic, Assa Cliq, Ikon Cliq, and Mul-T-Lock Cliq being compromised by different attacks. The video does not show the precise techniques to open the locks for obvious reasons. We are sharing that data with affected government agencies and critical customers who are using these locks.
Each of our attacks requires access, at least briefly, to a properly bitted key. However, we have been able to simulate the mechanical bittings for all of these locks.
Admittedly, these attacks all require access to a key with the correct mechanical bitting. However, in many applications, especially government and commercial, a greater threat level exists and is to be expected. Further, the majority of attacks are likely to occur from within an organization, or with the cooperation of an employee, or a person having access.
Summary
Lock manufacturers and consumers appear to believe that just because electronic credentials are utilized to open locks, that somehow these locks are inherently more secure. The problem, in our view, is that everyone has forgotten basic security engineering principles: these are still mechanical locks. Although they may employ the additional security layer with the use of electronic credentials, they are still just mechanical locks that rely on moving components to allow them to open.
In our opinion, it is clear that the engineers at Medeco, Mul-T-Lock, Ikon, and Assa have ignored basic security engineering principles, are ignorant of them, or do not understand the potential for compromise of their locks. They clearly have a failure of imagination when it comes to lock design and testing.
While each of these locks are very clever and sophisticated in design, and clearly integrate mechanical and electronic locking systems to a new level, there are, in our opinion, serious deficiencies in each of these technologies that could potentially result in theft, sabotage, vandalism, compromise of critical information, and even loss of life. For that reason, the industry should re-evaluate the efficacy and design of any electronic cylinder and make certain that the essential and critical components of such systems are secure against different methods of attack. While Cliq and other technologies offer the end-user incredible advantages and options, they also offer a prescription for disaster if they are compromised.
We believe these companies should remedy the design issues that we have identified and which will allow their locks to be compromised, and that they should do so retroactively and at their own expense. As a dealer or end-user, we would encourage you to contact the manufacturer and demand to know the following information:
What version of locks do you have installed at your facility, and have they recently been upgraded? We just learned that Mul-T-Lock will be, for at least the fourth time, revising the design of their Cliq. Ask them if the upgrades have been implemented into any new locks that your company is receiving;
What security vulnerabilities have been identified that would allow these locks to be compromised?
What remedies have been taken by the manufacturer to cure the defects?
What does the manufacturer intend to do to insure the security of presently installed cylinders?
How long has the manufacturer been aware of specific methods of bypass of their Cliq or Logic cylinders?
Have the manufacturers notified any dealer, end-user, or government agency with regard to known or potential security vulnerabilities of Cliq or Logic systems?
Has the manufacturer advised their dealers and end-users that in certain keyed-alike systems, the compromise of one key can render the entire facility vulnerable, which would require a replacement of every cylinder in the system?
If you are a dealer or end-user of Cliq or Logic locks, you may contact our office for further information as to the security deficiencies of these locks, possible statutory ramifications for non-compliance, and your legal rights with regard to locks that you have purchased and which have been found to be easily bypassed.
DISCLAIMERS
We have tested a limited number of Assa, Mul-T-Lock, Ikon, and Medeco electro-mechanical locks. One or more of these companies may have remedied certain design issues that we have identified in different versions or generations of locks. Each individual customer should determine specific vulnerabilities for the version and brand of lock that they have in service.
QUOTES FROM CORRESPONDENCE THAT WE RECEIVED IN THE PAST YEAR
MUL-T-LOCK GENERAL COUNSEL
“You have misrepresented that Mul-T-Lock’s policy is not to consider replacing or repairing a product which proves to be defective in normal use. This is a gross misrepresentation and not true.”
(7/31/2009)
ASSA ABLOY GENERAL COUNSEL
“All of your accusations and unreasonable demands seem to stem from your mistaken or feigned belief that because a product may under certain limited circumstances be susceptible to a new form of attack. it is somehow rendered “defective.“
(5/15/2009)
® Cliq, Logic, Keymark, and Nexgen are registered trademarks of Assa Abloy companies.
