Open in Thirty Seconds Defcon 16


  • 8/4/2019 Open in Thirty Seconds Defcon 16

    1/132

    Open in 30 Seconds

    Cracking One of the

    Most Secure Locks in America

    Marc Weber Tobias

    Matt Fiddler

    Tobias Bluzmanis


    Agenda

    Part I: The Beginning

    Part II: Key Control and Key Security

    Part III: Locks, Lies and Videotape


    PART I

    The Beginning


    WHY THE MEDECO CASE STUDY IS IMPORTANT

    Insight into design of high security locks

    Patents are no assurance of security

    Appearance of security v. Real World

    Undue reliance on Standards

    Manufacturer knowledge and Representations

    Methodology of attack

    More secure lock designs


    CONVENTIONAL v. HIGH SECURITY LOCKS

    CONVENTIONAL CYLINDERS

    Easy to pick and bump open

    No key control

    Limited forced entry resistance

    HIGH SECURITY CYLINDERS

    UL and BHMA/ANSI Standards

    Higher quality and tolerances

    Resistance to Forced and Covert Entry

    Key control


    HIGH SECURITY LOCKS:

    Protect Critical Infrastructure, high value targets

    Stringent security requirements

    High security Standards

    Threat level is higher

    Protect against Forced, Covert entry

    Protect keys from compromise


    HIGH SECURITY: Three Critical Design Factors

    Resistance against forced entry

    Resistance against covert and surreptitious entry

    Key control and key security

    Vulnerabilities exist for each requirement


    HIGH SECURITY LOCKS: Critical Design Issues

    Multiple security layers

    More than one point of failure

    Each security layer is independent

    Security layers operate in parallel

    Difficult to derive intelligence about a layer


    ATTACK METHODOLOGY

    Assume and believe nothing

    Ignore the experts

    Think out of the box

    Consider prior methods of attack

    Always believe there is a vulnerability

    WORK THE PROBLEM

    Consider all aspects and design parameters

    Do not exclude any solution


    ATTACKS: Two Primary Rules

    The Key never unlocks the lock

    Mechanical bypass

    Alfred C. Hobbs: If you can feel one component against the other, you can derive information and open the lock.


    METHODS OF ATTACK: High Security Locks

    Picking and manipulation of components

    Impressioning

    Bumping

    Vibration and shock

    Shim wire decoding (Bluzmanis and Falle)

    Borescope and Otoscope decoding

    Direct or indirect measurement of critical locking components


    ADDITIONAL METHODS OF ATTACK

    Split key, use sidebar portion to set code

    Simulate sidebar code

    Use of key to probe depths and extrapolate

    Rights amplification of key


    EXPLOITING FEATURES

    Codes: design, progression

    Key bitting design

    Tolerances

    Keying rules

    Medeco master and non-master key systems

    Interaction of critical components and locking systems

    Keyway and plug design


    STANDARDS REQUIREMENTS

    UL and BHMA/ANSI STANDARDS

    TIME is critical factor

    Ten or fifteen minutes

    Depends on security rating

    Type of tools that can be used

    Must resist picking and manipulation

    Standards do not contemplate or incorporate more sophisticated methods


    COVERT and FORCED ENTRY RESISTANCE

    High security requirement


    CONVENTIONAL PICKING


    SOPHISTICATED DECODERS

    John Falle: Wire Shim Decoder


    TOBIAS DECODER: [email protected]


    DECODE PIN ANGLES


    FORCED ENTRY RESISTANCE


    FORCED ENTRY ATTACKS: Deficiencies in standards

    Many types of attacks defined

    Mechanical Bypass - Not Contemplated

    Must examine weakest links

    Do not cover hybrid attacks

    Medeco deadbolt attacks

    Medeco mortise attack


    SIDEBAR: Bypass and Circumvention

    Direct Access

    Decoding attacks

    Manipulation

    Simulate the sidebar code (Medeco)

    Use of a key (Primus and Assa)

