THE COMPROMISE OF MEDECO HIGH SECURITY LOCKS: A Foreword by Ross Anderson, Cambridge University, England
Ross Anderson, world-renowned security expert and director of the Cambridge University Computer Security Laboratory, has written one of the forewords for our new book. Ross is the author of Security Engineering, Second Edition, which is a primary reference for software designers and engineers. The new edition of his book has recently been released by John Wiley & Sons publishers. This 1000-page book is the definitive work on the engineering of software systems and their vulnerabilities.
Ross discusses physical security and its relation to software systems, and how the two technologies can intersect to create additional security challenges or opportunities. His foreword should be a wake-up call for security professionals and especially locksmiths, that the integration of mechanical locks and software-based systems is inevitable, and that the physical security industry will face the same challenges with regard to security and disclosure of vulnerabilities as did the software industry.
See Ross Anderson’s web site for more information.
FOREWORD BY ROSS ANDERSON
Most of the world’s serious assets, from computer rooms to art collections, are defended by pin tumbler locks, and Medeco has ruled this world supreme for a generation. So the Tobias attacks on the most modern Medeco offerings, which they describe in this book, came as a serious shock for security engineers.
It is a great honour to be asked to write this foreword, as the book is sure to be a milestone in the field. What is less clear is the future direction of travel for the industry.
As my own background lies more in cryptographic and systems security, there is some temptation to think that the attacks might signal a technology change — especially as they follow on widely-publicized and improved lock-bumping techniques that cast serious doubts on the low-cost end of the market. Has the metal lock now had its day? Will the future lie with cryptographic tokens and remote key-entry devices?
That is also far from clear. Electronic systems have vulnerabilities too, and although the first break can be harder to find, the eventual failure can be much more catastrophic. For example, the recent reverse-engineering of MIFARE has exposed millions of applications to low-cost forgery, starting with the Dutch public transit card but including many building access control systems.
I suspect that in the medium term, we will see a merger of the worlds of electronic locks and mechanical locks. I do not just mean that high-end products will combine both technologies – although this is already starting to happen. The important change, I believe, is that we will need to start thinking more in terms of systems.
First, the evaluation of mechanical locks has depended for many years on the reputation of the manufacturer plus some (often rather cursory) inspection by insurance bodies, as described in chapter 2. In the electronic domain, evaluation is much more open and combative: security researchers vie to find vulnerabilities in products, and a constant stream of vulnerability reports drives product upgrades and innovation. Locksmiths will have to get used to a much more open and fast-moving environment, in which vulnerabilities are reported publicly (as Medeco’s are in this book). Finding (or anticipating) vulnerabilities in complex systems is a collaborative effort of many people over time, and openness is vital.
Second, locks get much of their value from the role that they play in larger systems, rather than simply as components. The need to manage all the locks in a building has led to master keying, but (as this book hammers home) that brings with it complexity and other opportunities for error. Facility designers in the future may want some locks that can be integrated seamlessly into electronic control and surveillance systems; and if they are prudent they will want some other locks that are independent, to mitigate the risks of systemic and common-mode failures. Vendors may have to think more carefully about complexity and interaction, both of features and of failure modes, and not just within a single lock but in all their fielded products. Again, openness will be critical; security engineers need to know the vulnerabilities of the products they use as well as their strengths, so they can avoid untoward interactions.
Returning now to the Medeco locks that are the main subject of this book, I cannot help wondering whether their very complexity may have been their undoing. Electronic security professionals know that complexity is the enemy of security, and the marketers’ natural tendency to add features must be vigorously resisted by the security architect.
Features interact, and past a certain level of complexity it is just not possible for designers to anticipate them all. This may be new to lock designers, but it’s old hat to people who work with computers. The exchange of such ‘lore’ between different security communities is at least as important as the exchange of formal engineering data.
In short, now that the electronic and mechanical security communities are converging, our task is to combine the best of both — not just at the component level, but the best design and evaluation thinking at the level of systems. This is going to be a fascinating challenge.
Professor of Security Engineering
Cambridge University, England
June 2nd 2008