
THE SIDEBAR: MARC WEBER TOBIAS

Archive for the 'Security Alerts' Category

The Medeco® m3 Deadbolt Design: How Secure is it?


A SIMPLE ATTACK CAN BYPASS THE SECURITY OF THIS LOCK IN LESS THAN ONE MINUTE, RENDERING ALL OF THE ADVANCED MEDECO TECHNOLOGIES VIRTUALLY IRRELEVANT.

If you are a locksmith or security professional, see the detailed analysis that follows. The password is available on ClearStar or from the author.

There are millions of Medeco deadbolt systems in place worldwide. They are rated as one of the most secure systems available. That is based upon the Medeco reputation for quality and engineering excellence and their high security ratings by UL, BHMA/ANSI and other standards organizations. The current mechanical design of their deadbolt has been utilized on the Biaxial® product line and now the m3. Bypass of these systems by means of forced entry has been difficult although there are expensive tools that are available to compromise them.

We have conducted very limited testing but it appears there may be a serious security flaw in certain of their deadbolt designs. Part of the problem results from widening of the keyway in the m3 as discussed in Part I of this series of articles. We would urge any user to contact their locksmith, security consultant, or Medeco representative for further information. Medeco has been notified and is aware of the issue. We believe the problem is mainly with the m3 deadbolt cylinders but there may also be some Biaxial® models that could be affected.

A detailed analysis is available together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from a public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.

Marc Tobias and Matt Fiddler will be addressing this issue at Defcon 15 on August 5 in Las Vegas as part of a two-hour presentation regarding design issues with conventional and high security locks. Marc Tobias will also be presenting with regard to high security locks at the HITB conference in Kuala Lumpur, Malaysia, the first week in September.

® Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.


Protected: BYPASS OF THE MEDECO® m3 DEADBOLT LOCK: A Detailed Analysis

This post is password protected.

MEDECO® m3 DETAILED ANALYSIS: Obtaining a Password

Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.

A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.

The password for this article will be posted on ClearStar later in the week or you can register on www.security.org for site clearance. When registering, please specifically request the password for this article.

You may also contact the author at mwtobias@security.org for access or further information.

Medeco® is a registered trademark of Medeco Security Locks, Inc.


Protected: DETAILED ANALYSIS: POTENTIAL SECURITY VULNERABILITIES OF THE MEDECO m3 AND ITS KEY CONTROL

This post is password protected.

A Personal Comment about the Gun Lock Story

Two years ago, we posted an alert about the poor quality and insecurity of gun locks. The media reported the story in an in-depth television news story. The result: absolutely nothing changed. The manufacturers continued to produce cheap locks that afforded no protection. Standards were not changed by the State of California which certifies cable and trigger locks as secure to protect kids. Retail outlets continued to sell junk locks. And more alarming, law enforcement agencies throughout the U.S. still offer poor quality gun locks to the public for free, believing that they are designed properly.

There have been many adverse comments to my posting of videos with the article on in.security.org and on engadget.com. Many think that a simple warning would have been sufficient without the videos. History has shown that this is not the case.

The reality is that if you simply warn parents that gun locks are dangerous because they create a false sense of security, the warnings will be largely ignored as they were two years ago. In fact in 2001 a security alert was published by the Consumer Product Safety Commission on this subject. Shortly thereafter, ABC did a television report on the dangers of these locks and how easily they could be compromised. Again, nothing happened. It was business as usual.

A few months ago our local sheriff showed me the gun locks that they distribute as part of the Operation ChildSafe program (funded by the Department of Justice). I decided it was time to revisit this issue. If a police department hands a gun owner a lock, then it impliedly represents that the lock is secure and will keep kids safe from guns. Our Sheriff had no idea that these locks could be so easily compromised. When he learned otherwise he took immediate action to warn every consumer that received these devices through his department.

So, for everyone that feels that our report should not have been published, I respectfully disagree. Simple warnings would accomplish nothing, as borne out by past events. This was reinforced by my conversations with the National Shooting Sports Foundation. They have distributed 35,000,000 of these cable locks and tell people they will protect kids from access to weapons. Worse, they actually believe that the standards that California passed seven years ago are sufficient to keep kids safe up to the age of seventeen. They cite the American Society of Testing and Materials as the ultimate authority on standards and the fact that these locks passed ASTM tests.

Their concern could be paraphrased thusly: “We have never had a problem with these locks so there is no problem.” I don’t question their motives, just their understanding of how these locks work.

