In.Security Home

THE SIDEBAR: MARC WEBER TOBIAS

DEFCON 18: LOCKS, LIES, AND VIDEOTAPE

See the Wired.com, AFP, and Brickhouse Security articles.

DefCon is the largest hacking/security conference of its kind in the world. For the past six years, our research team has demonstrated vulnerabilities in both high security and conventional locks. This year our team (Marc Tobias, Tobias Bluzmanis, Matt Fiddler) selected five different locking mechanisms that are popular in the consumer sector. We chose a broad cross-section: conventional programmable mechanical lock, electronic “safe”, biometric fingerprint lock, RFID-based deadbolt, and a very sophisticated electro-mechanical lock that requires no batteries in either the lock or key. Three of these locks are imports: two from China, and one from Finland. Notably, the locks from China (BioLock and Amsec), are both sold in the United States, and are prime examples of insecurity engineering at its best. They denote a total lack of competence in design, often typical of the cheap products that are being imported from China. More about this later, but suffice it to say, these are prime examples to support the premise: there are no shortcuts to quality and security.

Three of the five companies refused to comment or return phone calls to Wired. Kwikset and Iloq did make statements, both of which, in my view, were inaccurate or misleading, or demonstrated a basic misunderstanding of their products with regard to security. On previous occasions I had attempted to speak with General Counsel for Kwikset and their VP of Engineering in order to disclose security vulnerabilities. They likewise refused to return phone calls.

None of these locks can be considered as high security, but Kwikset, which sells millions of cylinders a year in the U.S., and has incredible market presence, has a grade 1 security rating for its model 980/985 deadbolt, which we selected to analyze. I have attacked Kwikset for several years because of their poor quality and security. In fact, in 2006, the company flew me out to their corporate facility in California for a pre-release briefing of their Smartkey, after eleven-year old JennaLynn bumped open their locks at DefCon. The irony was that senior engineering and management at Kwikset told me that they were not even aware of bumping, except for what they had seen on the Internet! The Smartkey was not designed to be bump-resistant.

At that meeting, I voiced my opinion that the company was selling junk locks. Their reply was “yes, we know, but we make 20-25 million of them a year.” In my view, nothing much has changed in the past four years, other than their locks are mechanically reprogrammable. Clever, yes. Convenient, yes. Secure and maintenance-free, no.

FALSE SENSE OF SECURITY

Each of the five companies represents their products as secure. This creates a false sense of security in the buying public. In the case of Kwikset, in my view they are perhaps the worst offender because of their market penetration. But the problem and responsibility is shared equally with the standards organization that rates their locks, and specifically with BHMA. I have had many discussions with regard to this issue during the past three years with their executive director in an attempt to modify the standards so they actually mean something. I think we are making progress, but because of the inherent way in which standards are adopted, it is a slow process.

The standards do not adequately address simple methods of bypass. The result is that locks are sold that the consumer relies upon as being secure; and yet they are not. Many of the bypass techniques that we utilize are not even included within the standard. Some companies hide behind the standards, stating that their locks “meet or exceed” them, knowing those same locks can be bypassed by methods not enumerated in the standards they are citing. I would submit that whether a lock is certified under an applicable standard or not has nothing do with the its real security if it can be bypassed in seconds. In such a case, any such statements are illusory and mean nothing with regard to protection of the end-user.

WHAT NEEDS TO BE DONE

There is no substitute for competent security engineering. Unfortunately, some locks are expensive and not secure, but generally, you get what you pay for. I think the critical issue for the consumer to understand is that cheap locks are inherently not secure. In 2006 Kwikset told me their smartkey cylinder would cost them about two dollars to produce. In my view, they are of poor quality, and just about every locksmith in the country knows it. Clever options like being programmable are extremely convenient for the consumer, but unless executed properly, can reduce the overall security of the lock.

Granted, some consumers cannot afford better locks, (or those that carry a high security rating), but at least they should know what they are buying and not be misled by untrue or misleading claims of manufacturers. Kwikset has been aware of the vulnerabilities in their locks, and specifically that they can be opened in seconds with a specially modified key and the application of sufficient torque. They have made changes to prevent this bypass technique, but the locks can still be opened, and they know it. Yet, their employees continue to mislead the public into believing that their deadbolts can only be opened by drilling, breaking the door down, or breaking the door frame. This is simply not true. They continue to focus on their Grade 1 rating. Yes, they are certified, but we do not think they will pass in a re-certification test.

We are filing a challenge with BHMA to ask for a retest, because in my view, the Smartkey deadbolt will not pass, based upon two sections of the BHMA/ANSI 156.5 standard: Sections 12.1 and 12.5.2.

