I interviewed Dr. Stefan Savage, the professor at the University of California San Diego who directed the research team that developed a prototype for analyzing images of keys to decode their bitting code.
The team issued a report last week that detailed its findings.
Although remote optical capture of bitting information is not new, the development of software to automatically analyze images of bitting codes may be unique in the commercial sector. You will recall that we were able to scan a Medeco m3 key last summer, email the image, and simulate a key that opened the lock using a piece of credit card plastic. The UCSD technique takes this one step further.
See the complete story on CNET Security.
Will we have to change the title of our book as a result of what happened this past weekend? Maybe!
Matt Fiddler (right) instructs on bumping open Medeco locks.
As usual, Barry Wels and Han Fey organized an incredible security conference at Sneek, Netherlands, this past weekend. The new name is LOCKCON, which was changed from “The Dutch Open” this year. There were almost 100 participants from all over Europe and the U.S. who interacted for three days of presentations, discussions, and contests to open locks and safes. Drinking beer was optional!
I would like to think that the highlight of the weekend was the four-hour presentation that my co-author Tobias Bluzmanis and I gave with regard to the complete and total bypass of Medeco Biaxial and m3 high security locks, but at the end of the day, I think the lecture (almost five hours) that Peter Field gave was up to his usual standard of excellence and was the primary attraction. I have known Peter for more than 20 years, and have never been disappointed by one of his mega-presentations! Last Friday was no exception as he detailed the design features of more than fifty locks.
To say that his background and understanding of lock design is extraordinary would be an understatement. In our view, perhaps the most significant point is that Peter participated as the Director of Research and Development for Medeco. Medeco has taken the lead in recognizing the contribution of the lock sport and professional bypass community. It is even more amazing that he (and Medeco) agreed to participate in the same gathering that saw Toby and me teach how to circumvent the security of their locks.
And that is exactly what we did, both in a detailed PowerPoint presentation and in a workshop where everyone could cut keys for new Biaxial profile cylinders.
Barry and Han had purchased a Medeco key machine, hundreds of profile cylinders, and thousands of blanks in preparation for LOCKCON. Why did they go to this expense and effort? I believe that it is because of the impact that our bypass techniques could have in the high security community around the world, not just for Medeco but for other lock manufacturers as well. They wanted to let everyone learn the technique from its inventors, and then do their own vetting, rather than simply relying upon what they have heard, or read in our book, or on the web. Virtually none of the participants were familiar with Medeco locks before the conference. Few had actually picked them open, so this was a real learning experience and a test of our techniques with extremely competent technicians.
So, we explained in some detail the theory behind our concepts of “code setting keys” and “setting the sidebar code” in Medeco locks. We examined Medeco’s total lack of real key control, and the ability to bump and pick their locks in seconds. After our presentation, everyone had the chance to practice and learn the techniques that were required to open these cylinders. Just about everyone got it!
They were able to understand how to set the sidebar code in order to neutralize this vital security layer. Once that was accomplished, cylinders could be picked or bumped open, sometimes in as little as five seconds for a five-pin Biaxial.
The proof, however, was in the lock picking contest on Sunday.
There were several rounds to identify the best lock pickers in the group. By three in the afternoon, there were just a few finalists. It was agreed that the final rounds would require the contestants to pick open Medeco cylinders. Four different sidebar codes that matched our four code setting keys were assigned to five-pin Biaxial locks. Each participant had ten minutes to open their lock. Then, they exchanged cylinders with their opponent. At the end of the contest, there would only be one winner: the person who was able to open the most locks, or in the least amount of time.
Keys with the correct sidebar code, but not the correct bitting, were provided to each lock picker. They were taught how to “set the sidebar code” with this key to make the sidebar irrelevant to the security equation. In order to win the round, the contestant would have to insert his key, set the code, remove it so as not to disturb the rotation angle for each pin, and then pick the lock.
All of the locks were opened during the contest. We proved that if the techniques that we taught in our book were understood and followed, the locks could be picked, sometimes with amazing speed.
See the video links below.
In the four preliminary rounds, the first lock to be opened by a participant was accomplished quickly: 49 seconds (Round 1), 23 seconds (Round 2), 2:07 (Round 3), and 5:46 (Round 4).
Then there were only two contestants.
The Final Round. 31 seconds was all that was required to open the lock to win the contest!
The locks were set to bitting and sidebar codes that were determined by Barry and Han. Neither Toby nor I had anything to do with how the contest was structured, or the configuration of the locks.
What this exercise really showed was that Medeco makes very tough locks if the sidebar cannot be compromised. Although a few of the participants had picked Medeco cylinders without learning our techniques, most could not do this. The locks, as we have always said, present a serious obstacle to covert entry attacks unless you understand how to neutralize the sidebar and other security layers. Then, they can be very simple to open. That fact, compounded by the complete compromise of the vaunted Medeco key control, makes this lock, in our opinion, unsuitable for any high security application where you really have to be sure of its ability to keep intruders out.
