Melle 5

January 12th, 2008

SpiderMelle 5, artwork by Charlotte Wels

Ok, it is all very important … crappy bicycle locks, public transport cards based on toy crypto, etc etc etc …

However, today and yesterday these topics are of no relevance, as my youngest son Melle turned five and demanded a big celebration party 😉

What do you think, will I make the ‘Sunday blackbag posting’ with all these festivities ?!? …. let’s see ….

Trouble for OV chipkaart?!?

January 7th, 2008

We are on the verge of introducing a new payment system for public transport in the Netherlands. This so-called ‘OV Chipkaart’ uses an RF-ID based payment system and is already deployed on a small scale. In less than a year it must be deployed nationwide.

http://commons.wikimedia.org/wiki/Category:OV-chipkaart?uselang=nl

As with all huge government IT projects, the stakes are high. We all know the government does not like to lose face, especially in large IT projects. This project already suffered from delay, but as it seems now this delay might be a blessing in disguise … as the OV-Chipkaart system uses Mifare classic (*) …

I guess we will soon hear more about this …

* source wikipedia: The OV-Chipkaart is based on Philips (currently NXP Semiconductors) Mifare technology. The regular cards (anonymous and personal) are Mifare Classic 4K cards with about 4 Kilobytes of available storage. These cards are locked for both reading and writing with keys only known by the card vendors. The temporary passes are cheaper Mifare Ultralight cards that do not employ encryption or keys, and can be read by anyone.

Update 21:00 Someone pointed out the OV-chipkaart FAQ (translated from Dutch):

Q: Is the OV chipkaart protected?

A: Yes, because the OV-Chipkaart could potentially contain great value, we selected a chip that already uses a high security level (mifare). Besides that, additional security measures are taken ‘in the application on the card’ as well as on the terminals.

Note: So I guess we have nothing to worry about, as they added some additional proprietary security measures …

Relying on Mifare? Better start migrating!

January 6th, 2008

Life for us in the lockpick community is simple. If we want to tackle a specific lock we can just go buy a sample and study it.

During my search for lock knowledge, I have bought several locks simply because I felt the need to disassemble them and satisfy my curiosity. In some cases I had to use a small grinder to cut my way into the lock to make it reveal its secrets. But at the end of the day no lock was ever able to keep its inner workings secret from me.

In that respect our life is easy compared to that of researchers who examine RF-ID systems. Most of the RF-ID vendors keep the inner workings secret. Deep inside a one millimeter chip, a small proprietary encryption routine is held. Virtually impossible to reach, spread over five extremely thin wafers that are all interconnected.

Good luck taking that apart to see if you can reverse engineer the algorithm … or at least that must have been the thought of the inventors of the Mifare RF-ID system. Unfortunately for them, some German researchers did just that … take the one square millimeter chip apart.

And at the latest CCC congress in Berlin, Karsten Nohl and Henryk Plötz gave a brilliant and inspiring presentation about their findings (google video or MP4).

* Karsten Nohl pointing out the different layers

The researchers used a ‘simple’ setup. With lots of patience, they managed to slice off the top of the chip and reach the first layer. Using a 500X magnifying microscope they took a high resolution picture of this layer. They then used some very fine polish and ‘really really carefully’ polished away the first layer, making the second layer visible. And took another picture. And so on. The story does not say how many attempts it took them to produce five high quality images, but it must have been a hell of a job. Not to mention laying these images on top of each other and trying to make sense out of it. According to the researchers this all was ‘painful work’. Well, I take my hat off to them, as it is the kind of research I greatly admire!

It took them some time, but they managed to reverse engineer the Mifare encryption algorithm this way. And with that, the Mifare system seems to be history (for serious applications).

Mifare heavily relies on keeping the encryption scheme secret. The problem is that cheap/affordable RF-ID chips do not have enough CPU to do serious crypto, so keeping the inner workings secret is the only defense. And during the research many more weaknesses in the Mifare system were found. Even if you do not understand everything, I strongly encourage everyone to view the video of the presentation. It is inspiring to say the least, and shows that with determination even the most complex problem can be tackled (well …. almost).

The real lesson learned is that security through obscurity does not work, and only buys you some time. It will bite you in the long run when you use it in widely deployed systems. The problem now is that millions of Mifare chips are deployed in the field, a huge installed base. And most of the users are completely unaware of the disaster that is coming …

So far the users are ‘safe’. The researchers have not given out the full details on Mifare…. yet. But please take their advice seriously: “If you rely on Mifare for anything, start migrating!”. More information about the Mifare hack can be expected in the very near future.

