HOPE 2008: Three separate lectures that discussed Medeco vulnerabilities
The Usual Suspects, together for a discussion of different vulnerabilities of Medeco Biaxial and m3 cylinders. From left to right, Matt, Toby, Marc, and Jon.
This past weekend there were three different presentations at the HOPE security conference in New York regarding different potential security vulnerabilities involving Medeco locks.
Jon King, inventor of the Medecoder picking tool, lectured on the use of his tool and demonstrated its use in picking a Medeco m3 in under three minutes.
Jon King demonstrates the use of the Medecoder picking tool.
We discussed bumping and picking and the different methods of defeating Medeco cylinders, including the defeat of ARX pins, which Medeco apparently plans to implement in their new cylinders to combat the King Attack. While they probably will prevent the use of the Medecoder in new locks, they may not be effective in stopping the use of code setting keys for bumping and picking, as described in our new book. We have repeatedly demonstrated the bypass of some of these pins to bumping and picking, so it remains to be seen just how effective they will be. Evidently Medeco will not be paying for any upgrades to currently installed locks. The company was quoted in an article today on Slate.com, saying that “when you buy a lock, you don’t buy a subscription.” I guess that means that everyone is on their own!
Matt Fiddler, Tobias Bluzmanis and I provided an hour briefing to an overflow audience on the Medeco case example and how we methodically developed bypass techniques for the different Medeco products. This research formed the basis of our new book, “OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America.”
Then, on Saturday, Barry Wels and Han Fey offered a two-hour lecture on keys; how they work and how they can be simulated and copied. Their lecture was also to an overflow crowd and extremely well received. Barry, as usual, provided excellent background on how mechanical keys work and why they are not secure, even for certain high security locks.
Matt Fiddler, Toby, and I will be going into much greater detail at Defcon with regard to the vulnerability of Medeco locks and their key control, and what we perceive as a particularly serious security issue with regard to certain Medeco cylinders.
We will also be addressing the concept of Responsible Disclosure and Irresponsible Non-Disclosure. The photograph below is of Han Fey, replete with Medeco shirt!
Han Fey and Marc Tobias at HOPE 2008.
You can view the short video of our discussion with myself, Tobias Bluzmanis, Matt Fiddler, and Jon King.
The semi-annual hardware fair is about to begin in Cologne, Germany again this year and Addi Wendt is hosting his traditional open house for locksmiths and government agents. Wendt is a global distributor of high tech lock bypass tools and works closely in conjunction with Lockmasters in the United States. The open house will continue for four days to coincide with the fair, which is one of the largest in the world. Most of the lock and safe manufacturers exhibit at this fair.
Marc Tobias hosted a book signing at the invitation of Wendt and promoted his new High Security Supplement that is to be released in June, 2008. This supplement to LSS+ offers a detailed examination of the compromise of Medeco Biaxial, m3, and Bilevel cylinders by forced and covert methods of entry and the complete bypass of key control.
Addi Wendt, owner of the company.
Theodore Schurmann is one of the key technicians for the company.
More to follow….
The HITB Security Conference that was held in Kuala Lumpur the first week in September, 2007 featured speakers from around the world presenting detailed information about cyber and physical security. Marc Tobias gave a presentation on high security locks and discussed the security vulnerabilities of the Medeco® m3 cylinder. Marc shared the podium with representatives of Toool.US.
Attendees were primarily security professionals and law enforcement technical specialists.
®Medeco is a registered trademark of Medeco Security Locks
Marc Weber Tobias will be speaking at HITBSecConf2007 in Kuala Lumpur, Malaysia during the week of September 3-7th. He will be examining design issues involving some popular high security locks and the recent deficiencies that have been reported in the media with regard to Medeco cylinders. Defending against methods of entry will be the primary focus during his lecture as well as discussing the legal and standards issues that every IT and security professional must be aware of if they are to protect their infrastructure from covert attacks.
About 800 attendees from all over the world are expected to attend this conference which will present more than thirty hours of deep-knowledge lectures involving security vulnerabilities relating to both software and hardware issues.
Of particular interest will be discussions relating to the following technologies:
Bypassing biometric systems, including ATMs, mobile phones, passports, facial recognition systems, fingerprint readers;
Vulnerabilities of RDS-TMC, the standard for Radio Data Systems in Europe that are utilized with vehicle navigation systems and how these systems can be compromised;
Compromising critical national infrastructure by circumventing SCADA system security.
Eric Michaud and his team from Toool USA will be presenting a workshop on certain forms of bypass of mechanical locks and biometric systems.
Nine year old Oliver has evidently figured out how to bypass the Master padlock at the Tupelo, Mississippi zoo and escape.
See the New York Times story about Oliver
Last week at Defcon twelve year old JennaLynn set two records as the youngest person to open a Medeco Biaxial® lock. She not only opened it but she bumped it open, which according to Medeco is impossible. Concern has been mounting the past few days that this record had been broken not only by someone younger than little JennaLynn but by a primate in captivity! Not just any monkey but a Capuchin that lives at the Tupelo, Mississippi zoo that is known for its escape exploits.
Ken Persson of Peterson Manufacturing contacted us this morning and expressed fears that the little nine year old “Oliver” had broken the record for opening Medeco locks! In fact others had asked the same question as word of the chimp escaping from his confines spread. Was it possible that a “bump proof” UL 437 listed Medeco cylinder could be opened in such fashion? Until recently everyone thought it was virtually impossible to compromise the famed Medeco security at all.
Not only did Oliver do this once but according to Kirk Nemechek the chimp has done it twice and has to be watched very carefully. Evidently this primate is very clever and can learn simple tasks rather quickly. And what could be simpler than bumping open a lock?
According to the zoo manager it appears that Oliver has figured out how to open a Master #3 padlock. Kirk advised that this recently purchased lock was used to keep the chimp contained after he escaped the last time. Zoo officials have no idea how he did it but do not suspect that anyone human was the culprit.
The manager of the zoo has invited us to meet Oliver to determine whether the record that JennaLynn set in Las Vegas will stand. We perceive this as an incredible opportunity to test the learning skills of a primate in the modern world of high security locks. After all, there has been a rash of home invasions in Africa by gangs of roaming Baboons who have learned how to open sliding glass doors and other locks so they can enter houses and raid refrigerators.
As impossible as it sounds maybe Oliver can succeed in opening a “bump proof” Medeco cylinder! Who knows? Medeco said it was impossible to open any of their locks by bumping just last week, much less by a twelve year old girl.
Ken Persson of Peterson Manufacturing has agreed to provide a Peterson bump hammer for the experiment and an ample supply of bananas.
See related stories of primates opening locks
®Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.
Last year, eleven year old JennaLynn demonstrated her ability to bump open a Kwikset five pin cylinder in about five seconds at Defcon 14. That event was perhaps the main catalyst to focus attention on the security threat that bumping posed to the general public. Well, this year she has graduated to high security locks. After several attempts, she was able to bump open a six pin Medeco® Biaxial® cylinder three times. One of these demonstrations was captured by the news media and a short segment of that interview between Marc Weber Tobias and JennaLynn is shown here.
Was it just luck, or has she advanced her bumping skills during the past year? Medeco has claimed publicly their cylinders are “virtually bump proof” and assume that all of these locks that have been bumped are manipulated. We can attest that this was a standard Biaxial cylinder and was working properly. All internal components were factory original and the lock was complete in every respect.
The cylinder was immediately sent for independent forensic analysis to confirm that the lock had not been tampered with or was in any way specially prepared for this demonstration.