Section 12.1 requires that the cylinder be of the pin tumbler design. The Smartkey is not; it uses tiny sliders, as shown in the photograph below. While they may control a sidebar for locking, which generally is more secure, the sliders themselves are not, and never will be as strong as pin tumblers. The BHMA standard excepts locks that are more secure than pin tumbler designs. In my view, the Smartkey is not, and Kwikset knows it. And they cannot use the fact that they are bump-proof, either, because bumping is not in the standard. Yes, they are pick resistant, but we have picked them as well.

The point is that the locks are not physically secure and can be easily compromised. BHMA should not be certifying a deadbolt Grade 1 cylinder that can be opened in thirty seconds. Further, Kwikset should be forced to place a warning on their packaging denoting this fact to the buyer. If they did, I am quite certain that few persons would choose them for protection.

Section 12.5.2 requires that the plug can withstand a minimum of 300 foot-pounds of torque without turning, or that it cannot be turned by manipulation. We do not believe that the Kwikset Smartkey 980/985 deadbolt can meet this requirement either. To open the lock, we are inserting a portion of a key, cut to specific depths, and applying torque. This procedure, we believe, meets the definition of “manipulation”in the standard.

RE-WRITE THE STANDARDS AND MAKE THEM REFLECT “REAL-WORLD” ATTACKS

Include real-world testing procedures that are not presently incorporated within the standards. This will insure that what the manufacturer represents as secure actually is.

START TELLING THE TRUTH TO CONSUMERS AND WARM THEM OF KNOWN VULNERABILITIES

I am quite certain that if Kwikset and all of the other manufacturers that were shown at DefCon 18 were to place warnings on their packaging that their locks could be compromised in seconds, nobody would buy them. After watching the videos, would YOU buy any of these locks? Not likely. And that is precisely the point. If a manufacturer is going to produce inferior quality locks, then warn the public, so that they have the information to make an informed decision as to security.

HIRE ENGINEERS THAT UNDERSTAND SECURITY ENGINEERING, NOT JUST MECHANICAL ENGINEERING

In my experience, many manufacturers have no idea how to open their own locks. While their engineers are quite competent to make things work properly, they have little understanding of bypass techniques. And this is precisely the problem. It is a simple principle: you cannot properly design a lock if you do not have a thorough understanding of the methods to break it.

STOP PLACING PROFIT AHEAD OF SECURITY

For a manufacturer, security can be very expensive. Materials, high tolerance, production controls, and competent engineering all come at a price. If a company is to represent their products as secure, then the company has a duty to make sure they in fact are. Many place profit well ahead of security, leaving consumers at potential risk.

VENDORS SHOULD SEND A MESSAGE TO LOCK MANUFACTURERS THAT THEY WILL NOT BUY (OR SELL) PRODUCTS WITH SHODDY QUALITY OR POOR ENGINEERING

Brickhouse Security is the leading vendor of surveillance and security-related hardware to law enforcement and corporate facilities in the U.S. When we notified them of the problems with the BioLock, they took action, as noted in their press release. Notwithstanding that the manufacturer, BioLock refused to accept any responsibility whatsoever for their defective product, Brickhouse has set the standard for vendors in the security hardware sector. Hopefully, others will follow. It is only when the manufacturers get a clear message from vendors that they will not sell their junk, that they will be forced to engineer their products properly and take responsibility for what they make.

LOCKS, LIES, AND VIDEOTAPE

We tested the following locks for DefCon 18:
KWIKSET SMARTKEY
BIOLOCK 333 FINGERPRINT LOCK
KABA SAFLOK IN-SYNC RFID LOCK
AMSEC ES1014 ELECTRONIC SAFE
ILOQ C10S ELECTROMECHANICAL LOCK

Photographs and comments below.

KWIKSET SMARTKEY DEADBOLT OPENED WITH A SCREWDRIVER

Kwikset represents that the Smartkey Model 980 Grade 1 deadbolt is the highest grade of residential security available. This is not, in my view, an accurate statement at all, except perhaps for Kwikset products. it is, in my opinion, misleading, and Kwikset knows it. Such statements are being made by their customer service representatives and in their advertising. If in fact this is the best the consumer can buy, and can be opened in thirty seconds or less, then what does a Grade 2 or Grade 3 rating denote in Kwikset’s world? Ten seconds to open? Perhaps both Kwikset and BHMA would like to answer that question!

KWIKSET Smartkey deadbolt can be opened with simple implements, notwithstanding it is rated as a Grade 1 lock.

KWIKSET SLIDERS
In my view, the critical security vulnerability in the Kwikset Smartkey are the sliders that control the sidebar. They will never be as secure as brass or nickel-silver pin tumblers, even though they tout sidebar security. They can be easily warped, which in my view is the fatal defect in this lock. The macro photograph shows a normal slider (left) and one that has been warped by the application of torque from a 3.5″ screwdriver blade inserted into the keyway and turned with a small vice grip.

