Today’s Wall Street Journal …

October 28th, 2006

wall street journal 

Wow … In today’s Wall Street Journal, there is a nice article on
locksport in the US. I am glad to see the locksport groups in the US
know how to talk with the media and get their point across without being
portrayed as criminals. Read the full article here: Page 1 and Page 2.

Breaking News! Mysterious car burglaries solved … or not?

October 25th, 2006

Police claim to have made a breakthrough in the mysterious car burglaries
case in Stadskanaal. As you might remember, a wide range of different
car brands and models were opened without a trace and goods were
taken from the cars. And the police had no idea what tool or technique
was used by these crooks.

The Stadskanaal police today claim to have found the answer. A twenty
year old drug addicted male was arrested. Police believe he is the
brain behind this intriguing case. The answer to the question how he
did it is a little ehrm … sobering. His modus operandi was simple:
He got on his bicycle and drove around town trying to find cars that
accidentally were left open and let statistics do the rest. It is a
fact not all cars are closed, and he based his ‘attack’ on nothing
more than just trying to see if a car was left open. That is it…

The police are your best friend

Or is it? Three different sources have recently shown me a picture of a
mysterious tool. Police are trying to find out what type of tool it is
and who makes it. It seems to have something to do with car openings…
Unfortunately I can not show you the pictures since all sources do not
want me to publish it. Sorry about that :(   *Update 10 Nov.: mystery solved!

Update: Dutch SBS6 TV had an item about this (click here WMV 17 Mb)

‘Werkzeugspur’ a nice book on forensics

October 25th, 2006

Currently I took the time to relax a little and read some books. These
books are all in Dutch, except for one I recently bought at the German
lockpick championships. It is a German book by Manfred Göth named
‘Werkzeugspur’ ISBN 3-00-004285-7 (rough translation: ‘tool traces’).

Manfred is the only non-government independent forensic specialist in
Germany and he is well respected for that. I had the pleasure of
meeting him once and he is really a knowledgeable person. This also
shows in his book. In it are many close up images of locks and pins.
Traces almost not visible with the naked eye all of a sudden become
crystal clear if he uses special electron microscopes to zoom in on
the subjects. The book is filled with images like the one below.

(electron microscope image of a pin with unusual marks on it)

werkzeugspur

Manfred made it clear that almost any non-destructive opening can be
identified by people with the right forensic knowledge and tools. He
is also capable of identifying if a lock was bumped open or not and
does this on a regular basis for insurance companies and their clients.

It could be coincidence or not, but over the last few weeks three
independent people asked me to look at their legal case against their
insurance company. One car theft where the insurance company claims
the car is so well protected it is impossible to steal. Just googling
for the brand and model I found at least 3 ways to steal that car…sigh.
One case was a burglary where probably a bump key was used and the
insurance company does not want to pay and one bizarre case where an
electronic locking system was bypassed one way or the other.

More info on Mr. Göth’s company and book on http://www.goeth.de/

9 year old Peter … champion of the future …

October 19th, 2006

“Hello my name is Peter, I am 9 year old and I have bumped open allllll
these locks. And now I am going to bump open this Mul-T-Lock(*), really
high security, bypass this combination lock and rake this Yale lock, 6 pins.”

Peter, nine years old

The video takes less than three minutes and is adorable and entertaining.
To be honest I do not know how genuine this video is. It looks right, but I
have never seen a Mul-T-Lock opened with the ‘pull one click back method’.
I don’t think it is a hoax, but you can not be too careful these days.

Martin, Peter’s dad, mailed me: Peter started picking and bumping after
watching bumping revisited, he has been doing it for a year now. I have
supplied him with his bump keys and he brought his pick set. He can open
locks better than me sometimes, a natural; his first lock was a Yale
front door lock and his latest is the 7 pin multi t lock.

http://video.google.co.uk/videoplay?docid=5145437642005440092&q=lock+picking

(*) Update 25/10: As you can read in the comments I was right, it was not a Mul-T-Lock.
However, footage is available where little Peter bumps open and bypasses a 7X7 Mul-T-Lock:

http://video.google.co.uk/videoplay?docid=-8278930360889092448&pr=goog-sl

 

More keys to democracy (help needed!)

October 18th, 2006

I previously mentioned the lousy keys that were used on our Dutch
Nedap voting computers. We found out the keys could be ordered at
various places on the internet for just about one euro each, and all
keys to operate the Nedap ES3B voting computers are the same.

Besides the Nedap company there is a second player on the Dutch voting
computer market: SDU. Their voting computers are called ‘newvote’ and
are more modern in comparison to the Nedap antiques. Little is known
about these devices except they are running an embedded Windows
version (XP? NT?) and have a built-in wireless modem. Needless to say
this computer does not give us a warm fuzzy feeling. Their slick
advertisement video does not change this, on the contrary….

