Archive for June, 2008

Questions answered about my 2006 Christmas Present

Sunday, June 29th, 2008

As a blogger, I always enjoy the comments on my writing a lot. I do not always follow up on them as accurately as I would like to, but trust me when I say I do enjoy them.

A couple of days ago I received mail from Vaughan Armstrong. I met Mr. Armstrong once at ALOA and learned he is a well-respected authority in the field of US military locks and safes.

So I was thrilled to read Mr. Armstrong took his time to answer some of my (our) burning questions. As frequent readers of this weblog might remember, I received a nice US DoD safe (GSA security container) some time ago. When I got it, there were a lot of questions (as you can read in the original post). But thanks to Mr. Armstrong we now know a lot more:

I have read the posts regarding Barry’s Christmas present (December 2006). My thanks to all who posted; I would like to contribute some information.

The present is a field safe, a GSA (General Services Administration) approved security container, for storage of classified material in the field. Federal Specification AA-F-358 (current revision H),(18 May 2000) and its most recent Amendment (3),(20 April 2007) give the requirements for this “Class 6, Size VIII 1-drawer, for field use.” To view the Specification, visit the Department of Defense Lock Program’s website, https://portal.navfac.navy.mil/go/locks . Put your cursor on “Documents.” Several choices will appear in the drop-down; click on “Federal Specifications and QPLs,” and scroll down to AA-F-358H.

This is a Class 6 container; as with all Class 6 containers currently produced, it provides 30 man-minutes of covert entry protection, 20 man-hours of surreptitious entry protection, and is not tested for forced entry protection. (For definitions of “covert” and “surreptitious,” see paragraphs 6.4.3 and 6.4.2.) Because it is for use in the field, paragraph 3.3.8 requires that “The Class 6, Size VIII cabinet shall be provided with 2 lift type carrying handles” and paragraph 3.3.8.2 requires that it have a dial knob protector (visible in the photograph).

The red-lettered label on the front of the drawer indicates that it was made between October 1, 1990 and present. The drawerhead is removable from the rest of the drawer.

Paragraph 3.3, Table I gives maximum dimensions and weights for containers covered by the Specification; the weight of the Christmas present is within the limit (maximum weight 138 lbs.) for field safes. Paragraph 3.3.2 requires that “The weight shall be permanently marked” on the container.

Paragraph 3.4.2 addresses the lock required. It now must be approved to the requirements of Federal Specification FF-L-2937. Previously, locks meeting Underwriters Laboratories (UL) 768, Group 1R were required. The lock must have a snap-on dust cover. This is to prevent someone “dusting” the dial and dial ring to determine the combination. (Some people use a thumb as a “brake” to steady the dial when approaching a target number. This leaves half a thumbprint on the dial ring and half a thumbprint in three locations on the dial. There are only six ways that these indications can be combined: A-B-C, A-C-B, B-A-C, B-C-A, C-A-B, and C-B-A, and these can be entered in a very short time.) The original lock on this container was the S&G 8560MP.

To visit Hamilton Products Group’s website, from the home page of the DoD Lock Program website, put cursor on “Links Index,” scroll down to “Hamilton Products Group” and click on it. You’ll see that the field safe is made in a single-lock and a dual-lock version.

I hope this has been informative, and possibly interesting.

Vaughan Armstrong

I would like to thank Mr. Armstrong for taking his time to answer the open questions (especially on the dustcover) on this little humble weblog. Hopefully it will not be his last comment here.

Paper locks

Tuesday, June 24th, 2008

Wohoo … this is cool!

On the Make magazine blog I read about a UK company called ‘flying pig’. This company came out with a collection of locking mechanisms that can be made from cardboard. Price: just £4.99 …


From their website:

A working Yale type lock to cut out and make. Print out the pages of this model onto thin card, follow the fully illustrated instructions and make your own working model warded lock. The download consists of one acrobat file which will take no more than a couple of minutes download. The file has four pages of illustrated instructions for the easy construction of your model and four pages which make up model sheets.

I think they mixed up ‘yale type lock’ with ‘wafer lock’, but that does not make these models less cool.

My kids will have six weeks of holiday next week, and as part of their education I am going to build these locks with them for sure …

Uhlmann & Zacher, problem solved?

Saturday, June 21st, 2008

There is a new video on the Uhlmann & Zacher lock on YouTube.

It seems to show the effect of the much discussed firmware update. Problem solved?!?

Impressive presentations at the ‘Last Hope’ conference

Friday, June 20th, 2008

Finally the list of scheduled talks for the ‘Last Hope’ conference is out.

Besides the bigger and better lockpick village that is going to arise at the conference, there sure are a lot of lock-related talks!

I am curious how many locksmiths and people from the lock industry are going to attend this conference. If they are even halfway clever they will show up and pay attention….


