PART II: LOCKS AND THE CONCEPT OF RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE
© 2008 Marc Weber Tobias
This is Part II of an editorial that was prompted by the open letter in the May, 2008 issue of NDE magazine by Peter Field.
According to Peter Field, Medeco has now embraced and enlisted the support of the Locksport community. He cites their adherence to the concept of Responsible Disclosure as the principal reason for this apparent shift in attitude by the leading high security lock manufacturer in the United States.
In Part I, I examined the possible rationale behind this decision, and suggested that it was not done for purely altruistic motives. Jon King developed a wire pick and decoder to manipulate Medeco pins and open some of their locks. The public disclosure of this tool would constitute yet another attack on the “virtually resistant” security of Medeco locks. I believe the company decided to use this event as an opportunity to possibly re-introduce the implementation of special security pins (ARX) to prevent picking, decoding, and other forms of attack. They have been aware of these techniques for at least fifteen years, but the techniques have become more timely and relevant because of the Medecoder, as well as the release of our new book.
ARX PINS: Background
ARX pins, as I noted in Part I, were developed and introduced more than fifteen years ago, in response to a very sophisticated decoder that John Falle made available to government agencies. It used a fine wire to probe the channel at the base of each bottom pin. We believe that Medeco will be implementing certain changes in their locks to combat the Medecoder. It would be most logical that they begin using a form of ARX in their standard production line to accomplish this, because of the way in which the pick tool works, and their limited options to deal with this vulnerability.
If, in fact, Medeco supplies ARX pins, or a modified version, as standard in their cylinders, there are three important questions that need to be asked. First, why have they waited for fifteen years to do this? Second, will the pins make the locks secure against the Jon King attack, and more importantly, against the techniques we describe in our new book? Third, and perhaps most relevant, are they going to retrofit older locks to this “new” level of security, and if so, who is going to pay for it?
It is all about Cost
As to the first and second questions, I would submit that it is all about cost. Until now, Medeco did not believe they had to supply these pins, other than to customers with special needs, who were willing to pay extra for them. These pins are expensive to manufacture. In fact, Medeco management wanted to drop the ARX pin from production, but was wisely convinced by senior technical staff not to do so. The high security lock market is very competitive, so added manufacturing cost will likely be passed on to the consumer. Customers have many choices, and they may decide that other equivalent locks will meet their needs as well as Medeco. So, if the company chooses to implement these pins as their response to the Medecoder, why did they do so at this time?
The answer, I believe, is quite simple. The company is under attack from many quarters. Jon King is only the latest. More and more information is appearing on the Internet and other sources with regard to bypass techniques. So, Medeco needed to do something when Jon contacted them. I believe they used this opportunity to try to address not only the King attack, but the multiple bypass techniques that we developed and which may pose a far greater threat to Medeco. This may be especially true with regard to certain U.S. and foreign government contracts, and their specific requirements with regard to resistance against forced as well as covert and surreptitious entry.
If they do implement the ARX pin, or a pin that blocks access to the true gate channel at the tip of the pin, they will succeed in stopping the attack by the Medecoder. However, everyone should understand that the ARX pin may not be effective in stopping other attacks, including bumping and picking when using code setting keys.
The problem, as we discuss in the book, is that the ARX pin can provide positive feedback that will allow the lock to be opened, once the sidebar code has been set. This is the reason that we filed for a patent for the development of a pin to deter the very same bypass methods that we developed. We now can repeatedly demonstrate the vulnerability of these pins to bumping and picking attacks. Some locks with multiple ARX pins and varying depth increments can be reliably opened in as little time as thirty seconds. Sound impossible? We have already demonstrated certain bypass techniques for ARX pins to representatives of some U.S. and foreign government agencies.
Maybe the current Medeco description for their security, of “virtually resistant,” actually defines the opposite of what this meaningless phrase connotes: virtually not resistant to attack!
Responsible Disclosure v. Irresponsible Non-Disclosure
The third question (fixing installed products) is perhaps the most important, and relates to the concept of responsible disclosure and the counterpart to that, which we identify as Irresponsible Non-Disclosure.
I would submit that the concept of Responsible Disclosure, with regard to a manufacturer, is not quite the same in the world of mechanical locks as it is in the cyber world, when a serious software flaw is discovered. A security vulnerability in software can be instantly “patched” without any direct material cost or requirement to take apart the affected computer. This is not the case with mechanical hardware.
