http://www.wired.com/politics/security/news/2007/08/medeco

By Kim Zetter
Wired.com
08.09.07

High-security lock manufacturer Medeco says it's planning a design change to counter one of two attacks against its products that were described at the DefCon hacking conference over the weekend, boosting security on a line of locks found at the White House, the Pentagon, embassies and other critical locations.

On Sunday, three researchers led by lock-picking expert Marc Weber Tobias showed how they could easily "bump" and pick Biaxial and high-security M3 locks made by Medeco Security Locks, a Virginia-based company that claimed last year that its locks were "bump-proof."

The only tools the researchers needed to bump the Biaxial lock were a special bump key and a hammer. The M3 lock, which comes with an added slider feature, required an additional tool -- a paper clip.

Matt Blaze, a professor of computer and information science at the University of Pennsylvania who has written about master-key locks, says the researchers' work is impressive and concerning.

"Medeco locks are marketed to people who want to use them for high-security applications," Blaze says. "They're widely trusted to be very, very secure and are regarded as effectively pick-proof in practice. So any time there is an attack against this kind of lock, particularly a non-destructive kind of attack (that doesn't show evidence of an attack), that's very surprising."

Privately, the researchers also showed Wired News a new type of attack on deadbolt locks that requires only a modified $2 screwdriver and a wire shim device. Wired News agreed not to publish the details of the technique, but the researchers say it exploits a flaw present in single-cylinder deadbolts -- those that have a single-sided key entry with a flip switch on the other side. It does not work on deadbolts that require a key on both sides of the lock.
The researchers demonstrated this technique on Medeco's M3, though they say it will work on all brands of single-cylinder deadbolts.

"The interface for deadbolts is defective," says Tobias, an investigative lawyer and author. "I don't want to create a panic, but this needs to get fixed."

Clyde Roberson, director of technical services at Medeco, acknowledged that the researchers might be right about the deadbolt problem. This week the company rapidly developed what he hopes is a hardware solution to the vulnerability, and Roberson is scheduled to fly to Florida on Thursday to meet privately with one of Tobias' researchers to see their attack on the lock and try out the fix. Medeco hopes to roll out the solution on its factory floor this Friday if tests show the solution works.

But Roberson is more skeptical about the bumping demonstration. He told Wired News he thinks the researchers' claims are untrue and Medeco locks are still bump proof.

"We stand behind our locks," Roberson said. "We don't believe you can use a bump key on Biaxial or M3 (locks) at all, whether it's with a paper clip or not. We believe that this information is factually incorrect."

Bumping uses kinetic energy to open a lock with a specially cut key. The attacker inserts a bump key into a lock, and then raps it with a small hammer. The energy created by the impact travels through the key and causes the locking pins inside the lock cylinder to separate, allowing the cylinder to turn and unlock the device.

The attack is considered a serious threat because, like lock-picking, it's a covert technique for breaking into a locked door that leaves no obvious telltale evidence behind (though forensic examiners who scrutinize the inside of the lock might find little marks on the internal pins).

Although locksmiths and covert-entry specialists have known about and practiced bumping for years, the general public became aware of it only in the last two years after researchers disclosed the industry secret, and videos showing how to bump locks appeared on the internet.

It's been widely believed that Medeco's high-security locks were impervious to the technique. In a conventional pin-tumbler lock, each cut in the user's key lifts the corresponding pin in the lock to the exact height needed to turn the cylinder. But Medeco's patented pin tumbler locks also require the key to rotate the pin to one of three orientations -- left, right or center.

The feature has made its Biaxial high-security locks a favorite for years with customers who sought extra protection. When bumping received national media attention last year, the company even issued a press release boasting that its locks are "bump proof."

Tobias and his colleagues began testing that claim a year ago last April through a combination of computational analysis and mechanical tests.

Using computers, they analyzed and crunched Medeco's published non-master-key codes to determine how many bump keys they would need to make to encompass all of the possible key-code combinations. (Lock companies publish such codes so that locksmiths can create keys for the locks.)

Medeco's keys have a special feature in that the bitting on them (the peaks and valleys) is cut at different angles and different offsets (spacing). These angles and offsets can be combined in more than a million variations to create keys that are unique to each lock.

Using a computer, however, and taking advantage of engineering tolerances in the lock, the researchers crunched the codes and synthesized the combinations to create fewer than a dozen keys (they've asked us not to disclose the exact number) that will fit into numerous Medeco Biaxial and M3 locks.

Blaze says the approach is impressive.
"It's interesting to see how this combination of mechanical and computer analytical methods can be used to attack these things," he says. "If you're just looking at these things in mechanical terms or you're just looking at these things in computational terms, you won't be able to attack them successfully. The combination of the two, I think, is fairly unique and pretty clever."

Even then, the researchers' technique should have failed against Medeco's newest lock, the high-security M3 introduced in 2005. An improvement on the old Biaxial, the M3 cylinders feature a slider inside. A patented bar on the side of the key has to push in the slider in order for the key to enter.

But the researchers, among them computer security researcher Matt Fiddler and a professional locksmith who asked not to be named, found a way to bypass the slider on the M3 locks as well. They simply use a modified paper clip to push back the slider and then bump the lock as if it were a previous-generation Biaxial lock.

To demonstrate their bumping technique against Medeco's M3 lock for Wired News, Tobias took a lock and inserted one of the keys that he and his researchers designed from Medeco's codes, then hit it several times with a bump hammer and turned the key.

Tobias says that last year his group provided Medeco with full documentation of their techniques as well as video showing them cracking the locks. But Medeco's Roberson dismissed their claims after Tobias visited him last October to show him the technique.

Although Tobias was able to open locks he'd brought with him, he was unable to bump open locks that Roberson pulled directly from the factory line. Tobias says this is because his team was still perfecting the bump keys at the time, and that he was able to open those same locks later after the design of the bump keys was tweaked and the keys were re-cut.

The failed demonstration is what left Medeco's Roberson initially unconvinced of Tobias's claims.
Roberson adds that since then Medeco researchers have not been able to replicate the bumping claims. He thinks the researchers simply designed one bump key to open one lock used in their demonstration, which wouldn't open other locks.

"A bump key is something that works on any cylinder that you walk up to," Roberson says. "They couldn't walk up to a random lock on a door and open it."

Tobias says that contrary to Roberson's statement, their bump key has worked on more than one lock.

"We've opened many, many locks with the bump keys," he says. "Theoretically, we can open all of the M3 locks, but we don't know for sure. What if we can open just 50 percent of them? The question is ... what percentage becomes a threat?"

Tobias has posted a security alert about the M3 deadbolts to a restricted industry site for professional locksmiths and next month he'll meet with representatives of the Underwriters Laboratories -- the lab that tests and creates standards for manufacturers' products -- to discuss improving the standard for such locks. Currently the standards don't test for bumping.

Two other companies that manufacture deadbolt locks -- Schlage and Abloy -- did not respond to calls by press time.

Blaze says that Tobias' claims shouldn't be dismissed.

"We can all be excused for not having realized this was possible before somebody pointed it out to us, but I think the big question is, now that somebody has figured it out, how is Medeco going to react? Hopefully Medeco will acknowledge the problem and look for ways to correct it," he says.

Roberson will be discussing the bumping attacks again during his Thursday meeting with Tobias' research partner, and says Medeco is conducting additional tests of the bumping attack with independent testers. He says if he's satisfied that the researchers' claims are true, the company will address the issue.

"There's always a possibility that we're wrong," he says.