I recently visited Salto Systems in San Sebastian, Spain, and interviewed Marc Handles, one of the original founders of the company. I spoke with him in regard to access control system technology and its level of sophistication. I think you will find the discussions valuable in terms of a survey and in-depth analysis of capabilities and complexities of properly implementing access control hardware and software.
Salto Systems is one of the leading providers and developers of sophisticated multi-platform EAC systems in Europe and the United States. They utilize EVVA mechanical cylinders and technology in some of their products. Salto has systems in about forty countries with more than 650,000 installed locks.
I wrote an article for the Airport Cities magazine as a result of my lecture in Dubai last April, which was published in their September, 2008 issue. It deals with the importantance of high security locks for use in airports, and discusses the failure of key control in Medeco locks, as well as other high security cylinders.
I interviewed Dr. Stefan Savage, the professor at the University of California San Diego, that directed the research team that developed a prototype for analyzing the images of keys to decode their bitting code.
The team issued a report last week that detailed its findings.
Although remote optical capture of bitting information is not new, the development of software to automatically analyze images of bitting codes may be unique in the commercial sector. You will recall that we were able to scan a Medeco m3 key last summer, email the image, and simulate a key that opened the lock using a piece of credit card plastic. The UCSD technique takes this one step further.
See the complete story on CNET Security.
Will we have to change the title of our book as a result of what happened this past weekend? Maybe!
Matt Fiddler (right) instructs on bumping open Medeco locks.
As usual, Barry Wels and Han Fey organized an incredible security conference at Sneek, Netherlands, this past weekend. The new name is LOCKCON, which was changed from “The Dutch Open” this year. There were almost 100 participants from all over Europe and the U.S. who interacted for three days of presentations, discussions, and contests to open locks and safes. Drinking beer was optional!
I would like to think that the highlight of the weekend was the four-hour presentation that my co-author, Tobias Bluzmanis and I gave with regard to the complete and total bypass of Medeco Biaxial and m3 high security locks, but at the end of the day, I think the lecture (almost five hours) that Peter Field gave was up to his usual standard of excellence and was the primary attraction. I have known Peter for more than 20 years, and have never been disappointed by one of his mega-presentations! Last Friday was no exception as he detailed the design features of more than fifty locks.
To say that his background and understanding of lock design is extraordinary would be an understatement. In our view, perhaps the most significant point is that Peter participated as the Director of Research and Development for Medeco. They have taken the lead in recognizing the contribution of the lock sport and professional bypass community. It is even more amazing that he (and Medeco) agreed to participate in the same gathering that saw Toby and I teach how to circumvent the security of the their locks.
And that is exactly what we did, both in a detailed Powerpoint presentation and in a workshop where everyone could cut keys for new Biaxial profile cylinders.
Barry and Han had purchased a Medeco key machine, hundreds of profile cylinders, and thousands of blanks in preparation for LOCKCON. Why did they go to this expense and effort? I believe that it is because of the impact that our bypass techniques could have in the high security community around the world, not just for Medeco but for other lock manufacturers as well. They wanted to let everyone learn the technique from its inventors, and then do their own vetting, rather than simply relying upon what they have heard, or read in our book, or on the web. Virtually none of the participants were familiar with Medeco locks before the conference. Few had actually picked them open, so this was a real learning experience and a test of our techniques with extremely competent technicians.
So, we explained in some detail the theory behind our concepts of “code setting keys” and “setting the sidebar code” in Medeco locks. We examined Medeco’s total lack of real key control, and the ability to bump and pick their locks in seconds. After our presentation, everyone had the chance to practice and learn the techniques that were required to open these cylinders. Just about everyone got it!
They were able to understand how to set the sidebar code in order to neutralize this vital security layer. Once that was accomplished, cylinders could be picked or bumped open, sometimes in as little as five seconds for a five-pin Biaxial.
The proof, however, was in the lock picking contest on Sunday.