For locks, it depends upon a number of factors as to whether it even applies, and how. I believe there are two scenarios that must be considered. The first is the discovery of a flaw prior to or a very short time after the introduction of a new lock or design. The other is a vulnerability that has existed for some time, and is present in a significant embedded base of locks that have already been sold and installed.
In my view, the real discussion should focus on full disclosure to the public. The relevant question is when they should be warned that a vulnerability exists, and the extent of that vulnerability. Peter clearly linked the concept of responsible disclosure with the fact that Jon King came to Medeco with his specialized bypass tool prior to making it available to the public. It apparently is this rationale that prompted Medeco to recognize the Locksport community and work with them, rather than simply acknowledging the contributions they have been making for quite some time in finding flaws in locks.
The clear inference is that the King attack was a new threat and that he and the Locksport community acted responsibly by (1) disclosing the issue to Medeco, and (2) waiting to publish full details or offer the tool for sale until Medeco could take remedial action to protect everyone with Medeco locks. So I repeat my initial question: where has Medeco been for at least the past fifteen years with regard to this vulnerability, unless they claim it never existed before?
I agree that once a vulnerability is found in a new lock design, prior to, or just after its introduction, the manufacturer should be notified and given time to effect a remedy before its publication or the sale of bypass tools to exploit the flaw. This can be easily accomplished with the execution of a mutual non-disclosure agreement between those that found the problem, and the manufacturer. Then, everyone is protected.
A defect in a new lock does not affect the consumer because there is no significant implementation of the lock with the vulnerability. This is vastly different than discovering a problem with locks that are currently installed, especially if the manufacturer enjoys a significant market penetration for its products, as does Medeco.
The second scenario is a bit more complicated and subtle, and involves the disclosure of a flaw or vulnerability in locks that are presently installed. The relevant issue has little to do with notification of the manufacturer of such a problem, other than for allowing them to fix it, going forward. In this event, I think that the public has a right to know precisely what the problem is, so they can make their own assessment of its seriousness. If the vulnerability currently exists in their installed base, it matters little whether the manufacturer is notified or not, unless the manufacturer is willing to fix the problem at the dealer and consumer level. The end-user can decide to accept the risk, or take some action, such as attempting to remedy the threat, or replacing the locks. And herein lies the crux of the problem: who is responsible for the costs in such event?
I do not believe that the notion of Responsible Disclosure applies in this instance, but that such a concept is really a legal dodge by the manufacturer to shield themselves from liability, rather than protecting the consumer. In the final analysis, it is all about money and liability. Manufacturers will claim that “new methods of bypass” are always discovered. In such event, a fix is implemented, but the lock maker claims no responsibility to retroactively remedy the problem. Their typical answer: either don’t admit the problem, or tell the consumer to buy new locks. Rarely will they bear the cost associated with a recall or other remedy because such costs could be prohibitive.
In this event, both the dealer and consumer may be left without a remedy, and even worse, may be vulnerable to a breach in security. Is the dealer supposed to continue to sell deficient or defective locks to their customers until they deplete current stock? Will the manufacturer tell the dealer of security flaws? These questions can also present serious liability issues for dealers, which most manufacturers would rather not address.
Some may argue with a philosophy of full disclosure, but once locks are pinned and installed, they are quite different than software. They can be fixed prospectively, but not retroactively without expense. So not publishing a vulnerability will not help the consumer, unless the manufacturer recalls every lock with the deficiency or defect, and fixes it. And even if a manufacturer were to agree to remedy a defect in every lock they have sold, it would be impossible to do so without notifying the affected consumers. In that event, everyone would know about the problem anyway. So we have returned to where we began: full disclosure so everyone is alerted to the security issue.
There are very few manufacturers that will admit publicly there is a problem. It has far more to do with their potential exposure than it does with their fear of “educating criminals.” So, manufacturers use language like “incremental improvements” or “enhancements” to cover what they may perceive as design defects that could result in liability. There is no doubt that every lock manufacturer wishes to produce locks that cannot be bypassed. And when they discover problems, they will usually make those “incremental improvements” to deal with these issues to protect themselves and their customers. But again, this has nothing to do with locks they have already sold.
Medeco alludes to the fact that they will be sending out letters to all of their dealers and customers, once their “enhancement” is implemented with regard to the Medecoder. Will they claim that a “new” vulnerability has been “discovered” which, they may suggest, requires the implementation of ARX pins or other changes? If that is the case, then we would expect Medeco to pay all costs associated with the repinning of all locks so affected, because it definitely is not a new threat. Otherwise, it becomes a marketing ploy to sell more products, based upon a new version of an old bypass technique.