And even though I am thrilled about this attack, I am not too happy. We use Mifare ourselves to secure some parts of some of our offices …. (sigh)

Still I would like to thank the researchers and compliment them for their excellent work and for giving us some time to migrate.

I can not wait to hear more about it!

The Tiger Team and my new year’s resolutions ….

January 2nd, 2008

First of all I would like to wish all loyal blackbag readers a happy new year!

Just like most people I made some new year’s resolutions. The most important one for you (reader of this blog) is that from now on there will be at least one blog entry per week. And it will always be released on Sunday evening (or Monday morning). If there is a lot going on it may be even more active here, but on Sunday/Monday there will be something on blackbag for sure.

using fingerprint powder to detect which keys are used most

And to keep a steady flow of information on this blog, I am looking for informants. That is right, if you have juicy information, or just something you feel would be of interest to the readers of this blog …. please let me know and mail me! (barry at toool nl)

And even though I like to write about new and inventive things, you will sometimes find old news here. But it will be about things I value greatly. Like for instance this posting about the ‘tiger team’.
I read about this great new television show on Schneier’s blog some days ago, but only had time to watch the video streams today. And boy, I like them!

They cover it all: picking locks, cracking safes using fingerprint powder, bypassing alarm systems with magnets, cloning RF-ID cards from someone walking in the streets, using hidden cameras, social engineering people, hacking computers, setting up surveillance … the works!

digital pickpocketing without even touching the victim

The first two episodes can be found on torrent sites or in the newsgroups (alt.binaries.multimedia: Tiger.Team.S01E01.DSR.XviD-iHT, Tiger.Team.S01E02.DSR.XviD-iHT) …. and I will keep an eye open for new episodes ….

Hope you will be able to download them and … visit blackbag on Sunday!

I am a lock-pick until the day I die ….

December 18th, 2007

Who said burglars never pick locks ?!?

‘I’m a lock-pick until the day I die. They’ll have to pry the lock-picks from my cold, dead fingers,’ Joseph Carbone once said.

Old-school jewel thief arrested in Brevard

BY DAVID OVALLE
THE MIAMI HERALD

Condo Joe, slick jewel thief, longtime Miami-Dade police nemesis, bald senior citizen, is back behind bars.

Joseph Carbone, 60, was arrested late Wednesday, this time in Palm Bay for a break-in across Alligator Alley in Collier County.

Deputies say a husband and wife surprised him just after 1 p.m. Nov. 14 as he rifled through a nightstand inside their condo. Carbone escaped and zoomed off in a black Ford Crown Victoria — but not before the couple jotted down his license plate.

“I’ve spent 30 years chasing this guy and he just doesn’t want to quit,” said retired Miami-Dade Detective Michael Crowley.

Crowley and Miami-Dade Sgt. Thomas “Bulldog” Blake spent decades tracking the old-breed lock-pick thief who targeted high-rise condos and high-end jewelry.

In the mid-1970s, Blake drew national headlines for his pursuit of Carbone, who bragged about wearing expensive jewelry while committing heists, stayed at swank hotels and always valet parked.

For 18 months, Blake tracked Carbone, tailing him while off duty — even distributing fliers to police along the East Coast while on vacation with his family.

His diligence paid off. Alerted to Carbone’s presence, Virginia authorities arrested Carbone with stolen jewelry and a set of lock picks on him.

Blake helped arrest Carbone two more times, in 1984 and 1990.

Carbone was unabashed about his career choice.

“I’m a lock-pick until the day I die. They’ll have to pry the lock-picks from my cold, dead fingers,” Carbone once told Blake.

After a 19-month stint in state prison, Carbone was released on probation in February 2004 but disappeared. He was arrested within a month at the Best Western Floridian Hotel in Cutler Ridge.

Found in his room: some 15 lock picks, jewelry, watches — and copies of old Miami Herald articles chronicling his exploits.

He was released from prison a month later and finished his probation in October 2005. Though he slipped off the radar, Crowley and Blake suspected he had returned to his old ways.

Carbone was again arrested this Oct. 3 in Indian River County.

He was found, deputies say, at 10:25 a.m. trying to open a house door, his hand draped with a white handkerchief. A deputy later pulled over Carbone, driving a Ford Fusion rented in Miami.

Sweaty and nervous, he allowed the deputy to search his brown fanny pack. Inside: small screwdrivers, a small pry tool, two white handkerchiefs and “a large amount of lock picking tools.”

