A new attack on electronic locks: The magnetic ring

There has been quite some speculation about this video (YouTube) of a magnetic ring that is used to open some model of Uhlmann & Zacher lock. The company itself has now confirmed that the trick works. They claim a software update will fix the problem (and even log opening attempts).


The ring used in the video now has a name: ‘the ring of the devil’ and is already available on the market (just 25 euro!).

And the questions now are: What is in the ring, how does it work and what locks are affected?

Well … I have some answers. Saturday I received my own magnetic ring and can give you some details.

Some people thought the ring was completely magnetic, but this is not the case. The ring is made out of aluminum and there are four strong magnets inside. The spacing is 90° and the magnets are mounted N, S, N, S. In this image you can see four metal keyrings that are stuck to the ring by the magnetic fields. So far I have not pried open my ring to see what it looks like inside.

The next question is why does this open (some) electronic locks? Electronics is not my strongest point (as you could have read in my previous posting), but by now I understand a little more about it.

Solenoid VS Electro motor

Image: Winkhaus BlueChip solenoid vs electro motor from Burgwachter (ring will NOT open this lock!)

First things first: Over the years we have visited many lock companies, and if they had electronic (or electro mechanical) locks they all proudly showed us their lock was not using a solenoid. A solenoid is a metal pin that is pulled into its housing by an electro magnet. So when current is applied to the coil, the electro magnetic field will pull the pin in, allowing the lock to open. The problem with a solenoid is that a nearby magnet can pull the pin down as well, and thus open the lock (like in the first generation Winkhaus BlueChip, problem fixed in later generations). On top of that, vibrations can sometimes bypass solenoids as well. So instead of a solenoid most manufacturers nowadays use a small electronic motor. If the motor makes a couple of rotations, a blocking element is pulled back and the lock opens. Turning the electronic lock the other way pushes back the blocking element and the lock is closed. A foolproof system … until now.

The ‘ring of the devil’ is capable of attacking this kind of electronic motor lock in two ways.

Scenario 1: An electronic motor is nothing more than a metal part on an axle that turns because of a changing magnetic field. Turning electro magnets on and off will generate a pulling force on the metal part, making it rotate. The ring does the same thing. By turning the ring, the metal part in the electro motor starts turning, opening the lock. As Rop suggested in the comments of the previous posting, a bunch of bigger magnets and maybe a high-speed drill can amplify this effect some more.

Scenario 2: A dynamo is nothing more than a coil charged by a changing magnetic field. So any coil in the lock will start generating current when a magnetic field is rotating around it. If the coil is in the path of the electro motor, it might generate enough current for the motor to start turning.

Currently we are testing with this magnetic ring. Jord Knaap and Han Fey already found one other electro/mechanical lock that seems to open under some conditions with this technique. As with all problems we personally discover, we are first going to notify the manufacturer to give them some time to analyze the problem. But with the ‘devils ring’ out on the free market it will probably be a matter of days/weeks before other people will find (and report) locks that are vulnerable to it.

I can assure you this is not the last post about this new attack on electronic (and electro mechanical) locks on this weblog …..

34 Responses to “A new attack on electronic locks: The magnetic ring”

  1. So the ring was made from available materials, because the magnet I showed (radially magnetized) is basically the same but with only two poles. The four pole version works faster and it is easy to make specific sizes.

    Indeed very clever attack and I can’t wait to see what is the fix for these 🙂

  2. JackNco says:

    Thanks for the update Barry. I just emailed a small company I know who are developing a lock which I think could be susceptible to this (or possibly the bluechip style) attack, maybe this will get the problem fixed before it even goes on sale.

    John

  3. Francis says:

    Besides having the electronics detect this type of attack (either by using a mouse like decoder or current sensing) and applying power to keep the motors in place, I’m curious how they can design around it. Are there non magnetic electronic devices capable of movement? Muscle Wires probably wouldn’t fit this bill. (Apply heat to open lock ;-))

  4. Ryan says:

    The software update could eliminate some of the threat of this attack. However, only if the lock’s controller is still receiving power.

    Without more detailed descriptions of how this lock operates, I assume that the software update would be able to detect this attack by sensing the current generated from the “the ring of the devil”, log that event, and then apply current in the reverse direction to keep the motor from turning. If power was removed (by a determined individual), the attack would still work. If backup power was battery supplied, it is still possible to use the attack long enough to drain the battery to the point where the ring would overpower the controller. However, if the security system is still active, the cops will show up before you can drain it far enough.

    I wonder if it also has a solenoid to prevent the motor from turning in the event of an attack?

    Another possibility is that if you apply a magnetic field intense enough, the motor’s windings may eventually overheat, short circuit, and disable the controller. The magnets inside of the motor would still respond to the external magnetic field and the lock would open.

    Anybody interested in creating a more complicated “ring of the devil”? One could create a toroid (doughnut shape) with multiple windings and then attach a controller to apply current to the coils in a “rotating” manner. This could be made powerful enough to probably overpower the lock controller’s reverse “anti-attack” current. At the very least it would be faster way of draining the backup battery. It would also be silent and less conspicuous than a power drill. Battery and controller in your pockets, toroid in your hand, and a long sleeve shirt to conceal the wires.

    Then there’s the issue of how the security system communicates with the lock. If wirelessly and with a battery backup, metal bracelets are a sure thing. If the lock is in the door frame with a battery backup and secure shielding of the wires, metal bracelets are in your near future unless you can detect the communication frequency and jam it and the lock doesn’t continuously communicate with the security system. If wired with a battery back up, then the placement of the wires or contacts in between the door and frame would be critical, but could still be susceptible if the lock doesn’t continuously communicate with the security system.

    Anyway, I should probably get back to my electrical engineering homework. Thanks for reading my two cents. Ryan

  5. Ryan says:

    O.K., I’m procrastinating from my homework. This attack could be rendered completely useless if the lock’s motor consisted of two sets of coils instead of coils and permanent magnets like all conventional electric motors. Ryan

  6. ChillyWilly says:

    One kind of muscle wire may not be affected by the magnets but will definitely be affected by heat. Raising the material’s temperature makes it change length (that’s the short version of the explanation). There is a second kind of “muscle wire” that may be affected by the magnets.

  7. Ryan, what you described is working only if the small DC-motor is such that there is stator coils and rotor magnets. BUT, the motor in the picture also seems to have only two leads, indicating a basic brush type DC-motor that has rotor coils and stator magnets.

    Thus, if the software in the lock keeps the motor winding circuit open-loop (opposite to having the wires shorted), the magnet attack doesn’t work, because there is no current induced in the coils or more precisely, it has nowhere to go, so the motor doesn’t turn.

  8. Ryan says:

    Jaakko, great point, but it does raise another question: How would a rapidly rotating magnet field penetrate the metal case and stator magnets to produce a current to generate electromotive force strong enough to turn the rotor and counter the external magnetic field in the first place? Wouldn’t any induced current create the same/wrong polarity of magnetic field anyway?

    Maybe I should get back to learning about this stuff…

  9. drew says:

    There is a rather low-tech way to protect against this attack: shield the motor/solenoid with magnetically soft material. If you’ve ever taken apart a hard drive, generally the magnets will be stuck to Mu-metal (see link) – which transmits the magnetic field very poorly, if at all. Although, wikipedia says that it works best against low-frequency magnetic fields so if you spin the ring fast enough you can get by it. If you want to get really fancy, use superconductive shielding and be impervious to external magnetic fields.

    Jaakko: I think you’re right that any brushed DC motor will be invulnerable as long as the rotor coils are kept open when it’s off. I think Ryan was saying the same thing – use a motor with both rotor coils and stator coils.

  10. mh says:

    One big flaw you could introduce into electronic locks is to put the locking mechanism into the outside knob where magnets and sledge hammers etc can reach it. To be fair though these locks are not marketed for doors where sledge hammer attacks are to be expected.

    For ideas that don’t involve magnetic fields see this example: http://www.wipo.int/pctdb/en/wo.jsp?wo=2007022910

    Cheers,
    mh

  11. Aleksander says:

    How about fixing the problem by mounting the small motor 90°/perpendicular to the axle/shaft inside the knob?

  12. rugelindinda says:

    You can find a devil’s ring in a pc hard drive, but with 8 poles.

  13. Ryan says:

    Any mounting inside the knob would be extremely vulnerable to a sledge hammer type attack (thanks mh). Even inside of a door or frame, an electromagnetic field could be created that could be effective as an attack if permanent magnets are used on the motor’s rotor. It’s somewhat common these days to have high-performance DC motors with magnets on the rotor.

    Shielding would definitely limit the potential for attack except to very strong magnetic fields. It seems to me that the only way to eliminate the possibility of this type of attack would be a motor with coils for both rotor and stator, I think it’s called series-winding? Or at least a solenoid that locks the motor’s rotor unless both the lock controller and security system deems it necessary.

  14. Lars says:

    Why not just use a design where there are two motors, and each need to remove an obstacle, but need to turn in opposite directions to do so. You’d be hard pressed to generate any external interference that would spin two similar (and similarly aligned) motors in two opposite directions.

  15. ejonesss says:

    updating the firmware will do no good because it looks like the magnet ring works the magnets of the motorized lock.

    all the firmware can do is log any openings of the door.

  16. ejonesss, learn electronics first, because it is possible to turn a DC-brush-motor with a magnet, if the leads are shorted. Microprocessor outputs can be in three different modes: high, open or low. If the motor lead outputs are high and low, or low/high, the motor turns. If the outputs are high and high, or low and low, the motor is shorted and the magnet can open it. BUT, if you modify the software to keep the other or both outputs as open, the motor windings are open circuit and the magnet doesn’t work.

    How hard it is to believe that this is possible?

  17. Benjamin says:

    Normally a microprocessor can’t source that much current.
    Since the motor can go both forward and reverse i would guess there
    to be a H-bridge or equal. so lets think about it:

    1) What is the most common way to drive a small DC motor ?
    2) Even if the microprocessor sets its motor control pin(s) to input (after a firmware update) how would the common driver circuit react ?

    Regards
    Benjamin

  18. jim a. says:

    To design around this, I think that the way to go would be to have two motors close to each other (perhaps co-axial?) S.T. an external magnetic field that would turn one to the unlocked position would simultaneously turn the other to a locked position.

  19. Benjamin, the motor I see in the picture is probably some 3V model and those operate on very low currents. Even a regular PIC can source/drain 25mA per pin and was it 100mA total continuously and even more when operated in short amounts, like this application.

    If there is external H-bridge, nothing changes to my description.
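Comments 7, 16, 17 and 19 turn on whether the idle motor winding is left as a closed circuit. The sketch below is an added example, not code from the post, the commenters or any lock vendor: it classifies the switch states of an H-bridge around a two-lead brushed DC motor and gives the induced voltage at which current can start to circulate, assuming every switch has an antiparallel freewheel diode with a constant forward drop. All names and values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not vendor firmware): the four switches of an H-bridge
 * around a two-lead brushed DC motor, leads A and B. Assumption: every switch
 * has an antiparallel freewheel/body diode with a constant forward drop. */
typedef struct { bool a_hi, a_lo, b_hi, b_lo; } bridge_t;
typedef enum { COAST, HALF_OPEN, BRAKE, DRIVE, SHOOT_THROUGH } bridge_mode_t;

static const bridge_t ST_BRAKE = { false, true,  false, true  }; /* both low sides on */
static const bridge_t ST_HALF  = { false, true,  false, false }; /* one low side on */
static const bridge_t ST_COAST = { false, false, false, false }; /* all switches off */

bridge_mode_t classify(bridge_t s)
{
    int on = s.a_hi + s.a_lo + s.b_hi + s.b_lo;
    if ((s.a_hi && s.a_lo) || (s.b_hi && s.b_lo))
        return SHOOT_THROUGH;   /* one leg shorts the supply: never valid */
    if ((s.a_hi && s.b_lo) || (s.b_hi && s.a_lo))
        return DRIVE;           /* leads on opposite rails: motor powered */
    if (on == 2)
        return BRAKE;           /* both leads on the same rail: winding shorted */
    return on == 1 ? HALF_OPEN : COAST;
}

/* Smallest induced voltage (mV, worst-case polarity) at which current can
 * circulate through the winding; -1 when the state is not an idle state. */
int conduct_threshold_mv(bridge_t s, int supply_mv, int diode_mv)
{
    switch (classify(s)) {
    case BRAKE:     return 0;                        /* loop through two switches */
    case HALF_OPEN: return diode_mv;                 /* one switch plus one diode */
    case COAST:     return supply_mv + 2 * diode_mv; /* two diodes, into the supply */
    default:        return -1;
    }
}

/* Winding current in mA for an induced voltage (mV / ohm = mA); 0 if no path. */
int induced_ma(bridge_t s, int emf_mv, int supply_mv, int diode_mv, int r_ohm)
{
    int thr = conduct_threshold_mv(s, supply_mv, diode_mv);
    if (thr < 0 || emf_mv <= thr)
        return 0;
    return (emf_mv - thr) / r_ohm;
}

/* Idle self-check firmware could run before sleeping: only all-off passes. */
bool idle_state_ok(bridge_t s) { return classify(s) == COAST; }

int main(void)
{
    /* Constructed values: 3 V supply, 0.6 V diode drop, 10 ohm winding. */
    const bridge_t st[] = { ST_BRAKE, ST_HALF, ST_COAST };
    const char *name[] = { "brake", "half-open", "coast" };
    for (int i = 0; i < 3; i++)
        printf("%-9s threshold=%4d mV  I(500 mV)=%2d mA  idle_ok=%d\n", name[i],
               conduct_threshold_mv(st[i], 3000, 600),
               induced_ma(st[i], 500, 3000, 600, 10), idle_state_ok(st[i]));
    return 0;
}
```

Which switch state a driver IC settles into when the microcontroller pins float depends on its input pull resistors, so the check belongs on the resulting switch state rather than on the pin mode.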

  20. Jean-Claude says:

    Poking around the U&Z website reveals some interesting patents. Watching the bypass video also reveals something, at least to me. Has anyone found an exploded diagram of the lock in question? LSS is lacking (at least my edition), and U&Z isn’t giving much up.

  21. Anon says:

    This is a well-known principle and one that can be easily protected against. Simply create a compound motor – one that is, in effect, two motors with their coils opposed. Forced induction (of the type mentioned above) will be useless against this design as an equal current will be induced in both sets of coils, hence two forces will be generated that oppose each other. In order to manually operate the motor two currents are required, in opposing polarity – something that can not be achieved by induction, but is possible when the motor contacts are accessible.

    A similar principle is employed in guitars using hum-bucking pickups – just google it 😉

  22. Breakable says:

    I would expect you can use stepped motors to prevent this type of attack.
    Any other motor I think is susceptible, no matter if its ac or dc, with magnets or without.

  23. Breakable, think again: It really has difference if it is AC or DC and with permanent magnets or not.

  24. mh says:

    http://uk.youtube.com/watch?v=c0tr-rUQ3ZI&feature=related

    So what can we see here?
    Is that the firmware update at 1:20 and should this show that the lock now detects the attack and prevents it?

  25. Barry says:

    mh: Thanks for pointing to that link 😉

  26. Datsun says:

    Just shield it well.

  27. Harald says:

    A simple (and cheap) reed contact/sensor will thwart this attack.

    Harry

  28. Jcarly says:

    We are a lock manufacturer using a micro motor, with a clutch system, after several attempts, we are happy to see that it does NOT work, did you really try it with the lock inside the door and the door closed ???? I don’t think so, also most doors have only a very narrow spacing between the door and the frame not allowing for a big ring to be inserted. Furthermore, if the door is an outside door and burglar proof, the metal sheet on the outside will distort the signal.
    If you are trying to open the lock when the door is already open, what is the point of this otherwise very interesting blog, any lock even 600 euro lock requires a screw to have it fixed in the door, by removing the screw you completely can remove the lock and fool anyone that they are in control.
    An anecdote – one of our customers ordered lock as he wanted to monitor an isolated workplace where management was rarely present, for attendance reasons. After the staff understood what the management was trying to do, they removed the electronic cylinder, installed one of their mechanical ones, and agreed that one staff would meticulously ‘log attendance’ on the lock for all the staff, we caught ‘all of them’ because the staff that did the logging, did so, for all staff….on a public holiday…. 🙂 when reviewing the monthly logs it became evident that there was a problem, installation of a camera confirmed the thoughts of the customer.
    Lastly, it seems that you do not have all the elements regarding the past winkhaus problem, the magnet did not ONLY open the door, even worse, it ALSO erased the data on the embedded IC, something that apparently also happens with the SimonVoss product.

  29. Jcarly, I’ve seen this thing in reality and yes it works even if installed to a door. But do understand, the magnet trick only works on some lock models, not all electromechanical locks.

  30. mh says:

    Jcarly,

    It is good that you are very confident about your lock solution.
    As the locksport community has a strong track record of finding even the best hidden flaws, you might want to provide us (e.g. SSDeV Germany, TOOOL NL, …) with a number of samples, and we will test it in real life conditions. You can find the contact information on our websites, my e-mail would be [mh at The Open Source Lock dot org].

    Of course, the door was closed in the cases that Barry published here.
    The lock on which the magnetic ring worked had all relevant parts in the outside knob.

    That said, if you are confident that your competitors have issues, maybe you also want to give proof for that.

    Cheers
    mh

  31. Barry says:

    There is a whole new range of attacks coming for electronic and electromechanical locks (just look at this Burgwachter article), and I am confident this is just the beginning. Jord, Han and I did our own research months ago and found some serious flaws in one of the Cliq products. We learned this attack can also be applied to other electronic and electromechanical locks. So I would not be too sure if I were Jcarly (as he simply does not know the details of this attack yet). Attacks always get better, not worse … and attacks on electronic and electromechanic locks are just getting started. But more about that on DefCon and HAR.

    And about offering assistance to test locks: I am always very careful when companies approach me to test locks. It is great fun indeed, and nine out of ten times we will find something. But if you find something or not, you always have the risk they will advertise the lock as ‘Toool (or Barry or MH or SSDeV or whoever) has tested/improved this lock, so it is secure’. It is a fact there are always people out there that are more clever than you and will find things you overlooked, or new attacks appear that simply were not known at the time you tested the lock (and all of a sudden your ‘secure and tested by XXX lock’ now opens in 5 seconds …).

    So yes, we do test locks, but only if we know the people behind the company quite well.

    If you want anything tested feel free to contact me (barry at toool.nl) or use the comments of this weblog …

  32. Barry says:

    One more note to Jcarly: I opened my winkhaus lock(s) hundreds and hundreds of times using the magnet (it is great for demonstrations/workshops) and it still functions quite well with the programmed key. So I do not know who told you magnetism will erase data on IC’s, but from my own experience I can say it is just not true (at least not on my locks) ….

    Are you sure you are not confused with the ‘magnetic seal’ solution Winkhaus came out with? As a ‘security measure’ (ahum ahun) they put a small magstripe sticker on the side of the lock. The idea was that if the magnetic encoded information was erased from the sticker, someone must have tampered with it (and the insurance would pay as there is ‘proof of burglary’) …

  33. Yep, forgot to mention that you can’t erase EEPROMs and other type of storage media in ICs with a magnet.

  34. mh says:

    Barry,

    You have a good point about the risk – however, I have not yet seen such advertisements by lock manufacturers. I did see strange statements by ‘experts’ like “these locks open in xx seconds, take those locks instead, they are secure”.
    I would not make such statements, they are silly. Nor would I agree to my name being used in advertisements in this way. On the contrary, there are examples of flaws that I did *not* find although they were right before my eyes many times, like Jaakko’s stamped disks exploit.

    I am very certain though that thorough review by *many* locksport experts will yield better results than what a single lock manufacturer could ever achieve. This is also the principle for The Open Source Lock – the security limits will be well known and documented, and they will reach a very high level. The peer review by *many* experts will lead to a lock that’s as good as it can possibly get.

    So I continue to offer flaw-finding assistance 🙂 as long as it stays fun and doesn’t eat up all of my time; but of course, the result cannot be complete security, it will be just one more opinion.

    Cheers,
    mh