There were several rounds to identify the best lock pickers in the group. By three in the afternoon, there were just a few finalists. It was agreed that the final rounds would require the contestants to pick open Medeco cylinders. Four different sidebar codes that matched our four code setting keys were assigned to five-pin Biaxial locks. Each participant had ten minutes to open their lock. Then, they exchanged cylinders with their opponent. At the end of the contest, there would only be one winner; the person that was able to open the most locks, or in the least amount of time.
Keys with the correct sidebar code, but not the correct bitting, were provided to each lock picker. They were taught how to “set the sidebar code” with this key to make the sidebar irrelevant to the security equation. In order to win the round, the contestant would have to insert his key, set the code, remove it so as not to disturb the rotation angle for each pin, and then pick the lock.
All of the locks were opened during the contest. We proved that if the techniques that we taught in our book were understood and followed, the locks could be picked, sometimes with amazing speed.
See the video links below.
In the four preliminary rounds, the first lock to be opened by a participant was accomplished quickly: 49 seconds (Round 1), 23 seconds (Round 2), 2:07 (Round 3), and 5:46 (Round 4).
Then there were only two contestants.
The Final Round. 31 seconds was all that was required to open the lock to win the contest!
The locks were set to bitting and sidebar codes that were determined by Barry and Han. Neither Toby nor I had anything to do with how the contest was structured, or the configuration of the locks.
What this exercise really showed was that Medeco makes very tough locks if the sidebar cannot be compromised. Although a few of the participants had picked Medeco cylinders without learning our techniques, most could not do this. The locks, as we have always said, present a serious obstacle to covert entry attacks unless you understand how to neutralize the sidebar and other security layers. Then, they can be very simple to open. That fact, compounded by the complete compromise of the vaunted Medeco key control, makes this lock, in our opinion, unsuitable for any high security application where you really have to be sure of its ability to keep intruders out.
So all in all, it was an incredible weekend, and we would like to thank Barry Wels and Han Fey for organizing LOCKCON 2008 and allowing us the opportunity to demonstrate our techniques to compromise perhaps what was once thought of as the most secure lock in America.
Marc Tobias, JennaLynn, and Tobias Bluzmanis at Defcon 16 lock picking village
See the Video that documents JennaLynn opening a five-pin Medeco Biaxial at Defcon 16, in 2008.
See the PowerPoint presentation at Defcon 16.
At Defcon 16 this year, we demonstrated that the high security ARX pins that Medeco may be relying upon to fix the Medecoder problem might not quite be the solution they had hoped for.
Medeco announced in the May, 2008 NDE magazine that they would be implementing a solution to the Jon King Medecoder bypass. We received reliable information that their response to this fifteen-year-old threat would be to implement ARX pins, and that they are in the process of converting their production lines to accommodate the required changes. Three months later, everyone is still waiting.
As we pointed out in our previous editorials about Medeco embracing the Locksport community, ARX pins would likely prevent the use of the Medecoder but they may not be an effective deterrent to our methods of bumping and picking. Whether Medeco understands this is unclear. Given their apparent inability to figure out just how to compromise their own locks, it is probably unlikely that they comprehend all the issues involved, or would ever acknowledge them.
In a recent exchange of emails, we offered to open lines of communications with Medeco, as we had enjoyed up until about eighteen months ago. But of course, that was before we publicly disclosed the serious vulnerabilities in their “key control” or to be more accurate, the lack thereof. Actually, as applies to Medeco m3 cylinders, we believe the more descriptive term should be “key insecurity.”
In our view, Medeco does not have any key security for the m3, and for many of their older Biaxial locks. They continue to represent that they have strong patent protection for their keys. By inference, the facilities that rely upon Medeco can be assured that it is virtually impossible to duplicate a Medeco key. In our view, this is not only untrue, but it is nonsense. We will go into much more depth regarding “key-mail” in a later post, because this issue has far greater implications than just making keys out of plastic for their locks.
Immediately after Defcon, I also let the company know that we had documented the bumping of another Biaxial by thirteen-year-old JennaLynn, and offered to share the pre-release copy of the video with them for any comments they may wish to make.
