Archive for the 'LSS+' Category
OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America is now available. You can order at a discount on LP101 if you are a member.
I met with Josh Nekrep of Lockpicking101.com in Winnipeg, Canada on Tuesday to record an in-depth interview about our new book, OPEN IN THIRTY SECONDS. The one-hour discussion can be found on the LP101 site.
We have posted a special order form for LP101 members only, which provides for a 20% discount on the printed version of the book for pre-publication orders. Please check the LP101 site for details.
THE COMPROMISE OF MEDECO HIGH SECURITY LOCKS: A Foreword by Ross Anderson, Cambridge University, England
Ross Anderson, world renowned security expert and director of the Cambridge University Computer Security Laboratory, has written one of the forewords for our new book. Ross is the author of Security Engineering, Second Edition, which is a primary reference for software designers and engineers. The new edition of his book has recently been released by John Wiley & Sons publishers. This 1000-page book is the definitive work on the engineering of software systems and their vulnerabilities.
Ross discusses physical security and its relation to software systems, and how the two technologies can intersect to create additional security challenges or opportunities. His foreword should be a wake-up call for security professionals, and especially locksmiths, that the integration of mechanical locks and software-based systems is inevitable, and that the physical security industry will face the same challenges with regard to security and disclosure of vulnerabilities as the software industry did.
See Ross Anderson’s web site for more information.
FOREWORD BY ROSS ANDERSON
Most of the world’s serious assets, from computer rooms to art collections, are defended by pin tumbler locks, and Medeco has ruled this world supreme for a generation. So the Tobias attacks on the most modern Medeco offerings, which they describe in this book, came as a serious shock for security engineers.
It is a great honour to be asked to write this foreword, as the book is sure to be a milestone in the field. What is less clear is the future direction of travel for the industry.
As my own background lies more in cryptographic and systems security, there is some temptation to think that the attacks might signal a technology change — especially as they follow on widely-publicized and improved lock-bumping techniques that cast serious doubts on the low-cost end of the market. Has the metal lock now had its day? Will the future lie with cryptographic tokens and remote key-entry devices?
That is also far from clear. Electronic systems have vulnerabilities too, and although the first break can be harder to find, the eventual failure can be much more catastrophic. For example, the recent reverse-engineering of MIFARE has exposed millions of applications to low-cost forgery, starting with the Dutch public transit card but including many building access control systems.
I suspect that in the medium term, we will see a merger of the worlds of electronic locks and mechanical locks. I do not just mean that high-end products will combine both technologies – although this is already starting to happen. The important change, I believe, is that we will need to start thinking more in terms of systems.
First, the evaluation of mechanical locks has depended for many years on the reputation of the manufacturer plus some (often rather cursory) inspection by insurance bodies, as described in chapter 2. In the electronic domain, evaluation is much more open and combative: security researchers vie to find vulnerabilities in products, and a constant stream of vulnerability reports drives product upgrades and innovation. Locksmiths will have to get used to a much more open and fast-moving environment, in which vulnerabilities are reported publicly (as Medeco’s are in this book). Finding (or anticipating) vulnerabilities in complex systems is a collaborative effort of many people over time, and openness is vital.
Second, locks get much of their value from the role that they play in larger systems, rather than simply as components. The need to manage all the locks in a building has led to master keying, but (as this book hammers home) that brings with it complexity and other opportunities for error. Facility designers in the future may want some locks that can be integrated seamlessly into electronic control and surveillance systems; and if they are prudent they will want some other locks that are independent, to mitigate the risks of systemic and common-mode failures. Vendors may have to think more carefully about complexity and interaction, both of features and of failure modes, and not just within a single lock but in all their fielded products. Again, openness will be critical; security engineers need to know the vulnerabilities of the products they use as well as their strengths, so they can avoid untoward interactions.
Returning now to the Medeco locks that are the main subject of this book, I cannot help wondering whether their very complexity may have been their undoing. Electronic security professionals know that complexity is the enemy of security, and the marketers’ natural tendency to add features must be vigorously resisted by the security architect.