Inside the trunk, deputies found diamond earrings in a box, two pairs of binoculars, a window punch tool, more handkerchiefs — and 12 baseball caps.

“I guess they cover up the baldness,” Crowley quipped.

Carbone was charged with attempted burglary, possession of burglary tools and loitering and prowling. He was released on bond.

Then in November in Collier County, a husband and wife returning to their two-story condo in a gated community saw Carbone through the bedroom window. He was rifling through the nightstand.

“She ran in yelling and chasing him out of the house,” said Collier County Lt. Chad Parker.

Carbone dropped the jewelry and hopped into the Crown Victoria but the couple wrote down the tag number.

That proved his undoing, deputies said: The license plate was registered to him.

Deputies consulted with Blake, Crowley, and Miami-Dade career criminal Detective John Laughlin.

Crowley immediately called a former co-worker at Miami police: William Berger, now the police chief of Palm Bay — where Carbone has been living.

By Wednesday night, the old jewel thief was arrested at his exclusive home by Palm Bay crime suppression detectives.

Even Berger was surprised at Carbone’s stubborn refusal to quit thieving.

“You don’t see these type of guys around anymore,” Berger said.

Web Extra: ‘Condo Joe’ arrested wearing pajamas
He was wearing pj’s
Palm Bay police arrested career criminal “Condo” Joe Carbone while he was wearing pajamas and relaxing at home Wednesday night, spokeswoman Yvonne Martinez said.

Palm Bay Police Chief William Berger received a tip from his former Miami-Dade police colleagues that Carbone was staying at 253 Wishing Well Circle, less than a mile west of DeGroodt Road.

Police don’t know if Carbone owned the house or was staying with friends. Carbone doesn’t own a house in Brevard County, according to property records.

About six officers, including the crime suppression unit, arrested Carbone without incident, on a warrant of Collier County, Martinez said.

“They didn’t give him an opportunity to resist,” Martinez said.

He was taken to Brevard County Jail in Sharpes but later transported to Collier County.

“If convicted for the charges on this warrant he could be looking at 40 years,” Martinez added.

– Megan Downs, FLORIDA TODAY
(thanks to Froggy for the link to the original article)

Toool’s field test on AXA locks

December 17th, 2007

An image can say more than a thousand words ….

Toool.nl

I guess by now quite a few people are comparing their key to the above image, hoping their key has the same profile as the AX1RP blank (on the right)…..

Why?!?

In cooperation with Kassa TV and one other organisation we performed a little test. In and around Amsterdam we tried to open over 150 bicycles. We got help from random bicyclists, bike shops, and even received assistance from local law-enforcement. Result: we managed to open around 50% of them….

By far the most interesting and intriguing thing we found is that almost all locks we could open used the so-called ‘standard key profile’ (blank AX1P). Locks using the ‘mirror image profile’ (AX1RP) seemed almost impossible to open. And we are still investigating why. And we do warn people the flaw might be exploitable in the mirror image profile someday soon … many people are now looking into it, and it could be a matter of time. But for now it seems ok …

One other interesting fact: we managed to open almost all 583 models (over 90%), as well as a high percentage of SL7 and SL9 locks…. if they used a ‘standard key profile’ that is. And a lot of SL9 locks were equipped with a mirror image profile.

AXA by now admits more locks are vulnerable than they expected before, and they will come out with a report themselves any day now. Curious if they found the same things we did (in our relatively small test).

More about this test and the findings (in Dutch) on Kassa TV or http://toool.nl

Abus did the right thing … but did AXA do the wrong thing?!?

December 15th, 2007

Today ABUS announced (through an ad in the newspapers) they will send a free lock to everybody that has a lock vulnerable to the ‘blank key’ method. It concerns some of the 48 and 4800 series ABUS bicycle ring-locks.
Rumor has we are talking over 100.000 pieces. And they will all be replaced by ABUS … for free.

I read a lot of comments on various Dutch webpages saying AXA should follow ABUS and do the same. People say it is not fair they ‘only’ receive a 50% discount on an additional extra lock.

Now, I disagree with that, not completely, but still … I disagree.

People do not seem to realize all ABUS locks were manufactured after 2005, while AXA produced defective locks between 1998 and 2005. So while a defective ABUS lock is at most two years old (or should I say young?), an AXA lock on average is five years old, and in some cases even nine years! As far as I am concerned this is old enough not to be entitled to a full refund. I think it is fair to give people a full refund if the lock is under four years old, but after that … you should be happy with your discount.