So, again, Medeco is silent. They are saying nothing about bumping, or our latest attack with plastic, which is so simple that it can be carried out by one with very limited skills. If we are to understand their response in the Slate.com article last month, they believe and firmly embrace the premise of saying nothing about anything regarding the security of their locks, other than touting how secure they are. In other words, Security by Obscurity is definitely the policy. It is, in our view, an irresponsible policy, fraught with danger for the consumer and the lock manufacturer as well. But we will leave that discussion for a later time and venue.
* * *
We return to Defcon 16 and (now) thirteen-year-old Jenna Lynn. Everyone will remember in 2006 when she bumped open the Kwikset cylinder. She was probably the one most responsible for getting everyone’s attention to be focused on this threat because everyone understood the implications of an eleven year old being able to open one of the most widely used pin tumbler locks in America.
Medeco reaped the benefit of our presentation at Defcon 14 in 2006. In fact, a joint appearance between me and a senior Medeco representative in a widely-aired in-depth TV story surely must have increased their sales. Everyone, it seemed, was concerned about the threat from bumping so all was very well at Medeco. They had a solution to bumping, and announced it in a press release about August 4, 2006.
Now it is 2007, at Defcon 15. Something is terribly wrong! Young JennaLynn has now bumped open a Biaxial cylinder for the news media. How can this be, because Medeco represented to everyone that their locks were bump-proof in 2006! Oh, so much can change in such a short time. By the summer of 2007, they were claiming that their locks were either “virtually bump-proof” or “virtually resistant.” It is hard to tell when this precise obfuscation transformed their position of offering the bump-proof solution, to hedging their language as the lawyers got involved to protect them.
Now, Medeco claims that they NEVER said their locks were bump-proof. Rather, they claim, others said it, but surely not them! Well, that argument sounds good, until one considers the slide that was shown in our Powerpoint lecture this year at Defcon. The slide that we believe conclusively proves that Medeco not only claimed that their locks were bump-proof, but made the error of attempting to register the name bump-proof with the Patent and Trademark office about two weeks after they issued their original press release.
I have really tried to understand why they would do that if they were not representing that their locks were indeed bump-proof. I have concluded that the only other logical answer, which only a lawyer could invent, would be that they wanted to prevent all other manufacturers from claiming their locks were bump-proof! Did they do it because they wanted to protect the public from such claims by other manufacturers. Maybe they did this, as the acknowledged leaders of the high security market, because it would be highly misleading to the public to advertise a lock as bump-proof when in fact it was not! They simply wanted to protect the public from such claims!
Surely that must have been their motivation, because there can be no other answer…unless, of course, they actually were claiming that their locks were bump-proof and wanted to get the jump on every other lock manufacturer. A really great idea, until a twelve-year old showed how to open their cylinders by bumping. Then, of course, Medeco went into spin-mode to make sure that nobody believed what they had seen on the video. After all, if Medeco said it was not true, then everyone would have to believe them. Because they were Medeco!
There was just one small problem. Medeco forgot about the Internet and open and instant access to records. It is the same naiveté that allowed them to believe they would actually get away with modifying their original bump-proof press release, as we presented in another slide at Defcon. Evidently they were not aware of www.archive.org, or that the two different versions of their press release are still available, and are included within the Multimedia edition of our book.
So JennaLynn bumped open the Biaxial cylinder in 2007, and Medeco said it was all a lie. Not publicly, of course, but they said it to many individuals privately. This was their disinformation campaign to discredit myself, my co-author, and others that dared to talk about or teach the techniques to compromise Medeco locks by bumping and picking. They repeatedly claimed that the lock that JennaLynn had opened had to have been modified or altered, because you simply could not bump open a Medeco lock. According to Medeco, not even those independent testing labs could open their locks by bumping. Yes, those very same labs that Medeco recently told Slate.com should be the ones to conduct vulnerability testing of locks.
Actually, the real problem is that Medeco could not bump open their own locks, rather than it not being possible for a twelve-year old to do it! So, for the past year, they have repeated their story about how we manipulated the internal mechanism of the lock to allow JennaLynn to open it. Medeco has represented that they have allegedly spent hundreds of hours internally trying to open their locks, and have been unable to do so. Well, we did suggest to Medeco that they invite young JennaLynn to the factory in order to instruct them how to open their own locks!