Features interact, and past a certain level of complexity it is just not possible for designers to anticipate them all. This may be new to lock designers, but it’s old hat to people who work with computers. The exchange of such ‘lore’ between different security communities is at least as important as the exchange of formal engineering data.
In short, now that the electronic and mechanical security communities are converging, our task is to combine the best of both — not just at the component level, but the best design and evaluation thinking at the level of systems. This is going to be a fascinating challenge.
Professor of Security Engineering
Cambridge University, England
June 2nd 2008
CLICK THE “ORDER” TAB to purchase the book or CD.
Our new book, entitled “THE COMPROMISE OF MEDECO HIGH SECURITY LOCKS: New Methods of Forced, Covert, and Surreptitious Entry” will be available in the multimedia edition on June 15, 2008. This version will only be sold to Government and Locksmiths. The softbound book will be released about July 15, 2008.
The book presents an extensive analysis of Medeco locks and different methods to bypass them by covert and forced entry techniques. This photograph shows four keys that can be used to bump and pick Medeco Biaxial and m3 cylinders, sometimes in less than one minute. These keys will theoretically simulate the sidebar codes for all non-master keyed Biaxial and m3 cylinders that were pinned prior to December, 2007.
This photograph shows a specially-prepared six-pin mortise cylinder which we used in several macro-videos that are contained in the book, to demonstrate how we neutralize the sidebar prior to picking this lock. The key with the correct sidebar code is shown to the left of the keyway. Note how the angles match those of the bottom pins. The view is from the bottom of the plug, looking up at the chisel-points of each pin. Their angles are noted on the cylinder.
The book took more than eighteen months of research and has resulted in three separate patent filings that detail multiple methods of bypass, certain technology to prevent these attacks, and mechanical modifications to secure Medeco deadbolt cylinders against certain forms of forced entry to which they are still vulnerable.
The book is about 350 pages and contains more than 400 images, tables, charts, and graphics. There are more than thirty video segments to demonstrate all forms of bypass of these cylinders. A detailed discussion of conventional and high security locks is presented, as well as an analysis of UL 437 and BHMA/ANSI 156.30 standards, and what they fail to protect against.
We believe this is the most comprehensive book ever written about Medeco locks. It discloses methods of bypass that are completely new and unique, and can allow the circumvention of all layers of security within these cylinders, often in seconds. If you have security responsibility in the commercial or government sectors, you will need to understand the vulnerabilities of high security locks to attacks against key control, bumping, picking, extrapolation of the top level master key, and forced entry. This information is provided in the book, with significant supporting documentation.
For additional information, see www.security.org.
We hope everyone enjoys the book as much as we did in its production. We are already working on the next edition, which will cover the bypass of the ARX pin in greater depth than we have to date. The ARX is the Medeco high security pin that is supposed to prevent picking, bumping, and decoding attacks. Based upon information that we have obtained, we anticipate an announcement from Medeco that they will be supplying these pins as standard in their locks beginning later this summer, in an effort to make them more secure against the methods of attack described in our book and other methods described in a recent article on the bypass of Medeco locks.
Although the various ARX pin designs make bypass much more difficult, they also can provide excellent feedback with regard to our techniques of covert entry. It should indeed be an interesting year.
Matt Fiddler and I will be lecturing at Defcon 16 again this year, to provide an in-depth analysis of Medeco locks and how we broke their security. We hope everyone can attend the conference, to be held the first week in August in Las Vegas.
And for everyone who has asked what is next in the LSS+x series: the second high security supplement will describe the bypass of Mul-T-Lock cylinders and why we do not believe they are secure against a variety of attacks, or should carry a UL 437 rating.
If you have any questions, feel free to contact us. We appreciate your feedback and look forward to seeing many of you during different conferences this summer, and at Toool at Sneek in October.
Marc and Toby
DETAILED ANALYSIS: THE MEDECO m3 MEETS THE PERILOUS PAPER CLIP
You will need a password to access the detailed report. Please register at www.security.org. The password has also been posted on ClearStar.
