A little delay updating blackback as I am quite busy with non-lock related stuff. But looking back at Hacking At Random’ still makes me smile … it was great! The people, the championships, the lockpick village, the presentations, the atmosphere … it all was magic.

And for us it was the ultimate dress rehearsal for the mega-event that is waiting for us at the 2010 ELF/LockCon conference in Turkey. The most important thing about that conference (for us) is that it will host the first official European lockpick championships. And we will be organizing it. Lockpickers from all over the globe could try to win three full paid ticket to that event at HAR.

From the beginning it was unclear if Julian Hardt could make it to Hacking At Random. But the moment he tapped on my shoulder and we greeted each other I said out loud: there go our tickets to Turkey.

And I was right. Julian won the most prestigious ticket to be won: that of the ‘unofficial european lockpick championships‘. And even though it was a hard battle, it was no surprise the winner would (most likely) be from Germany. And for me personally it was no surprise it would be Julian Hardt. I immediately admit that people like ‘Master of the universe’ Dr. Manfred Bölker or Arthur Meister also had a fair chance to win. But Julian is a multi-talent that keeps impressing us with his skills. He was the only one that managed to open the notorious Lips 6 pin in the finals (containing very nasty serrated pins). And on a side note: we just had another safe opening weekend where Julian proofed to be a bad-ass safecracker by picking open a couple of very high security safes (one of them containing a mauer variator B, 11 lever lock). The big surprise at the lockpick championships was to see Peter Fuhrmann from Labor/Bochum getting second! Arthur Meister and Gerhard Heperle became third and fourth.

Julian also became winner of the safe combination manipulation contest. In the qualifiers he opened his lock in 57 minutes … just three minutes before the end. In the finals he managed to dial open the lock in an impressive 21 minutes! But since Julian already won a ticket in the lockpick championships, second place winner Michael Huebler now won the ‘all in ticket’ to Turkey.

As the Germans have a tradition in winning lockpic games, the Dutch seem to have a reputation to protect when it comes to impressioning. Three out of the last four games were won by Toool members and the absolute world record time of 1 minute and 27 seconds is set by Jos Weyers from Toool too. It is interesting to note that both number two (Oliver Diederichsen) and three (Dr. Manfred Bölker) at HAR broke the previous record of 4:23 (by Olivier Diederichsen) by going well under the magical ‘four minute border’.

Still, we are not really clear about the future of these games in the current setup. For example: at the games in Sneek 2008 Oliver used 52 minutes to open a lock that would normally take him (much) less then ten minutes to open. And a few months ago in Hamburg Jos scored 46 minutes on a lock using six blanks … not to mention me not opening the lock at all.

This all makes it feel like some kind of lottery. So maybe we will sit down with some people before Turkey and work on a new style game to rule out this luck/bad luck factor (for example: people playing against each other on the same locks, using knock-out rounds).

There is so much more to say about HAR that I will split the post. The follow up will be about the presentations, the lockpick village and the more interesting things that happened there …

I am currently a little busy. So my HAR post will have to wait a couple of days …. Hope to finish it in the next 48 hours orso …

I have been looking forward to the HAR conference for a long time. After all, it was going to be the moment to publicly talk about our discovery on bypassing the electronic locking part on the first generation Mul-T-Lock Cliq. More then one year ago we discovered the samples we had in some instances could be opened with the so called ‘magnetic ring’ (you still needed to have the correct mechanical key or bypass the mechanical part). An important discovery as the attack would not show up in the electronic logfile in the lock. And the integrity of the logfile is a key issue in these kind of systems. So we immediately informed Mul-T-Lock about this problem. And even though communication did not always go smooth we came to an agreement. We agreed to go into full detail about this at the HAR conference in 2009. And that is what we just did. At the presentation we showed the problem was not magnetism … it was vibration!

At the presentation we explained how the blocking of the electronic part of these locks work.

In the meantime Mul-T-Lock came out with a new version and we even received some samples to test. How successful the fix was still has to be determined. And communication is still slow. Marc Tobias and Tobias Bluzmanis claimed at DefCon to be able to still open the latest generation Mul-T-Lock Cliq locks (and a wide range of other electronic and electromechanical locks). They briefed us behind closed doors and I can only say their claims look solid (as was to be expected from these clever and high-profile security experts!).