    Indirect access

    Medeco borescope and otoscope decode issues


    FORCED ENTRY ATTACKS

    Direct compromise of critical components

    Medeco deadbolt 1 and 2 manipulate tailpiece

    Hybrid attack: two different modes

    Medeco reverse picking

    Defeat of one security layer: result

    Medeco Mortise and rim cylinders, defeat shear line


    MEDECO CASE HISTORY

    Exploited vulnerabilities

    Reverse engineer sidebar codes

    Analyze what constitutes security

    Analyze critical tolerances

    Analyze key control issues

    Analyze design enhancements for new generations of locks: Biaxial and m3 and Bilevel


    MEDECO MISTAKES

    Failed to listen

    Embedded design problems from beginning

    Compounded problems with new designs with two new generations: Biaxial and m3

    Failed to connect the dots

    Failure of imagination

    Lack of understanding of bypass techniques


    DESIGN = VULNERABILITY

    Basic design: sidebar legs + gates

    How they work: leg + gate interface

    Tolerance of gates

    Biaxial code designation

    Biaxial pin design: aft position decoding

    M3 slider: geometry

    M3 keyway design

    Deadbolt design


    MEDECO DESIGN: Exploit design vulnerabilities

    EXPLOIT BEST DESIGN FEATURES

    Sidebar leg true gate channel

    Code assignment: Biaxial 1985

    Gate sidebar leg tolerance

    M3 design 2003

    Widen keyway .007

    Slider geometry, .040 offset


    MEDECO TIMELINE

    1970 Original Lock introduced

    1985 Biaxial, Second generation

    2003 m3 Third generation


    MEDECO LOCKS: Why are they Secure?

    2 shear lines and sidebar for Biaxial

    3 independent security layers: m3

    Pins = 3 rotation angles, 6 permutations

    Physical pin manipulation difficult

    False gates and mushroom pins

    ARX special anti-pick pins

    High tolerance


    MODERN PIN TUMBLER


    MEDECO BIAXIAL


    MEDECO LOCKS: 3 Independent Layers

    Layer 1: PIN TUMBLERS to shear line

    Layer 2: SIDEBAR: 3 angles x 2 positions

    Layer 3: SLIDER 26 positions

    Opened By:

    Lifting the pins to shear line

    Rotating each pin individually

    Moving the slider to correct position


    MEDECO TWISTING PINS: 3 Angles + 2 Positions


    SIDEBAR Technology

    Blocks rotation of the plug

    One or two sidebars

    Primary or secondary locking

    Only shear line or secondary

    Integrated or separate systems

    Assa, Primus, Mul-T-Lock MT5, Evva MCS = split

    Medeco and 3KS = integrated

    Direct or indirect relationship and access by key bitting


    SIDEBAR LOCKING: How does it work

    One or two sidebars

    Interaction during plug rotation

    Direct or indirect block plug rotation

    Sidebar works in which modes

    Rotate left or right

    Pull or push

    Can sidebar be neutralized: i.e. Medeco

    Setting sidebar code

    Pull plug forward, not turn


    SIDEBAR LOCKING: Information from the lock?

    Feel picking: sense interactions

    Medeco, 3KS, Primus, Assa = direct link

    MCS = indirect link: sidebar to component

    Sidebar + pins/sliders interaction to block each other: ability to apply torque?


    SECURITY CONCEPTS: Sidebar IS Medeco Security

    GM locks, 1935, Medeco re-invented

    Heart of Medeco security and patents

    Independent and parallel security layer

    Integrated pin: lift and rotate to align

    Sidebar blocks plug rotation

    Pins block manipulation of pins for rotation to set angles


    PLUG AND SIDEBAR: All pins aligned


    SIDEBAR RETRACTED


    PLUG AND SIDEBAR: Locked


    MEDECO CODEBOOK: At the heart of security

    All locksmiths worldwide must use

    All non-master keyed systems

    New codes developed for Biaxial in 1983

    Chinese firewall: MK and Non-MK

    Codebook defines all sidebar codes


    MEDECO RESEARCH: Results of Project

    Covert and surreptitious entry in as little as 30 seconds: standard requires 10-15 minutes

    Forced entry: four techniques, 30 seconds, affect millions of locks

    Complete compromise of key control

    Duplication, replication, simulation of keys

    Creation of bump keys and code setting keys

    Creation of top level master keys


    M3 SLIDER: Bypass with a Paper clip


    SECURITY OF m3:


