8/4/2019 Open in Thirty Seconds Defcon 16
Open in 30 Seconds
Cracking One of the
Most Secure Locks in America
Marc Weber Tobias
Matt Fiddler
Tobias Bluzmanis
Agenda
Part I: The Beginning
Part II: Key Control and Key Security
Part III: Locks Lies and Videotape
PART I
The Beginning
WHY THE MEDECO CASE STUDY IS IMPORTANT
Insight into design of high security locks
Patents are no assurance of security
Appearance of security v. Real World
Undue reliance on Standards
Manufacturer knowledge and Representations
Methodology of attack
More secure lock designs
CONVENTIONAL v. HIGH SECURITY LOCKS
CONVENTIONAL CYLINDERS
Easy to pick and bump open
No key control
Limited forced entry resistance
HIGH SECURITY CYLINDERS
UL and BHMA/ANSI Standards
Higher quality and tolerances
Resistance to Forced and Covert Entry
Key control
HIGH SECURITY LOCKS:
Protect Critical Infrastructure, high value targets
Stringent security requirements
High security Standards
Threat level is higher
Protect against Forced, Covert entry
Protect keys from compromise
HIGH SECURITY: Three Critical Design Factors
Resistance against forced entry
Resistance against covert and surreptitious entry
Key control and key security
Vulnerabilities exist for each requirement
HIGH SECURITY LOCKS: Critical Design Issues
Multiple security layers
More than one point of failure
Each security layer is independent
Security layers operate in parallel
Difficult to derive intelligence about a layer
ATTACK METHODOLOGY
Assume and believe nothing
Ignore the experts
Think out of the box
Consider prior methods of attack
Always believe there is a vulnerability
WORK THE PROBLEM
Consider all aspects and design parameters
Do not exclude any solution
ATTACKS: Two Primary Rules
The Key never unlocks the lock
Mechanical bypass
Alfred C. Hobbs: If you can feel one component against the other, you can derive information and open the lock.
METHODS OF ATTACK: High Security Locks
Picking and manipulation of components
Impressioning
Bumping
Vibration and shock
Shim wire decoding (Bluzmanis and Falle)
Borescope and Otoscope decoding
Direct or indirect measurement of critical locking components
ADDITIONAL METHODS OF ATTACK
Split key, use sidebar portion to set code
Simulate sidebar code
Use of key to probe depths and extrapolate
Rights amplification of key
EXPLOITING FEATURES
Codes: design, progression
Key bitting design
Tolerances
Keying rules
Medeco master and non-master key systems
Interaction of critical components and locking systems
Keyway and plug design
STANDARDS REQUIREMENTS
UL and BHMA/ANSI STANDARDS
TIME is critical factor
Ten or fifteen minutes
Depends on security rating
Type of tools that can be used
Must resist picking and manipulation
Standards do not contemplate or incorporate more sophisticated methods
COVERT and FORCED ENTRY RESISTANCE
High security requirement
CONVENTIONAL PICKING
SOPHISTICATED DECODERS
John Falle: Wire Shim Decoder
TOBIAS DECODER: [email protected]
DECODE PIN ANGLES
FORCED ENTRY RESISTANCE
FORCED ENTRY ATTACKS: Deficiencies in standards
Many types of attacks defined
Mechanical Bypass - Not Contemplated
Must examine weakest links
Do not cover hybrid attacks
Medeco deadbolt attacks
Medeco mortise attack
SIDEBAR: Bypass and Circumvention
Direct Access
Decoding attacks
Manipulation
Simulate the sidebar code (Medeco)
Use of a key (Primus and Assa)
Indirect access
Medeco borescope and otoscope decode issues
FORCED ENTRY ATTACKS
Direct compromise of critical components
Medeco deadbolt 1 and 2 manipulate tailpiece
Hybrid attack: two different modes
Medeco reverse picking
Defeat of one security layer: result
Medeco Mortise and rim cylinders, defeat shear line
MEDECO CASE HISTORY
Exploited vulnerabilities
Reverse engineer sidebar codes
Analyze what constitutes security
Analyze critical tolerances
Analyze key control issues
Analyze design enhancements for new generations of locks: Biaxial and m3 and Bilevel
MEDECO MISTAKES
Failed to listen
Embedded design problems from beginning
Compounded problems with new designs with two new generations: Biaxial and m3
Failed to connect the dots
Failure of imagination
Lack of understanding of bypass techniques
DESIGN = VULNERABILITY
Basic design: sidebar legs + gates
How they work: leg + gate interface
Tolerance of gates
Biaxial code designation
Biaxial pin design: aft position decoding
M3 slider: geometry
M3 keyway design
Deadbolt design
MEDECO DESIGN: Exploit design vulnerabilities
EXPLOIT BEST DESIGN FEATURES
Sidebar leg true gate channel
Code assignment: Biaxial 1985
Gate sidebar leg tolerance
M3 design 2003
Widen keyway .007
Slider geometry, .040 offset
MEDECO TIMELINE
1970 Original Lock introduced
1985 Biaxial, Second generation
2003 m3 Third generation
MEDECO LOCKS: Why are they Secure?
