Setting new rules

I had dinner with Marc Tobias last week, and one of the things we spoke about was ‘disclosure’.

It is my philosophy that you should warn a lock company if you find a (new) flaw in their product and give them time to fix it and inform their customers. Marc, however, defended the standpoint that you should only give them time if they promise to exchange the locks in the field, or apply a patch, free of charge. It is a dilemma, especially if you see how companies like Uhlmann & Zacher suffered from anonymous YouTube videos that popped up out of the blue.

The other side of the coin is that lock companies are sometimes sloppy and do not take this all too seriously. I still have not fully made up my mind about the future of disclosing issues, but tend to lean in Marc’s direction. If companies promise to compensate/exchange the flawed products, the consumer wins. If the manufacturer does not want to fix the problem, the consumer needs to know the lock needs replacement. And most likely replace it with a product from a company that does take its customers seriously….

But I guess it is a decision we will make case by case, as not all locks and flaws are equal …

To be continued for sure … (and I am curious to hear your opinion about this …)

19 Responses to “Setting new rules”

  1. Konrads says:

    I side with Marc’s viewpoint: security research is about the consumer winning. If a company won’t treat security seriously, let the consumer take action himself.

    Maybe replacing locks for free in the field is a bit extremist: in contrast with software, where distribution costs -> 0, replacing locks costs way more. After all, the company has to hold up to their pledge to the consumer, and I doubt they have claimed that “our lock will withstand superman’s lasers!”.
    What is the pledge lockmakers give to consumers anyway?

  2. Henk says:

    There are companies who seem to think that when they don’t talk about a flaw in a lock it does not exist. That is not the way one should treat his customers. It is great to earn money, we all know that, but if it is just about the money and not about developing a good, decent lock which serves to protect people as well as properties, then it is time to take action. In this case there is on one hand the time you give a company to fix the flaw and replace the old locks, and on the other hand time itself: when a lock can be opened in just a couple of seconds, let’s say 30, then the company has to react quickly; when it involves the use of high-tech knowledge and equipment, there is more time, depending on what door the lock is placed on, of course.
    I think it is the responsibility of the lock company to TAKE that responsibility. It is sometimes easier for the customer to replace the lock, but that should not be the way.

  3. Henk says:

    Besides that, the advertising some companies use is sometimes misleading. “100% pick and manipulation proof” is sometimes more than they can sell ;-). That is a whole different story, but I still decided to mention it, because it is the advertising we respond to when we buy a certain lock, right?!

  4. John C says:

    This is a highly complex issue. It is argued that the public have a ‘right to know’. Says who? Have the public asked? It is assumed by those seeking publicity for what THEY believe is a security ‘flaw’ that the whole world will want to know about it. This obviously includes criminal elements.

    If there is a need to inform the public then it should be done by the relevant authorities who have considerably more information available as to the consequences of disclosure. In other words it is a matter of judgement and bad judgements are made when not all the facts are taken into consideration. Some locksmiths and other security professionals/hobbyists may THINK they know what is best for the public but do they REALLY? It is a very arrogant position to take.

    Many who make disclosure do so out of ego or because they have been shunned by manufacturers. I agree that manufacturers should be informed of ‘new’ opening methods, many of which are not new at all. I also agree that misleading advertising should be exposed but to the relevant authorities.

    There was so much complete and utter rubbish broadcast over the internet and in the media by so called experts in regards to the underlying physics behind ‘bumping’ that it caused me to change my view on disclosure.

    My views will probably be in the minority I guess!

  5. Mitch Capper says:

    I definitely believe in responsible disclosure in both the IT security and physical security arenas. I do think it is a bit harsh, though, to only give them time to fix their product if they provide a fix for existing customers. In many scenarios this may be very costly for a company to do: unlike in the IT world, where a patch can be released and frequently fixes a problem, with locks replacing hardware can be expensive and impractical. With that said, I would also say companies that go the extra mile to help out and inform existing customers should deserve some advantage. I would suggest some period of time X for companies who do not promise to fix the problem for existing customers and some period of time Y for those that do (say two vs four months). Uhlmann & Zacher is a perfect example of a company that handled an exploit in the best possible way, both immediately contacting their customers, providing fixes for existing customers, and fixing their product going forward, and they are not a high security lock company. Anything we can do to get other companies to behave like them would be great, but again, they were only able to fix existing products due to the fact their locks had software they could update. With that said, I do believe all companies should get some amount of time for new problems, so I think a balance must be found.