OPENING THE KWIKSET SMARTKEY

Kwikset has been aware, for quite some time, that Major Manufacturing has been producing a locksmith tool to open their locks by applying torque with a key blade cut to specific depths. Kwikset has made changes in an attempt to fix this problem, but not very successfully. Yet their representatives continue to state that the only way to open the lock is to drill it. In our tests, we chose to utilize a cut blank key, a screwdriver, and a small vice grip to demonstrate the insecurity of this lock. In their statement to Wired, it would appear that the Kwikset spokesman tried to give the impression they were not aware of this problem. Maybe the spokesman was not, but the engineering division of Kwikset has known about the issue for quite some time.

Opening a Smartkey can be easily accomplished with a portion of a key cut to specific depths, a screwdriver, and vice grip

BIOLOCK is a company based in China, with an office in Los Angeles. They produce a line of biometric locks, including the Model 333, which we tested, and which Brickhouse Security carried until last week.

This very professional-looking fingerprint lock has a bypass cylinder which provides its fatal flaw in its security. As shown in the video and photograph, the locking system can be bypassed within seconds with a piece of wire or paperclip. The design of this lock is completely incompetent and denotes a total disregard and understanding of security issues in lock design.

The BioLock fingerprint lock with bypass cylinder that can be opened in seconds.

The BIOLOCK 333 fingerprint lock can be compromised in five seconds with a paperclip.

AMSEC CONSUMER-LEVEL ELECTRONIC SAFE, MODEL ES1014

AMSEC is a quality safe manufacturer in California, who would, in my opinion, never knowingly market a product with the design defect we demonstrated. Their customer service representatives told me that this safe was a Chinese import and that AMSEC did not test it. That is unfortunate for the consumer who has purchased these. And, just to be clear, we think that to represent this as a “safe” is misleading to the consumer. It is not a safe; it is a container with a lock.

The AMSEC ES1014 consumer-level electronic safe. It is not secure and can be easily compromised.


A flat piece of metal from a hanging file folder is bent and inserted through the top of the door. It is used to make contact with the reset switch to allow the combination to be reset. This is an incredibly inept design.

KABA IN-SYNC LOCK

The Kaba In-Sync is a RFID-based cylinder that is popular for use on military bases, apartment houses, churches and other commercial facilities. Incredibly, the design engineers that are responsible for the security of this device did not understand that a wire could be inserted next to the USB communications port to access the locking pin that provides the security for this lock. We had contacted the lead engineer for Saflok almost a year ago, and then last month to discuss this issue. No response.

The Kaba InSync RFID cylinder can be easily opened with a piece of wire

ILOQ ELECTROMECHANICAL LOCK

The Iloq is an award-winning electromechanical lock that does not use any batteries, but rather generates the needed current through the use of a motor to perform two functions: power generation, and turning a gear to control the primary locking element. These locks are extremely popular in Finland and other Scandinavian countries.

As we note in the video, there are four operating stages for the Iloq. The critical failure of this lock is the ability to circumvent the mechanical re-locking feature. Once this is accomplished, the electronic credentials are neutralized and the Iloq becomes a one-pin conventional lock, which in my view is less secure than the Egyptian pin tumbler lock of 4000 years ago. A senior representative of the company told me that Iloq had made certain changes to prevent our methods of bypass, and that those locks will be available within a couple of months. This is an extremely responsible company who clearly should have understood the ramifications of their design failure, from the security perspective.

ILOQ in Finland produces a very sophisticated electro-mechanical lock that can be easily compromised This photograph shows the Scandinavian profile and the actuating lever at the front of the keyway that can be modified to set the lock to open by any mechanical key.

A cutaway view of the award-winning Iloq, from Finland.

ILOQ KEY TIP MODIFICATION

There are two ways to circumvent the security of this lock: one through an internal attack, and one by externally modifying the actuating lever just inside the keyway. The photographs show the very minimal material removal from the key tip to set this lock so that it can be opened by any other key or even a screwdriver.

All ILOQ keys are mechanically the same configuration. Each key-head contains a unique electronic identifier.

The tip of the ILOQ key is modified for an internal attack. The top photograph shows a normal key (green); the bottom has been modified.

MODIFICATION OF THE ACTUATING LEVER AT THE FRONT OF THE KEYWAY

The actuating lever can also be modified by removing an equivalent amount of material, about 1/32″. When this occurs, the lock is set and can be opened by any key, simulated key, or screwdriver. Note the small amount of lever material (circled in red) that has been removed. This can be accomplished rapidly and will result in the lock being permanently set, requiring only a mechanical key to open.

ILOQ actuating lever showing the modification to permanently set this lock.

Comments are off for this post

Comments are closed.

Mexico