Before I released the report I spoke with the California DOJ Firearms Division about their standards. They said that they believed that they were quite sufficient to keep kids from accessing weapons, repeating that the locks had been analyzed by designated testing laboratories and found compliant with the standards. It was the same story line.

In my view, the real issue is the standards and the manufacturers that produce cheap locks that do not even meet the minimal requirements promulgated by the DOJ. So, if this is an important issue (as I believe it is), then how do you get everyone’s attention so that something positive will occur?

Some say it is irresponsible to show how to compromise these locks. I considered very carefully whether to demonstrate the problems with these products or just write about them. I came to the conclusion that perhaps the only way to get the regulators to act was to show them what they apparently did not understand, and at the same time to graphically warn parents about the hazards of using these devices. Perhaps they might put pressure on the agencies to make needed changes.

And yes, there is a risk that kids will see this report. But I thought that would be far outweighed by the potential positive results that might occur. And frankly, it is clear that if a kid wants to access a weapon he will, regardless of whether there is a report showing him how to do it or not. The difficulty in compromising these locks is minimal and that is the entire point of the article.

The fact is that any adult that uses one of these locks as the sole protection of a handgun is grossly negligent. If they compound the problem by either locking a loaded weapon or keeping ammunition close by, then I would submit they could be held criminally liable if a kid uses the weapon.

So the conclusion I reached with regard to airing the videos was based upon the following premise: if the locks are as secure as represented by the DOJ, NSSF, and manufacturers, then why would they be concerned about showing how these locks can be compromised?

After all, they are all saying that the locks WILL protect a weapon against access by a kid (no matter how ludicrous that argument might be) and that the standards are sufficient.

My contention: Either these locks are secure or they are not. You can’t have it both ways. And if they are not then laws should be changed so that the locks actually do what they are supposed to do.

Finally, the information that was presented has been on the Internet for quite some time as almost everyone knows. An incredible amount of material has been published about bumping, including padlocks. So kids already are aware of that method of bypass. The fact that bump keys are available on the Internet for the Master cable lock should alarm everyone. I and others have been raising this issue for the past year. In fact, I submitted draft legislation to the Postal Inspection Service six months ago to close the loopholes in the postal regulations to stop the trafficking in bump keys on the Internet.

And what about the ability to cut these cables? I would dare say that every reader would look at one of these locks and laugh at the absurdity of the ostensible protection that they afford. A pair of pliers or fourteen inch bolt cutters from Ace Hardware will sever any of these cables and everyone, including kids, knows it. Even Targus figured it out when I wrote the article last year about their much publicized armored computer lock that uses an almost identical approach as the gun cable lock.

So should we just keep quiet and continue to promote the failed concept of “security by obscurity”? I don’t think so, for the same reason that I am challenging the standards set forth by Underwriters Laboratories, BHMA, and ANSI with regard to high security locks and the ability to compromise some of them in well under the minimum time standards set forth for forced and covert entry in UL 437 and ANSI 156.30. I would submit that the risk could be far greater for reliance on some of these standards and for the defective or deficient design of some of these locks than for the compromise of gun locks.

I have never believed it was prudent to publicly demonstrate methods of covert bypass unless there was a valid reason to do so. That material is left to the multimedia edition of my book. I have never once shown such techniques in the media; only to law enforcement and security professionals. But when bypass techniques are so simple that anyone can accomplish them in a few seconds, I believe it is vastly different. In my view it enhances everyone’s security if they have a full understanding of the simplicity of the methods.

The issue raised in the gun lock story is about responsible disclosure with regard to matters of security. There has always been a legitimate debate as to whether disclosure promotes or places security at risk by publishing “secret” or more to the point, “unknown” information. The reality is that there are no more secrets. The Internet took care of all of that. And if I had simply posted a warning about the insecurity of these devices or there had been a news story written about a child that was hurt or killed as the result of his ability to bypass one of these locks, you can be sure that someone would have posted detailed information about the method of compromise. Welcome to the global information world.

There are two sides to every story and if this one has sparked thoughtful debate about the disclosure of security defects, then I would submit that the article has accomplished its purpose. Many parents have written to me after reading this article, not to complain but to voice concern about the locks they have relied upon and to ask what they should replace them with.

If you believe that material on gun locks should not have been released, then you will surely have an opinion regarding the next alert about the insecurity of small Fixed Base Operations at our airports, and the security issues it raises.

MWT


Gun Locks: Unsafe at any Caliber

A detailed report and videos that demonstrate design deficiencies in gun locks may be found at: http://download.security.org/gunlock_2007.pdf


The eleven-year-old demonstrated the removal of three of the most popular trigger locks from a rifle in just a few seconds. The eighteen-month-old examines the Project ChildSafe® cable lock for guns. We do not believe that either of these types of locks is secure as the primary method to protect weapons.

