In.Security Home

THE SIDEBAR: MARC WEBER TOBIAS

SO JUST HOW SECURE ARE MEDECO ARX PINS? Ask 13 Year Old JennaLynn!

Marc Tobias, JennaLynn, and Tobias Bluzmanis at Defcon 16 lock picking village

See the Video that documents JennaLynn opening a five-pin Medeco Biaxial at Defcon 16, in 2008.

See the PowerPoint presentation at Defcon 16.

At Defcon 16 this year, we demonstrated that the high security ARX pins that Medeco may be relying upon to fix the Medecoder problem might not quite be the solution they had hoped for.

Medeco announced in the May, 2008 NDE magazine that they would be implementing a solution to the Jon King Medecoder bypass. We received reliable information that their response to this fifteen-year-old threat would be to implement ARX pins, and that they are in the process of converting their production lines to accommodate the required changes. Three months later, everyone is still waiting.

As we pointed out in our previous editorials about Medeco embracing the Locksport community, ARX pins would likely prevent the use of the Medecoder but they may not be an effective deterrent to our methods of bumping and picking. Whether Medeco understands this is unclear. Given their apparent inability to figure out just how to compromise their own locks, it is probably unlikely that they comprehend all the issues involved, or would ever acknowledge them.

In a recent exchange of emails, we offered to open lines of communications with Medeco, as we had enjoyed up until about eighteen months ago. But of course, that was before we publicly disclosed the serious vulnerabilities in their “key control” or to be more accurate, the lack thereof. Actually, as applies to Medeco m3 cylinders, we believe the more descriptive term should be “key insecurity.”

In our view, Medeco does not have any key security for the m3, and for many of their older Biaxial locks. They continue to represent that they have strong patent protection for their keys. By inference, the facilities that rely upon Medeco can be assured that it is virtually impossible to duplicate a Medeco key. In our view, this is not only untrue, but it is nonsense. We will go into much more depth regarding “key-mail” in a later post, because this issue has far greater implications than just making keys out of plastic for their locks.

Immediately after Defcon, I also let the company know that we had documented the bumping of another Biaxial by thirteen-year-old JennaLynn, and offered to share the pre-release copy of the video with them for any comments they may wish to make.

So, again, Medeco is silent. They are saying nothing about bumping, or our latest attack with plastic, which is so simple that it can be carried out by one with very limited skills. If we are to understand their response in the Slate.com article last month, they believe and firmly embrace the premise of saying nothing about anything regarding the security of their locks, other than touting how secure they are. In other words, Security by Obscurity is definitely the policy. It is, in our view, an irresponsible policy, fraught with danger for the consumer and the lock manufacturer as well. But we will leave that discussion for a later time and venue.

* * *

We return to Defcon 16 and (now) thirteen-year-old Jenna Lynn. Everyone will remember in 2006 when she bumped open the Kwikset cylinder. She was probably the one most responsible for getting everyone’s attention to be focused on this threat because everyone understood the implications of an eleven year old being able to open one of the most widely used pin tumbler locks in America.

Medeco reaped the benefit of our presentation at Defcon 14 in 2006. In fact, a joint appearance between me and a senior Medeco representative in a widely-aired in-depth TV story surely must have increased their sales. Everyone, it seemed, was concerned about the threat from bumping so all was very well at Medeco. They had a solution to bumping, and announced it in a press release about August 4, 2006.

Now it is 2007, at Defcon 15. Something is terribly wrong! Young JennaLynn has now bumped open a Biaxial cylinder for the news media. How can this be, because Medeco represented to everyone that their locks were bump-proof in 2006! Oh, so much can change in such a short time. By the summer of 2007, they were claiming that their locks were either “virtually bump-proof” or “virtually resistant.” It is hard to tell when this precise obfuscation transformed their position of offering the bump-proof solution, to hedging their language as the lawyers got involved to protect them.