I would submit that there is another side of Responsible Disclosure, and that is the immediate duty of a lock manufacturer to advise their dealers and customers of vulnerabilities that can directly affect their liability, safety, and security. If Medeco is “in business to protect people and property, and not to compromise their security,” then one would expect them to immediately notify their customers when they are aware of a serious risk that could affect many customers, especially those that have purchased their locks to protect high value targets and critical infrastructure. The failure to do so, in my view, constitutes Irresponsible Non-Disclosure, and can have significant legal and ethical consequences.
The Medeco Deadbolt: A Classic Example
Last summer, we disclosed a serious vulnerability in Medeco deadbolts. We did not tell the public the precise method to open these locks, but did issue a detailed report to the security community. We notified Medeco almost three months prior to the release of our report that there was a serious problem with their lock design. They never asked what that problem was.
When we disclosed the problem (but not the details) at Defcon last August, Medeco then implemented certain fixes to make their locks more secure. According to several dealers, they never told anyone what the nature of the problem was, or why certain “incremental improvements” were made. Their customer service representatives downplayed the issue and stated there was no real security threat. They said that Medeco had made certain “enhancements” to fix a problem that did not exist, because they were the leaders in the market, and then had the temerity to state that now they were the only one in the industry that did not have this “problem.”
We detail this issue in our book, because the flip side of responsible disclosure is the responsibility of lock manufacturers to tell the truth to all who rely upon both their expertise in lock design and in their integrity to do so. The fundamental question is whether the end-user has a right to know the precise nature of a vulnerability. Consider the alternatives: perhaps they should be told that there is a problem, but not what it is. Or, maybe they should be told nothing at all, adhering to the old concept of Security by Obscurity. Neither of these alternatives, in my view, is acceptable, either from an ethical or legal standpoint.
Unfortunately, in our world of instant communications and the Internet, simply advising that there may be a problem will likely prompt a discovery and full disclosure of that problem in a very short period of time. So, why not properly advise everyone at the outset, unless the issues can impact upon national security? I find it rather disingenuous of Medeco to use the Medecoder as their rationale for embracing the Locksport community. While I applaud their decision, they should be forthright in their disclosure of multiple vulnerabilities in their locks, not only from the Medecoder, but to other forms of attack. Telling a customer the truth is always the best policy. Half-truths, innuendo, and misrepresentations will ultimately backfire and will lead to mistrust, placing consumers in jeopardy, and liability upon the part of the manufacturer.
While the company may effectively prevent the Jon King tool from being used in picking attacks, by the introduction of ARX pins or similar measures, there are other techniques, both old and new, that can completely compromise the security of these locks. Medeco is fully aware of these issues, and has chosen to artfully dodge them by denials and half-truths, by misleading advertising, by being less than candid in admitting to potential security vulnerabilities, and engaging in a disinformation campaign aimed at those that have dared to publish information about bumping and picking their high security cylinders.
We will squarely address these issues at Defcon, beginning with their attempt to retroactively alter their prior statements and press releases. These issues are fully documented in our book.
We will also specifically address and present information with regard to what we perceive as other very serious vulnerabilities that exist in Medeco locks, which have been discovered as a result of our research. Medeco was supplied with this information months ago. They should publicly address the ability to bypass their forty-year-old technology by bumping, picking, forced entry attacks, and the compromise of their key control. Their customers deserve to know and understand how these locks can be compromised, especially when they are used to protect high value targets and critical infrastructure. To do less, in my view, constitutes Irresponsible Non-Disclosure upon their part.
As we have done for the past three years, we again invite representatives of Medeco to take part in our presentation at Defcon 16, and to set the record straight, from their perspective, as to the security or insecurity of their locks. It would be a perfect forum for them to address specific issues that relate to key control, forced entry, and surreptitious entry of their various products, and to explain exactly what the term “virtually resistant” really means, and how they intend to make their locks more secure against the Medecoder and more sophisticated forms of bypass that use code setting keys.
OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America is now available. You can order at a discount on LP101 if you are a member.
I met with Josh Nekrep of Lockpicking101.com in Winnipeg, Canada on Tuesday to record an in-depth interview about our new book, OPEN IN THIRTY SECONDS. The one-hour discussion can be found on the LP101 site.