The one presentation I am looking forward to most is “Maintaining a Locksporting Organization and Breakthroughs in the Community” by Doug Farre and Jon King

“This presentation will go into detail about how to start and maintain a locksport organization and how groups like these can lead to influential research. You’ll learn how to keep everyone excited about lock picking and how to turn your club into a well oiled machine for years to come. In addition, you’ll find out what it takes to produce a good lock picker and see how anyone can influence the lock industry even after only a few months of being on the scene. Jon King’s research on high security Medeco locks will be revealed in detail. There will also be a demonstration on how to build a tool to pick high security cylinders, and how the responsible disclosure of exploits in the hardware world can make a positive impact for all involved.”

Second is a presentation that is not lock-related, yet given by a legend in his own field: “Technical Surveillance Countermeasures – A Brief Primer on the Arcane Art and Science of Electronics Surveillance and “Bug” Detection from a True Insider” by Marty Kaiser

“The spooky world of covert electronic surveillance and countersurveillance by governments, corporations, and individuals is veiled in secrecy, intrigue, and myth. Few people are well qualified to speak authoritatively about it, and fewer still are willing to. Hear firsthand from one of the most legendary and respected wiretap and bugging experts in the United States about some of the methods and technologies used, some case studies, and the future of privacy and surveillance from an insider’s viewpoint.”

Other interesting presentations that I will visit for sure are:

Escaping High Security Handcuffs by Ray

“Everybody knows normal police handcuffs are no real challenge for lockpickers, even though it helps to know the inner workings and tiny differences of the various models in use today. Less publicly known is that there’s also a variety of “high security” handcuffs on the market, used mainly for high risk prisoners and during transfers. But those also have their weaknesses… This talk will give an overview of the products in use today and their different attack vectors – not only focusing on picking but also bypassing some of the most advanced locking mechanisms used in this field.”

Safecracking by Eric Schmiedl

“Despite many appearances in film and television, fairly little is widely known about how safes can be opened without the proper combination or key. This talk will attempt to address some of the questions commonly asked about the craft, such as is it really possible to have a safe open in a minute or two using just a stethoscope and some clever fingerwork? (Yes, but it will take a bit more time than a few minutes.) Are the gadgets used by secret agents in the movies ever based on reality? (Some of them.) The talk will cover several different ways that safes are opened without damage, as well as the design of one lock that is considered completely secure.”

Strengths and Weaknesses of (Physical) Access Control Systems by Eric Schmiedl and Mike Spindel

“Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available – card readers, biometrics, or even posting a guard to check IDs – each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. This talk provides a comprehensive overview of 20 different access control technologies that focuses on weaknesses (particularly little known or not-yet public attacks) and other points that a buyer would not likely get from a vendor. Also presented will be a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.”

Undoing Complexity – From Paper Clips to Ball Point Pens by Matt Fiddler and Marc Tobias

“This talk will be a systematic approach to dissecting and disabling multiple layers of physical security in locks. In this presentation, the focus will be on embedded design defects in high security locks, and how their discovery translates into security vulnerabilities and the disclosure of such flaws. The attack methodology for high security locks will be reviewed. Demonstrations will include case examples, examining tolerance exploitation, code design analysis, and leveraging the interaction of internal components within a locking system to achieve different types of bypass. The application of this program in the development of covert, surreptitious, and forced methods of entry will be examined. Also discussed will be the concept of responsible disclosure upon the discovery of security vulnerabilities, and how this concept applies to both those who discover flaws and to the manufacturer that produces them, and why the same concept becomes a technical, logistical, legal, and financial minefield for manufacturers. ”

And of course Han Fey and I will do: Methods of Copying High Security Keys

“In this two hour workshop you will learn some new and advanced opening techniques for high security locks from two key members of the locksport group Tool in the Netherlands. Special attention will be given to duplicating high security keys and detailed analysis of modern locking systems. After the presentation, some of the tools and techniques can be seen up close at the Lockpicking Village. You are invited to bring your complex locks or “impossible to copy” keys…. ”

The full list of (almost 100) presentations can be found here. Hope you can make it to the conference and see you there!

A new attack on electronic locks: The magnetic ring

Monday, June 16th, 2008

There has been quite some speculation about this video (YouTube) of a magnetic ring that is used to open some model of Uhlmann & Zacher lock. By now the company itself has confirmed that the trick works. They claim a software update will fix the problem (and even log opening attempts).


The ring used in the video now has a name: ‘the ring of the devil’ and is already available on the market (just 25 euro!).

And the questions now are: What is in the ring, how does it work and what locks are affected?

Well … I have some answers. Saturday I received my own magnetic ring and can give you some details.

Some people thought the ring was completely magnetic, but this is not the case. The ring is made out of aluminum and there are four strong magnets inside. The spacing is 90° and the magnets are mounted N, S, N, S. On this image you can see four metal keyrings that are stuck to the ring by the magnetic fields. So far I have not pried open my ring to see what it looks like inside.