As far as we know the SDU newvote is fitted with three locks.

One of our informants handed us a photo of the keys to these locks.
Unfortunately the pictures you see below are not the best quality, but
we will have to live with that. And it is all we got to identify them
and find the manufacturer. Click on the images for a higher resolution.

 

SDU key 1 SDU key 2 SDU key 3

Key number one is an ‘important’ one. This ‘tubular key’ is used
by the head of the voting office and is labeled ‘control key’
(beheerssleutel). This key is important since it is necessary to start
the device. If you do not have this key the voting computer simply
does not work. It strongly reminds me of a lock one could open with
just a roll of toilet paper. It would not surprise me if the SDU
newvote lock could be opened just as easily. Unfortunately we will have
to wait till November 22 to find out (election day).

Key number two is needed to operate the machine. This key is
necessary to clear the machine after the vote is cast and is labeled
‘operator key’ (bedieningssleutel). The key is identified as a wafer
lock key for a four lever lock. Possible combination is ‘3-3-4-0’. It
is my impression this key operates a cheap and very simple lock that
could be bypassed with just a paperclip.

Key number three is already identified. This key is manufactured by a
company called EMKA, and probably the code of the key is ‘EK 333’.
These EMKA locks are well known in the computer server area and an
‘EK 333’ key is on its way to our office.

  
I would like to find out who manufactures the two unknown locks. Mind
you, they are electronic switch locks and probably both come from
the same manufacturer. On the locks themselves a three digit
number/code is stamped (unfortunately not very legible; see images below).

           
keys close up, lock close up, close up

   
Of course there is a reward for the right answer… one big apple pie (old hack-tic tradition) …

The ‘Dutch Open’ lockpick championships (FULL! Sold Out!!)

October 15th, 2006

Ever since Wired wrote a heroic epic about the Dutch Open in 2004 it
has become an event that lures people from all over the world to a
cosy youth hostel in Sneek for a weekend they will remember.

This year there is another ‘Dutch Open’. From Friday November 10 till
Sunday November 12 it will take place in Sneek (Friesland, The
Netherlands). As always in the Wigledam youth hostel.

evva cut away locks

We are currently collecting prizes from different manufacturers and
other sponsors. EVVA was kind enough to donate a ‘collectors item’ box
filled with state of the art cut-away locks. This box covers the
Magnetic MCS, 3KS, DUAL and DPI/DPE locks. You might think this is a
guaranteed first prize. However other manufacturers have promised
prizes too. And the winner has the first choice to select whatever
prize is available. The prizes will be discussed on the weblog as they
come in.

We already received many international requests asking if it is
possible to join. Others write on public fora that they will be
attending for sure, without bothering to ask us if that is ok.
Probably they think if it is called the ‘Dutch Open’, and one of
Toool’s O’s stands for ‘open’, we will let everybody in. This is not
true. Currently we are FULL. There is no more room for spectators or
people that want to visit. We are really sorry, but the limit has been
reached. Fire regulations are very strict in the Netherlands and we
will get in trouble with the fire department if we let more people in.
So we can not make any exceptions.

For those participating in the championships there will be a 10
euro fee. For this you will receive at least one of the brand new
locks used at the championships and hopefully you will win one of the
fabulous prizes. A lottery will make two attendees that did not win
any of the other prizes happy. Through luck of the draw a nice cut-away
lock and a special pick tool will find a new owner. So it is always
worth your while to participate in the championships. You might lose
during the games yet still get lucky in the lottery.

 

The only thing we do know for sure is that the championships will take
place on Saturday from 11:00 till approximately 16:00. The rest of the
schedule will be determined later since we are still negotiating with
some speakers and setting up things.

It is important to note the rest of the schedule is only available for
Ssdev and Toool members, as well as for the lucky few that are allowed
in.

Some people already promised to do the following presentation/activity:

‘keys to heaven’ STASI opening tools and techniques (Arthur Meister)

heavens door

In this workshop Arthur will show you some exotic opening tools and
techniques used by the former East German secret service ‘STASI’
(Staatssicherheit). Only locks the former East German government could
open without a trace were allowed back in the days. The internal code
name for the tools and techniques to open locks was ‘himmel Schlüsseln’
(keys to heaven). In this workshop you will learn how to bypass a
trabant car in under 30 seconds.

‘new state of the art US lock’, a challenge by Marc Tobias

Marc Tobias will present a new US brand lock. He will explain in
technical detail why he thinks this new lock is secure. And he will
challenge the lockpickers if they can open this new lock without
damaging it. The first one to pick this lock will receive a nice
reward. Note: this challenge is just for internal use. The manufacturer
will not claim it is a secure lock because we could not pick it, or
vice versa. It is just a simple challenge to see who is more clever.
 