So all in all, it was an incredible weekend, and we would like to thank Barry Wels and Han Fey for organizing LOCKCON 2008 and allowing us the opportunity to demonstrate our techniques to compromise perhaps what was once thought of as the most secure lock in America.
The contestants at LOCKCON during one of the preliminary rounds.
Marc Tobias, JennaLynn, and Tobias Bluzmanis at Defcon 16 lock picking village
See the Video that documents JennaLynn opening a five-pin Medeco Biaxial at Defcon 16, in 2008.
See the PowerPoint presentation at Defcon 16.
At Defcon 16 this year, we demonstrated that the high security ARX pins that Medeco may be relying upon to fix the Medecoder problem might not quite be the solution they had hoped for.
Medeco announced in the May, 2008 NDE magazine that they would be implementing a solution to the Jon King Medecoder bypass. We received reliable information that their response to this fifteen-year-old threat would be to implement ARX pins, and that they are in the process of converting their production lines to accommodate the required changes. Three months later, everyone is still waiting.
As we pointed out in our previous editorials about Medeco embracing the Locksport community, ARX pins would likely prevent the use of the Medecoder but they may not be an effective deterrent to our methods of bumping and picking. Whether Medeco understands this is unclear. Given their apparent inability to figure out just how to compromise their own locks, it is probably unlikely that they comprehend all the issues involved, or would ever acknowledge them.
In a recent exchange of emails, we offered to open lines of communications with Medeco, as we had enjoyed up until about eighteen months ago. But of course, that was before we publicly disclosed the serious vulnerabilities in their “key control” or to be more accurate, the lack thereof. Actually, as applies to Medeco m3 cylinders, we believe the more descriptive term should be “key insecurity.”
In our view, Medeco does not have any key security for the m3, and for many of their older Biaxial locks. They continue to represent that they have strong patent protection for their keys. By inference, the facilities that rely upon Medeco can be assured that it is virtually impossible to duplicate a Medeco key. In our view, this is not only untrue, but it is nonsense. We will go into much more depth regarding “key-mail” in a later post, because this issue has far greater implications than just making keys out of plastic for their locks.
Immediately after Defcon, I also let the company know that we had documented the bumping of another Biaxial by thirteen-year-old JennaLynn, and offered to share the pre-release copy of the video with them for any comments they may wish to make.
So, again, Medeco is silent. They are saying nothing about bumping, or our latest attack with plastic, which is so simple that it can be carried out by one with very limited skills. If we are to understand their response in the Slate.com article last month, they believe and firmly embrace the premise of saying nothing about anything regarding the security of their locks, other than touting how secure they are. In other words, Security by Obscurity is definitely the policy. It is, in our view, an irresponsible policy, fraught with danger for the consumer and the lock manufacturer as well. But we will leave that discussion for a later time and venue.
* * *
We return to Defcon 16 and (now) thirteen-year-old JennaLynn. Everyone will remember in 2006 when she bumped open the Kwikset cylinder. She was probably the one most responsible for getting everyone’s attention focused on this threat, because everyone understood the implications of an eleven-year-old being able to open one of the most widely used pin tumbler locks in America.
Medeco reaped the benefit of our presentation at Defcon 14 in 2006. In fact, a joint appearance between me and a senior Medeco representative in a widely-aired in-depth TV story surely must have increased their sales. Everyone, it seemed, was concerned about the threat from bumping so all was very well at Medeco. They had a solution to bumping, and announced it in a press release about August 4, 2006.
Now it is 2007, at Defcon 15. Something is terribly wrong! Young JennaLynn has now bumped open a Biaxial cylinder for the news media. How can this be, because Medeco represented to everyone that their locks were bump-proof in 2006! Oh, so much can change in such a short time. By the summer of 2007, they were claiming that their locks were either “virtually bump-proof” or “virtually resistant.” It is hard to tell when this precise obfuscation transformed their position of offering the bump-proof solution, to hedging their language as the lawyers got involved to protect them.
Now, Medeco claims that they NEVER said their locks were bump-proof. Rather, they claim, others said it, but surely not them! Well, that argument sounds good, until one considers the slide that was shown in our PowerPoint lecture this year at Defcon. That slide, we believe, conclusively proves that Medeco not only claimed that their locks were bump-proof, but made the error of attempting to register the name bump-proof with the Patent and Trademark Office about two weeks after they issued their original press release.
I have really tried to understand why they would do that if they were not representing that their locks were indeed bump-proof. I have concluded that the only other logical answer, which only a lawyer could invent, would be that they wanted to prevent all other manufacturers from claiming their locks were bump-proof! Did they do it because they wanted to protect the public from such claims by other manufacturers? Maybe they did this, as the acknowledged leaders of the high security market, because it would be highly misleading to the public to advertise a lock as bump-proof when in fact it was not! They simply wanted to protect the public from such claims!