We have posted a special order form for LP101 members only, which provides for a 20% discount on the printed version of the book for pre-publication orders. Please check the LP101 site for details.
© 2008 Marc Weber Tobias
I read with interest the May, 2008, edition of Non-Destructive Entry Magazine (#3). What immediately caught my attention was the emphasis on Medeco locks, and an open letter from the company, written by Peter Field. The article addresses two primary issues: the recognition of Locksport contribution to security, and the fact that Medeco is taking steps to correct what they evidently perceive as a “new” vulnerability in their locks, occasioned by the development of a picking tool by Jon King.
I have known Peter for a long time, and from my perspective, he is one of the brightest engineers on the planet, with regard to lock design and innovation. He has been the chief architect of Medeco products almost forever, and the company has flourished because of his talents, insight, and creativity.
For many years, I have consulted with lock manufacturers in the United States and Europe with regard to the analysis of bypass techniques for their locks, and how to prevent or deter such attacks. This is often a complex problem, involving technical, legal and ethical issues. As a lawyer, I have advised clients as to how to protect them from liability for deficient and defective lock designs, and related corporate policies. Specifically relevant to the NDE article and the concept of responsible disclosure, I have counseled that my clients adopt a policy of full disclosure about vulnerabilities unless the release of such information would impact national security. Many have subscribed to this philosophy.
Four years ago, I began speaking publicly about the need for the lock industry to embrace, listen to, and exploit the talents of Locksport members. ALOA referred to them as hackers, criminals, persons of questionable character, and other derogatory and mostly uninformed and inaccurate descriptions. The HOPE 2006 conference that Schuyler Towne refers to was one of the hacker forums wherein Matt Fiddler and I specifically addressed this issue. In 2004 at HOPE, we did the same thing, and solicited feedback from the participants of the conference with regard to cooperation between the hacker community, manufacturers, and law enforcement. The response in 2004 and 2006 was mainly positive, but went largely ignored by manufacturers.
This prompted ALOA to advise me that I had violated their Code of Ethics, which forbids associating with “persons of questionable character.” They were referring specifically to the attendees at HOPE, which included representatives of federal law enforcement agencies, the Department of Defense, and other security professionals.
They sent the message that if I spoke at any more conferences, I would no longer be a member of ALOA. I appealed their ruling, and they never responded. I am still a member, and have been so for more than fifteen years. And I have continued to support Locksport groups in the media and lectures, and have repeatedly advocated full disclosure upon the part of lock manufacturers as the best means to ensure the security of the public and improve the quality of products. As Schuyler aptly points out, Security by Obscurity does not work, and is an inherently flawed premise. There are no more secrets: the Internet and the instant proliferation of information are responsible for that fact. Some in the locksmith community still will not accept this fact, nor will they accept the premise that the consumer has a right to know and understand security vulnerabilities in the locks that they purchase and rely on to protect them.
When Barry Wels and I gave our presentation at HOPE in 2006, and then Matt Fiddler and I spoke at Defcon the following month, we all introduced bumping to the American consumer. That, as everyone knows, caused an instant furor. The public was concerned, the locksmiths were dismayed, and ALOA was furious. That organization made their views known in an editorial in August, 2006, to which I responded. Those editorials can be found on my blog at http://in.security.org.
As an aside, now that Medeco has recognized the Locksport community, I am wondering if the fundamental thinking by ALOA will change. Will the trade organization and its members now agree with one of their major supporters (Medeco) and acknowledge the Locksport community and the valuable contributions they can offer?
Schuyler Towne and Peter Field are quite correct in what they wrote in NDE: the issue is responsible disclosure. But I would submit that this concept is different in the world of physical security than it is in the cyber world. That principle has always guided how and when I have written about security vulnerabilities in locks and related hardware. But there are variables and distinguishing issues that exist with regard to deficiencies or defects in locks, in comparison to bugs or vulnerabilities in software code. As a lawyer and technician, I may have a different and broader perspective with regard to such issues, and the legal and moral right of the public to understand vulnerabilities that can directly impact their lives and property.
Based upon Peter’s open letter, it would appear that Medeco has now embraced working with the Locksport community. As we noted in our book, it is actually not the first time they have done so. I laud them for publicly adopting this policy, but in my view, such a decision does not stem entirely from altruistic motives.