View the video: Security vulnerabilities of the m3
This is the first of a four-part series with regard to Medeco® security. Part II will detail the methodology we developed to bump these cylinders. Part III will examine the procedure that is employed to pick these locks. Part IV will detail what we perceive as design deficiencies that allow certain of the Medeco® deadbolts to be easily bypassed. All of the information is based upon material in the High Security Supplement to the latest edition of LSS+.
The reader should review the cautionary notes regarding statements made within this report. See Legal Issues.
A piece of wire or a specially-formed paper clip can be utilized to bypass the slider mechanism in the m3. In combination with other techniques, this can result in a total bypass of the key control for a facility with regard to the acquisition of restricted blanks and the replication or simulation of keys.
The Medeco® m3 cylinder was developed primarily to extend the Biaxial® patent (which expired in 2005) so that the company could continue to dominate the U.S. high security lock market and protect its unique rotating tumbler technology. The m3 is UL 437 and ANSI 156.30 certified which Medeco® represents as a guarantee that its security can be relied upon for the most sensitive of installations such as the Pentagon and the White House. Based upon our research during the past year, there may be some security vulnerabilities relating to key control and the ability to reliably bump and pick some of these locks.
There are approximately 26 different combinations of steps and keys within the m3 system. This allows for enhanced key control, but is the system secure from the standpoint of preventing the replication or simulation of keys, especially for restricted keyways? We do not think so.
In an excerpt from the High Security Supplement of the latest edition of LSS+, we examine the m3 in terms of potential key control issues and the possible susceptibility of this lock to other forms of covert bypass. A comprehensive examination of the subject is contained in the third edition of LSS+ (the multimedia edition of Locks, Safes and Security) by the author.
Medeco® is a registered trademark of Medeco Locks.
Medeco is the predominant high security lock manufacturer in the United States and has been trusted for more than thirty-five years to provide cylinder and hardware security for the private, commercial and government sectors. Their sidebar technology was unique when first introduced and has presented a continuing obstacle to both covert and forced methods of entry. As detailed in the Government version of LSS+, some very sophisticated decoders have been developed for law enforcement and intelligence agencies to bypass the original two layers of security within the Medeco design. As described in the first article of this four-part series, Medeco introduced the m3 cylinder, which incorporated a third level of security through the implementation of a slider. Their latest product is a modified m3 called the Bilevel. This lock does not utilize the traditional Medeco sidebar design; it is a cheapened version that is no more secure than a conventional pin tumbler cylinder, and it may in fact make systems that integrate the Bilevel more vulnerable because of the limited number of sidebar codes that are available.
When the threat from bumping was made public in the United States last July and August, consumers, risk managers, security experts and locksmiths from both the private and public sectors began to question the real security of the locks that they depend upon to protect people, facilities, and assets. It was more than unsettling to think that perhaps there was little protection against a procedure that a kid could learn and rapidly execute to open a high percentage of pin tumbler locks. At the same time, everyone was led to believe that the threat from bumping did not extend to high security locks.
Beginning last August, high security lock manufacturers were quick to announce the heightened security of their cylinders against bumping. This included Medeco, Mul-T-Lock and Assa: they all produce locks with UL 437 or similar high security ratings.
Some announced that their locks were “bump proof” or “virtually bump proof” and that the consumer should have no fear that their security was in jeopardy. In all fairness, many of these manufacturers did not fully understand the threat or techniques that could be applied to bypass their internal security. Some still do not believe that such attacks are possible and continue to publicly decry any who make statements about bumping or picking of their cylinders, stating that any demonstration of bypass was a trick or “smoke and mirrors.”
The accompanying article specifically deals with the Medeco m3 and why we do not believe it provides any significant measure of key control security against a determined attack. In subsequent articles we will describe in detail how we determined that the Medeco and other high security locks could be bumped, picked open, or mechanically bypassed within minutes, if not seconds, thus rendering the ten minute minimum specification for UL 437 and the fifteen minute standard for ANSI 156.30 essentially meaningless. We thought it would be prudent to briefly analyze just what security the Medeco technology does provide against both casual and determined attacks, and to hopefully dispel any confusion that may result from these articles as to whether the security provided by these locks is sufficient to protect you.