Comments are off for this postNBC TODAY SHOW: Lock bumping in the news again
In case you missed it, there was a new segment on bumping that aired on the Today Show in the U.S. on July 8. Incredibly, the NBC lawyers would not allow the use of the term “bump key” because they were worried that viewers might figure out how to open locks! Then they showed a diagram of the key and how it works. Ironically, the program was supposed to air the week before, but at the last minute, I was notified that the segment had been “bumped” by the Michael Jackson tragedy. Tragedy? Really?
The same NBC correspondent, Janice Lieberman, published a related article in Readers Digest the same day that the story aired.
I don’t know why the renewed interest in lock bumping, but I have received calls from several media representatives about the issue in the past few weeks. I am quite sure that our friends at Medeco were very pleased with the story. As I told the correspondent, they are good locks, but not quite as good as they say. For residences, they are just fine, as are Schlage Primus and other brands. Note that the NBC story never claimed that the Medeco cylinders were bump-proof. Only Medeco and many of its dealers continue to represent that falsehood, while at the same time claiming that “they never said it…others did” and that Medeco cannot control what their employees and dealers say! The question as to when Medeco will level with their dealers and customers about the insecurity of their products will be left for another post, and venue. One would have expected a statement from Medeco after their Wired PR fiasco, but true to form…nothing.
Security is all about liability; this maxim may prove to be a very expensive lesson for Medeco and its parent company to learn.
We went to two upscale houses in New Jersey and opened the locks in seconds.
Any joy at Medeco will likely be short-lived. Toby, myself, and Matt Fiddler will be presenting at DefCon again this year, and will be issuing a security alert with regard to electro-mechanical locks and what we perceive as extremely serious vulnerabilities. During the past year, we have focused our efforts on Assa Abloy Cliq technology that is shared by Mul-T-Lock, Medeco, Ikon, and maybe even Assa itself. It should come as no surprise that we found what we believe to be serious design flaws in these locks, both in terms of mechanics and electronics. Anyone who thought that we were ending our research efforts with Medeco will find that the story has just begun. Key control, covert entry, and forced entry…all the same issues that we found wanting in the Medeco locks… are alive and well in Logic, Cliq, and NexGen and should prove highly relevant for everyone concerned with the security of electronic locks.
And for those of you that are not familiar with NexGen, these are the very neat cam locks that are used in vending machines (for example thousands of machines owned by Coca Cola in Philadelphia); In major municipalities’ parking meters (in San Francisco, Los Angeles, Miami Beach, and New York); and also for the protection of cargo shipments in padlocks. Audit trails and revenue security are the prime rationale and justification to install these expensive locks ($100-$150). We think that the premise for implementing these locks might have to be reviewed and re-thought after DefCon. Not only will the implied guarantee of revenue security have to be re-examined, but the issue of potential false accusations that could affect innocent employees will most surely be a serious topic for some labor unions and legal counsel. Insurers and underwriters may also be involved because their premiums are based upon risk assessment. We believe that high-value targets may be at increased risk from the use of certain locks; hence insurability and premium rates could be affected.
During our presentation we will review some of the representations in the advertising of certain vendors, and why we believe these may not only be overstated, but inaccurate and uninformed at best, and false and misleading at worst. We are producing a very detailed WhitePaper with regard to this issue, followed by a supplement to Open in Thirty Seconds. The title still applies to some of these electronic locks.
We are planning a government-only briefing on this topic, and will release more details shortly. If you are a commercial facility, regulated industry, or government agency that has implemented, or is considering the implementation of the Cliq technology, you may want to follow this closely, both in the United States and in Europe. We believe, and will so state in our WhitePaper, that potentially serious security and legal liability issues may flow directly from the implementation or continued use of this technology until the issues we believe exist are remedied. Obviously, many factors are involved, and in part this depends upon the security and regulatory requirements of the specific location, but in general, it would be our view that some electro-mechanical locks are not quite the panacea that the vendors would like you to believe.
The manufacturers are touting this technology as the answer to the insecurity of even their high security mechanical cylinders. Maybe that is true, but we think they may come at quite a high price, both in terms of actual cost, and also with regard to what can happen when things go wrong and there is a breach of security.
We hope to see all of you at DefCon.
Comments are off for this postAIRPORT CITIES MAGAZINE, DUBAI: New article on airports and high security locks
I wrote an article for the Airport Cities magazine as a result of my lecture in Dubai last April, which was published in their September, 2008 issue. It deals with the importantance of high security locks for use in airports, and discusses the failure of key control in Medeco locks, as well as other high security cylinders.