Over the last few days I visited many bicycle shops. A lot of them had stories of customers who did the right thing: they upgraded to an AXA Defender lock and simply paid twenty euro. These people took the warnings in the media seriously and did not want to wait to have their bike stolen. Most of them did not even blame AXA. After all, it is a freak accident. A rare mechanical defect discovered by the wrong people, probably by accident. And years after a serious test institute certified the locks. AXA did what it could when these locks were made.

Now, I realize not everybody can easily pay twenty euro for a new lock. And not all bicycle shops will change the lock for free, although most feel it is a service to their customers to do so in this specific case. But still, if you have the money, just find a shop that will replace the lock for twenty euro and get it over with.

Having said that, it would be a good thing if AXA gave a 50% discount on the Defender (or Solid) ringlock, as that is what would make most of their customers happy…. and brush off the negative image they are creating by not making this offer …

Axa bike locks in the media

December 11th, 2007

Some Dutch media picked up on my last posting on AXA bike locks, including one of the most popular consumer television programs ‘Kassa’. Saturday prime-time, 1.4 million people watched Dirk Bolderman, head of AXA bicycle locks, answer the question of how many locks might have this flaw. His answer: “Between 1998 and 2005 we produced four million locks. We assume 100.000 to 200.000 might have this vulnerability. And the locks can not be identified by their serial number”….
(video available as 33 MB quicktime or on YouTube)

Some people have serious doubts about Mr. Bolderman’s claims ….

The good thing is he did promise AXA will offer 50% discount on new additional bike locks soon.

www.fietsersbond.nl

I received mostly positive feedback for pointing out the ‘interesting’ AXA/Abus advertisement campaign. One exception is the Dutch association of bicycle enthusiasts (fietserbond). Normally I sympathize with them, as they are really doing good work for us bicyclists (yes, I ride a bike too). But they are now asking the Dutch justice department to take ‘legal action’ against ‘these instructional videos on the internet’. They claim these videos are criminal because they encourage criminal behavior. Sigh….

Now, there are lots of ways I can defend myself against these ridiculous claims. And I have no concerns on the legal part of it. We have a long list of lawyers that owe us a favor, mainly because of our technical assistance in difficult court cases (mostly fraud cases where insurance companies don’t want to pay). And legally they do not have a point. Maybe morally, but I think the awareness created by the clip had much more impact than the silly AXA advertisement in the papers.

And I decided to look at their website, trying to learn some more about them. Interestingly their site is filled with information that can help thieves. Take for instance their excellent study (PDF) on bike lock security. Assisted by the Technical University in Delft, they studied a more destructive way of opening locks: using special pliers used to cut concrete reinforcement elements (Dutch: betonschaar). Potential thieves are advised what locks to avoid (including images of locks), and how to use the cutting tool properly (use 65 Rockwell blades and let one of the cutter’s arms rest on the ground to increase impact). Maybe it is time to arrest the people from the Technical University Delft now …

Anyway, good luck to them trying to sue Kassa for warning the public on prime time television ….

Update: Volkskrant reporter Michiel Haighton went to Amsterdam Central station to try his luck (video) …. and guess who he met there ?!?

To be continued for sure …

AXA: A new phase in security

December 7th, 2007

According to an article on the front page of the biggest newspaper in the Netherlands, some Dutch bicycle locks are not worth a dime.

And they are right. There is a trick to open some of these locks in seconds, causing no damage to the lock. In the article, Dutch police advise to always use two locks to secure your bike (and better lock your bike to solid objects too).

AXA: a new phase in security

Yesterday I learned manufacturers of these locks were going to warn the public using nationwide advertisements in newspapers. Curiously I looked in the newspaper today, and had to look twice. But I found the ad on page 26 (of the digital Telegraaf edition). I expected the ad to say something like: Warning, possible product failure. Instead it said: A new phase in security. The first thing the ad does is … advertise the new AXA Defender RL as a secure lock. Second it mentions ‘the police discovering a new method of manipulating locks’. This ‘by the police discovered method’ happens to work on ‘some older models SL7, SL9 and 583’. Needless to say police did not discover this method. If they had, it would (still) be a big secret. Instead of the police, the guild of bicycle thieves discovered it. And police found out about it that way. I am really curious if other brands are affected by this too.