Surely that must have been their motivation, because there can be no other answer…unless, of course, they actually were claiming that their locks were bump-proof and wanted to get the jump on every other lock manufacturer. A really great idea, until a twelve-year-old showed how to open their cylinders by bumping. Then, of course, Medeco went into spin-mode to make sure that nobody believed what they had seen on the video. After all, if Medeco said it was not true, then everyone would have to believe them. Because they were Medeco!
There was just one small problem. Medeco forgot about the Internet and open and instant access to records. It is the same naiveté that allowed them to believe they would actually get away with modifying their original bump-proof press release, as we presented in another slide at Defcon. Evidently they were not aware of www.archive.org, or that the two different versions of their press release are still available, and are included within the Multimedia edition of our book.
So JennaLynn bumped open the Biaxial cylinder in 2007, and Medeco said it was all a lie. Not publicly, of course, but they said it to many individuals privately. This was their disinformation campaign to discredit myself, my co-author, and others that dared to talk about or teach the techniques to compromise Medeco locks by bumping and picking. They repeatedly claimed that the lock that JennaLynn had opened had to have been modified or altered, because you simply could not bump open a Medeco lock. According to Medeco, not even those independent testing labs could open their locks by bumping. Yes, those very same labs that Medeco recently told Slate.com should be the ones to conduct vulnerability testing of locks.
Actually, the real problem is that Medeco could not bump open their own locks, rather than it not being possible for a twelve-year-old to do it! So, for the past year, they have repeated their story about how we manipulated the internal mechanism of the lock to allow JennaLynn to open it. Medeco has represented that they have allegedly spent hundreds of hours internally trying to open their locks, and have been unable to do so. Well, we did suggest to Medeco that they invite young JennaLynn to the factory in order to instruct them how to open their own locks!
Now we come to the best part of this story.
* * *
It is Sunday morning, August 10, 2008, in Las Vegas, and it is Defcon 16. Tobias Bluzmanis, Matt Fiddler, and I are sitting in the lock picking village, watching Deviant Ollam and others giving classes on basic lock design and picking and bumping. It is always the most popular gathering at Defcon, and this year was no exception. The village was packed with enthusiasts from morning until late in the night.
We asked JennaLynn to try to bump open a new, five-pin Biaxial profile cylinder that we acquired in Europe from the stock of a Medeco lock shop. She was eager to try, given her success last year. So, we handed her the lock and the bump key that we prepared. The key had the correct sidebar code for this cylinder, and was cut to all #6 depths. Ten minutes after we gave her the lock, she returns and says she can open it. She is smiling. But she has no idea what she has actually accomplished! As it turns out, it was quite a feat as compared to what she had done last year.
Now we are sitting at a large round table with about 25 other attendees in the village. Matt starts shooting video, and you can see for yourself why this demonstration is different than last year, when she opened the Biaxial at Defcon 15. It is vastly more significant because we inserted four ARX pins and three mushroom top pins into this lock.
Medeco touts the ARX pins as the most secure. You know, these are the very same pins that will prevent the Medecoder from working, and were developed in response to the sophisticated John Falle decoder in the early 1990s. The same pins that were going to become standard in their cylinders, and why they got Jon King to hold off publishing information for two months about his decoder.
Whether these pins become standard in all of their locks is open to speculation. Medeco evidently believes that everyone should pay for this security upgrade, even though they were aware of the problem that prompted the ARX pin development for at least fifteen years.
The bottom line is that we can demonstrate the ability to bump and pick locks with at least one version of ARX. The pins that we used (#4 and #6 depths) were supplied directly by Medeco to us, so we can only assume they are as secure as any they produce.
And to add insult to injury, it appears that the company may want their dealers to bear the cost for the pin kits, which we have been told may run anywhere between $800 and $2,000. Now, how does that work, exactly? We are not quite sure, but any locksmith that is not happy about it is welcome to contact our office for advice and assistance.
As we are detailing in the next edition of OPEN IN THIRTY SECONDS, we believe there is a basic problem with the ARX philosophy and its ability to prevent bumping and picking when the sidebar code is known, as is the case when our four code-setting keys are employed to open their cylinders.
Tobias Bluzmanis disassembles the lock in front of 25 attendees, so an expert can verify the internal components and that the lock has factory-standard pins, springs, and sidebar and that they have not been altered or modified.
What everyone needs to understand is that a thirteen-year-old girl was able to repeatedly open a Medeco Biaxial cylinder with four ARX pins. She did it effortlessly. Yes, the lock had been bumped many times before JennaLynn did it. That should not matter, because Medeco has repeatedly claimed that their locks were bump-proof. Well, at least until they realized they were not, and they changed their advertising language so as to make their claim next to meaningless, if not laughable.