2 shear lines and sidebar for Biaxial
3 independent security layers: m3
Pins = 3 rotation angles, 6 permutations
Physical pin manipulation difficult
False gates and mushroom pins
ARX special anti-pick pins
High tolerance
MODERN PIN TUMBLER
MEDECO BIAXIAL
MEDECO LOCKS: 3 Independent Layers
Layer 1: PIN TUMBLERS to shear line
Layer 2: SIDEBAR: 3 angles x 2 positions
Layer 3: SLIDER 26 positions
Opened By:
Lifting the pins to shear line
Rotating each pin individually
Moving the slider to correct position
MEDECO TWISTING PINS: 3 Angles + 2 Positions
SIDEBAR Technology
Blocks rotation of the plug
One or two sidebars
Primary or secondary locking
Only shear line or secondary
Integrated or separate systems
Assa, Primus, Mul-T-Lock MT5, Evva MCS = split
Medeco and 3KS = integrated
Direct or indirect relationship and access by key bitting
SIDEBAR LOCKING: How does it work
One or two sidebars
Interaction during plug rotation
Direct or indirect block plug rotation
Sidebar works in which modes
Rotate left or right
Pull or push
Can sidebar be neutralized: i.e. Medeco
Setting sidebar code
Pull plug forward, not turn
SIDEBAR LOCKING: Information from the lock?
Feel picking: sense interactions
Medeco, 3KS, Primus, Assa = direct link
MCS = indirect link: sidebar to component
Sidebar + pins/sliders interaction to block each other: ability to apply torque?
SECURITY CONCEPTS: Sidebar IS Medeco Security
GM locks, 1935, Medeco re-invented
Heart of Medeco security and patents
Independent and parallel security layer
Integrated pin: lift and rotate to align
Sidebar blocks plug rotation
Pins block manipulation of pins for rotation to set angles
PLUG AND SIDEBAR: All pins aligned
SIDEBAR RETRACTED
PLUG AND SIDEBAR: Locked
MEDECO CODEBOOK: At the heart of security
All locksmiths worldwide must use
All non-master keyed systems
New codes developed for Biaxial in 1983
Chinese firewall: MK and Non-MK
Codebook defines all sidebar codes
MEDECO RESEARCH: Results of Project
Covert and surreptitious entry in as little as 30 seconds: standard requires 10-15 minutes
Forced entry: four techniques, 30 seconds, affect millions of locks
Complete compromise of key control
Duplication, replication, simulation of keys
Creation of bump keys and code setting keys
Creation of top level master keys
M3 SLIDER: Bypass with a Paper clip
SECURITY OF m3:
Video Demo:
Medeco Slider Bypass
RESULTS OF PROJECT: Picking
Pick the locks in as little as 30 seconds
Standard picks, not high tech tools
Use of another key in the system to set the sidebar code
Pick all pins or individual pins
Neutralize the sidebar as security layer
PICKING A MEDECO LOCK
Video Demo:
Picking Medeco Locks
RESULTS OF PROJECT: Reverse Picking
Video Demo:
Reverse Picking Medeco Locks
RESULTS OF PROJECT: Bumping
Reliably bump open Biaxial and m3 locks
Produce bump keys on Medeco blanks and simulated blanks
Known sidebar code
Unknown sidebar code
MEDECO BUMP KEY
Video Demo:
Bumping Medeco Locks
Jenna Lynn Tobias
RESULTS OF PROJECT: Decode Top Level Master Key
Determine the sidebar code in special system where multiple sidebar codes are employed to protect one or more locks
Decode the TMK
PWN the system
RESULTS OF PROJECT: Forced Entry Techniques
Deadbolt attacks on all three versions
Deadbolt 1 and 2: 30 seconds
Deadbolt 3: New hybrid technique of reverse picking
Mortise and rim cylinders
Prior intelligence + simulated key
Interchangeable core locks
DEADBOLT ATTACK
DEADBOLT BYPASS: $2 Screwdriver + $.25 materials
Video Demo:
Deadbolt Bypass: Original
Interim Fix
Current Production
MEDECO BILEVEL
2007 Bilevel locks introduced
Integrate low and high security to compete
Flawed design, will affect system security when integrated into high security system
Borescope decoding of aft pins to compromise security of entire system
CONNECTING THE DOTS: The Results
Biaxial Code assignment: Reverse Engineer for all non-master key systems
Gate tolerance: 4 keys to open
NEW CONCEPT: Code Setting keys
Sidebar leg-gate interface: NEW CONCEPT: Setting sidebar code