    Video Demo:

    Medeco Slider Bypass


    RESULTS OF PROJECT: Picking

    Pick the locks in as little as 30 seconds

    Standard picks, not high tech tools

    Use of another key in the system to set the sidebar code

    Pick all pins or individual pins

    Neutralize the sidebar as security layer


    PICKING A MEDECO LOCK


    Video Demo:

    Picking Medeco Locks


    RESULTS OF PROJECT: Reverse Picking


    Video Demo:

    Reverse Picking Medeco Locks


    RESULTS OF PROJECT: Bumping

    Reliably bump open Biaxial and m3 locks

    Produce bump keys on Medeco blanks and simulated blanks

    Known sidebar code

    Unknown sidebar code


    MEDECO BUMP KEY


    Video Demo:

    Bumping Medeco Locks

    Jenna Lynn Tobias


    RESULTS OF PROJECT: Decode Top Level Master Key

    Determine the sidebar code in special system where multiple sidebar codes are employed to protect one or more locks

    Decode the TMK

    PWN the system


    RESULTS OF PROJECT: Forced Entry Techniques

    Deadbolt attacks on all three versions

    Deadbolt 1 and 2: 30 seconds

    Deadbolt 3: New hybrid technique of reverse picking

    Mortise and rim cylinders

    Prior intelligence + simulated key

    Interchangeable core locks


    DEADBOLT ATTACK


    DEADBOLT BYPASS: $2 Screwdriver + $.25 materials


    Video Demo:

    Deadbolt Bypass: Original

    Interim Fix

    Current Production


    MEDECO BILEVEL

    2007 Bilevel locks introduced

    Integrate low and high security to compete

    Flawed design, will affect system security when integrated into high security system

    Borescope decoding of aft pins to compromise security of entire system


    CONNECTING THE DOTS: The Results

    Biaxial Code assignment: Reverse Engineer for all non-master key systems

    Gate tolerance: 4 keys to open

    NEW CONCEPT: Code Setting keys

    Sidebar leg-gate interface: NEW CONCEPT: Setting sidebar code

    M3 Wider keyway: Simulated blanks

    Slider design: paper clip offset


    4 KEYS TO THE KINGDOM


    PART II

    Key Control and Key Security


    KEY CONTROL: The Theory

    PROTECTION OF BLANKS OR CUT KEYS FROM ACQUISITION OR USE:

    Unauthorized duplication

    Unauthorized replication

    Unauthorized simulation

    restricted keyways

    proprietary keyways

    sectional keyways


    MEDECO INSECURITY: Real World Threats - Keys

    VIOLATION OF KEY CONTROL and KEY SECURITY

    Compromise of entire facility

    Improper generation of keys


    KEYS and KEY CONTROL

    KEYS: EASIEST WAY TO OPEN LOCKS

    Change key or master key

    Duplicate correct bitting

    Bump keys

    Rights amplification: modify keys

    PROTECTION OF KEYS

    Side bit milling: Primus and Assa

    Interactive elements: Mul-T-Lock

    Magnets: EVVA MCS


    0WN THE SYSTEM: Obtaining the Critical Data

    TECHNIQUES TO OBTAIN KEY DATA

    Impressioning methods

    Decoding: visual and Key Gauges

    Photograph

    Scan keys

    Copy machine


    KEYS: CRITICAL ELEMENTS

    Length = number of pins/sliders/disks

    Height of blade = depth increments = differs

    Thickness of blade = keyway design

    Paracentric design

    Keyway modification to accommodate other security elements

    Finger pins

    Sliders


    KEY CONTROL


    KEY CONTROL

    KEY SECURITY

    Duplicate

    Replicate

    Simulate

    Key control and Key Security may not be synonymous!


    KEY SECURITY: A Concept

    Key control = physical control of keys

    Prevent manufacture and access to blanks

    Control generation of keys by code

    Patent protection

    Key security = compromise of keys

    Duplication

    Replication

    Simulation


    MEDECO KEY CONTROL: Appearance v. Reality

    WHAT IS IT SUPPOSED TO MEAN?

