THE SIDEBAR: MARC WEBER TOBIAS

NBC TODAY SHOW: Lock bumping in the news again

In case you missed it, there was a new segment on bumping that aired on the Today Show in the U.S. on July 8. Incredibly, the NBC lawyers would not allow the use of the term “bump key” because they were worried that viewers might figure out how to open locks! Then they showed a diagram of the key and how it works. Ironically, the program was supposed to air the week before, but at the last minute, I was notified that the segment had been “bumped” by the Michael Jackson tragedy. Tragedy? Really?

The same NBC correspondent, Janice Lieberman, published a related article in Reader’s Digest the same day that the story aired.

I don’t know why the renewed interest in lock bumping, but I have received calls from several media representatives about the issue in the past few weeks. I am quite sure that our friends at Medeco were very pleased with the story. As I told the correspondent, they are good locks, but not quite as good as they say. For residences, they are just fine, as are Schlage Primus and other brands. Note that the NBC story never claimed that the Medeco cylinders were bump-proof. Only Medeco and many of its dealers continue to represent that falsehood, while at the same time claiming that “they never said it…others did” and that Medeco cannot control what their employees and dealers say! The question as to when Medeco will level with their dealers and customers about the insecurity of their products will be left for another post, and venue. One would have expected a statement from Medeco after their Wired PR fiasco, but true to form…nothing.

Security is all about liability; this maxim may prove to be a very expensive lesson for Medeco and its parent company to learn.

We went to two upscale houses in New Jersey and opened the locks in seconds.

Any joy at Medeco will likely be short-lived. Toby, myself, and Matt Fiddler will be presenting at DefCon again this year, and will be issuing a security alert with regard to electro-mechanical locks and what we perceive as extremely serious vulnerabilities. During the past year, we have focused our efforts on Assa Abloy Cliq technology that is shared by Mul-T-Lock, Medeco, Ikon, and maybe even Assa itself. It should come as no surprise that we found what we believe to be serious design flaws in these locks, both in terms of mechanics and electronics. Anyone who thought that we were ending our research efforts with Medeco will find that the story has just begun. Key control, covert entry, and forced entry…all the same issues that we found wanting in the Medeco locks… are alive and well in Logic, Cliq, and NexGen and should prove highly relevant for everyone concerned with the security of electronic locks.

And for those of you that are not familiar with NexGen, these are the very neat cam locks that are used in vending machines (for example, thousands of machines owned by Coca-Cola in Philadelphia); in major municipalities’ parking meters (in San Francisco, Los Angeles, Miami Beach, and New York); and also for the protection of cargo shipments in padlocks. Audit trails and revenue security are the prime rationale and justification to install these expensive locks ($100-$150). We think that the premise for implementing these locks might have to be reviewed and re-thought after DefCon. Not only will the implied guarantee of revenue security have to be re-examined, but the issue of potential false accusations that could affect innocent employees will most surely be a serious topic for some labor unions and legal counsel. Insurers and underwriters may also be involved because their premiums are based upon risk assessment. We believe that high-value targets may be at increased risk from the use of certain locks; hence insurability and premium rates could be affected.

During our presentation we will review some of the representations in the advertising of certain vendors, and why we believe these may not only be overstated, but inaccurate and uninformed at best, and false and misleading at worst. We are producing a very detailed WhitePaper with regard to this issue, followed by a supplement to Open in Thirty Seconds. The title still applies to some of these electronic locks.

We are planning a government-only briefing on this topic, and will release more details shortly. If you are a commercial facility, regulated industry, or government agency that has implemented, or is considering the implementation of the Cliq technology, you may want to follow this closely, both in the United States and in Europe. We believe, and will so state in our WhitePaper, that potentially serious security and legal liability issues may flow directly from the implementation or continued use of this technology until the issues we believe exist are remedied. Obviously, many factors are involved, and in part this depends upon the security and regulatory requirements of the specific location, but in general, it would be our view that some electro-mechanical locks are not quite the panacea that the vendors would like you to believe.

The manufacturers are touting this technology as the answer to the insecurity of even their high security mechanical cylinders. Maybe that is true, but we think they may come at quite a high price, both in terms of actual cost, and also with regard to what can happen when things go wrong and there is a breach of security.

We hope to see all of you at DefCon.