No commentsDEFCON 16: Plastic Keys; and JennaLynn Does it Again!
We just returned from DEFCON 16 in Las Vegas. The conference organizers report the largest attendance ever, and that was evident at our two-hour presentation on Friday afternoon. Matt Fiddler, Tobias Bluzmanis, and I did a three-part presentation on Medeco high security locks, demonstrating how all of their security layers have been compromised.
You would expect to be able to simulate a plastic key for a Kwikset cylinder, but not for a high security lock like Medeco. This key easily opens the Kwikset. We accomplished the same result with a Medeco m3. So much for key security!
A credit card was cut to form a key for a Medeco m3. It incorporated both the vertical bitting and angles needed to open the lock.
A Medeco mortise m3 cylinder can be easily compromised with a plastic key. We graphically demonstrated this vulnerability to a Wired Magazine reporter, both with a credit card, and Shrinky Dinks plastic. The full story of how this key was emailed by the reporter to us prior to Defcon will be posted shortly, and documents the threat that is posed by a lack of key control.
An inexpensive HP copier/scanner was used to produce a replica of an m3 key on Shrinky Dinks plastic. We demonstrated the ability to compromise the security of a mortise cylinder using this key.
We also discussed the security threat that is posed by a camera within a cell phone. In this case, we used the image of a Medeco key that was captured by a Blackberry Curve.
JennaLynn did it again this year. At age 13, she opened a five-pin Biaxial profile cylinder. But this was not an ordinary lock, as you will see in the interview.
WIRED MAGAZINE, August 8, 2008
Agence France Presse, August 10, 2008
We will post our Powerpoint presentation together with all of the video files from Defcon.
At our Defcon presentation, we talked about the methodology that we employed to break the locks and the lessons that should be learned from our experience. Then, we discussed the ability to totally compromise the key control of the m3, and many Biaxial cylinders, using plastic or Shrinky Dinks keys. We introduced the concept of Key-Mail, and warned of the threat from emailing restricted keys from within a high security facility.
Finally, we discussed the concept of Responsible Disclosure v. Irresponsible Non-Disclosure upon the part of a lock manufacturer. We took many questions from the overflow audience at the end of our presentation.
JennaLynn demonstrated her ability to bump open a Medeco Biaxial cylinder once again this year. You will recall that she did the same thing at Defcon 15. Medeco claimed that the demonstration was not true, and that the locks had been modified or altered so that she could open them. This, of course, was not true, and the cylinder was subsequently verified by independent experts a few weeks later that it conformed to factory standards, and indeed could be repeatedly bumped open. To our knowledge, Medeco has never admitted publicly that this is possible.
So, the lock that JennaLynn, at age 13, bumped open was no ordinary cylinder. And this year we decided to have her do the demonstration in front of about 25 participants at the lock picking village, where both amateurs and experts converged to try their skills at openeing a wide variety of locks. Not only did she open the lock twice in a few seconds, but we had an indpendent expert immediately confirm that the lock was configured as we represented, which would prevent Medeco from claiming that this was a staged demonstration.
Han Fey, as he examines the Biaxial lock that JennaLynn easily bumped open in a few seconds.
We asked Han Fey to be our independent observer. Han is from the Netherlands and works with Barry Wels and Toool, and is recognized as an expert in his field. More importantly, if you read our book, he is also recognized by Medeco as an expert. We offered a pre-release copy of the video to Medeco last week, so that they could include comments when it was posted. We have not heard from them since that offer.
Han and Barry came to Defcon 16 this year, in part to view our presentation on key security, as a follow-up to a detailed presentation that Barry gave at HOPE a few weeks before in New York.
Stay tuned for the demonstration by JennaLynn, and a discussion of how we compromised Medeco key control. Both topics should be of interest to security professionals who are responsible for insuring the integrity of their locks and keys.
1 commentIDG NEWS SERVICE: Hope 2008 Snippets
The IDG News Service, Network World TV, posted this video this past week, reflecting some of the events at HOPE 2008 in New York.
No commentsDATA SECURITY PODCAST 7/29/2008: Discussion regarding Medeco Security
i was interviewed by Ira Victor with regard to Medeco security and its relation to cyber security issues. The interview is available on line.