And if you have any questions as to the authenticity of the demonstration, or that the cylinder was somehow modified, check to see who verified the internal components of the lock immediately after the demonstration, on the video.
From our perspective, nobody is more qualified to confirm what we demonstrated with JennaLynn than one of the individuals that Medeco selected in 2007 to help them in an attempt to debunk and discredit our findings. As you will see on the video, Han Fey, one of the most respected cylinder security engineers in Europe, was able to confirm exactly what occurred at Defcon. And if you are still skeptical about the 2007 JennaLynn demonstration, it might be interesting to hear from ALOA senior staff because ultimately they may be required to weigh in on this matter and present evidence as to the ability to bump Medeco cylinders. Yes, the same ALOA that issued their famous press release in 2006 about bumping, and how the publication of this information had “unduly raised the alarm.”
We think it is about time for Medeco to start leveling with their customers and the public. They should candidly address the security vulnerabilities of their locks to bumping, picking, and what we perceive as their total failure of key control and key security in the m3. If significant research involving bumping had not been conducted, nobody would have been aware of the security threat that existed, especially in high security locks, with regard to bumping and picking.
Medeco locks are certified by UL and BHMA as meeting minimum criteria to protect the public from different forms of attack. As we note in our book, BHMA 156.30 (the true high security standard) does not specify many forms of attack that can be critical to the protection of a facility, so the value of such certifications is diminished.
We believe that Medeco does not and cannot comply with certain requirements of this standard, to the potential detriment of the public, commercial, and government sectors. We are actively pursuing this issue regarding Medeco and other certified high security lock manufacturers with BHMA. It is our position that they should not continue to be certified, because their locks can be compromised in well under the minimum specified times that are enumerated in both UL 437 and 156.30.
We would urge Medeco and other manufacturers to join us in a thorough review of the standards and to ensure that the requirements are comprehensive, realistic, and complied with. Presently, we can show that some high security locks will simply not meet the standards and should be de-certified.
We just returned from DEFCON 16 in Las Vegas. The conference organizers report the largest attendance ever, and that was evident at our two-hour presentation on Friday afternoon. Matt Fiddler, Tobias Bluzmanis, and I did a three-part presentation on Medeco high security locks, demonstrating how all of their security layers have been compromised.
You would expect to be able to simulate a plastic key for a Kwikset cylinder, but not for a high security lock like Medeco. This key easily opens the Kwikset. We accomplished the same result with a Medeco m3. So much for key security!
A credit card was cut to form a key for a Medeco m3. It incorporated both the vertical bitting and angles needed to open the lock.
A Medeco mortise m3 cylinder can be easily compromised with a plastic key. We graphically demonstrated this vulnerability to a Wired Magazine reporter, both with a credit card, and Shrinky Dinks plastic. The full story of how this key was emailed by the reporter to us prior to Defcon will be posted shortly, and documents the threat that is posed by a lack of key control.
An inexpensive HP copier/scanner was used to produce a replica of an m3 key on Shrinky Dinks plastic. We demonstrated the ability to compromise the security of a mortise cylinder using this key.
We also discussed the security threat that is posed by a camera within a cell phone. In this case, we used the image of a Medeco key that was captured by a Blackberry Curve.
JennaLynn did it again this year. At age 13, she opened a five-pin Biaxial profile cylinder. But this was not an ordinary lock, as you will see in the interview.
We will post our PowerPoint presentation together with all of the video files from Defcon.
At our Defcon presentation, we talked about the methodology that we employed to break the locks and the lessons that should be learned from our experience. Then, we discussed the ability to totally compromise the key control of the m3, and many Biaxial cylinders, using plastic or Shrinky Dinks keys. We introduced the concept of Key-Mail, and warned of the threat from emailing restricted keys from within a high security facility.
Finally, we discussed the concept of Responsible Disclosure v. Irresponsible Non-Disclosure upon the part of a lock manufacturer. We took many questions from the overflow audience at the end of our presentation.
JennaLynn demonstrated her ability to bump open a Medeco Biaxial cylinder once again this year. You will recall that she did the same thing at Defcon 15. Medeco claimed that the demonstration was not true, and that the locks had been modified or altered so that she could open them. This, of course, was not true; independent experts verified a few weeks later that the cylinder conformed to factory standards, and indeed could be repeatedly bumped open. To our knowledge, Medeco has never admitted publicly that this is possible.
So, the lock that JennaLynn, at age 13, bumped open was no ordinary cylinder. And this year we decided to have her do the demonstration in front of about 25 participants at the lock picking village, where both amateurs and experts converged to try their skills at opening a wide variety of locks. Not only did she open the lock twice in a few seconds, but we had an independent expert immediately confirm that the lock was configured as we represented, which would prevent Medeco from claiming that this was a staged demonstration.
