
THE SIDEBAR: MARC WEBER TOBIAS

Archive for August, 2007

MEDECO DEADBOLT DESIGN: What Next?

Medeco is scrambling to fix their deadbolt security problem worldwide. Last week, they were reportedly set to begin manufacturing a modification of their high security cylinders to protect them against a simple method of attack that was disclosed by Marc Weber Tobias and his research team two weeks ago. Medeco was warned over the past two months that there was a significant design issue with these cylinders but made no attempt to contact Marc to determine the precise nature of the problem. Now, they have a real problem because many of their customers who have installed single-sided deadbolts may be at risk, especially those that are utilizing the newer m3 technology. We have found that the vulnerability may also extend to certain Biaxial® models.

If you employ these deadbolts we would urge you to contact your locksmith, security consultant or Medeco to determine the proper course of action. A detailed report of the vulnerability is available to security professionals. You may contact the author for details at mwtobias@security.org.


HITBSecConf2007 SECURITY CONFERENCE: Kuala Lumpur, Malaysia

Marc Weber Tobias will be speaking at HITBSecConf2007 in Kuala Lumpur, Malaysia during the week of September 3-7th. He will be examining design issues involving some popular high security locks and the recent deficiencies that have been reported in the media with regard to Medeco cylinders. The primary focus of his lecture will be defending against methods of entry, together with the legal and standards issues that every IT and security professional must be aware of if they are to protect their infrastructure from covert attacks.

About 800 attendees from all over the world are expected at this conference, which will present more than thirty hours of deep-knowledge lectures involving security vulnerabilities relating to both software and hardware issues.

Of particular interest will be discussions relating to the following technologies:

Bypassing biometric systems, including ATMs, mobile phones, passports, facial recognition systems, and fingerprint readers;

Vulnerabilities of RDS-TMC, the standard for Radio Data Systems in Europe that is utilized with vehicle navigation systems, and how these systems can be compromised;

Compromising critical national infrastructure by circumventing SCADA system security.

Eric Michaud and his team from Toool USA will be presenting a workshop on certain forms of bypass of mechanical locks and biometric systems.


JENNALYNN’S RECORD STANDS: No, It’s Not a Medeco®


Nine year old Oliver has evidently figured out how to bypass the Master padlock at the Tupelo, Mississippi zoo and escape.
See the New York Times story about Oliver

Last week at Defcon, twelve year old JennaLynn set two records as the youngest person to open a Medeco Biaxial® lock. She not only opened it but she bumped it open, which according to Medeco is impossible. Concern has been mounting the past few days that this record had been broken not only by someone younger than little JennaLynn but by a primate in captivity! Not just any monkey but a Capuchin that lives at the Tupelo, Mississippi zoo and is known for its escape exploits.

Ken Persson of Peterson Manufacturing contacted us this morning and expressed fears that the little nine year old “Oliver” had broken the record for opening Medeco locks! In fact, others had asked the same question as word of the chimp escaping from his confines spread. Was it possible that a “bump proof” UL 437 listed Medeco cylinder could be opened in such fashion? Until recently, everyone thought it was virtually impossible to compromise the famed Medeco security at all.

Not only did Oliver do this once but, according to Kirk Nemechek, the chimp has done it twice and has to be watched very carefully. Evidently this primate is very clever and can learn simple tasks rather quickly. And what could be simpler than bumping open a lock?

According to the zoo manager, it appears that Oliver has figured out how to open a Master #3 padlock. Kirk advised that this recently purchased lock was used to keep the chimp contained after he escaped the last time. Zoo officials have no idea how he did it but do not suspect that any human was the culprit.

The manager of the zoo has invited us to meet Oliver to determine whether the record that JennaLynn set in Las Vegas will stand. We perceive this as an incredible opportunity to test the learning skills of a primate in the modern world of high security locks. After all, there has been a rash of home invasions in Africa by gangs of roaming baboons who have learned how to open sliding glass doors and other locks so they can enter houses and raid refrigerators.

As impossible as it sounds, maybe Oliver can succeed in opening a “bump proof” Medeco cylinder! Who knows? Medeco said just last week that it was impossible to open any of their locks by bumping, much less by a twelve year old girl.

Ken Persson of Peterson Manufacturing has agreed to provide a Peterson bump hammer for the experiment and an ample supply of bananas.

See related stories of primates opening locks

http://www.news24.com/Regional_Papers/Components/Category_Article_Text_Template/0,,486-658-672_1832193~E,00.html

Independent On-Line South Africa

Living on Earth

®Medeco and Biaxial are registered trademarks of Medeco Security Locks, Inc.


DEFCON 15: Twelve Year Old JennaLynn Graduates to High Security Locks


Last year, eleven year old JennaLynn demonstrated her ability to bump open a Kwikset five pin cylinder in about five seconds at Defcon 14. That event was perhaps the main catalyst to focus attention on the security threat that bumping posed to the general public. Well, this year she has graduated to high security locks. After several attempts, she was able to bump open a six pin Medeco® Biaxial® cylinder three times. One of these demonstrations was captured by the news media and a short segment of that interview between Marc Weber Tobias and JennaLynn is shown here.

Was it just luck, or has she advanced her bumping skills during the past year? Medeco has claimed publicly that their cylinders are “virtually bump proof” and assumes that all of these locks that have been bumped are manipulated. We can attest that this was a standard Biaxial cylinder and was working properly. All internal components were factory original and the lock was complete in every respect.

The cylinder was immediately sent for independent forensic analysis to confirm that the lock had not been tampered with or was in any way specially prepared for this demonstration.

See the brief excerpt from the complete interview with JennaLynn.

See the complete interview with JennaLynn at Defcon15


The Medeco® m3 Deadbolt Design: How Secure is it?


A SIMPLE ATTACK CAN BYPASS THE SECURITY OF THIS LOCK IN LESS THAN ONE MINUTE, RENDERING ALL OF THE ADVANCED MEDECO TECHNOLOGIES VIRTUALLY IRRELEVANT.

If you are a locksmith or security professional, see the detailed analysis that follows. The password is available on ClearStar or from the author.

There are millions of Medeco deadbolt systems in place worldwide. They are rated as one of the most secure systems available. That rating is based upon the Medeco reputation for quality and engineering excellence and their high security ratings by UL, BHMA/ANSI and other standards organizations. The current mechanical design of their deadbolt has been utilized on the Biaxial® product line and now the m3. Bypass of these systems by means of forced entry has been difficult, although there are expensive tools available to compromise them.

We have conducted very limited testing, but it appears there may be a serious security flaw in certain of their deadbolt designs. Part of the problem results from widening of the keyway in the m3, as discussed in Part I of this series of articles. We would urge any user to contact their locksmith, security consultant, or Medeco representative for further information. Medeco has been notified and is aware of the issue. We believe the problem is mainly with the m3 deadbolt cylinders, but there may also be some Biaxial® models that could be affected.

A detailed analysis is available, together with a video demonstration that clearly shows the method of bypass. This publication has been restricted to locksmiths and the professional security community because of the simplicity of the technique and the potential security ramifications that could result from public disclosure of the exact method. If you have security responsibility, you may contact the author for access to the restricted document. The password has been posted on ClearStar for security professionals.

Marc Tobias and Matt Fiddler will be addressing this issue at Defcon 15 on August 5 in Las Vegas as part of a two hour presentation regarding design issues with conventional and high security locks. Marc Tobias will also be presenting on high security locks at the HITB conference in Kuala Lumpur, Malaysia the first week in September.


Protected: BYPASS OF THE MEDECO® m3 DEADBOLT LOCK: A Detailed Analysis