Now we come to the best part of this story.
* * *
It is Sunday morning, August 10, 2008, in Las Vegas, and it is Defcon 16. Tobias Bluzmanis, Matt Fiddler, and I are sitting in the lock picking village, watching Deviant Ollam and others giving classes on basic lock design and picking and bumping. It is always the most popular gathering at Defcon, and this year was no exception. The village was packed with enthusiasts from morning until late in the night.
We asked JennaLynn to try to bump open a new, five-pin Biaxial profile cylinder that we acquired in Europe from the stock of a Medeco lock shop. She was eager to try, given her success last year. So, we handed her the lock and the bump key that we prepared. The key had the correct sidebar code for this cylinder, and was cut to all #6 depths. Ten minutes after we gave her the lock, she returns and says she can open it. She is smiling. But she has no idea what she has actually accomplished! As it turns out, it was quite a feat as compared to what she had done last year.
Now we are sitting at a large round table with about 25 other attendees in the village. Matt starts shooting video, and you can see for yourself why this demonstration is different than last year, when she opened the Biaxial at Defcon 15. It is vastly more significant because we inserted four ARX pins and three mushroom top pins into this lock.
Medeco touts the ARX pins as the most secure. You know, these are the very same pins that will prevent the Medecoder from working, and were developed in response to the sophisticated John Falle decoder in the early 1990s. The same pins that were going to become standard in their cylinders, and why they got Jon King to hold off publishing information for two months about his decoder.
Whether these pins become standard in all of their locks is open to speculation. Medeco evidently believes that everyone should pay for this security upgrade, even though they were aware of the problem that prompted the ARX pin development for at least fifteen years.
The bottom line is that we can demonstrate the ability to bump and pick locks with at least one version of ARX. The pins that we used (#4 and #6 depths) were supplied directly by Medeco to us, so we can only assume they are as secure as any they produce.
And to add insult to injury, it appears that the company may want their dealers to bear the cost for the pin kits, which we have been told may run anywhere between $800 and $2,000. Now, how does that work, exactly? We are not quite sure, but any locksmith that is not happy about it is welcome to contact our office for advice and assistance.
As we are detailing in the next edition of OPEN IN THIRTY SECONDS, we believe there is a basic problem with the ARX philosophy and its ability to prevent bumping and picking when the sidebar code is known, as is the case when our four code-setting keys are employed to open their cylinders.
Tobias Bluzmanis disassembles the lock in front of 25 attendees, so an expert can verify the internal components and that the lock has factory-standard pins, springs, and sidebar and that they have not been altered or modified.
What everyone needs to understand is that a thirteen-year old girl was able to repeatedly open a Medeco Biaxial cylinder with four ARX pins. She did it effortlessly. Yes, the lock had been bumped many times before JennaLynn did it. That should not matter, because Medeco has repeatedly claimed that their locks were bump-proof. Well, at least until they realized they were not, and they changed their advertising language so as to make their claim next to meaningless, if not laughable.
And if you have any questions as to the authenticity of the demonstration, or that the cylinder was somehow modified, check to see who verified the internal components of the lock immediately after the demonstration, on the video.
From our perspective, nobody is more qualified to confirm what we demonstrated with JennaLynn than one of the individuals that Medeco selected in 2007 to help them in an attempt to debunk and discredit our findings. As you will see on the video, Han Fey, one of the most respected cylinder security engineers in Europe, was able to confirm exactly what occurred at Defcon. And if you are still skeptical about the 2007 JennaLynn demonstration, it might be interesting to hear from ALOA senior staff because ultimately they may be required to weigh in on this matter and present evidence as to the ability to bump Medeco cylinders. Yes, the same ALOA that issued their famous press release in 2006 about bumping, and how the publication of this information had “unduly raised the alarm.”
We think it is about time for Medeco to start leveling with their customers and the public. They should candidly address the security vulnerabilities of their locks to bumping, picking, and what we perceive as their total failure of key control and key security in the m3. If significant research involving bumping had not been conducted, nobody would have been aware of the security threat that existed, especially in high security locks, with regard to bumping and picking.