Han Fey, as he examines the Biaxial lock that JennaLynn easily bumped open in a few seconds.
We asked Han Fey to be our independent observer. Han is from the Netherlands and works with Barry Wels and Toool, and is recognized as an expert in his field. More importantly, if you read our book, he is also recognized by Medeco as an expert. We offered a pre-release copy of the video to Medeco last week, so that they could include comments when it was posted. We have not heard from them since that offer.
Han and Barry came to Defcon 16 this year, in part to view our presentation on key security, as a follow-up to a detailed presentation that Barry gave at HOPE a few weeks before in New York.
Stay tuned for the demonstration by JennaLynn, and a discussion of how we compromised Medeco key control. Both topics should be of interest to security professionals who are responsible for ensuring the integrity of their locks and keys.
See my interview with Matthew Myers. He read the book and picked open a Medeco Biaxial in 55 seconds. Not bad at all! Toby’s best time is 27 seconds for a six-pin m3. Will Matthew beat this record? It is up to you Matthew!
Last week, on my way back from Defcon 16, I stopped in Fort Collins, Colorado to interview eighteen-year-old Matthew Myers. He is a college freshman at Colorado State University, and also works for the lock shop in Fort Collins. The shop services many facilities in Larimer County that utilize Medeco locks. He told me that Medeco is the predominant high security lock that is sold in the area.
About three weeks ago, Matthew purchased a copy of OPEN IN THIRTY SECONDS. Two days after receiving it, he contacted me and sent me an email containing what he believed were the correct codes for the four code-setting keys that could be used to bump and pick Medeco cylinders. He used the data from a Medeco code book to almost figure it out. The codes were close, but not quite correct.
He told me that after reading the book, he was able to open an off-the-shelf Biaxial cylinder in 55 seconds, by using a key with the correct sidebar code to set the angles. He then picked it with conventional picks. He said that other Medeco cylinders took longer.
He confessed that he has been picking locks for about five years, so he was quite proficient, but he was amazed that he was able to compromise the security of the lock in such a short period of time.
Matthew described his experience and his views on the book in our interview.
We thought that the ability to compromise Medeco cylinders by picking could be told much better by an eighteen-year-old who had never been able to reliably pick one of these locks prior to reading the book. It should be noted that Matthew agreed not to release the code data that he developed.
We congratulate Matthew for acquiring the skills that we describe in our book. He will surely excel in college.
Matthew is a regular contributor on LP101.
Great work, Matthew!
HOPE 2008: Three separate lectures that discussed Medeco vulnerabilities
The Usual Suspects, together for a discussion of different vulnerabilities of Medeco Biaxial and m3 cylinders. From left to right, Matt, Toby, Marc, and Jon.
This past weekend there were three different presentations at the HOPE security conference in New York regarding different potential security vulnerabilities involving Medeco locks.
Jon King, inventor of the Medecoder picking tool, lectured on the use of his tool and demonstrated its use in picking a Medeco m3 in under three minutes.
Jon King demonstrates the use of the Medecoder picking tool.
We discussed bumping and picking and the different methods of defeating Medeco cylinders, including the defeat of ARX pins, which Medeco apparently plans to implement in their new cylinders to combat the King Attack. While they probably will prevent the use of the Medecoder in new locks, they may not be effective in stopping the use of code setting keys for bumping and picking, as described in our new book. We have repeatedly demonstrated the bypass of some of these pins to bumping and picking, so it remains to be seen just how effective they will be. Evidently Medeco will not be paying for any upgrades to currently installed locks. The company was quoted in an article today on Slate.com, saying that “when you buy a lock, you don’t buy a subscription.” I guess that means that everyone is on their own!
Matt Fiddler, Tobias Bluzmanis and I provided an hour-long briefing to an overflow audience on the Medeco case example and how we methodically developed bypass techniques for the different Medeco products. This research formed the basis of our new book, “OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America.”
Then, on Saturday, Barry Wels and Han Fey offered a two-hour lecture on keys; how they work and how they can be simulated and copied. Their lecture was also to an overflow crowd and extremely well received. Barry, as usual, provided excellent background on how mechanical keys work and why they are not secure, even for certain high security locks.
Matt Fiddler, Toby, and I will be going into much greater detail at Defcon with regard to the vulnerability of Medeco locks and their key control, and what we perceive as a particularly serious security issue with regard to certain Medeco cylinders.
We will also be addressing the concept of Responsible Disclosure and Irresponsible Non-Disclosure. The photograph below is of Han Fey, replete with Medeco shirt!
Han Fey and Marc Tobias at HOPE 2008.
You can view the short video of the discussion among myself, Tobias Bluzmanis, Matt Fiddler, and Jon King.