Medeco is well aware that their locks are vulnerable to attack by many different techniques, including bumping, picking, decoding, and the compromise of their key control. Just look at how Medeco has modified their disclaimers in the past eighteen months with regard to bumping and picking. They have gone from “bump proof” to “virtually bump proof” to “virtually resistant.”
We documented how they subtly changed their advertising and retroactively altered their press releases because they knew their locks were vulnerable. The real question is whether this knowledge translated into what I would refer to as the other side of Responsible Disclosure? Did they notify their dealers or customers, especially those in the federal or state government, of such vulnerabilities? The answer, from our investigation, is no.
For the past eighteen months, my associates and I have been involved in a detailed and comprehensive research project to develop entirely new methods of forced, covert, and surreptitious entry for the Biaxial and m3 cylinders. The result of that research, and every detail along the way, has been provided to Medeco (other than copies of our three separate patent filings). This “full disclosure” has taken the form of video, locks, keys, code tables, diagrams, charts, and demonstrations at the factory and in the field to management at Medeco. We even provided an advance copy of our book at least four months ago for their engineers and counsel to review. We repeatedly encouraged them to seek an injunction to block publication, or to have the government classify the information, if they believed that it would be contrary to national security.
Of even more interest is the inference that Medeco was unaware of this “new” method of compromise that Jon King developed to pick their cylinders. I had a long discussion with Jon last month with regard to his decoder and technique. I credit him with being very creative in solving the problem of how to control and manipulate the chisel-point pins within a Medeco cylinder. This allows them to be rotated in order to align the sidebar leg to the true gate channel. It is a clever solution to a forty-year-old problem. But it is not unique, and Medeco knows it.
There have been several variations of tools for decoding and manipulating Medeco pins that have been patented or available to government agencies. Jon just made it a lot simpler to accomplish. According to Medeco, its use can potentially affect perhaps twenty percent of their locks. So, Medeco used the NDE forum to announce that they would be improving the security against picking, for locks that they have been advertising as “virtually resistant” to such attack!
In 1976, the company sued Lock Technology Company to stop them from producing a pick tool and technique to reproduce Medeco keys. Medeco lost this lawsuit, although most in the industry believe they won it. In 1994, the company, in response to the development of another decoding tool that was produced by John Falle in England, introduced the ARX pin. ARX is an acronym for Attack Resistance Xtended. The Lock Technology case and the development of the ARX pin are significant because they both relate to security vulnerabilities in Medeco locks that stem from the ability to probe and manipulate the bottom pins by using the true gate channel. This is the same method of attack that Jon is employing to feel-pick these locks.
This specially-designed ARX bottom pin was designed to prevent John and others from decoding the true gate channel by probing the tip of the bottom pin with a fine wire. The government and some commercial customers employ these pins to add another layer of protection against pick and decoding resistance. As we have documented, they are only partially effective in preventing certain methods of bypass that we discuss in our book.
So for Medeco to now claim that they are making incremental improvements to their locks to protect against this “new” threat is not quite the full story. We believe that Medeco will shortly announce the implementation of the ARX pin for all of its m3 cylinders in an attempt to prevent the use of the bypass methods developed by Jon, and those that are disclosed in our new book.
If Medeco claims that they were not aware of the method to pick their locks that Jon King developed, then I would suggest that you read the Lock Technology patents and other prior art and draw your own conclusions. If they in fact implement ARX pins in all of their cylinders, then they are doing so fifteen years after the fact. The significant question is why and why now?
Peter talks about standards. As we note in our book, we believe that the standards, those enumerated in UL 437 and BHMA/ANSI 156.30, are precisely the problem. In our detailed analysis, we talk about why we feel that these standards do not go far enough in protecting high value targets or critical infrastructure.
Manufacturers, such as Medeco, tout these standards as an assurance that their locks are secure against defined threats, especially for high security applications. “Defined” is the operative word, because the standards do not protect against many threats that can allow Medeco and other high security cylinders to be opened in seconds. They only protect against “defined” standards that do not contemplate many forms of attack.
For those of you that may be unaware of BHMA/ANSI 156.30, this is the civilian high security standard for locks. In discussions with BHMA, I have pointed out what we perceive as the deficiencies in their current standard. We have asked them to look at our methods of bypassing Medeco and other cylinders, with the view to addressing these methods of compromise in a new standard that is based upon “real world testing” rather than specifically defining each method of bypass.