At the HAR presentation we also demonstrated attacks on electronic locks that make use of the basic Dallas Ibutton key. This key is nothing more then a device that spits out a 64 bit number. If the number is on the list of the lock it will open. I read somewhere 175 million of these keys are in use. We found it is not difficult to duplicate these keys.

What is more interesting is that we found a way to scan for keys on some of these locks. Scanning a 64 bit key can take forever (at approximately one key per second!). However … we discovered sometimes these keys are handed out in batches with numbers following up or in close range of each other. In those cases it might be possible to scan for numbers in a known range.

And our presentation contains some other attack vectors you might enjoy….

To see the entire presentation you need to go to: www.rehash.nl , select ‘HAR2009’ and enter ‘lockpicking’. Unfortunately there is no deeplink to our presentation yet….

Presenting these hacks was nice, but more important to me we also tried to address a more serious topic. That of disclosure and dealing with lock manufacturers.

I like to keep things simple. If we discover a vulnerability in a lock we will notify the manufacturer. We will tell them what we know and most of the time an interesting and technical discussion is started. And sometimes the manufacturer is a little reluctant and barely wants (or dares) to communicate. Especially in the US the stakes can be high for them because of the ‘I will sue you’ culture. So in a way we understand both approaches and are fine with them, as long as it is clear we will go public on the vulnerability at one moment in time. In general we are talking giving them three to six months, although a longer period can be negotiated if that time is needed to update specific projects or customers.

The philosophy behind this is approach is to give the manufacturer some time to fix the problem, inform it’s customers, exchange locks or prepare a press statement. The fact they know a publication is coming should be enough to motivate them to do the right thing. Going public on the vulnerability will send out a clear signal: better make good locks! There are motivated people out there paying attention to what you do and who will write about it if weak spots are discovered.

So far so good ….

What we have seen lately is that lock manufacturers (try to) fix problems but no longer openly want to discuss their fixes. It could be because of this ‘I sue you culture’, but it also creates a lot of ‘security trough obscurity’. And to me that is a sign of weakness. After all, how can we evaluate the ‘new and improved’ product if the manufacturer is reluctant to release information on how they (supposedly?) fixed a problem? The ‘just trust us, we know what we are doing’ approach is not something that gives me a warm fuzzy feeling … at all.

By not saying anything about the fix the researchers are delayed. Or if they have a limited number of locks to test they might even miss an important new feature that is incorporated in some of the new locks. But at the end of the day the information leaks out or is distilled from a greater pool of locks. And since the researchers are highly motivated, the product will fall anyway. Only by it taking a little longer to fall, more locks are sold and more locks are affected when it happens.

Interestingly enough it now seems some security researchers are going the same route as the lock manufacturers. They claim specific locks can be bypassed but refuse to tell the manufacturer how they did it. Only if the manufacturer promises to exchange all the locks in the field (free of charge) they are willing to explain how the technique works. The idea behind this is they are trying to do the end customer a favor. After all, nobody knows how to bypass the customers lock and the manufacturer has to change it free of charge before anyone else hears about it. Logically the lock manufacturer will first try to find the problem itself, but now learns what it feels like to be kept in the dark. Even if they find a vulnerability they can never be sure it is the same one the researchers found. So a fix created does not necessarily means it actually works against the unknown attack…. or if the fix introduces an even bigger problem! And instead of being happy, the end customer is getting nervous. What if someone else finds out about the problem?

There may well be a few extreme cases where putting lots of pressure on some manufacturer is justified because they are really screwing over the public interest. But in general we feel everyone benefits if we try to keep as much information available to as many parties as possible, as quickly as possible. That way, consumers can make informed choices, manufacturers still make their own judgments (and face public scrutiny on them) and manufacturers and enthusiasts can continue to learn from eachother.

Let us try to keep the research area open and transparent and all learn from these discoveries…..

Newsflash: The LockCon #2 impressioning games were won by Jos Weyers (Toool.nl).
His time: 1 minute and 27 seconds (that is 87 seconds for a five pin lock …).

Some technical background on the lock: Abus 5 pin, non-masterkeyed, type C83, pin depths 3-2-6-7-4.