M3 Wider keyway: Simulated blanks
Slider design: paper clip offset
4 KEYS TO THE KINGDOM
PART II
Key Control
and Key Security
KEY CONTROL: The Theory
PROTECTION OF BLANKS OR CUT KEYS FROM ACQUISITION OR USE:
Unauthorized duplication
Unauthorized replication
Unauthorized simulation
restricted keyways
proprietary keyways
sectional keyways
MEDECO INSECURITY: Real World Threats - Keys
VIOLATION OF KEY CONTROL and KEY SECURITY
Compromise of entire facility
Improper generation of keys
KEYS and KEY CONTROL
KEYS: EASIEST WAY TO OPEN LOCKS
Change key or master key
Duplicate correct bitting
Bump keys
Rights amplification: modify keys
PROTECTION OF KEYS
Side bit milling: Primus and Assa
Interactive elements: Mul-T-Lock
Magnets: EVVA MCS
0WN THE SYSTEM: Obtaining the Critical Data
TECHNIQUES TO OBTAIN KEY DATA
Impressioning methods
Decoding: visual and Key Gauges
Photograph
Scan keys
Copy machine
KEYS: CRITICAL ELEMENTS
Length = number of pins/sliders/disks
Height of blade = depth increments = differs
Thickness of blade = keyway design
Paracentric design
Keyway modification to accommodate other security elements
Finger pins
Sliders
KEY CONTROL
KEY CONTROL
KEY SECURITY
Duplicate
Replicate
Simulate
Key control and Key Security may not be synonymous!
KEY SECURITY: A Concept
Key control = physical control of keys
Prevent manufacture and access to blanks
Control generation of keys by code
Patent protection
Key security = compromise of keys
Duplication
Replication
Simulation
MEDECO KEY CONTROL: Appearance v. Reality
WHAT IS IT SUPPOSED TO MEAN?
ARE THE STANDARDS SUFFICIENT?
REAL WORLD VULNERABILITIES
MEDECO KEY CONTROL: Virtually Impossible to Copy
High security starts with key control; a process that insures that keys cannot be duplicated without proper permission. Clearly, if anyone can have a lock's key copied, then it truly doesn't matter how tough the lock itself is built. Medeco's patented key control makes it virtually impossible for someone to duplicate a commercial or residential key without proper permission.
MEDECO HIGH SECURITY KEYS v. STANDARD KEYS
A standard key can be copied at a million stores without restriction or proof of ownership. Unauthorized duplicate keys often result in burglaries, theft, vandalism, and even violent crimes.
Medeco advertising brochure
Video Demo:
Medeco Key Copy Promo
MEDECO KEY CONTROL: The Problem
CIRCUMVENTING SECURITY LAYERS
Keyways can be bypassed
Blanks can be simulated
Sidebar codes are simulated
Slider can be bypassed
NO REAL LEGAL PROTECTION EXCEPT FOR M3 STEP
Patent expired 2005
Keyways not protected
Third party blanks
KEY Control: Duplicate - Replicate - Simulate
SECURITY THREAT:
Failure of Key Control: Duplicate
IMPROPER ACQUISITION OR USE OF KEYS BY EMPLOYEES OR CRIMINALS
Unauthorized access to facilities or areas
Bump keys
Use for rights amplification
Compromise master key systems
SECURITY THREAT:
Failure of Key Control: Replicate
HIGH SECURITY LOCKS AND KEYS
Designed to prevent replication
REPLICATION TECHNIQUES
Easy entrie milling machine
Silicone casting
Plastic and epoxy copies
Facsimile copy
SECURITY THREAT:
Failure of Key Control: Simulate
M3 KEYWAY
Wider than Biaxial
No paracentric keyway
COMPONENTS OF MEDECO KEYS
Ward pattern and paracentric keyway
Bitting
M3 Slider
SECURITY THREAT
Bypass wards in paracentric keyway
Create new blanks
RESULT:
Failure of Key Control
Restricted and proprietary keyways
M3 Slider: bypass with paper clip
Sabotage potential
Availability of blanks
Duplicate from codes or pictures
TMK extrapolation
Set the sidebar code
Make keys to open your locks
MEDECO INSECURITY:
Real World Threats - Keys
NO KEY CONTROL OR KEY SECURITY
All m3 and some Biaxial keyways
Keyways (restricted and proprietary)
M3 Step = no security
Copy keys
Produce any blank
Generate Top Level Master Key
Cut any key by code
MEDECO INSECURITY:
The Threat from Within
COMPROMISE OF KEY CONTROL + HYBRID ATTACK
Mortise, Rim, Interchangeable cores
MEDECO KEY CONTROL v.
