Let’s keep the discussion about locks and physical security open.

I have been looking forward to the HAR conference for a long time. After all, it was going to be the moment to publicly talk about our discovery on bypassing the electronic locking part on the first generation Mul-T-Lock Cliq. More than one year ago we discovered the samples we had in some instances could be opened with the so-called ‘magnetic ring’ (you still needed to have the correct mechanical key or bypass the mechanical part). An important discovery as the attack would not show up in the electronic logfile in the lock. And the integrity of the logfile is a key issue in these kinds of systems. So we immediately informed Mul-T-Lock about this problem. And even though communication did not always go smoothly we came to an agreement. We agreed to go into full detail about this at the HAR conference in 2009. And that is what we just did. At the presentation we showed the problem was not magnetism … it was vibration!

At the presentation we explained how the blocking of the electronic part of these locks works.

In the meantime Mul-T-Lock came out with a new version and we even received some samples to test. How successful the fix was still has to be determined. And communication is still slow. Marc Tobias and Tobias Bluzmanis claimed at DefCon to be able to still open the latest generation Mul-T-Lock Cliq locks (and a wide range of other electronic and electromechanical locks). They briefed us behind closed doors and I can only say their claims look solid (as was to be expected from these clever and high-profile security experts!).

At the HAR presentation we also demonstrated attacks on electronic locks that make use of the basic Dallas iButton key. This key is nothing more than a device that spits out a 64-bit number. If the number is on the list of the lock it will open. I read somewhere 175 million of these keys are in use. We found it is not difficult to duplicate these keys.

What is more interesting is that we found a way to scan for keys on some of these locks. Scanning a 64-bit key can take forever (at approximately one key per second!). However … we discovered sometimes these keys are handed out in batches with numbers following up or in close range of each other. In those cases it might be possible to scan for numbers in a known range.
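An added example (not part of the original presentation) of how an administrator could check a lock's enrolled key list for the batch effect described above. It treats each key as a plain 64-bit number, as the post does, and uses the post's rate of about one key per second; the sample IDs and the `max_gap` threshold are constructed for illustration.

```python
SECONDS_PER_TRY = 1.0      # the post's figure: roughly one key per second
FULL_SPACE = 2 ** 64       # key treated as a plain 64-bit number (assumption)

def clusters(ids, max_gap):
    """Group the sorted IDs into runs whose neighbours differ by <= max_gap."""
    runs = []
    for key in sorted(set(ids)):
        if runs and key - runs[-1][-1] <= max_gap:
            runs[-1].append(key)
        else:
            runs.append([key])
    return runs

def audit(ids, max_gap=1000):
    """For every run of 2+ close IDs, report how small the covering range is."""
    report = []
    for run in clusters(ids, max_gap):
        if len(run) < 2:
            continue                      # an isolated key reveals no range
        span = run[-1] - run[0] + 1
        report.append({
            "keys": len(run),
            "span": span,
            "hours_to_cover": span * SECONDS_PER_TRY / 3600,
            "density": len(run) / span,   # share of the range that is enrolled
        })
    return report

def full_space_years():
    """Time to walk the whole 64-bit space at the post's rate."""
    return FULL_SPACE * SECONDS_PER_TRY / (365.25 * 24 * 3600)

# Constructed allow list: four keys from one batch plus one unrelated key.
ENROLLED = [
    0x00001A2B3C000010, 0x00001A2B3C000011, 0x00001A2B3C000013,
    0x00001A2B3C000150,
    0x7F00000090000001,
]

if __name__ == "__main__":
    print(f"full space: {full_space_years():.3e} years")
    for row in audit(ENROLLED):
        print(row)
```

A run with a small `span` means that knowing one enrolled key narrows the rest to a range that takes minutes or hours to cover instead of the full 64-bit space; enrolling keys from unrelated batches keeps every run short.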

And our presentation contains some other attack vectors you might enjoy….

To see the entire presentation you need to go to: www.rehash.nl , select ‘HAR2009’ and enter ‘lockpicking’. Unfortunately there is no deeplink to our presentation yet….

Presenting these hacks was nice, but more important to me we also tried to address a more serious topic. That of disclosure and dealing with lock manufacturers.

I like to keep things simple. If we discover a vulnerability in a lock we will notify the manufacturer. We will tell them what we know and most of the time an interesting and technical discussion is started. And sometimes the manufacturer is a little reluctant and barely wants (or dares) to communicate. Especially in the US the stakes can be high for them because of the ‘I will sue you’ culture. So in a way we understand both approaches and are fine with them, as long as it is clear we will go public on the vulnerability at one moment in time. In general we are talking about giving them three to six months, although a longer period can be negotiated if that time is needed to update specific projects or customers.

The philosophy behind this approach is to give the manufacturer some time to fix the problem, inform its customers, exchange locks or prepare a press statement. The fact they know a publication is coming should be enough to motivate them to do the right thing. Going public on the vulnerability will send out a clear signal: better make good locks! There are motivated people out there paying attention to what you do and who will write about it if weak spots are discovered.

So far so good ….

What we have seen lately is that lock manufacturers (try to) fix problems but no longer openly want to discuss their fixes. It could be because of this ‘I sue you culture’, but it also creates a lot of ‘security through obscurity’. And to me that is a sign of weakness. After all, how can we evaluate the ‘new and improved’ product if the manufacturer is reluctant to release information on how they (supposedly?) fixed a problem? The ‘just trust us, we know what we are doing’ approach is not something that gives me a warm fuzzy feeling … at all.

By not saying anything about the fix the researchers are delayed. Or if they have a limited number of locks to test they might even miss an important new feature that is incorporated in some of the new locks. But at the end of the day the information leaks out or is distilled from a greater pool of locks. And since the researchers are highly motivated, the product will fall anyway. Only by it taking a little longer to fall, more locks are sold and more locks are affected when it happens.

Interestingly enough it now seems some security researchers are going the same route as the lock manufacturers. They claim specific locks can be bypassed but refuse to tell the manufacturer how they did it. Only if the manufacturer promises to exchange all the locks in the field (free of charge) they are willing to explain how the technique works. The idea behind this is they are trying to do the end customer a favor. After all, nobody knows how to bypass the customer’s lock and the manufacturer has to change it free of charge before anyone else hears about it. Logically the lock manufacturer will first try to find the problem itself, but now learns what it feels like to be kept in the dark. Even if they find a vulnerability they can never be sure it is the same one the researchers found. So a fix created does not necessarily mean it actually works against the unknown attack…. or if the fix introduces an even bigger problem! And instead of being happy, the end customer is getting nervous. What if someone else finds out about the problem?

There may well be a few extreme cases where putting lots of pressure on some manufacturer is justified because they are really screwing over the public interest. But in general we feel everyone benefits if we try to keep as much information available to as many parties as possible, as quickly as possible. That way, consumers can make informed choices, manufacturers still make their own judgments (and face public scrutiny on them) and manufacturers and enthusiasts can continue to learn from each other.

Let us try to keep the research area open and transparent and all learn from these discoveries…..

9 Responses to “Let’s keep the discussion about locks and physical security open.”

  1. NKT says:

    Great post, as ever.

    It was a very interesting presentation. We were planning to heckle you and Han, but you were too good.

    I still worry that the “Exchange all the locks” attitude is going to kill off the (few) remaining small lock companies, as they are likely to have only one lock type, unlike the big companies who can simply plug one of their other non-tarnished brands for a while. We certainly need more small players to keep the lock field innovative.

  2. Travis says:

    great write up Barry, thanks for the coverage. It looks like more and more companies are starting to get into coded locks and they are even easier to compromise than a good mechanical lock.

  3. Parker says:

    I fully agree with the research and testing groups vs. lock companies campaign. In most cases I really disagree with the “Exchange all locks” attitude too though. For the industrial clients that may be a fine ‘customer service’. Other business related alternatives should be acceptable choices in those instances too. In residential areas it’s a ridiculous request to make of a company. But as you said, negotiations can be had with reasonable, conscientious companies.

  4. Squelchtone says:

    Great post Barry, excellent videos as well!

    To comment on what Parker wrote, I wouldn’t hold the twisting pin lock manufacturer to pull every lock they ever made since 1970. I’m sure that when faced with a design problem that reduced their locks’ security, they would immediately fix the locks for their military, government, and high end corporate customers, but I doubt they would care to even make their fix known to the locksmiths around the country who have bought into their brand. As an end user of a twisting pin deadbolt, I honestly wouldn’t expect my local locksmith to call me offering a free replacement, but at the least, as my lock is registered in the computers in Salem, VA, it would be nice to at least get an email or something via regular mail, saying, Hi, a problem was discovered, we can’t cover it by buying you a new lock, but here it is in detail, just so you can make an informed decision as to your security needs. You can go to the local locksmith who sold it to you and buy the parts to fix it, pay the locksmith to fix it, or do nothing. This scenario would be a good start.

    Keep up the good work Barry, you’re a bright light in a very dark tunnel.

  5. sfi72 says:

    ^^^^The twisting pin manufacturer eh? But seriously, it is a little ridiculous to ask them to replace all the locks. I think maybe they could set something up where when you buy a lock, you have the option to pay some fee (maybe some % of the lock price) and then if a major vulnerability is discovered, they will replace/fix all the locks free of charge. Seems like a fair way to compromise.

  6. Schuyler says:

    I was very proud as I read through Eric S.’s notes from your talk at HAR, and even more so to read through your post here. Responsible disclosure in physical security is a subject very dear to my heart, and, as a famous old American commercial goes “I learned it from watching you.”

    It’s this, and many other small things, that keep me picking under the TOOOL Banner.

  7. blar says:

    An attack on locks that use the serial number of an iButton? What’s next–demonstrating vulnerabilities in safes made of wet cardboard? Showing that you can replay a basic iButton serial number is showing us that you can tear apart cardboard–anyone can do that.

    The iButton serial is not a secure mechanism, and isn’t intended to be. If any “locks” are doing something that absurd, please name them publicly.

    If you can show a vulnerability in the DS1963S–which is actually designed for secure use–you might be saying something interesting.

  8. mh says:

    Here’s a list of iButton locks from the manufacturer of the iButtons: http://www.maxim-ic.com/products/ibutton/solutions/search.cfm?Action=DD&id=181
    I’m very sure that most of these simply use the basic iButton version.

    Cheers
    mh

  9. NKT says:

    blar, you totally miss the point (possibly on purpose?) If someone uneducated uses a basic iButton as a key for a secure system, then it becomes an issue.

    It’s like securing a safe with a wafer lock – if you know nothing about locks, a lock is a lock.

    Same with data comms and token protocols – you just pick one that meets the few questions you have (generally: Is this easy to use? Is this cheap enough? Can we get 12,000 of them by next Thursday?) and run with that.