The AXA website covers the problem the same way as the ‘ad’ in the newspaper. Instead of making a serious effort to warn their customers they just mention on the side of the page: AXA advertisement, a new phase in security. Not something a concerned customer will click on straight away.

I am curious where this is heading, as this story shows great resemblance to the problems Kryptonite had in the US. Someone found out these locks could be opened in seconds, without any damage, using just a Bic pen. That story started with some denial, but ended with Kryptonite publicly making a lock exchange offer. I am curious if AXA thinks it is going to get away with this, or if they are going to make the same offer to their customers as Kryptonite did….

I have known for at least a week that there was a problem with the AXA locks, without knowing the details. My locksmith friends were swamped by kiddos asking them for SL7 blanks (really, for a science project at school sir). And when I visited the bicycle shop around the corner they told me quite a few people had their bikes stolen….

The bicycle shop gave me two locks from their garbage bin to experiment on. It only took me a couple of minutes to figure it out and open them both. And since every bicycle thief in the Netherlands already knows how to open these locks, I do not mind sharing the trick with you (18 MB quicktime movie or YouTube). And please do not complain about me teaching malicious people how to open locks. Complain to the manufacturer of the lock that makes locks ‘that are not worth a dime’ ….

Update 08-12: Abus does not only seem to have the same problem as AXA, it looks as if they also share the same marketing people. The head of the ad in the newspapers today says: New generation Abus bike locks. And it does mention some ABUS Protecta 48 and 4600 can be opened using an ‘illegal method’. Who’s next?

The Dutch Open 2007: WOW!

November 29th, 2007

It is amazing what can happen in the course of just one weekend. The list of interesting things that happened in Sneek is just too long, so I am just going to highlight a few here…

“Lock Pathologist” Peter Field’s presentation was very well received.

Peter Field’s presentation at the Dutch Open 2007 in Sneek (the Netherlands)

And in a weekend that was about breaking records, this presentation broke quite a few! Most obvious record: the longest presentation ever at a Dutch Open (almost 5 hours). But it also received the longest and loudest applause ever (at least 5 minutes straight!). A great contrast to another record: that of the one presentation where the audience was completely silent. All in all one of the most interesting presentations at the Dutch Open ever. Thanks again Peter!

Another great class was that of Paul Crouwel on combination lock manipulation.

Paul Crouwel teaching the fine art of safe combination lock manipulation at the Dutch Open 2007

Paul prepared this class with great precision and besides arranging plenty of combination locks, he had some tools and charts made to make manipulation easier. So I would not be surprised if we will have combination lock championships at the Dutch Open in the near future, as some of the attendees became very enthusiastic about opening combination locks this way. And Paul is already receiving requests from other organisations who are interested in attending his classes.

Of course there was a lot of lockpicking going on in Sneek. I have seen some exotic tools, ranging from home made Abus plus picks, to the famous sputnik to the new mul-t-lock opener and more. But what everybody was there for was the Dutch Open championship. Under strict supervision of referee Ivana Belgers (toool eindhoven), Julian Hardt managed to win the open again (just like in 2003).

Image kindly borrowed from SSDeV internal page

Peter Danilov became second, followed by André Matuschek. Too bad Nigel Tolley from the UK became fourth, and Eric Schmiedel of Toool USA became fifth. In total there were 42 people attending the open this year. At least half of them good enough to make it to the finals.

And then there was impressioning:

Manfred won his second impressioning championship title this year. I became second, just like two months ago in Germany.

image kindly borrowed from internal SSDeV page

Manfred opened the lock, setting a new impressioning record of 5 minutes and 19 seconds. It took me just a lousy 28 seconds more: 5 minutes 47. Oliver Diederichsen became third in 6 minutes and 20 seconds. And some background info: there were a total of 22 attendees of which 11 managed to open the lock within the hour. Walter Belgers was last in 58 minutes and 39 seconds (just 1 minute and 21 seconds before the end of the game!). And it was fun to see many people pick up on impressioning and open a lock for the first time this way in Sneek.

The new hostel in Sneek also was a great success. Professionally run by Gea Schmidt and her staff, who made everybody feel at home. A small minority was unhappy about the non-smoking policy, but besides that I heard no complaints.

Again, the list of things that happened is too long to fully mention here. Jaakko’s Abus presentation, the interesting things people shared, the lack of time for some scheduled presentations …

So I would like to end here, thanking all that helped make the Dutch Open 2007 a success. The list of people to thank is also too long, as almost all attendees helped out one way or the other. Thank you all, and … see you next year!