Medeco locks are certified by UL and BHMA as meeting minimum criteria to protect the public from different forms of attack. As we note in our book, BHMA 156.30, (the true high security standard), does not specify many forms of attack that can be critical to the protection of a facility, so the value of such certifications are diminished.
We believe that Medeco does not and cannot comply with certain requirements of this standard, to the potential detriment of the public, commercial, and government sectors. We are actively pursuing this issue regarding Medeco and other certified high security lock manufacturers with BHMA. It is our position that they should not continue to be certified, because their locks can be compromised in well under the minimum specified times that are enumerated in both UL 437 and 156.30.
We would urge Medeco and other manufacturers to join us in a thorough review of the standards and to insure that the requirements are comprehensive, realistic, and complied with. Presently, we can show that some high security locks will simply not meet the standards and should be de-certified.
We just returned from DEFCON 16 in Las Vegas. The conference organizers report the largest attendance ever, and that was evident at our two-hour presentation on Friday afternoon. Matt Fiddler, Tobias Bluzmanis, and I did a three-part presentation on Medeco high security locks, demonstrating how all of their security layers have been compromised.
You would expect to be able to simulate a plastic key for a Kwikset cylinder, but not for a high security lock like Medeco. This key easily opens the Kwikset. We accomplished the same result with a Medeco m3. So much for key security!
A credit card was cut to form a key for a Medeco m3. It incorporated both the vertical bitting and angles needed to open the lock.
A Medeco mortise m3 cylinder can be easily compromised with a plastic key. We graphically demonstrated this vulnerability to a Wired Magazine reporter, both with a credit card, and Shrinky Dinks plastic. The full story of how this key was emailed by the reporter to us prior to Defcon will be posted shortly, and documents the threat that is posed by a lack of key control.
An inexpensive HP copier/scanner was used to produce a replica of an m3 key on Shrinky Dinks plastic. We demonstrated the ability to compromise the security of a mortise cylinder using this key.
We also discussed the security threat that is posed by a camera within a cell phone. In this case, we used the image of a Medeco key that was captured by a Blackberry Curve.
JennaLynn did it again this year. At age 13, she opened a five-pin Biaxial profile cylinder. But this was not an ordinary lock, as you will see in the interview.
We will post our Powerpoint presentation together with all of the video files from Defcon.
At our Defcon presentation, we talked about the methodology that we employed to break the locks and the lessons that should be learned from our experience. Then, we discussed the ability to totally compromise the key control of the m3, and many Biaxial cylinders, using plastic or Shrinky Dinks keys. We introduced the concept of Key-Mail, and warned of the threat from emailing restricted keys from within a high security facility.
Finally, we discussed the concept of Responsible Disclosure v. Irresponsible Non-Disclosure upon the part of a lock manufacturer. We took many questions from the overflow audience at the end of our presentation.
JennaLynn demonstrated her ability to bump open a Medeco Biaxial cylinder once again this year. You will recall that she did the same thing at Defcon 15. Medeco claimed that the demonstration was not true, and that the locks had been modified or altered so that she could open them. This, of course, was not true, and the cylinder was subsequently verified by independent experts a few weeks later that it conformed to factory standards, and indeed could be repeatedly bumped open. To our knowledge, Medeco has never admitted publicly that this is possible.
So, the lock that JennaLynn, at age 13, bumped open was no ordinary cylinder. And this year we decided to have her do the demonstration in front of about 25 participants at the lock picking village, where both amateurs and experts converged to try their skills at openeing a wide variety of locks. Not only did she open the lock twice in a few seconds, but we had an indpendent expert immediately confirm that the lock was configured as we represented, which would prevent Medeco from claiming that this was a staged demonstration.
Han Fey, as he examines the Biaxial lock that JennaLynn easily bumped open in a few seconds.
We asked Han Fey to be our independent observer. Han is from the Netherlands and works with Barry Wels and Toool, and is recognized as an expert in his field. More importantly, if you read our book, he is also recognized by Medeco as an expert. We offered a pre-release copy of the video to Medeco last week, so that they could include comments when it was posted. We have not heard from them since that offer.