On October 28, 2008, I will be the Keynote speaker at the Forensic-Security conference at NIST headquarters in Gaithersburg, Maryland. The National Institute of Standards and Technology is the site of this three-day conference for law enforcement, security and IT professionals. I will be discussing high security locks and the Medeco case example and the lessons to be learned for security managers and those responsible for critical infrastructure protection. There will be more than 1100 registered attendees.
July 18, 2008
Tobias Bluzmanis, Matt Fiddler, and I will be presenting at HOPE in New York on Friday, July 18, 2008. Then we will be doing a special briefing on Medeco locks and our new book. We will answer questions with regard to security issues involving Medeco Biaxial, m3, and Bilevel cylinders. We hope that many can join us during the three-day conference.
August 8, 2008
We will be giving a presentation at DEFCON 16 in Las Vegas, on August 8. During that conference, we will go into significant detail about new and serious vulnerabilities that we discovered with regard to Medeco and other locks.
October 5-6, 2008
We will be visiting the Trezor Test Labs in Prague, Czech Republic, to discuss current bypass techniques.
October 7-8, 2008
Tobias Bluzmanis and I will be signing books at the Wendt exhibit at the Essen Security Exhibition in Germany.
October 9-10-11, 2008
Tobias Bluzmanis and I will be at Sneek, Netherlands, at the Toool meeting. We are doing a detailed presentation and hands-on demonstration to teach bumping, picking, and compromise of key control for Medeco locks.
PART II: LOCKS AND THE CONCEPT OF RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE
© 2008 Marc Weber Tobias
This is Part II of an editorial that was prompted by the open letter in the May, 2008 issue of NDE magazine by Peter Field.
According to Peter Field, Medeco has now embraced and enlisted the support of the Locksport community. He cites their adherence to the concept of Responsible Disclosure as the principal reason for this apparent shift in attitude by the leading high security lock manufacturer in the United States.
In Part I, I examined the possible rationale behind this decision, and suggested that it was not done for purely altruistic motives. Jon King developed a wire pick and decoder to manipulate Medeco pins and open some of their locks. The public disclosure of this tool would constitute yet another attack on the “virtually resistant” security of Medeco locks. I believe the company decided to use this event as an opportunity to possibly re-introduce the implementation of special security pins (ARX) to prevent picking, decoding, and other forms of attack. They have been aware of these techniques for at least fifteen years, but the techniques have become timely and more relevant because of the Medecoder, as well as the release of our new book.
ARX PINS: Background
ARX pins, as I noted in Part I, were developed and introduced more than fifteen years ago, in response to a very sophisticated decoder that John Falle made available to government agencies. It used a fine wire to probe the channel at the base of each bottom pin. We believe that Medeco will be implementing certain changes in their locks to combat the Medecoder. It would be most logical that they begin using a form of ARX in their standard production line to accomplish this, because of the way in which the pick tool works, and their limited options to deal with this vulnerability.
If, in fact, Medeco supplies ARX pins, or a modified version, as standard in their cylinders, there are three important questions that need to be asked. First, why have they waited for fifteen years to do this? Second, will the pins make the locks secure against the Jon King attack, and more importantly, against the techniques we describe in our new book? Third, and perhaps most relevant, are they going to retrofit older locks to this “new” level of security, and if so, who is going to pay for it?
It is all about Cost
As to the first and second questions, I would submit that it is all about cost. Until now, Medeco did not believe they had to supply these pins, other than to customers with special needs, who were willing to pay extra for them. These pins are expensive to manufacture. In fact, Medeco management wanted to drop the ARX pin from production, but was wisely convinced by senior technical staff not to do so. The high security lock market is very competitive, so added manufacturing cost will likely be passed on to the consumer. Customers have many choices, and they may decide that other equivalent locks will meet their needs as well as Medeco. So, if the company chooses to implement these pins as their response to the Medecoder, why did they do so at this time?
The answer, I believe, is quite simple. The company is under attack from many quarters. Jon King is only the latest. More and more information is appearing on the Internet and other sources with regard to bypass techniques. So, Medeco needed to do something when Jon contacted them. I believe they used this opportunity to try to address not only the King attack, but the multiple bypass techniques that we developed and which may pose a far greater threat to Medeco. This may be especially true with regard to certain U.S. and foreign government contracts, and their specific requirements with regard to resistance against forced as well as covert and surreptitious entry.
If they do implement the ARX pin, or a pin that blocks access to the true gate channel at the tip of the pin, they will succeed in stopping the attack by the Medecoder. However, everyone should understand that the ARX pin may not be effective in stopping other attacks, including bumping and picking when using code setting keys.