Finally, Peter and Schuyler address the concept of Responsible Disclosure. While I certainly agree that we should not be educating criminals as to techniques to bypass locks, there is a problem in this logic, which Schuyler correctly identifies. The consumer has a right to know of deficiencies or defects that can affect their security. The problem is that locks are quite different than software. Code errors can be fixed with updates that can be instantly implemented without any cost of materials. Patches can be effected remotely to fix a security vulnerability. This is not the case with locks.
And often the criminals are far ahead of the consumer in their knowledge, so is it wise to keep that knowledge from the consumer, commercial security officer, or government agency? The real problem, and the irony of embracing the Locksport and hacking community, is that Medeco and other manufacturers often do not know how to bypass their own locks! That is very obvious, for if they did, they would have taken the necessary steps to properly design their cylinders against such techniques. This fact can be no more graphically illustrated than by Medeco’s insistence that their locks cannot be bumped or picked by the methods we developed and attempted to explain to Medeco since 2006. The fact that Medeco could not open their own locks does not mean that they cannot be opened by others, using those same techniques!
So it often falls upon the Locksport enthusiasts, hackers, or security professionals, outside of the lock manufacturing community, to demonstrate vulnerabilities that should have been discovered by the manufacturer before offering their products for sale. In my experience, design engineers learn how to make things work quite well; they rarely are educated in how to break them. That is a fundamental problem. If locks were designed properly, hackers and others would not be able to circumvent security. It is about time that manufacturers recognized that the more minds that are evaluating their products, the better.
So, when Peter says that Medeco and other lock manufacturers are reluctant to publicize potential threats to their products, primarily because they do not want to teach criminals how to decipher their mechanical puzzles, I would submit that this statement is not quite correct, nor does it tell the whole story. While there is no question that every lock manufacturer is “genuinely concerned with the security of their customers,” there is another side to this issue, and that is money and liability. And at the end of the day, there should be no illusion as to why lock makers are in business: it is to make money, first and foremost.
Advising a manufacturer of a design defect is the right course of action. Unfortunately, most manufacturers have been unwilling to listen to the Locksport community, instead calling them hackers and criminals. This is clearly changing. In Europe, Toool has been responsible for a shift in attitude, primarily upon the part of some major manufacturers. And the realization by Medeco that they can have a valuable ally by using individuals with diverse backgrounds, to test their locks, is an important step forward. The question is the effect of advising a manufacturer of a problem, and when to notify the public. This is the real issue.
While I completely embrace responsible disclosure, thus giving a manufacturer time to fix a problem in a new design, I do not quite subscribe to the theory of giving a manufacturer time to address all problems, especially if they have existed for quite a while, the locks have achieved significant market penetration, and the issue likely will not be remedied by the manufacturer without cost to the consumer.
In Part II, I shall address this issue, and why the concept of responsible disclosure is a technical, logistical, legal and financial minefield for lock manufacturers.
THE COMPROMISE OF MEDECO HIGH SECURITY LOCKS: A Foreword by Ross Anderson, Cambridge University, England
Ross Anderson, world-renowned security expert and director of the Cambridge University Computer Security Laboratory, has written one of the forewords for our new book. Ross is the author of Security Engineering, Second Edition, which is a primary reference for software designers and engineers. The new edition of his book has recently been released by John Wiley & Sons publishers. This 1000-page book is the definitive work on the engineering of software systems and their vulnerabilities.
Ross discusses physical security and its relation to software systems, and how the two technologies can intersect to create additional security challenges or opportunities. His foreword should be a wake-up call for security professionals and especially locksmiths, that the integration of mechanical locks and software-based systems is inevitable, and that the physical security industry will face the same challenges with regard to security and disclosure of vulnerabilities as did the software industry.
See Ross Anderson’s web site for more information.
FOREWORD BY ROSS ANDERSON
Most of the world’s serious assets, from computer rooms to art collections, are defended by pin tumbler locks, and Medeco has ruled this world supreme for a generation. So the Tobias attacks on the most modern Medeco offerings, which they describe in this book, came as a serious shock for security engineers.
It is a great honour to be asked to write this foreword, as the book is sure to be a milestone in the field. What is less clear is the future direction of travel for the industry.
As my own background lies more in cryptographic and systems security, there is some temptation to think that the attacks might signal a technology change — especially as they follow on widely-publicized and improved lock-bumping techniques that cast serious doubts on the low-cost end of the market. Has the metal lock now had its day? Will the future lie with cryptographic tokens and remote key-entry devices?