Now I need some time to relax.
When my internal battery is charged up a little I will try to write a nice post about HAR ….

The HAR camp is on schedule. As a matter of fact: they are ahead of schedule. When we arrived this morning the tent was already set up, the only thing we had to do was carry ten big tables and thirty five chairs in. And the tent is much bigger as I expected too! I am sure we are going to have one hell of a time there!

I am real curious how the lockpick championships will go. After all, there is quite something at stake! The games will be played in on solid ground and not in a tent. The risk of rain on a Dutch event just is too big. So for this we rented a nice location (on walking distance from lockpick village). Please visit us at the ‘paasheuvel zaal’ on Saturday from 11:30 till +- 16:00 to see the lockpick championships, or at 23:00 on Saturday evening for the impressioning games. The reason we are doing the impressioning games so late is to give Oliver Diederichsen a fair chance to win a ‘double whammy‘ too. Lets see how that all goes …. I am looking very forward to it all!

Just got back from Vegas and will share some experiences with you….

Lets start with the US lockpick championships:

And the winner is … JGOR!

From the fifty participants that attended the US lockpick championships at the Defcon17 conference, JGOR stood out. It was impressive to see his ‘cool’ way of picking. While his opponents were nervously raking and rapidly moving the tools in and out the lock he was just calmly picking. Setting one pin at the time yet opening locks in impressive times (like 17 seconds in the finals on a lock others did not open). To me it is clear the best man won. Second best was Schuyler Towne, third was a draw between Chris Pentacoff and Tokey (from France!).

By winning the US lockpick championships Jgor won a full paid plane ticket to the European lockpick championships in Turkey next year. It will be interesting to see how well he does there.

Deviant and Babak (Toool.US) did a great job organizing the lockpick village and the various lockpick games. One of the things I admire from Babak and Deviant is their eye for detail. Take for instance the locks used in the games. These locks are connected to an electronic timer that stops when the lock is opened!

Fun:

It is always fun in Vegas. Renderman introduced me to one of his friends who had a little problem with some of her locks. I seem to be losing my touch as I was not able to open the simple lock. Maybe it was the jetlag? After hearing the story, my dear wife Charlotte found an appropriate t-shirt for me at the vendor area two days later. Other fun was meeting some famous people in vegas.

The vendor area:

As you can see on the video above, there was lots of activity at the vendor area. There even was a stand selling bumpkeys (using a slightly NSFW booth-babe). Check the youtube video for details (and a good laugh).

Public and private talks:

I only visited one presentation. Obviously it was the one by Mark Tobias and Tobias Bluzmanis. Han and I spoke with them before the presentation and learned about the details of their attacks on some of the electromechanical Cliq locks. Pretty impressive things they have come up with. They did not go publicly into details on how to bypass these expensive ‘top of the line’ high security locks. Han and I know the Cliq system well as we did conduct our own research for a year now too. And we will go into details when we discuss our research at our presentation at HAR next week. Interesting times we live in ….

Dangerous place:

Defcon is a dangerous place. At least for those that are not computer savvy. The famous ‘Wall of sheep’ was showing (parts of) login data of those not using SSL or other types of encryption when popping mail or transferring files etc….

But even when Defcon is a dangerous place … we all made it back safe. Now preparing for HAR! Hope to see you there!

As you might know I am in Las Vegas for the Defcon conference. Not a lot of time to spend on my blog at this moment 🙂

Now on my way to an interesting presentation ….

Hurrying to finish this post before I start packing for DefCon in Vegas. Exciting news: it looks as if LockCon 2010 and the accompanying lockpicking championships will be held in Turkey. The events will coincide with the convention of the ELF, the European Locksmith Federation. This means that participants and visitors to LockCon can also visit this (rather cool) lock-related ELF convention. More details can be found below, and I will probably also re-visit this topic in the coming weeks and months.

On another front, there’s more information about lock-related events at the HAR convention that is happening just two weeks from now. Most of that information is written FAQ-style, as you will see below.

My next post will most likely be from sunny Las Vegas…

ELF – Turkey – LockCon 2010 – Lockpicking championships

Wow … Just received an exiting call I have been waiting on for weeks now … we have ‘green light’!