    ARE THE STANDARDS SUFFICIENT?

    REAL WORLD VULNERABILITIES


    MEDECO KEY CONTROL: Virtually Impossible to Copy

    High security starts with key control; a process that insures that keys cannot be duplicated without proper permission. Clearly, if anyone can have a lock's key copied, then it truly doesn't matter how tough the lock itself is built. Medeco's patented key control makes it virtually impossible for someone to duplicate a commercial or residential key without proper permission.


    MEDECO HIGH SECURITY KEYS v. STANDARD KEYS

    A standard key can be copied at a million stores without restriction or proof of ownership. Unauthorized duplicate keys often result in burglaries, theft, vandalism, and even violent crimes.

    Medeco advertising brochure


    Video Demo:

    Medeco Key Copy Promo


    MEDECO KEY CONTROL: The Problem

    CIRCUMVENTING SECURITY LAYERS

    Keyways can be bypassed

    Blanks can be simulated

    Sidebar codes are simulated

    Slider can be bypassed

    NO REAL LEGAL PROTECTION EXCEPT FOR M3 STEP

    Patent expired 2005

    Keyways not protected

    Third party blanks


    KEY Control: Duplicate - Replicate - Simulate

    SECURITY THREAT: Failure of Key Control: Duplicate

    IMPROPER ACQUISITION OR USE OF KEYS BY EMPLOYEES OR CRIMINALS

    Unauthorized access to facilities or areas

    Bump keys

    Use for rights amplification

    Compromise master key systems

    SECURITY THREAT: Failure of Key Control: Replicate

    HIGH SECURITY LOCKS AND KEYS

    Designed to prevent replication

    REPLICATION TECHNIQUES

    Easy entrie milling machine

    Silicone casting

    Plastic and epoxy copies

    Facsimile copy

    SECURITY THREAT: Failure of Key Control: Simulate

    M3 KEYWAY

    Wider than Biaxial

    No paracentric keyway

    COMPONENTS OF MEDECO KEYS

    Ward pattern and paracentric keyway

    Bitting

    M3 Slider

    SECURITY THREAT

    Bypass wards in paracentric keyway

    Create new blanks

    RESULT: Failure of Key Control

    Restricted and proprietary keyways

    M3 Slider: bypass with paper clip

    Sabotage potential

    Availability of blanks

    Duplicate from codes or pictures

    TMK extrapolation

    Set the sidebar code

    Make keys to open your locks

    MEDECO INSECURITY: Real World Threats - Keys

    NO KEY CONTROL OR KEY SECURITY

    All m3 and some Biaxial keyways

    Keyways (restricted and proprietary)

    M3 Step = no security

    Copy keys

    Produce any blank

    Generate Top Level Master Key

    Cut any key by code

    MEDECO INSECURITY: The Threat from Within

    COMPROMISE OF KEY CONTROL + HYBRID ATTACK

    Mortise, Rim, Interchangeable cores

    MEDECO KEY CONTROL v. CONVENTIONAL KEYS

    Conventional keys = 1 layer of security

    Medeco keys = 3 layers of security

    Hybrid attacks

    With key cutting machine

    MORTISE, RIM, IC: A Special Form of Attack

    HYBRID ATTACK

    Will damage the lock

    Entry in ten seconds

    Millions of Locks affected

    KEYMAIL: The New Security Threat from Within

    NEW AND DANGEROUS THREAT

    FAILURE OF KEY CONTROL IN m3 and SOME BIAXIAL CYLINDERS

    Duplicate keys easily

    USE OF NEW MULTI-FUNCTION COPIERS

    It scans, copies, prints, and allows the production of MEDECO keys


    KEYMAIL: The Premise

    EASILY CAPTURE AN IMAGE OF KEY

    REPLICATE THE KEY IN PLASTIC

    DIFFERENT METHODS TO OPEN LOCKS

    No key control

    Easy to accomplish with access to source key

    Simple technique to replicate any key

    MEDECO ACCEPTS PLASTIC!