That is also far from clear. Electronic systems have vulnerabilities too, and although the first break can be harder to find, the eventual failure can be much more catastrophic. For example, the recent reverse-engineering of MIFARE has exposed millions of applications to low-cost forgery, starting with the Dutch public transit card but including many building access control systems.
I suspect that in the medium term, we will see a merger of the worlds of electronic locks and mechanical locks. I do not just mean that high-end products will combine both technologies – although this is already starting to happen. The important change, I believe, is that we will need to start thinking more in terms of systems.
First, the evaluation of mechanical locks has depended for many years on the reputation of the manufacturer plus some (often rather cursory) inspection by insurance bodies, as described in chapter 2. In the electronic domain, evaluation is much more open and combative: security researchers vie to find vulnerabilities in products, and a constant stream of vulnerability reports drives product upgrades and innovation. Locksmiths will have to get used to a much more open and fast-moving environment, in which vulnerabilities are reported publicly (as Medeco’s are in this book). Finding (or anticipating) vulnerabilities in complex systems is a collaborative effort of many people over time, and openness is vital.
Second, locks get much of their value from the role that they play in larger systems, rather than simply as components. The need to manage all the locks in a building has led to master keying, but (as this book hammers home) that brings with it complexity and other opportunities for error. Facility designers in the future may want some locks that can be integrated seamlessly into electronic control and surveillance systems; and if they are prudent they will want some other locks that are independent, to mitigate the risks of systemic and common-mode failures. Vendors may have to think more carefully about complexity and interaction, both of features and of failure modes, and not just within a single lock but in all their fielded products. Again, openness will be critical; security engineers need to know the vulnerabilities of the products they use as well as their strengths, so they can avoid untoward interactions.
Returning now to the Medeco locks that are the main subject of this book, I cannot help wondering whether their very complexity may have been their undoing. Electronic security professionals know that complexity is the enemy of security, and the marketers’ natural tendency to add features must be vigorously resisted by the security architect.
Features interact, and past a certain level of complexity it is just not possible for designers to anticipate them all. This may be new to lock designers, but it’s old hat to people who work with computers. The exchange of such ‘lore’ between different security communities is at least as important as the exchange of formal engineering data.
In short, now that the electronic and mechanical security communities are converging, our task is to combine the best of both — not just at the component level, but the best design and evaluation thinking at the level of systems. This is going to be a fascinating challenge.
Professor of Security Engineering
Cambridge University, England
June 2nd 2008
Our new book, entitled “THE COMPROMISE OF MEDECO HIGH SECURITY LOCKS: New Methods of Forced, Covert, and Surreptitious Entry” will be available in the multimedia edition on June 15, 2008. This version will only be sold to Government and Locksmiths. The softbound book will be released about July 15, 2008.
The book presents an extensive analysis of Medeco locks and different methods to bypass them by covert and forced entry techniques. This photograph shows four keys that can be used to bump and pick Medeco Biaxial and m3 cylinders, sometimes in less than one minute. These keys will theoretically simulate the sidebar codes for all non-master keyed Biaxial and m3 cylinders that were pinned prior to December, 2007.
This photograph shows a specially-prepared six-pin mortise cylinder which we used in several macro-videos that are contained in the book, to demonstrate how we neutralize the sidebar prior to picking this lock. The key with the correct sidebar code is shown to the left of the keyway. Note how the angles match those of the bottom pins. The view is from the bottom of the plug, looking up at the chisel-points of each pin. Their angles are noted on the cylinder.
The book took more than eighteen months of research and has resulted in three separate patent filings that detail multiple methods of bypass, certain technology to prevent these attacks, and mechanical modifications to secure Medeco deadbolt cylinders against certain forms of forced entry to which they are still vulnerable.
The book is about 350 pages and contains more than 400 images, tables, charts, and graphics. There are more than thirty video segments to demonstrate all forms of bypass of these cylinders. A detailed discussion of conventional and high security locks is presented, as well as an analysis of UL 437 and BHMA/ANSI 156.30 standards, and what they fail to protect against.
We believe this is the most comprehensive book ever written about Medeco locks. It discloses methods of bypass that are completely new and unique, and can allow the circumvention of all layers of security within these cylinders, often in seconds. If you have security responsibility in the commercial or government sectors, you will need to understand the vulnerabilities of high security locks to attacks against key control, bumping, picking, extrapolation of the top level master key, and forced entry. This information is provided in the book, with significant supporting documentation.