The problem, as we discuss in the book, is that the ARX pin can provide positive feedback that will allow the lock to be opened, once the sidebar code has been set. This is the reason that we filed for a patent for the development of a pin to deter the very same bypass methods that we developed. We now can repeatedly demonstrate the vulnerability of these pins to bumping and picking attacks. Some locks with multiple ARX pins and varying depth increments can be reliably opened in as little time as thirty seconds. Sound impossible? We have already demonstrated certain bypass techniques for ARX pins to representatives of some U.S. and foreign government agencies.
Maybe the current Medeco description for their security, of “virtually resistant,” actually defines the opposite of what this meaningless phrase connotes: virtually not resistant to attack!
Responsible Disclosure v. Irresponsible Non-Disclosure
The third question (fixing installed products) is perhaps the most important, and relates to the concept of responsible disclosure and the counterpart to that, which we identify as Irresponsible Non-Disclosure.
I would submit that the concept of Responsible Disclosure, with regard to a manufacturer, is not quite the same in the world of mechanical locks as it is in the cyber world, when a serious software flaw is discovered. A security vulnerability in software can be instantly “patched” without any direct material cost or requirement to take apart the affected computer. This is not the case with mechanical hardware.
For locks, it depends upon a number of factors as to whether it even applies, and how. I believe there are two scenarios that must be considered. The first is the discovery of a flaw prior to or a very short time after the introduction of a new lock or design. The other is a vulnerability that has existed for some time, and is present in a significant embedded base of locks that have already been sold and installed.
In my view, the real discussion should focus on full disclosure to the public. The relevant question is when they should be warned that a vulnerability exists, and the extent of that vulnerability. Peter clearly linked the concept of responsible disclosure with the fact that Jon King came to Medeco with his specialized bypass tool prior to making it available to the public. It apparently is this rationale that prompted Medeco to recognize the Locksport community and work with them, rather than simply acknowledging the contributions they have been making for quite some time in finding flaws in locks.
The clear inference is that the King attack was a new threat and that he and the Locksport community acted responsibly by (1) disclosing the issue to Medeco, and (2) waiting to publish full details or offer the tool for sale until Medeco could take remedial action to protect everyone with Medeco locks. So I repeat my initial question: where has Medeco been for at least the past fifteen years with regard to this vulnerability, unless they claim it never existed before?
I agree that once a vulnerability is found in a new lock design, prior to, or just after its introduction, the manufacturer should be notified and given time to effect a remedy before its publication or the sale of bypass tools to exploit the flaw. This can be easily accomplished with the execution of a mutual non-disclosure agreement between those that found the problem, and the manufacturer. Then, everyone is protected.
A defect in a new lock does not affect the consumer because there is no significant implementation of the lock with the vulnerability. This is vastly different than discovering a problem with locks that are currently installed, especially if the manufacturer enjoys a significant market penetration for its products, as does Medeco.
The second scenario is a bit more complicated and subtle, and involves the disclosure of a flaw or vulnerability in locks that are presently installed. The relevant issue has little to do with notification of the manufacturer of such a problem, other than for allowing them to fix it, going forward. In this event, I think that the public has a right to know precisely what the problem is, so they can make their own assessment of its seriousness. If the vulnerability currently exists in their installed base, it matters little whether the manufacturer is notified or not, unless the manufacturer is willing to fix the problem at the dealer and consumer level. The end-user can decide to accept the risk, or take some action, such as attempting to remedy the threat, or replacing the locks. And herein lies the crux of the problem: who is responsible for the costs in such event?
I do not believe that the notion of Responsible Disclosure applies in this instance, but that such a concept is really a legal dodge by the manufacturer to shield themselves from liability, rather than protecting the consumer. In the final analysis, it is all about money and liability. Manufacturers will claim that “new methods of bypass” are always discovered. In such event, a fix is implemented, but the lock maker claims no responsibility to retroactively remedy the problem. Their typical answer: either don’t admit the problem, or tell the consumer to buy new locks. Rarely will they bear the cost associated with a recall or other remedy because such costs could be prohibitive.
In this event, both the dealer and consumer may be left without a remedy, and even worse, may be vulnerable to a breach in security. Is the dealer supposed to continue to sell deficient or defective locks to their customers until they deplete current stock? Will the manufacturer tell the dealer of security flaws? These questions can also present serious liability issues for dealers, which most manufacturers would rather not address.
Some may argue with a philosophy of full disclosure, but once locks are pinned and installed, they are quite different from software. They can be fixed prospectively, but not retroactively without expense. So not publishing a vulnerability will not help the consumer, unless the manufacturer recalls every lock with the deficiency or defect, and fixes it. And even if a manufacturer were to agree to remedy a defect in every lock they have sold, it would be impossible to do so without notifying the affected consumers. In that event, everyone would know about the problem anyway. So we have returned to where we began: full disclosure so everyone is alerted to the security issue.