At the ELF meeting in Poland I was approached by the President of ELF Turkey. I learned the Turkish Locksmiths now officially became part of ELF (European Locksmith Federation) and will organize the yearly ELF convention in 2010 in Turkey. He then asked me if it was possible to organize our yearly lockpick championships at this ELF convention in 2010. A great offer, especially if you keep in mind they are willing to sponsor us financially to make it all happen. But instead of saying ‘yes Sir’ immediately, I asked for some time to think about it. After all, the lockpick championships we have in Sneek (The Netherlands) are the most international lockpick championships in the world, but only because they are part of our yearly ‘lockcon’ conference. It is the combination of LockCon and the Lockpick championships that make it such a great event.

After some thinking about it, we made him a counter offer: we are willing to organize the lockpick championships in Turkey, but only if we can also host LockCon at the same event (a day before the ELF convention). And today I (finally) received the green light!

Personally I am thrilled about this deal as it really means something for the locksport community to be taken this serious by the industry. With only nineteen days before this years championships at the HAR conference in Vierhouten (The Netherlands) I have an important announcement to make: As part of the sponsorship deal with ELF, the winners of this years lockpick championships at HAR 2009 will win an ‘all in’ ticket to LockCon/ELF Turkey 2010 (‘all in’ means plane and hotel *). The same goes for the winner of the impressioning games and the combination lock manipulation game. So three ‘all in’ tickets can be won! (* disclaimer at the bottom of this posting)

The same goes for the lockpick championships in Germany. The winner of the German SSDeV ‘hand opening lockpick contest’ will win an ‘all in’ ticket’ to Turkey too. And since Oliver Diederichsen already won the 2009 impressioning games in Germany he will get his trip to Turkey sponsored too.

The last ticket we will get sponsored is for the winner of the US lockpick games at DEFCON17. Toool.US will be organizing these games in the lockpick village at DEFCON, and the winner of these games can represent the US locksport community at the official first European lockpick championships in Turkey 2010!

And I will personally see we all (the participants of previous LockCon events) will benefit from this sponsorship deal. So you do not have to win any of the games to get a good deal!

I am now packing my gear to go to DEFCON17 (Las Vegas) and look forward to see my friends in the lockpick village soon!

Hacking At Random 2009

The HAR LockPick championship FAQ

Normally Toool’s Dutch Open lockpick championships are held at the youth hostel in Sneek (Friesland, NL). However, if there is a special event or location that wants us there we can be persuaded to move to that location. And this has happened at previous Dutch hacker camps and will happen again at HAR.

It is crucial you read the following FAQ and register for the championships as fast as possible! Registration closes at August 5! (*Edit Barry: please mail lockcon09 @ toool nl)

First question in the FAQ:

Q: what kind of championships are there at HAR?
A: There will be three kinds of games: lockpicking, impressioning and safe combination lock manipulation.

Lest start with the lockpick championships:

Q: When will the Dutch Open lockpick championships be held?
A: On Saturday August 15 the games will start at 11:30. Depending on how fast the rounds go, the finals will most likely be at 18:30.

Q: Where will it be held?
A: As the games are part of the HAR conference, it will be held at the HAR campsite. For a moment we were tempted to do the games at the Lockpick village tent but at the end preferred to spend some money and battle on ‘solid ground’. For this purpose we rented the ‘paasheuvel zaal’ building for the entire saturday.

Q: What kind of locks will be used at the championships?
A: To give lockpickers from all over the planet a fair chance we decided to keep the exact brands secret until two minutes before the games.

Q: What can I win?
A: Traditionally we offer great prizes (as the contacts with the lock industry are pretty good and we always manage to arrange nice cut-away locks as prizes). This year we have something even more special: an all exclusive ticket (plane + hotel) to the first official European Lockpick championships at the ELF (European Locksmith Federation) conference in 2010 in Turkey! (* read disclaimer!) Of course the second and third prize winners will also receive something worthwhile.

Q: I am not a star lockpicker … why should I attend?
A: Lockpicking is fun, fun, fun, and you can only become good at something if you try and get more experienced. Not to mention that by lottery we will give away a nice cut-away lock, an official Toool pickset and some other nice prizes.

Q: How many people can attend?
A: There is room for a maximum of sixty people, so register fast!