  6. Killbox says:

    I think you have to take into account the severity of the flaw, the extensiveness of the deployment of the lock, and what claims are made for the lock.

    I would not expect a cheap Kwikset clone company to go out and replace all their $10 knobset locks because someone found that with a $40 large pipe wrench it could be damaged to a point where the door opens; one would naturally assume a $10 lock was just about as good as its price indicates. But on the flip side, when $60 Kryptonite locks fell to a $0.20 Bic pen, I think it was reasonable to ask for the manufacturer to replace the failed security.

    I don’t think that lock security testers should be placed under any sort of gag order not to disclose the problem should the manufacturer not admit the problem or come up with and offer a fix.

  7. John C says:

    I think the comments from Killbox demonstrate some of the problems. For example, the old Bic pen method against RPT locks (NOT just Kryptonite) was known for years before it entered the public domain.

    What about a latch that can be slipped using mica?

    What about the MILLIONS of euro profile cylinders that can be bypassed in seconds, including numerous so called high security types?

    Who decides? What gives any of us the right? With disclosure comes responsibility and that could manifest into accountability.

    In trying to perform a ‘public service’ security can very easily be undermined in unintentional areas. In other words there is risk and the potential isn’t always obvious or easily measured.

    That’s why there are security standards including many that are NOT in the public domain. The standards that are in the public domain are not perfect. I believe that pressure should be applied to the various standards bodies to raise the bar when ‘new’ discoveries are made. That in my opinion is responsible disclosure.

  8. Nicholas says:

    I don’t expect any lock manufacturer to replace any lock out in the field. When a lock is manufactured/sold/purchased, a lock manufacturer has every right to hold righteous the security of their locks. Eventually an exploit will be found in every locking system, whether it be a diamond-carbide bit or a $0.20 Bic pen. At that point the lock manufacturer should immediately halt the manufacturing of the current lock design and take steps to inform and protect the customer. They should either redesign the lock to negate this vulnerability or at least downgrade their “security rating” and inform the customer of the issue and provide a workaround or a fix.

    As for disclosure I feel that the researcher should immediately post the vulnerability while not disclosing details such as the techniques and tools used, as well as informing the lock manufacturer that a vulnerability exists. I would give the manufacturer around 3 months at which time they have had time to responsibly deal with the problem. After that time I would fully disclose the tools and techniques, allowing other companies looking into similar designs to learn from the mistakes of other companies as well as for the consumer to protect themselves.

  9. I definitely agree that this issue is a complex one. Anyone claiming that one sweeping philosophy or approach is applicable across the board needs to reconsider in my opinion. I also don’t think that the “newness” of a vulnerability is an issue. If the vuln was known and the company did not act on it, it was likely because the publicity vs cost was not advantageous. In a perfect world, all lock manufacturers would build the best products possible and offer them at the lowest prices; this is not the case in the real world. The last thing folks like us should be doing is “punishing” companies for not acting like angels.

    No matter the age or popularity of the exploit, I think that the company/companies should be informed privately first. From there, a window of opportunity should open for them to fix the issue. The length of this time period will vary greatly and should be discussed with the manufacturer. If they are unreceptive or rude, I still think this time period of non-disclosure should exist (determined by the discoverer/s) in case minds change, etc… Just because the company folks are being jerks to you, this does not mean that nothing is being done. In any case, private discussion with other experts should not be impeded (through NDAs, etc..) during this time. After the silence period is over, I believe it should be the personal decision of the discoverer/s as to whether public disclosure is appropriate. One thing that I do not agree with at all is “shut-up money”; this includes both the overt cases as well as the more formal/subtle forms of extortion. Also, if the company starts playing lawsuit games, I consider the gloves to be off and the discoverer/s have the right to start swinging.

    These are just my personal views at this time generalized. In the end, it comes down to your ethics and the manufacturer’s response (or lack thereof).

  10. John C says:

    All security products and systems are flawed to some extent. Who is to judge the seriousness of a ‘flaw’ and by what criteria? A person who perceives that a newly found weakness in an established security device makes it likely that every criminal in the world will exploit it is mistaken. It becomes a matter of opinion. Some get very excited about a new discovery (to them anyway) and feel a sort of indignation; they feel compelled to tell the world.

    Manufacturers are not stupid even though they may appear so from time to time. You can’t expect a major company to respond to threats of ‘if you don’t fix this I’ll go public’. No matter how you slice the onion, a threat is a threat. Worse still are those who seek money for their knowledge and silence. That is blackmail or extortion.