There are very few manufacturers that will admit publicly there is a problem. It has far more to do with their potential exposure than it does with their fear of “educating criminals.” So, manufacturers use language like “incremental improvements” or “enhancements” to cover what they may perceive as design defects that could result in liability. There is no doubt that every lock manufacturer wishes to produce locks that cannot be bypassed. And when they discover problems, they will usually make those “incremental improvements” to deal with these issues to protect themselves and their customers. But again, this has nothing to do with locks they have already sold.
Medeco alludes to the fact that they will be sending out letters to all of their dealers and customers, once their “enhancement” is implemented with regard to the Medecoder. Will they claim that a “new” vulnerability has been “discovered” which, they may suggest, requires the implementation of ARX pins or other changes? If that is the case, then we would expect Medeco to pay all costs associated with the repinning of all locks so affected, because it definitely is not a new threat. Otherwise, it becomes a marketing ploy to sell more products, based upon a new version of an old bypass technique.
I would submit that there is another side of Responsible Disclosure, and that is the immediate duty of a lock manufacturer to advise their dealers and customers of vulnerabilities that can directly affect their liability, safety, and security. If Medeco is “in business to protect people and property, and not to compromise their security,” then one would expect them to immediately notify their customers when they are aware of a serious risk that could affect many customers, especially those that have purchased their locks to protect high value targets and critical infrastructure. The failure to do so, in my view, constitutes Irresponsible Non-Disclosure, and can have significant legal and ethical consequences.
The Medeco Deadbolt: A Classic Example
Last summer, we disclosed a serious vulnerability in Medeco deadbolts. We did not tell the public the precise method to open these locks, but did issue a detailed report to the security community. We notified Medeco almost three months prior to the release of our report that there was a serious problem with their lock design. They never asked what that problem was.
When we disclosed the problem (but not the details) at Defcon last August, Medeco then implemented certain fixes to make their locks more secure. According to several dealers, they never told anyone what the nature of the problem was, or why certain “incremental improvements” were made. Their customer service representatives downplayed the issue and stated there was no real security threat. They said that Medeco had made certain “enhancements” to fix a problem that did not exist, because they were the leaders in the market, and then had the temerity to state that now they were the only one in the industry that did not have this “problem.”
We detail this issue in our book, because the flip side of responsible disclosure is the responsibility of lock manufacturers to tell the truth to all who rely upon both their expertise in lock design and in their integrity to do so. The fundamental question is whether the end-user has a right to know the precise nature of a vulnerability. Consider the alternatives: perhaps they should be told that there is a problem, but not what it is. Or, maybe they should be told nothing at all, adhering to the old concept of Security by Obscurity. Neither of these alternatives, in my view, is acceptable, either from an ethical or legal standpoint.
Unfortunately, in our world of instant communications and the Internet, simply advising that there may be a problem will likely prompt a discovery and full disclosure of that problem in a very short period of time. So, why not properly advise everyone at the outset, unless the issues can impact upon national security? I find it rather disingenuous of Medeco to use the Medecoder as their rationale for embracing the Locksport community. While I applaud their decision, they should be forthright in their disclosure of multiple vulnerabilities in their locks, not only from the Medecoder, but to other forms of attack. Telling a customer the truth is always the best policy. Half-truths, innuendo, and misrepresentations will ultimately backfire and will lead to mistrust, placing consumers in jeopardy, and liability upon the part of the manufacturer.
While the company may effectively prevent the Jon King tool from being used in picking attacks, by the introduction of ARX pins or similar measures, there are other techniques, both old and new, that can completely compromise the security of these locks. Medeco is fully aware of these issues, and has chosen to artfully dodge them by denials and half-truths, by misleading advertising, by being less than candid in admitting to potential security vulnerabilities, and engaging in a disinformation campaign aimed at those that have dared to publish information about bumping and picking their high security cylinders.
We will squarely address these issues at Defcon, beginning with their attempt to retroactively alter their prior statements and press releases. These issues are fully documented in our book.
We will also specifically address and present information with regard to what we perceive as other very serious vulnerabilities that exist in Medeco locks, which have been discovered as a result of our research. Medeco has been supplied with this information months ago. They should publicly address the ability to bypass their forty-year old technology by bumping, picking, forced entry attacks, and the compromise of their key control. Their customers deserve to know and understand how these locks can be compromised, especially when they are used to protect high value targets and critical infrastructure. To do less, in my view, constitutes Irresponsible Non-Disclosure upon their part.
As we have done for the past three years, we again invite representatives of Medeco to take part in our presentation at Defcon 16, and to set the record straight, from their perspective, as to the security or insecurity of their locks. It would be a perfect forum for them to address specific issues that relate to key control, forced entry, and surreptitious entry of their various products, and to explain exactly what the term “virtually resistant” really means, and how they intend to make their locks more secure against the Medecoder and more sophisticated forms of bypass that use code setting keys.