Han and Barry came to Defcon 16 this year, in part to view our presentation on key security, as a follow-up to a detailed presentation that Barry gave at HOPE a few weeks before in New York.
Stay tuned for the demonstration by JennaLynn, and a discussion of how we compromised Medeco key control. Both topics should be of interest to security professionals who are responsible for insuring the integrity of their locks and keys.
The IDG News Service, Network World TV, posted this video this past week, reflecting some of the events at HOPE 2008 in New York.
HOPE 2008: Three separate lectures that discussed Medeco vulnerabilities
The Usual Suspects, together for a discussion of different vulnerabilities of Medeco Biaxial and m3 cylinders. From left to right, Matt, Toby, Marc, and Jon.
This past weekend there were three different presentations at the HOPE security confernece in New York regarding different potential security vulnerabilities involving Medeco locks.
Jon King, inventor of the Medecoder picking tool, lectured on the use of his tool and demonstrated its use in picking a Medeco m3 in under three minutes.
Jon King demonstrates the use of the Medecoder picking tool.
We discussed bumping and picking and the different methods of defeating Medeco cylinders, including the defeat of ARX pins, which Medeco apparently plans to implement in their new cylinders to combat the King Attack. While they probably will prevent the use of the Medecoder in new locks, they may not be effective in stopping the use of code setting keys for bumping and picking, as described in our new book. We have repeatedly demonstrated the bypass of some of these pins to bumping and picking, so it remains to be seen just how effective they will be. Evidently Medeco will not be paying for any upgrades to currently installed locks. The company was quoted in an article today on Slate.com, saying that “when you buy a lock, you don’t buy a subscription.” I guess that means that everyone is on their own!
Matt Fiddler, Tobias Bluzmanis and I provided an hour briefing to an overflow audience on the Medeco case example and how we methodically developed bypass techniques for the different Medeco products. This research formed the basis of our new book, “OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America.”
Then, on Saturday, Barry Wels and Han Fey offered a two-hour lecture on keys; how they work and how they can be simulated and copied. Their lecture was also to an overflow crowd and extremely well received. Barry, as usual, provided excellent background on how mechanical keys work and why they are not secure, even for certain high security locks.
Matt Fiddler, Toby, and myself will be going into much greater detail at Defcon with regard to the vulnerability of Medeco locks and their key control, and what we perceive as a particularly serious security issue with regard to certain Medeco cylinders.
We will also be addressing the concept of Responsible Disclosure and Irresponsible Non-Disclosure. The photograph below is of Han Fey, replete with Medeco shirt!
Han Fey and Marc Tobias at HOPE 2008.
You can view the short video of our discussion with myself, Tobias Bluzmanis, Matt Fiddler, and John King.
On October 28, 2008, I will be the Keynote speaker at the Forensic-Security conference at NIST headquarters in Gaithersburg, Maryland. The National Institute of Standards and Technology is the site of this three-day conference for law enforcement, security and IT professionals. I will be discussing high security locks and the Medeco case example and the lessons to be learned for security managers and those responsible for critical infrastructure protection. There will be more than 1100 registered attendees.
July 18, 2008Tobias Bluzmanis, Matt Fiddler, and I will be presenting at HOPE in New York on Friday, July 18, 2008. Then we will be doing a special briefing on Medeco locks and our new book. We will answer questions with regard to security issues involving Medeco Biaxial, m3, and Bilevel cylinders. We hope that many can join us during the three-day conference.
August 8, 2008We will be giving a presentation at DEFCON 16 in Las Vegas, on August 8. During that conference, we will go into significant detail about new and serious vulnerabilities that we discovered with regard to Medeco and other locks.
October 5-6, 2008
We will be visiting the Trezor Test Labs in Prague, Czech Republic, to discuss current bypass techniques.
October 7-8, 2008Tobias Bluzmanis and I will be signing books at the Wendt exhibit at the Essen Security Exhibition in Germany.
October 9-10-11, 2008
Tobias Bluzmanis and myself will be at Sneek, Netherlands, at the Toool meeting. We are doing a detailed presentation and hands-on demonstration to teach bumping, picking, and compromise of key control for Medeco locks.