CONVENTIONAL KEYS
Conventional keys = 1 layer of security
Medeco keys = 3 layers of security
Hybrid attacks
With key cutting machine
MORTISE, RIM, IC:
A Special Form of Attack
HYBRID ATTACK
Will damage the lock
Entry in ten seconds
Millions of Locks affected
KEYMAIL: The New Security Threat from Within
NEW AND DANGEROUS THREAT
FAILURE OF KEY CONTROL IN m3 and SOME BIAXIAL CYLINDERS
Duplicate keys easily
USE OF NEW MULTI-FUNCTION COPIERS
It scans, copies, prints, and allows the production of MEDECO keys
KEYMAIL: The Premise
EASILY CAPTURE AN IMAGE OF KEY
REPLICATE THE KEY IN PLASTIC
DIFFERENT METHODS TO OPEN LOCKS
No key control
Easy to accomplish with access to source key
Simple technique to replicate any key
MEDECO ACCEPTS PLASTIC!
KEYMAIL: How It Works for Medeco
ACCESS TO THE TARGET KEY
CAPTURE AN IMAGE
PRINT THE IMAGE
PRODUCE A KEY
OPEN THE LOCK
MEDECO and KEY CONTROL?
American Express, Master Card, Visa, Discover, and Diners Club
Don't leave home without one
What is behind the locked door: Priceless
Go anywhere you want to be
The card that can get you cash
The card is key
CUT A FACSIMILE OF KEY
KEY REQUIREMENTS FOR MORTISE, RIM, and IC LOCKS
Vertical bitting only
No sidebar data
No slider data
Medeco Key Control?
PLASTIC KEYS: PROCEDURE
OBTAIN IMAGE OF THE KEY
Scan, copy, or photograph a Medeco key
Email and print the image remotely
Print 1:1 image on paper, label, Shrinky Dinks
Trace onto plastic or cut out the key bitting
Copy with a key machine or by hand
INSERT KEY INTO PLUG
Neutralize three layers of security
Open Mortise, Rim, IC cylinders
ACCESS TO TARGET KEY
BORROW BRIEFLY
AUTHORIZED POSSESSION
USE
COLLUSION WITH EMPLOYEE WHO HAS ACCESS TO A KEY
CAPTURE AN IMAGE
COPIER
TRACE THE KEY
CELL PHONE CAMERA
SCANNER / FAX
OBTAIN DATA - COPIER
OBTAIN DATA - SCANNER
OBTAIN DATA - CELL CAM
BLACKBERRY CURVE
RESULTING IMAGE
REPRODUCE THE IMAGE
On Paper
On credit card or plastic card
On plastic sheet
On Adhesive Labels
On Shrinky Dinks plastic
On a piece of copper wire
On a simulated metal key
PRINT IMAGE
ON PLASTIC OR PAPER
KEYS FROM PLASTIC CARDS
OPEN m3 and SOME BIAXIAL LOCKS
STANDARD KEY MACHINE
Hybrid attack, vertical bitting only
MEDECO CUTTER
Vertical bitting and angles
CUT BY HAND
Vertical bitting and angles
BYPASS SLIDER
Paper clip or wire
NEUTRALIZE SHEAR LINE
PRODUCE A KEY:
Set the Shear Line
SET THE SHEAR LINE
SET THE SHEAR LINE
HYBRID ATTACK: Set the Shear Line, Open the Lock for Mortise, IC, Rim Cylinders
CONVENTIONAL LOCKS
KWIKSET = 1 Layer of Security
KWIKSET PLASTIC KEY
Video Demo:
Kwikset Plastic Key
HIGH SECURITY KEYS
MULTIPLE SECURITY LAYERS
Many cannot be simulated
Video Demo:
Medeco Plastic on key Machine
Medeco Plastic on Door
MEDECO INSECURITY: Protective Measures
FACILITY RESTRICTIONS
No First Amendment
No paper clips!
No credit cards, key cards, hotel room cards
No Copiers, scanners, cameras
No scissors or X-Acto knives
No self-adhesive labels
No plastic report covers
No Shrinky-Dinks!