For additional information, see www.security.org.
We hope everyone enjoys the book, as much as we did in its production. We are already working on the next edition, and will provide detailed information on the bypass of the ARX pin in greater depth than we have, to date. The ARX is the Medeco high security pin that is supposed to prevent picking, bumping, and decoding attacks. We anticipate an announcement from Medeco, based upon information that we have obtained, that would indicate that they will be supplying these pins as standard in their locks, beginning later this summer, in an effort to make them more secure against the methods of attack that are described in our book, and other methods described in a recent article with regard to the bypass of Medeco locks.
Although the various ARX pin designs make bypass much more difficult, they also can provide excellent feedback with regard to our techniques of covert entry. It should indeed be an interesting year.
Matt Fiddler and I will be lecturing at Defcon 16 again this year, to provide an in-depth analysis of Medeco locks and how we broke their security. We hope everyone can attend the conference, to be held the first week in August in Las Vegas.
And for everyone who has asked what is next in the LSS+x series: the second high security supplement will describe the bypass of Mul-T-Lock cylinders and why we do not believe they are secure against a variety of attacks, or should carry a UL 437 rating.
If you have any questions, feel free to contact us. We appreciate your feedback and look forward to seeing many of you during different conferences this summer, and at Toool at Sneek in October.
Marc and Toby
I hope that many of you had a chance to listen to Emmanuel Goldstein’s radio program, Off The Hook, on WBAI in New York last Wednesday, May 23, 2008. We had a good discussion of security and high security locks, especially relating to Medeco cylinders.
I have received quite a few emails with regard to our new book on Medeco. We anticipate releasing the extremely detailed multimedia edition on June 15, 2008. The Government and Locksmith editions are entitled “The Compromise of Medeco High Security Locks: New techniques of forced, covert, and surreptitious entry.”
The softbound edition is scheduled for limited release in New York during the second week of July, with full release the first week in August. The printed edition is entitled, “OPEN IN THIRTY SECONDS: Cracking one of America’s most secure locks.”
We will be posting the chapter outline and video content shortly.
Stay tuned for more details.
Marc Tobias and Tobias Bluzmanis have been invited by Barry Wels to give a detailed presentation at the annual Toool conference in Sneek between October 9-11, with regard to how they developed bypass techniques to compromise one of the most secure locks in America, produced by Medeco, of Salem, Virginia.
Marc and Toby will be training security professionals as to methods of picking, bumping, forced entry, and the complete compromise of key control for the m3 and certain Biaxial cylinders. Overflow attendance is expected at the conference this year because it immediately follows the security show in Essen, Germany.
Additional details can be found at the Toool website.
Marc Tobias and Matt Fiddler will again be lecturing at the annual Defcon 16 security conference in Las Vegas between August 8-10. Last year, more than 8,000 people attended the three day event.
Marc and Matt will lecture on the development of bypass techniques for Medeco high security locks and explore this classic case of multiple failures that allowed perhaps the most secure lock in America to be compromised by forced and covert methods of entry. The new book by Marc Tobias and Tobias Bluzmanis on how the Medeco locks were cracked will be released at the conference.
A demonstration of new and extremely serious vulnerabilities will be presented with regard to Medeco cylinders in an effort to alert security officers of the potential threat that currently exists for certain Medeco locks. Last year, JennaLynn, 12 years old, bumped open a Medeco Biaxial cylinder in about a minute. This year, she is expected to again demonstrate certain bypass techniques that surely will be of interest to consumers as well as security specialists.
Marc Tobias will be conducting a workshop at the annual Techno-Security conference in Myrtle Beach, SC, on June 2, 2008, put on by The Training Company.
Approximately 1400 law enforcement personnel are expected to attend the four day conference, which is recognized as one of the most successful gatherings of its kind. Marc will lecture on the vulnerabilities of high security locks; vital information for covert entry experts.
Marc Tobias will be interviewed by Emmanuel Goldstein, Founder of 2600 Magazine and the HOPE Conference in New York. This one hour radio program will be aired on Wednesday, May 21, 2008 at 7:00 P.M. in New York on WBAI-FM.
Marc will discuss various issues that relate to high security locks and the standards by which they are certified, as well as a broad range of other vulnerabilities. He will also discuss his soon to be released book about how the security of Medeco locks has been compromised.