Now, Medeco claims that they NEVER said their locks were bump-proof. Rather, they claim, others said it, but surely not them! Well, that argument sounds good, until one considers the slide that was shown in our Powerpoint lecture this year at Defcon. The slide that we believe conclusively proves that Medeco not only claimed that their locks were bump-proof, but made the error of attempting to register the name bump-proof with the Patent and Trademark office about two weeks after they issued their original press release.

I have really tried to understand why they would do that if they were not representing that their locks were indeed bump-proof. I have concluded that the only other logical answer, which only a lawyer could invent, would be that they wanted to prevent all other manufacturers from claiming their locks were bump-proof! Did they do it because they wanted to protect the public from such claims by other manufacturers. Maybe they did this, as the acknowledged leaders of the high security market, because it would be highly misleading to the public to advertise a lock as bump-proof when in fact it was not! They simply wanted to protect the public from such claims!

Surely that must have been their motivation, because there can be no other answer…unless, of course, they actually were claiming that their locks were bump-proof and wanted to get the jump on every other lock manufacturer. A really great idea, until a twelve-year old showed how to open their cylinders by bumping. Then, of course, Medeco went into spin-mode to make sure that nobody believed what they had seen on the video. After all, if Medeco said it was not true, then everyone would have to believe them. Because they were Medeco!

There was just one small problem. Medeco forgot about the Internet and open and instant access to records. It is the same naiveté that allowed them to believe they would actually get away with modifying their original bump-proof press release, as we presented in another slide at Defcon. Evidently they were not aware of www.archive.org, or that the two different versions of their press release are still available, and are included within the Multimedia edition of our book.

So JennaLynn bumped open the Biaxial cylinder in 2007, and Medeco said it was all a lie. Not publicly, of course, but they said it to many individuals privately. This was their disinformation campaign to discredit myself, my co-author, and others that dared to talk about or teach the techniques to compromise Medeco locks by bumping and picking. They repeatedly claimed that the lock that JennaLynn had opened had to have been modified or altered, because you simply could not bump open a Medeco lock. According to Medeco, not even those independent testing labs could open their locks by bumping. Yes, those very same labs that Medeco recently told Slate.com should be the ones to conduct vulnerability testing of locks.

Actually, the real problem is that Medeco could not bump open their own locks, rather than it not being possible for a twelve-year old to do it! So, for the past year, they have repeated their story about how we manipulated the internal mechanism of the lock to allow JennaLynn to open it. Medeco has represented that they have allegedly spent hundreds of hours internally trying to open their locks, and have been unable to do so. Well, we did suggest to Medeco that they invite young JennaLynn to the factory in order to instruct them how to open their own locks!

Now we come to the best part of this story.

* * *
It is Sunday morning, August 10, 2008, in Las Vegas, and it is Defcon 16. Tobias Bluzmanis, Matt Fiddler, and I are sitting in the lock picking village, watching Deviant Ollam and others giving classes on basic lock design and picking and bumping. It is always the most popular gathering at Defcon, and this year was no exception. The village was packed with enthusiasts from morning until late in the night.

We asked JennaLynn to try to bump open a new, five-pin Biaxial profile cylinder that we acquired in Europe from the stock of a Medeco lock shop. She was eager to try, given her success last year. So, we handed her the lock and the bump key that we prepared. The key had the correct sidebar code for this cylinder, and was cut to all #6 depths. Ten minutes after we gave her the lock, she returns and says she can open it. She is smiling. But she has no idea what she has actually accomplished! As it turns out, it was quite a feat as compared to what she had done last year.

Now we are sitting at a large round table with about 25 other attendees in the village. Matt starts shooting video, and you can see for yourself why this demonstration is different than last year, when she opened the Biaxial at Defcon 15. It is vastly more significant because we inserted four ARX pins and three mushroom top pins into this lock.


JennaLynn attempts to open the five-pin Biaxial cylinder by bumping

Medeco touts the ARX pins as the most secure. You know, these are the very same pins that will prevent the Medecoder from working, and were developed in response to the sophisticated John Falle decoder in the early 1990s. The same pins that were going to become standard in their cylinders, and why they got Jon King to hold off publishing information for two months about his decoder.