    There are subtle ways to ‘encourage’ manufacturers without scaring the hell out of the public. ‘Experts’ should consider this: by disclosing what they know they dilute their expertise. It is different for those who play with locks as a hobby. Security is my profession and not a hobby. For me knowledge = profit. I often have to bite my tongue when I’m tempted to let rip. I’m all for total disclosure in regards to what makes a security product or system ‘tick’. But I can see no real justification whatsoever in disclosing bypass methods in the public domain. To do so is nothing short of attention seeking behavior in my opinion.

  11. mh says:

    Interesting topic, and interesting title (“setting rules”… whose rules?)

    It’s quite complex and I totally agree with JK that one cannot try to apply the same approach to all cases. Things that come to my mind are

    – how “easy” to use is the technique? how big is the risk to the public if it’s published? how big is the risk if it’s not published? will criminals learn about it or do they know it already?

    – if you publish the presence of a vulnerability but not the details, is your claim credible? e.g. if you told me that the Abloy Protec can be manipulated nondestructively, but not how, would I believe you? if my claim isn’t credible, but if I still wanted to warn the public, what should I do?

    – but why would I want to warn the public in the first place? maybe I just want to sell a tool to NDE experts and earn money for my work?

    Different people all have different motivations. To learn more about technology. To improve skills. To earn money. To compete with others. To become famous. Some work for lock manufacturers and don’t publish known weaknesses, because they are loyal to their employer and don’t want to endanger a lot of jobs.

    I guess a lot of different opinions on this can be valid –
    I find it very difficult to make my own judgement about different cases.

    E.g. I don’t have a high opinion of people who publish an attack to take revenge on a lock manufacturer, because they were not treated nicely.
    But what if they did *not* publish the attack?
    I want security to be transparent for me. I want to know what level of security a locking system offers for me. I want to know if my Protec can be milled or manipulated.

    But, when I myself find a way to manipulate a lock to which no successful attack has been published yet – will I tell the lock manufacturer? Or will I try to sell the tool concept to John Falle and keep it secret? Will I accept if the manufacturer wants to buy the tool concept and keep the public uninformed? Or will I give a speech about it at the next big locksport event?

    I’d love to hear what someone who has been there did and why.

    All others are entitled to their own opinion, too; I however find it difficult to judge about others when I haven’t been there.

    Cheers,
    mh

  12. TOWCH says:

    It’s not like you can ask for hush money, so you’re getting paid for your courtesy through improved relations or not at all.

    IMO, at its core:
    Marc’s process improves the odds of the consumer getting an exchange. Short term publicity benefits.

    Your process has long term access benefits, and benefits the consumer through resulting improved research+disclosure.

    I guess it depends on how generous the lock companies are being. If they take your courtesy for granted: get some people some free locks.

    Remember: if you give a mouse a cookie.

  13. raimundo says:

    There is no one who has the authority to prevent disclosure, and there never should be. People understand that when they buy a cheap lock, that’s what they’re gonna get, but the HS lock companies seem to think that Kwikset is the standard to beat.
    If you make a lock and make claims about its security, that security will be tested, by crooks, and now by experts in locks. Your claim of the effectiveness of your lock should not rest on claiming it’s unfair to test the claim.
    I really love to find the stories where very low tech/smart-monkey tech beats the purported HS. Like when the black marker defeated Sony’s copyright protection about a week after it came out.
    In locks, the parallel is the way Marc Tobias found that Medeco single cylinder deadbolts are livebolts if you just tension the core.

  14. John C says:

    I respectfully disagree.

    Locks are manufactured and tested to various security standards. If there is a weakness it is down to the standards and there are numerous options available to anyone to address. If a product is sold as being to a certain standard and it isn’t, that’s different and again there is redress available.

    Bypassing someone’s copyright isn’t smart; it may be popular but it is dishonest.

    A very good example of where a new low cost lock managed to achieve a very high degree of pick resistance is Kwikset’s SmartKey. A very clever design that is built to sell as low cost. It could be beefed up but that isn’t Kwikset’s market.

  15. pk says:

    From 1993 to 2008 there were 800 callbacks by major automobile manufacturers. If there is the risk that your car cannot brake any more, or if the airbags don’t inflate in an accident – would you like to know? Think about that.
    What happens if one person dislikes another one and wants to kick him out of business? Could he buy drugs or other criminal goods and place them in his office? Would someone believe the victim when there are no signs of a break-in?
    The car guys have responsibility for their customers. Do the lock guys have no responsibility?

  16. locfoc says:

    The question is the side on which disclosure is more important and ethics, morals and general humanity come in to play in this. Is it more important for the company to keep full disclosure of their products?