    KEYMAIL: How It Works for Medeco

    ACCESS TO THE TARGET KEY

    CAPTURE AN IMAGE

    PRINT THE IMAGE

    PRODUCE A KEY

    OPEN THE LOCK

    MEDECO and KEY CONTROL?

    American Express, Master Card, Visa, Discover, and Diners Club

    Don't leave home without one

    What is behind the locked door: Priceless

    Go anywhere you want to be

    The card that can get you cash

    The card is key

    CUT A FACSIMILE OF KEY

    KEY REQUIREMENTS FOR MORTISE, RIM, and IC LOCKS

    Vertical bitting only

    No sidebar data

    No slider data

    Medeco Key Control?

    PLASTIC KEYS: PROCEDURE

    OBTAIN IMAGE OF THE KEY

    Scan, copy, or photograph a Medeco key

    Email and print the image remotely

    Print 1:1 image on paper, label, Shrinky Dinks

    Trace onto plastic or cut out the key bitting

    Copy with a key machine or by hand

    INSERT KEY INTO PLUG

    Neutralize three layers of security

    Open Mortise, Rim, IC cylinders

    ACCESS TO TARGET KEY

    BORROW BRIEFLY

    AUTHORIZED POSSESSION

    USE

    COLLUSION WITH EMPLOYEE WHO HAS ACCESS TO A KEY

    CAPTURE AN IMAGE

    COPIER

    TRACE THE KEY

    CELL PHONE CAMERA

    SCANNER / FAX

    OBTAIN DATA - COPIER


    OBTAIN DATA - SCANNER


    OBTAIN DATA - CELL CAM


    BLACKBERRY CURVE


    RESULTING IMAGE

    REPRODUCE THE IMAGE

    On Paper

    On credit card or plastic card

    On plastic sheet

    On Adhesive Labels

    On Shrinky Dinks plastic

    On a piece of copper wire

    On a simulated metal key

    PRINT IMAGE ON PLASTIC OR PAPER

    KEYS FROM PLASTIC CARDS

    OPEN m3 and SOME BIAXIAL LOCKS

    STANDARD KEY MACHINE

    Hybrid attack, vertical bitting only

    MEDECO CUTTER

    Vertical bitting and angles

    CUT BY HAND

    Vertical bitting and angles

    BYPASS SLIDER

    Paper clip or wire

    NEUTRALIZE SHEAR LINE


    PRODUCE A KEY: Set the Shear Line

    SET THE SHEAR LINE

    SET THE SHEAR LINE

    HYBRID ATTACK: Set the Shear Line, Open the Lock for Mortise, IC, Rim Cylinders

    CONVENTIONAL LOCKS

    KWIKSET = 1 Layer of Security

    KWIKSET PLASTIC KEY

    Video Demo:

    Kwikset Plastic Key

    HIGH SECURITY KEYS

    MULTIPLE SECURITY LAYERS

    Many cannot be simulated

    Video Demo:

    Medeco Plastic on key Machine

    Medeco Plastic on Door

    MEDECO INSECURITY: Protective Measures

    FACILITY RESTRICTIONS

    No First Amendment

    No paper clips!

    No credit cards, key cards, hotel room cards

    No Copiers, scanners, cameras

    No scissors or X-Acto knives

    No self-adhesive labels

    No plastic report covers

    No Shrinky-Dinks!

    No printers or Multifunction Devices

    No cell, email or Fax connections to outside world

    PART III


    Locks, Lies

    And Videotape

    Our locks are bump-proof, virtually bump-proof, and Virtually Resistant

    We Never claimed our Locks were bump-proof!

    Our deadbolts are secure, no problem!

    We have spent hundreds of hours and cannot replicate any of the Tobias attacks!