Other interviews are also available at http://datasecuritypodcast.com
This was posted on their site on July 29, 2008.
No commentsHOPE 2008: Focus on Medeco Security Vulnerabilities
HOPE 2008: Three separate lectures that discussed Medeco vulnerabilities
The Usual Suspects, together for a discussion of different vulnerabilities of Medeco Biaxial and m3 cylinders. From left to right, Matt, Toby, Marc, and Jon.
This past weekend there were three different presentations at the HOPE security confernece in New York regarding different potential security vulnerabilities involving Medeco locks.
Jon King, inventor of the Medecoder picking tool, lectured on the use of his tool and demonstrated its use in picking a Medeco m3 in under three minutes.
Jon King demonstrates the use of the Medecoder picking tool.
We discussed bumping and picking and the different methods of defeating Medeco cylinders, including the defeat of ARX pins, which Medeco apparently plans to implement in their new cylinders to combat the King Attack. While they probably will prevent the use of the Medecoder in new locks, they may not be effective in stopping the use of code setting keys for bumping and picking, as described in our new book. We have repeatedly demonstrated the bypass of some of these pins to bumping and picking, so it remains to be seen just how effective they will be. Evidently Medeco will not be paying for any upgrades to currently installed locks. The company was quoted in an article today on Slate.com, saying that “when you buy a lock, you don’t buy a subscription.” I guess that means that everyone is on their own!
Matt Fiddler, Tobias Bluzmanis and I provided an hour briefing to an overflow audience on the Medeco case example and how we methodically developed bypass techniques for the different Medeco products. This research formed the basis of our new book, “OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America.”
Then, on Saturday, Barry Wels and Han Fey offered a two-hour lecture on keys; how they work and how they can be simulated and copied. Their lecture was also to an overflow crowd and extremely well received. Barry, as usual, provided excellent background on how mechanical keys work and why they are not secure, even for certain high security locks.
Matt Fiddler, Toby, and myself will be going into much greater detail at Defcon with regard to the vulnerability of Medeco locks and their key control, and what we perceive as a particularly serious security issue with regard to certain Medeco cylinders.
We will also be addressing the concept of Responsible Disclosure and Irresponsible Non-Disclosure. The photograph below is of Han Fey, replete with Medeco shirt!
Han Fey and Marc Tobias at HOPE 2008.
You can view the short video of our discussion with myself, Tobias Bluzmanis, Matt Fiddler, and John King.
No commentsCOLOGNE MESSE HARDWARE FAIR
The semi-annual hardware fair is about to begin in Cologne, Germany again this year and Addi Wendt is hosting his traditional open house for locksmiths and government agents. Wendt is a global distributor of high tech lock bypass tools and works closely in conjunction with Lockmasters in the United States. The open house will continue for four days to coincide with the fair, which is one of the largest in the world. Most of the lock and safe manufacturers exhibit at this fair.
Marc Tobias hosted a book signing at the invitation of Wendt and promoted his new High Security Supplement that is to be released in June, 2008. This supplement to LSS+ offers a detailed examination of the compromise of Medeco Biaxial, m3, and Bilevel cylinders by forced and covert methods of entry and the complete bypass of key control.
Some photographs of the Wendt open house appear below.
Addi Wendt, owner of the company.
Theodore Schurmann is one of the key technicians for the company
More to follow….
No commentsTOOOL USA: The Most Popular Exhibit at HITB Kuala Lumpur, Malaysia
The HITB Security Conference that was held in Kuala Lumpur the first week in September, 2007 featured speakers from around the world presenting detailed information about cyber and physical security. Marc Tobias gave a presentation on high security locks and discussed the security vulnerabilities of the Medeco® m3 cylinder. Marc shared the podium with representatives of Toool.US..
Eric Michaud at the Toool exhibit.
Close to 1000 attendees participated in the security conference
last week in Kuala Lumpur
Members of Toool USA (Eric Michaud, Deviant, and Q) demonstrated
lock opening skills for a very enthusiastic audience and also
lectured on bypass techniques and biometrics system vulnerabilities.
Attendees were primarily security professionals and law enforcement technical specialists.
®Medeco is a registered trademark of Medeco Security Locks
No comments