LOCKS AND THE CONCEPT OF SECURITY
“Security” is a generic term that can mean many things. In the world of locks, its definition has to be qualified by asking several core questions. Specifically, what are you trying to protect, and where? What is the value of the target for which these locks are providing security? Against what threat or whom are these locks designed to stop or delay entry? How sophisticated or determined is the attacker likely to be? Finally, does the lock provide the only barrier, or is it one control in a “defense in depth” strategy, meaning that there are other measures of security such as alarms, video, guards, perimeter barriers, or other systems to back up the locks?
Many are surely asking whether their Medeco locks are secure enough, especially after Medeco has repeatedly issued press releases, advertising statements and even a DVD categorically stating that their locks were “bump proof” and lately “virtually bump proof.” Recently we asked a senior representative of Medeco exactly what “virtually bump proof” meant. We thought it was a fair question, especially since the term “virtually bump proof” in my view is like “virtual reality.” It means nothing, but is a phrase that my fellow lawyers have devised to shield a manufacturer from potential liability for material misrepresentation. Saying that something is “virtually secure” is a qualification based upon no measurable standard, so it is an illusion. And the answer that we were given by Medeco: “Virtually bump proof means that you have about as much chance of opening our locks as you do of winning the lottery!” Well, if that is the case, I will place my bet on collecting from Medeco, because my odds are a great deal better in opening their locks than in winning a lottery.
So, you have spent perhaps three or four times the money to install Medeco cylinders than you would have for conventional non-high security rated mechanisms, believing that the cost difference was worth it. But exactly what security is provided for all that extra money? We will try to answer that question by briefly analyzing what your Medeco cylinders offer in the way of protection.
MEDECO SECURITY: What is it?
So why is Medeco perceived and touted as one of the most secure locks on the planet? Why are they relied upon by the U.S. government for installations such as the White House and Pentagon? The answer is simple: Medeco makes quality products of the highest order. This does not mean they necessarily outperform other high security lock manufacturers or that their sidebar approach is any better or more secure than others who have different design philosophies.
At the end of the day each manufacturer’s design has its strengths and weaknesses but all lock security can be reduced to three issues: forced entry protection, covert and surreptitious attacks, and key control. In fact, these are precisely the criteria and requirements that are addressed in the ANSI 156.30 high security standard.
Medeco locks are secure in part based upon the following features and issues:
• High quality components
• High tolerance mechanisms
• Excellent engineering and design
• Five or six pin tumblers
• Integrated pins that incorporate elevation and rotation
• Sidebar technology
• Slider technology and key control
• Legal protection of keys
• Special cutters are required to duplicate keys
• The ability to utilize multiple sidebar codes within one master key system to separate and protect secure areas
• Difficult to pick
• Impossible to bump without the correct or operable sidebar code
• Availability of the ARX pin for added pick and decoding resistance
• Forced entry protection
• More difficult to progress keys when extrapolating the top level master key
We believe that Medeco locks are secure for most venues but also have certain vulnerabilities that must be addressed in certain locations. Those vulnerabilities may allow certain Medeco cylinders to be rapidly bypassed by bumping and picking and circumvention of key control.
Let’s take forced entry first. Medeco, like most other high security lock manufacturers, implements hardened inserts and components to resist most forms of drilling of the plug, shear line, or sidebar. These are the three vital areas that are most vulnerable. Almost everyone utilizes special steel pins, bearings and other blocking technologies to resist such attacks, at least for a minimum of five minutes. Some of these locks are incredibly tough, although the type of attack and amount of force must always be considered. In Part I of this series, force is not seen as the real threat: covert attacks and compromise of key control are.