Gunlocks are designed to protect kids and keep them from gaining access to weapons. An extremely successful program was launched several years ago by the National Shooting Sports Foundation to promote gun safety and keep children away from guns. The U.S. Justice Department provided funding so that NSSF could administer a program to provide free gun locks to the public through law enforcement agencies around the country. A total of thirty-five million Project ChildSafe® locks have been produced.

We do not think these locks are secure enough, and they should not be used to provide the primary protection to immobilize a weapon. Poor quality locks rarely offer any protection, and this is a classic example. These devices are produced in China with cheap pin tumbler mechanisms that can be bumped open in seconds. The cables on some models are easily compromised.

The quality control in the case of at least one model, the GL710N (listed on the California DOJ website as having been produced by PCS) appears to be so poor that two out of three locks that we obtained from the Denver Police Department could be circumvented merely by twisting the cable. That’s right; simply hand twisting the cable caused it to pull loose from the lock housing! Could a kid have done that? Without question the answer is yes.

The real problem is the standards for these devices. NSSF rightfully responded to our concerns about security by stating that the locks meet California and ASTM requirements. In our view, the standards need to be updated so that they take into account real world attempts to open them, which just might involve the use of more than a paper clip or screwdriver! Kids can be clever, especially when it comes to guns.

The NSSF statement in their literature that the locks will not stop a “determined attack” does not really address the issue. Is their position really that anyone that wants to remove a lock from the gun will succeed, as opposed to the kid that half-heartedly pulls on the cable and, if it does not come apart, gives up? Of course, in the case of the GL710N models that we tested that may be good enough!

We take an in-depth look at gun locks and the standards that are supposed to make them safe.


OPENING LOCKS BY BUMPING IN FIVE SECONDS OR LESS: Is it really a threat to security?

How a lock is bumped: the physics

See the WPIX NEW YORK news story on bumping at http://video.security.org/wpix_200.wmv

See the detailed White Paper at http://download.security.org/bumping_040206.pdf

See Bumping of locks: Legal issues in the United States
http://download.security.org/bumping_legal_mwt_040206.pdf

See the security alert at http://security.org/dial-90/alerts.htm

See the response to the ALOA editorial at OpEd on this site.

See Spectrum On Line at http://www.spectrum.ieee.org/jul06/comments/1459

See the feature article at www.engadget.com by the author and at
http://www.engadget.com/2006/08/24/the-lockdown-locked-but-not-secure-part-i/

A report was released on March 22, 2006 in the Netherlands regarding the vulnerability from bumping of more than 80 different pin tumbler locks that are manufactured or utilized in that country. The findings were researched and produced by Dutch Consumentenbond, the most prestigious Dutch consumer protection organization. This study was largely the result of significant research that was conducted by Toool, “The Open Organization of Lock pickers” in the Netherlands with regard to the vulnerability of certain cylinders. Their tests and that of Consumentenbond demonstrated that many locks could be opened within seconds by an unskilled individual with less than one hour of instruction.

The author previously addressed this issue in LSS+, the multimedia edition of Locks, Safes and Security, and in an article published in the ALOA magazine KEYNOTES in January, 2005. A White Paper had also been issued by members of Toool. Although the Netherlands tests showed that many locks could easily be opened with little skill, there are many variables that can affect the ability to compromise a lock in this manner. As a result, a detailed analysis of the threat level to physical security posed by bumping is now available.


Targus Defcon CL Armored Cable Locks: Not Secure

The Targus Defcon CL Armored computer cable lock is touted as the most secure in the industry, but is it? Read the feature article by the author at
http://www.engadget.com/2006/09/08/the-lockdown-your-new-targus-defcon-cl-lock-hacked-by-beer/


TSA Luggage Locks Are Not Secure


The Transportation Security Agency has approved certain locks to be used by passengers to secure their luggage against theft of contents. An investigation by the author has determined that these locks are not designed to provide any measure of security and should not be relied upon to do so. Each of the mechanisms that are examined in this report can be easily bypassed without any special tools or expertise, often in a few seconds. Detailed photographs within the report allow a thorough understanding of the TSA 002, TSA 003, TSA 004 and TSA 005 locks.

See the detailed report at http://download.security.org/tsa_luggage_locks_report.pdf


Locks that Protect Your Computer: Many don’t


Read the detailed report on how some computer locks will not protect your laptop from being stolen.
See http://download.security.org/computer_locks.pdf