Q: Is it possible to just visit the lockpick games?
A: This is possible. We have made a deal with the HAR organizers that (a limited number of) ‘known’ lockpickers can buy a special ‘day ticket’. These day tickets are valid on Saturday and Sunday. And we managed to squeeze a good deal out of them: for just 25 euro’s you can visit the championships on Saturday and stay till Sunday. This will allow you to see the lockpick presentations at 20:00 and 21:00 on Saturday evening. Just a small warning: you have to be a lockpicker to be able to make use of this deal! Please mail lockcon09 @ toool nl to apply for this deal!

Q: how are the games played?
A: The games are played (as always) according to the ‘Dutch rules’. These rules were optimized to give each participant a fair chance. This means (in short): per round, two people play against each other and will each receive a lock from us. If they manage to open the lock in under seven minutes, they write down their time. After seven minutes they switch locks, and again try to pick it in seven minutes. The person opening the most locks always wins, as two locks open is always better as one lock opened (no matter what times are scored). If both persons opened the same number of locks, the person doing so in the least amount of time wins. The winners of each round will receive a point, and in the next round pools will be made of people who do have one point and people who have zero point. At the next round, sets of two people will be made that have one point and they will play against each. In the other pools sets are made by people who have zero points. And so on, until four people have collected six point (* depending on the number of participants this number can change). In the semi-finals we will traditionally have special, more difficult, locks to pick. The rules will be discussed in detail before the games start. and other questions will be answered at the lockpick village.

Q: I still have a hard time imagining this …
A: Read the excellent article in Wired about one of the previous Dutch Open games, or view the video impression of the games and interview with last event’s winner Torsten Quast (MP4 17 minutes, 139 MB).

The impressioning games

Q: What is impressioning?
A: Impressioning is the art of filing a working key to a closed lock without any prior knowledge about the original key or the lock.

Q: How is this possible?
A: That is a little difficult to explain in a few sentences. Oliver Diederichsen (2009 champion of the impressioning games in Germany and holder of the record time of four minutes and XX seconds) wrote a book about this topic and there will be room to explain and demonstrate the impressioning technique at the lockpick village.

Q: When are the games?
A: We are not 100% sure yet, but most likely it will be on the last day of HAR: Sunday August 16 at 10:00 or 10:30 AM.

Q: Where will it be held?
A: We hope renting the ‘paasheuvel zaal’ building for the lockpick games on saturday is a 24 hour deal. As the impressioning games only take 60 minutes (and the winner will most likely open the lock in under five or six minutes) this would mean we can get the most of out if. If this is not the case we might have to shift the games to Saturday evening/night after the lockpick presentations, or play on sunday in the lockpick village tent.

Q: What kind of locks are used?
A: Abus is sponsoring the event with locks and blanks. The lock used will be a standard abus C83.

Q: What can I win?
A: First of all: your name will be added to the special challenge cup. This cup contains a special Abus watch that was a reward for winning the last Dutch Open impressioning games. Oliver Diederichsen turned the watch into a challenge cup that will move from winner to winner (read the full story here). And besides fame, we also offer a free ‘all inclusive’ ticket to the first European impressioning games at the ELF convention in 2010 in Turkey!

Q: I still have a hard time imagining this …
A: Have a look at this video. It was shot by Steffen Wernéry at the last Dutch Open impressioning championships and should give you a good idea about what the games look like.

The safe combination dial contest

Q: What is ‘safe combination lock manipulation’?
A: It is a technique used to open the combination lock used on safes without damaging it. It is the kind of thing you see in movies when they listen to the ‘clicks’ in the lock to open it.

Q: How does it work?
A: Standard safe combination locks can be opened by measuring small mechanical tolerances in the lock. Instead of listening for clicks we are achieving this by dialing known combinations and closely looking at the dial for fluctuations. Again, just as with impressioning this topic will be explained in the lockpick village.

Q: When are the games?
A: The finals will be held on Sunday, the qualifiers in the days before that.