Key control relates to the protection of keys from duplication, replication, and simulation. It also deals with system expansion, the number of secure key changes, ability to set up large master key systems, and an alternative to the use of sectional keyways.
The Medeco m3 specifically touts its key control as secure, flexible and effective. In fact, the m3 was designed primarily for enhanced key control as a way of extending the Biaxial patent that expired in 2005. In doing so, Medeco also claimed that the security of the cylinder was enhanced with the addition of the internal slider. So exactly what does the m3 and its slider accomplish?
There is no doubt that key control is enhanced to the extent that legal protection applies for the next twenty years, thereby preventing others from commercially manufacturing, selling or distributing blanks for the m3 that contain the patented protrusion on the side of the key. That’s it! There is no more protection against cutting keys with angled cuts, nor for replicating keys for the original or Biaxial locks. No, you cannot go to the local hardware store or Home Depot and obtain m3 blanks or have keys copied. If you have a system with a commercial keyway then your local locksmith may be able to legally replicate your keys. If the keyways are restricted or proprietary, then you are out of luck, but criminals may not be.
The m3 is subject to bypass of its key control features because the slider can be easily defeated with a piece of wire or a paper clip. In addition, restricted blanks can be synthesized or replicated, thereby potentially bypassing all of the key control you thought you had obtained when purchasing the Medeco brand. Is such bypass relevant? Again, it depends if you have a high value target to protect.
If you are a residential customer or own a small business, the likelihood that your locks will be compromised in this manner is pretty remote. Certainly it is not impossible but the chances are slim. What you need to understand is that the third layer of security that is provided by the slider is essentially non-existent given its ease of bypass. And that bypass can make the lock much more insecure to secondary and more advanced forms of attack such as bumping and picking. If you choose to implement Bilevel into an m3 system there is even less security but the locks are also less expensive.
Covert and Surreptitious Methods of Entry
In my view the real threat is from covert methods of entry. Notwithstanding their statements to the contrary, certain Medeco locks can indeed be bumped and picked, some with little difficulty. Did Medeco know this last year when they began their public information campaign of invulnerability to bumping? In fairness, probably they did not. In fact, they went so far as to have their locks tested against bumping attacks by a testing lab in Europe. They were pronounced secure according to Medeco.
Should Medeco have conducted more tests to make certain that their locks were immune to bumping? Probably, because they represent that they are experts in high security locks and that their customers can rely upon their expertise and statements. When Medeco categorically states that their locks are “bump proof” then they are surely believed because of their reputation, customer base, ethics, and expertise during the course of the past third of a century. All in the industry know that Medeco is a prime supplier to the U.S. and some foreign governments and that they did not earn their reputation or win those contracts without being one of the best at what they do. Everyone takes Medeco at their word about security.
So just what protection against covert attack does Medeco provide? In the m3, there are three levels of security, all of which are interrelated. The compromise of one level of protection will not result in the lock being opened. All three separate and parallel systems must be defeated before the lock can successfully be neutralized.
The primary security for a Medeco cylinder has always been its unique sidebar design which is controlled by rotating pin tumblers. This invention can be likened to the modification of the Egyptian pin tumbler lock by Linus Yale. The concept of the rotating pin was revolutionary and had never been done before, which is why Medeco received several ground-breaking patents almost forty years ago.
The requirement that pins be both elevated and rotated in order to align two different locking systems (shear line and sidebar) at one time set Medeco apart from all other high security lock manufacturers. This combination makes picking extremely difficult because pin tumblers must be manipulated at the same time for two different systems (rotation and elevation). Many have tried to reliably defeat Medeco, most with limited or little success. For that reason Medeco has thrived as a primary provider of high security locks.
For the vast majority of users this dual layer of security was and is more than sufficient. Then came the introduction of the m3, with another alleged layer of security: the slider.
I would be the first to acknowledge that for the average thief, whether casual or determined, Medeco provides a significant barrier against any covert form of attack that involves the compromise of the pin tumbler mechanism. But Medeco cylinders are not just employed in “average” installations requiring medium security. They are relied upon everywhere, often to protect incredibly high value targets where criminals, spies, and even insiders will expend a great deal of time, energy and money to defeat these systems. So they have to be secure. In fact, not just secure but very secure, and that is where we believe the problem begins.