In just a few seconds, JennaLynn bumps open the five-pin Biaxial lock

Whether these pins become standard in all of their locks is open to speculation. Medeco evidently believes that everyone should pay for this security upgrade, even though they were aware of the problem that prompted the ARX pin development for at least fifteen years.

The bottom line is that we can demonstrate the ability to bump and pick locks with at least one version of ARX. The pins that we used (#4 and #6 depths) were supplied directly by Medeco to us, so we can only assume they are as secure as any they produce.

And to add insult to injury, it appears that the company may want their dealers to bear the cost for the pin kits, which we have been told may run anywhere between $800 and $2,000. Now, how does that work, exactly? We are not quite sure, but any locksmith that is not happy about it is welcome to contact our office for advice and assistance.

As we are detailing in the next edition of OPEN IN THIRTY SECONDS, we believe there is a basic problem with the ARX philosophy and its ability to prevent bumping and picking when the sidebar code is known, as is the case when our four code-setting keys are employed to open their cylinders.


Tobias Bluzmanis disassembles the lock in front of 25 attendees, so an expert can verify the internal components and that the lock has factory-standard pins, springs, and sidebar and that they have not been altered or modified.

What everyone needs to understand is that a thirteen-year old girl was able to repeatedly open a Medeco Biaxial cylinder with four ARX pins. She did it effortlessly. Yes, the lock had been bumped many times before JennaLynn did it. That should not matter, because Medeco has repeatedly claimed that their locks were bump-proof. Well, at least until they realized they were not, and they changed their advertising language so as to make their claim next to meaningless, if not laughable.


Han Fey examines the internal components

Han verifies that the lock contains four ARX pins and three mushroom pins, and has a sidebar that is functioning properly.

And if you have any questions as to the authenticity of the demonstration, or that the cylinder was somehow modified, check to see who verified the internal components of the lock immediately after the demonstration, on the video.


The lock has been disassembled, showing the ARX pins and mushrooms.

From our perspective, nobody is more qualified to confirm what we demonstrated with JennaLynn than one of the individuals that Medeco selected in 2007 to help them in an attempt to debunk and discredit our findings. As you will see on the video, Han Fey, one of the most respected cylinder security engineers in Europe, was able to confirm exactly what occurred at Defcon. And if you are still skeptical about the 2007 JennaLynn demonstration, it might be interesting to hear from ALOA senior staff because ultimately they may be required to weigh in on this matter and present evidence as to the ability to bump Medeco cylinders. Yes, the same ALOA that issued their famous press release in 2006 about bumping, and how the publication of this information had “unduly raised the alarm.”


Han compares the change key and bump key for this lock to confirm the bitting and verify the sidebar codes are the same.

We think it is about time for Medeco to start leveling with their customers and the public. They should candidly address the security vulnerabilities of their locks to bumping, picking, and what we perceive as their total failure of key control and key security in the m3. If significant research involving bumping had not been conducted, nobody would have been aware of the security threat that existed, especially in high security locks, with regard to bumping and picking.


Han Fey gives his opinion about the lock and its ability to be bumped open.

Medeco locks are certified by UL and BHMA as meeting minimum criteria to protect the public from different forms of attack. As we note in our book, BHMA 156.30, (the true high security standard), does not specify many forms of attack that can be critical to the protection of a facility, so the value of such certifications are diminished.

We believe that Medeco does not and cannot comply with certain requirements of this standard, to the potential detriment of the public, commercial, and government sectors. We are actively pursuing this issue regarding Medeco and other certified high security lock manufacturers with BHMA. It is our position that they should not continue to be certified, because their locks can be compromised in well under the minimum specified times that are enumerated in both UL 437 and 156.30.


The lock was disassembled to show all the top and bottom pins and springs.

We would urge Medeco and other manufacturers to join us in a thorough review of the standards and to insure that the requirements are comprehensive, realistic, and complied with. Presently, we can show that some high security locks will simply not meet the standards and should be de-certified.

Comments are off for this post

Comments are closed.

Mexico