No printers or Multifunction Devices
No cell, email or Fax connections to outside world
PART III
Locks, Lies
And Videotape
Our locks are bump-proof, virtually bump-proof and Virtually Resistant
We Never claimed our Locks were bump-proof!
Our deadbolts are secure, no problem!
We have spent hundreds of hours and cannot replicate any of the Tobias attacks!
MEDECO RECOGNIZES LOCKSPORT:
NDE: May, 2008
BASED ON RESPONSIBLE DISCLOSURE ABOUT MEDECODER
Give Medeco time to fix the vulnerability
Right result, wrong reason
Not new: 15 year old bypass
Problem in millions of locks
Concept not applicable
KNOWN VULNERABILITIES IN MEDECO LOCKS
RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE
Serious vulnerabilities disclosed to Medeco
Notice to manufacturer for 18 months
Failure to disclose to dealers or customers
Misrepresentation, half truth, misleading advertising and use of language that means nothing
RESPONSIBLE DISCLOSURE: It's a Two-Way Street
DISCOVERY OF VULNERABILITY
Locksport, hacker, security expert disclosure to manufacturers
Manufacturers to dealers and consumers
SIGNIFICANT QUESTIONS
When discovered
New lock or embedded base
Number of users affected
National security issues
RESPONSIBILITIES
Locksport and hacker responsibility
Disclose vulnerability in new lock design or upgrade
What about current locks that are installed
Give time to fix? When relevant?
HIGH SECURITY LOCK MANUFACTURERS
Responsibilities of high security lock manufacturers are different
High security is different than normal mfg or corporation
Protect high value targets, critical infrastructure
Duties
Tell the truth
Disclose security vulnerabilities to customers and dealers
RESPONSIBLE DISCLOSURE: REALITY, AND LIABILITY
WHAT TO DISCLOSE AND TO WHOM
TWO COMPONENTS
PUBLIC RIGHT AND NEED TO KNOW
Security by Obscurity
Assume the risk: only based upon knowledge
Bad guys already know
LOCKS NOT LIKE SOFTWARE
Notice is only prospective to fix a problem
DISCLOSURE TO MANUFACTURER: Prospective or Retroactive Effect
PROSPECTIVE IMPLEMENTATION OF FIX BY MANUFACTURER
Only applies to new locks or new product
Does not apply to embedded base
Does not help the consumer unless manufacturer does a recall or field fix
QUESTION OF LIABILITY AND COST
Who will pay for retroactive upgrade?
Enhancement to new bypass technique or liability to remedy?
MEDECO: Responsible or
Irresponsible Actions?
WHAT IS THE TRUTH?
August 4, 2006 press release: Bump-proof
February 2007 - Retroactively changed the language: Virtually Bump-proof
The Medeco Problem: www.archive.org
TV, Advertising, DVD, Medeco website
August 2006: Bump Proof
Feb 2007: Virtually Bump Proof
2008:
WE NEVER SAID OUR
LOCKS WERE BUMP-PROOF
AUGUST 15, 2006
U.S. Patent and Trademark Office filing by Medeco Security Locks, Inc. lawyer G. Franklin Rothwell, Application 78952460
Word mark: BUMP PROOF
Abandoned: February 9, 2007
BUMP PROOF: USPTO FILING FOR THE WORD MARK
ABOUT CLAIMS OF PICKING MEDECO LOCKS
NOBODY HAS PROVED THEY CAN PICK OUR LOCKS IN 40 YEARS
False demonstrations, special locks
They are lying
We cannot replicate anything
THE REAL PROBLEM
They cannot open their own locks
Failure of imagination
RESPONSIBLE DISCLOSURE BY LOCK MANUFACTURERS
KNOWLEDGE OF VULNERABILITY
Known or suspected
Make responsible notifications
Let users and dealers assess risks
Duty to tell the truth
Duty to fix the problem
MEDECO LOCKS ARE
VULNERABLE
MEDECO KNOWS
Vulnerability from Bumping, Picking, Key control, Forced Entry techniques
Should be candid with dealers and users so they understand the potential risks
Failure to tell the truth = irresponsible non-disclosure
Dealers and customers have a need and a right to know
VULNERABILITIES:
Full Disclosure Required
SECURITY BY OBSCURITY
It does not work with Internet
It is the User's security
They have a right to assess their own risks
Criminals already have information
Disclosure: benefits outweigh risks
Liability for failure to disclose
LESSONS LEARNED
THE MEDECO CASE
Nothing is impossible
Corporate arrogance does not work
HIGH SECURITY LOCK MAKERS
Engineering, Security, Integrity
Duty to tell the truth
Thank You!
[email protected]
2008 Marc Weber Tobias, Matt Fiddler and Tobias Bluzmanis