I draw an analogy between Medeco (and other high security lock manufacturers) to the communication common carriers and the provision of broadband Internet services. Almost every carrier has fiber optic cable to transport data across the country or across the world. Where the system breaks down is in the last mile where copper wires rather than fiber feed individual locations. It is the last mile that I am most concerned with in high security locks; an equivalent to the last five to ten percent of protection that really matters against competent and determined criminals.
In a nutshell my problem is this: the highly respected Medeco m3 lock, the new star in the Medeco flagship, can be bypassed with a paper clip, followed by a specially designed key which can be used to open it by bumping or picking. For sure, not all of their cylinders can be opened in the manner described in these articles, but many can. And what is a tolerable percentage that can be bypassed? This is a very good question for Medeco. Unfortunately, as will be demonstrated in the fourth article in this series, the problems with Medeco security do not stop with bypassing the slider or sidebar. The problem is more basic and involves mechanical bypass, which can be far more sinister than manipulating the internal components with bump keys or picks. We believe it is a failure of imagination on the part of Medeco design engineers to perceive certain threats.
Most of the high security lock manufacturers offer cylinders that will provide more than ample protection and meet the security requirements for the vast majority of their customers. However, if you have what you perceive as high value or critical targets to protect then you just might want to research this matter further. You should not solely rely upon the so called high security standards promulgated by UL, BHMA and ANSI. The reality is that these organizations really do not test for certain forms of bypass. We believe that if they did then many of their “certified” locks would lose such designation.
This article began by asking the question whether your Medeco locks are “secure enough?” In my view there is no question that they are one of the best available cylinders but of course that comes with many caveats. The perceived level of threat should determine whether Medeco or some other vendor produces the locks that will afford the needed protection. The alternative, of course, is to prohibit the possession of paper clips in any facility where the m3 is installed!
Medeco® and Biaxial® are registered trademarks of Medeco Security Locks, Inc.
Part I of a four-part series of articles detailing potential security vulnerabilities in the Medeco Biaxial and m3 is available to locksmiths, security professionals, law enforcement and government agencies. This information is also contained in the new edition of LSS+ and is restricted.
A public summary of the first article will be published on Engadget later this week but will not contain critical information that would be required to bypass Medeco cylinders.
The password for this article will be posted on ClearStar later in the week or you can register on www.security.org for site clearance. When registering, please specifically request the password for this article.
You may also contact the author at firstname.lastname@example.org for access or further information.
Medeco® is a registered trademark of Medeco Security Locks, Inc.
Protected: DETAILED ANALYSIS: POTENTIAL SECURITY VULNERABILITIES OF THE MEDECO m3 AND ITS KEY CONTROL
LSS+ Version 2007 will soon be released. This new edition contains four new disks: LSS+ Infobase, LSS102, LSS205, LSS206. In addition, the update to the DAME version will be available at ALOA on July 22. The Defenses Against Methods of Entry series contains sixty video files detailing many covert and mechanical bypass techniques. Twenty new video files have been added to this collection, including material on the new pick tool for Mul-T-Lock that can allow some of these UL 437 rated cylinders to be opened in under one minute.
There is a significant amount of new material in the latest edition of LSS+, including approximately twenty interviews with biometrics professionals in the U.S. and England. In addition, a majority of the Wendt collection of locksmith and bypass tools are now integrated into the Infobase. A comprehensive list of updates by chapter will be posted shortly.
A High Security Supplement will be available later this year that will detail advanced bypass techniques for UL and ANSI rated cylinders. This will be a must-read for security professionals who rely upon these standards.
The new edition of LSS+ will be issued on DVD and 2GB USB drive due to the increased size of the Infobases. New security updates have also been implemented by Folio to protect the information from unauthorized access.
Discounted copies of LSS+ will again be available at DEFCON 15.