The next question is why does this open (some) electronic locks? Electronics is not my strongest point (as you could have read in my previous posting), but by now I understand a little more about it.

Solenoid VS Electro motor

Image: Winkhaus BlueChip solenoid vs electro motor from Burgwachter (ring will NOT open this lock!)

First things first: over the years we have visited many lock companies, and if they had electronic (or electro mechanical) locks they all proudly showed us that their lock was not using a solenoid. A solenoid is a metal pin that is pulled into its housing by an electromagnet. When current is applied to the coil, the electromagnetic field pulls the pin in, allowing the lock to open. The problem with a solenoid is that a nearby magnet can pull the pin down as well, and thus open the lock (as in the first-generation Winkhaus BlueChip; the problem was fixed in later generations). On top of that, vibrations can sometimes bypass solenoids too. So instead of a solenoid, most manufacturers nowadays use a small electric motor. If the motor makes a couple of rotations, a blocking element is pulled back and the lock opens. Turning the electronic lock the other way pushes back the blocking element and the lock is closed. A foolproof system…. until now.

The ‘ring of the devil’ is capable of attacking this kind of electric motor lock in two ways.

Scenario 1: An electric motor is nothing more than a metal part on an axle that turns because of a changing magnetic field. Turning electromagnets on and off will generate a pulling force on the metal part, making it rotate. The ring does the same thing. By turning the ring, the metal part in the electro motor starts turning, opening the lock. As Rop suggested in the comments of the previous posting, a bunch of bigger magnets and maybe a high-speed drill can amplify this effect some more.

Scenario 2: A dynamo is nothing more than a coil charged by a changing magnetic field. So any coil in the lock will start generating current when a magnetic field is rotating around it. If the coil is in the path of the electro motor, it might generate enough current for the motor to start turning.

Currently we are testing with this magnetic ring. Jord Knaap and Han Fey already found one other electro/mechanical lock that seems to open under some conditions with this technique. As with all problems we personally discover, we are first going to notify the manufacturer to give them some time to analyze the problem. But with the ‘devils ring’ out on the free market it will probably be a matter of days/weeks before other people find (and report) locks that are vulnerable to it.

I can assure you this is not the last post about this new attack on electronic (and electro mechanical) locks on this weblog …..

Electronic door lock bypass through static electricity

Sunday, June 8th, 2008

As many of you might know, I have a passion for clever ways to bypass electronic locks (YouTube).

And I just got a mail from a ‘blackbag informer’ that pointed me to a highly interesting YouTube video.
The only problem with YouTube videos is that you never know if it is a hoax or not.

However this video seems genuine and I believe the following trick could work!

In the video we see a euro profile cylinder, supposedly a ‘Uhlmann & Zacher’ electronic door lock, that seems to open when charged with static electricity.

When a metal ring is turned clockwise the lock seems to be charged, allowing it to open and close, even when no transponder key is present.
Turning the ring counterclockwise seems to discharge the static electricity and the lock remains closed.

I would like to thank the blackbag informant who reported this great and interesting video.
Now all I need is one of these locks to see if this really works or not …

A package from Vienna … cool GeGe locks!

Thursday, June 5th, 2008

Han just received some locks from GeGe. It is nice to see people keep their promises…


This is what Han has to say about them:

The locks in the picture are some locks we got from GeGe, from the left to the right: P-extra, AP2000, AP3000, ANS-2 and the AP4000.

They all have an exotic looking keyway, but besides that there is a lot to tell about the inner life of these cylinders; they contain, for example, horizontal sliders, undercuts, cogwheel, special anti-bump pins, key copy protection, spring loaded axial pins, carbide sintered steel insert, etc.

I intend to write an article about these high security locks, so that you will learn more about these cylinders.


The new NDE magazine

Monday, June 2nd, 2008

The new NDE magazine is out. For the real die-hards nothing new, it has been out for a few days now.


But it is good to see the quality of the magazine getting better and better with each new issue coming out. And it gives me a good feeling to see Schuyler doing so well. He came up with a crazy idea (NDE magazine) and instead of just talking about it simply executed his plan. And it seems he was able to find the right people to support him. I am curious where this will go, as it has the potential to get really big (with locksport getting big as well). It brings back memories from a time I was involved in a small magazine that had trouble getting new issues out in time ….

I surely enjoyed reading the ‘Medecoder’ story, and the tension they are building up, not to mention the fact Medeco is changing their production because of it. Something very special has been achieved with that! And to finally see Jaakko Fagerlund’s exploit against Abus Plus series out in the open. The rest you will have to read yourself, but it is a must read for visitors of this blog.

On a personal level: I am done writing long pieces of text under time pressure. First there was the deadline on the foreword of Marc Tobias’s book, and on Saturday I finally completed the article for 2600 magazine. The article came out nice, and is an introduction to my presentation at the ‘final hope’ conference that will be about “high security key duplication”.