    MEDECO RECOGNIZES LOCKSPORT:

    NDE: May, 2008

    BASED ON RESPONSIBLE DISCLOSURE ABOUT MEDECODER

    Give Medeco time to fix the vulnerability

    Right result, wrong reason

    Not new: 15 year old bypass

    Problem in millions of locks

    Concept not applicable

    KNOWN VULNERABILITIES IN MEDECO LOCKS

    RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE

    Serious vulnerabilities disclosed to Medeco

    Notice to manufacturer for 18 months

    Failure to disclose to dealers or customers

    Misrepresentation, half truth, misleading advertising and use of language that means nothing

    RESPONSIBLE DISCLOSURE: It's a Two-Way Street

    DISCOVERY OF VULNERABILITY

    Locksport, hacker, security expert disclosure to manufacturers

    Manufacturers to dealers and consumers

    SIGNIFICANT QUESTIONS

    When discovered

    New lock or embedded base

    Number of users affected

    National security issues

    RESPONSIBILITIES


    Locksport and hacker responsibility

    Disclose vulnerability in new lock design or upgrade

    What about current locks that are installed

    Give time to fix? When relevant?

    HIGH SECURITY LOCK MANUFACTURERS


    Responsibility of high security lock manufacturer are different

    High security is different than normal mfg or corporation

    Protect high value targets, critical infrastructure

    Duties

    Tell the truth

    Disclose security vulnerabilities to customers and dealers

    RESPONSIBLE DISCLOSURE: REALITY, AND LIABILITY

    WHAT TO DISCLOSE AND TO WHOM

    TWO COMPONENTS

    PUBLIC RIGHT AND NEED TO KNOW

    Security by Obscurity

    Assume the risk: only based upon knowledge

    Bad guys already know

    LOCKS NOT LIKE SOFTWARE

    Notice is only prospective to fix a problem

    DISCLOSURE TO MANUFACTURER: Prospective or Retroactive Effect

    PROSPECTIVE IMPLEMENTATION OF FIX BY MANUFACTURER

    Only applies to new locks or new product

    Does not apply to embedded base

    Does not help the consumer unless manufacturer does a recall or field fix

    QUESTION OF LIABILITY AND COST

    Who will pay for retroactive upgrade?

    Enhancement to new bypass technique or liability to remedy?

    MEDECO: Responsible or Irresponsible Actions?

    WHAT IS THE TRUTH?

    August 4, 2006 press release: Bump-proof

    February 2007 - Retroactively changed the language: Virtually Bump-proof

    The Medeco Problem: www.archive.org

    TV, Advertising, DVD, Medeco website

    August 2006: Bump Proof


    Feb 2007: Virtually Bump Proof


    2008:


    WE NEVER SAID OUR LOCKS WERE BUMP-PROOF

    AUGUST 15, 2006

    U.S. Patent and Trademark Office filing by Medeco Security Locks, Inc. lawyer G. Franklin Rothwell, Application 78952460

    Word mark: BUMP PROOF

    Abandoned: February 9, 2007

    BUMP PROOF: USPTO FILING FOR THE WORD MARK

    ABOUT CLAIMS OF PICKING MEDECO LOCKS

    NOBODY HAS PROVED THEY CAN PICK OUR LOCKS IN 40 YEARS

    False demonstrations, special locks

    They are lying

    We cannot replicate anything

    THE REAL PROBLEM

    They cannot open their own locks

    Failure of imagination

    RESPONSIBLE DISCLOSURE BY LOCK MANUFACTURERS

    KNOWLEDGE OF VULNERABILITY

    Known or suspected

    Make responsible notifications

    Let users and dealers assess risks

    Duty to tell the truth

    Duty to fix the problem

    MEDECO LOCKS ARE VULNERABLE

    MEDECO KNOWS

    Vulnerability from Bumping, Picking, Key control, Forced Entry techniques

    Should be candid with dealers and users so they understand the potential risks

    Failure to tell the truth = irresponsible non-disclosure

    Dealers and customers have a need and a right to know

    VULNERABILITIES: Full Disclosure Required

    SECURITY BY OBSCURITY

    It does not work with Internet

    It is the User's security

    They have a right to assess their own risks

    Criminals already have information

    Disclosure: benefits outweigh risks

    Liability for failure to disclose

    LESSONS LEARNED


    THE MEDECO CASE

    Nothing is impossible

    Corporate arrogance does not work

    HIGH SECURITY LOCK MAKERS

    Engineering, Security, Integrity

    Duty to tell the truth

    Thank You!


    [email protected]

    [email protected]

    [email protected]

    2008 Marc Weber Tobias, Matt Fiddler and Tobias Bluzmanis