Q: How do I qualify for the finals?
A: First of all you have to register! After we know exactly how many people will attend we can make a schedule. This is the rough outline of the games (it can change as it is only the second time ever such a championship is organized inside the locksport community) In short: it’s a knock-out system. At random, two players will be selected that will both receive an identical safe lock. Both locks will have the same combination and the same mechanical properties. Both players will start on the lock at the same time, and the person opening the lock first will go on to the next round! Depending on how many people attend there might be room for a ‘wildcard’. So just maybe all the people that get knocked out can battle for a place in the finals through a separate round. On Saturday evening/night there will be (limited) room for the people arriving on Saturday with a dayticket to earn a place into the finals on Sunday.

Q: What can I win?
A: Fame: If you win, you will be the first person to have ever won a safe combo game (in the locksport community). But if you managed to read all trough the bottom of this FAQ, you can guess it: the winner gets an ‘all inclusive’ flight+hotel ticket to the 2010 European safe combination contest at the ELF tradeshow in Ankara Turkey.

Q: I still have a hard time imagining this …
A: For more technical details read Matt Blaze his excellent article (PDF) on safe combo manipulation.

—

* and last but not least, an important disclaimer: I have reached a verbal agreement with ELF regarding this LockCon/Championships sponsorship deal. I completely expect them to come through on this one, but someone advised me to insert the following disclaimer anyway: Toool (and/or it’s members) can not be held responsible in any way, shape, or form if this sponsorship deal bounces after all.

A little while ago a good friend informed me about a ‘must have’ lock that was for sale on e-bay. It was a large unique masterpiece lock made out of plexiglass. It is the kind of lock you normally only see at trade shows, and I am quite sure that this is the reason the lock was ever made in the first place.

As I said, the lock is a masterpiece! It comes with two keys: one ‘normal’ dimple key (including the famous DOM ball) and one ‘split key’ that consists of two parts. The idea behind it is that if two people have one half of the key they can only open the lock when they are together. A nice idea and a piece of art if you see it magnified in plexiglass ….

The moment I saw the first images this lock I immediately clicked the ‘buy now’ option and paid with trembling fingers …. this lock is cool 🙂 Communication with seller “lordfairfox” (aka Anthony Fox) went smooth. He did send the lock straight away and when I received it in good order I send him a nice ‘thank you’ mail. He did reply me to following: “A gentleman from the Netherlands offered me 1,500 euros for it when the listing was finished! I was tempted but could not go back on our deal. I hope you enjoy your lock”.

I later learned the identity of this mysterious person who made the offer, and know for a fact Anthony spoke the truth. To me Anthony proved to be worthy of his nick ‘Lord Fair Fox’! And with this post I would like to thank him and make sure many people will enjoy looking at it and playing with this remarkable lock at the HAR conference!

And speaking of HAR: Today is the last day you can order tickets for the ‘pre-sale’ price. I am working on a somewhat long and hopefully inspiring piece of text for HAR, but lack inspiration 🙂 But for now I can only direct you to the HAR WIKI to read about the lockpick village …. Hopefully inspiration comes quickly. There will be an update in a couple of days …

Detailed information on the lock and it’s security features can be found on page 11 on Han Fey’s excellent article on DOM IX (PDF) .

As far as I can see now, 2009 will be the year of exploits for electronic and electro-mechanical locks. As you can read on Marc Tobias his blog they will talk about some exploits against these kind of locks at Defcon. And so will Han Fey and me (in more detail) at the HAR conference two weeks after Defcon.

And there are others doing the same thing. Take for example a mysterious group calling themselves ‘lockbeepers’. They just published a report about the Burgwächter TSE 3000, showing two interesting attack vectors.

The image above shows the heart of the Burgwächter TSE 3000. For those unfamiliar with the lock: it is a fully electronic lock that replaces a mechanical lock. Instead of using a key you have to enter a PIN on a keypad.

The lockbeepers seem to have had a hell of a time analyzing it as you can read in their report (PDF).

In the report they explain two possible ways of attacking this lock. The first attack is locating the cable the pin numbers are being transported by (in the clear). Hooking up a small chip on that line would allow anyone to record and replay the pin-numbers captured.

The second attack is more practical: it shows you where to apply power on the circuit board and open the lock. According to the lockbeepers it is not difficult to reach that point.

I would like to thank the lockbeepers for their document and hope to see more work from their hands. If they do you will most likely read it on blackbag …