    If the lock manufacturers keep full disclosure the consumer will get the shaft. The vulnerabilities will travel over online private forums and lock sport groups and the consumer will never know, but these techniques will be embraced by criminals. The same concept works with hackers and mass distributed services on Linux servers. Once a bug is found there are mass hacks because they don’t disclose the bugs to the community or public. If the vulnerability is made public there is a near immediate patch and the hack doesn’t work anymore.

    Why should locks be any different?

  17. raimundo says:

    Medeco once had a challenge prize for picking their locks. I understand that the locks were in fact picked within a few years of this advertising claim. But Medeco never disclosed how many people it paid off on this claim. While they no longer make the challenge, once they did, they invited lock experts to take them on. They never made an equally strong effort to withdraw the challenge, for obvious marketing reasons. Therefore people who heard about it are welcome to take them on and publish their results.
    Only an agile company that is willing to look at discovered vulnerabilities and patch them should make a challenge.
    @John C: I was not advocating copyright piracy, I was saying that I enjoy hearing about low tech that trumps high tech. Our world as it’s functioning now, with all the super techy infrastructure, could crash like a hollowed out financial system and low tech will still work.
    Of course, I like to work with hand tools and don’t rely on power tools.

  18. John C says:

    I agree about the joy of low tech overcoming high tech. The philosophy behind fundamentally secure ‘low tech’ is not taken on board by those who think High Tech is the new master and the only game in town.

    The premium we are expected to pay for so called high tech irks me greatly. I don’t have any problems having a go at misleading claims in the public arena if needs be. If the manufacturer has not made such claims then I think that is different.

    One of the greatest ever tools that poses a huge threat to us all is the medium I’m using now: the internet. Part of me would like to see far more regulation but there is another part that says leave it alone.

    We all know the internet isn’t perfect, it isn’t secure and probably can’t be made secure without all our PCs etc being replaced. So we live with it and the risk it poses. Nobody seems motivated to hang a software company that has a defect which allows a virus to manifest, as long as there is a ‘fix’. Most of us (including me) wouldn’t understand word one of what the problem and fix was at a technical level. In other words it appears that it is acceptable for the internet to be insecure yet not acceptable for other means of providing security to have ANY weakness. I find that very ironic.

  19. NKT says:

    I see this from both sides. I open doors all day, often without the owner’s consent, and occasionally with them actively trying to stop me. If we have to call in the police, I and they want the door opened as fast as possible, and better for me to pop it open nicely than for the police to smash the door, quite literally, into bits.
    On the other hand, I like to sell my clients the best locks for the money that I can. While some would say “Never sell a lock you can’t open” I disagree, but only if the customer is prepared to pay for that top-end lock should they get it. If an exploit came along for said high-end locks, then I would certainly flag it up to them.

    There are plenty of doors near here with things like EVVA 3KS, ASSA SCD and the like. They tend to be fitted by the council to doors that house their tenants. This really annoys me, for some reason. Not only do they not pay for the door or the lock or the house, but they get better locks and security at taxpayers expense than almost any taxpayer!

    My point? Life is unfair. I can and have opened “high security” doors in mere seconds. Other times that same make and model of lock has stalled me for an hour. Should we be suing the maker because on one day I’m on top of my game? Or because the bitting on that lock wasn’t very strong? Or because whoever fitted the lock did it wrongly? Or because the door was rotten? These are all exploits. Flagging them up to people doesn’t often help.

    And the analogy with software is very, very flawed. Even to replace a hundred locks would drive me out of business, if it was at my total expense. Patching a program, however, takes a few seconds to “push” out, or, more commonly, the install is done by the owner – if they want to patch, they can. If the lock manufacturers simply sent people the anti-bump pin (for example) to put in their lock, how many could? Because that is the same thing – it’s a patch to be applied by the customer.

    Further, when a patch breaks something in software, you can simply re-install or re-patch. Try doing that with a stack of Abus discs if you drop them because you don’t know what you are doing. Or you take the head off a screw because it’s the wrong size driver, etc.

    Lastly, obviously, the cost of putting a patch on your website is pennies for distribution. The cost of just the postage for 100 lock bits would be, even if a second class stamp and envelope, over £30. Add in time spent doing a mailmerge, going to the post office, etc. and it’s hilarious to think that it could be done.

    The answer is that locks need testing, then they need to be sold for profit. If something comes up that was unforeseen, you sell the lock without that claim, or you change the design. But suggesting that anyone repair, patch or replace for free something that, after all, still works, is laughable.