‘Chubb Manifoil combination lock’ by Mike van der Stelt

Mike van der Stelt will do a presentation about the history and
evolution of the Chubb Manifoil safe lock. This combination lock has
been the UK government’s security standard for many years. These locks
are hard to come by but Mike will bring a wide range of them for you
to see and play with. You might want to take a close look at the top
piece of his collection: a security container that is in use with the
UK government to store top secret documents.

 

‘Safecracking Without a Trace’ by Eric Schmiedl

In this workshop Eric will cover the art of combination lock
manipulation. This workshop will also cover the S&G manipulation-proof
lock, radiographic attack, robot dialing, robot manipulation, the
Mas-Hamilton X-07, and plain stupid lock design.

‘Keyshop and Lockshop ++’ by Steffen and Ssdev

During the Dutch open a basic lockshop will be present. During the
rest of the weekend some more high security tools will be on sale. At
the keyshop some nice key cutting machines are ready to serve you.
This includes an ez-entrie machine that creates blanks for
high-security copy restricted keys, machines to cut keys to code, copy
machines for straight and dimple keys and a huge collection of blanks
to make your own bumpkeys or do other experiments with. So you would
better make sure to bring these ‘impossible to copy’ keys to Sneek.
 

‘high security car locks’ and ‘advanced bumping’ (Barry Wels)

Two ‘hands on’ workshops.
Barry will bring a nice collection of car locks and tools to
open/decode them. This will include the famous Wendt BMW opener, some
13 songs tools (Opel and others), a Ford Tibbe (disk lock) opener and
many more. And more informal there will be an experiment with some of
the most high security sidebar locks. A brave manufacturer sent us
these locks to see if we can bypass them. Some of these sidebar
mechanisms have pins that have to be lifted to a specific height and
rotated to a certain angle. Can the conventional pins in these locks be
bumped if you know the sidebar combination? Let’s find out in Sneek.
 

‘Meal of the Champions’ by Fiona Ivanov

Get ready for a real treat!
People who have attended the Dutch Open before know that meals and
dinners are always well taken care of in Sneek. Gea Schmidt and her
crew are well known and respected for their cooking skills. This time
however we will have Fiona Ivanov come over to prepare the ‘meal of
the champions’ on Saturday. Fiona is responsible for lots and lots of
cooking recipes in a very well read cooking magazine in the Netherlands.
This meal will be followed by the famous Saturday night Toool party.

We are still negotiating some presentations that cover safe opening,
more special/exotic locks and possibly a Han Fey presentation. Han
will be present for sure and bring (cutaway/abloy) locks and
interesting stories to tell. Paul Crouwel will bring his famous
‘Russian lock’ as well as some other interesting locks and tools.

Needless to say all ‘Dutch Open’ attendees have a story to tell and
information to share. Joining the Dutch Open is a lockpicker’s dream.
So far we have received confirmation from American, English, German,
French, Swedish and Dutch participants. Do not hesitate and register
today: Send a mail to toool@xs4all.nl for more information.

Press/media is also welcome at this event. But you also need to
register beforehand. Please send us a mail with your request.

And last but not least: How much does attending the Dutch Open cost?

That is a complicated matter. The most simple answer is 65 euro for
the ‘all in’ event. This includes a place to sleep, three warm meals,
two breakfasts, free beer (!) and/or other drinks.

It gets more complicated if you only want to attend specific parts of
the Dutch Open and/or sleep in the nearby hotel (or at home). Attending
Fri-Sun will cost 40 euro and include all meals and free drinks.

And it gets even more complicated when people only attend one day,
or only stay for dinner or the party on Saturday. We were forced to
think about these details and came up with the following pricing
scheme:

Dinner, Sleep over one night and breakfast 37.50 per person (includes party and free drinks).
Sleep over one night, breakfast, NO dinner 30 euro (includes party and free drinks/beer)
Only attend dinner and party 20 euro
Only attend party on Saturday 15 euro (includes free drinks)
Only attend dinner 10 euro

On Friday dinner will be served at 20:00, on Saturday at 18:00 and on
Sunday around 17:00.

For children there will be a discount. Usually this is 50% of what the
parents/adults pay. If you are a student or do not have much money we
can work something out too. Just mail us. The goal of this event is to
have as many interesting people attend as possible.

The security show in Essen (Germany)

October 12th, 2006

Today’s posting is a little longer than usual.

Yesterday was a good day. Together with Han, Paul and Annette I
visited the security show in Essen. I think I could fill this blog for
weeks and weeks writing about what I saw there. Unfortunately I do
not have time for that, so here are some highlights.

 heli video

For about 10K euro you can get yourself a nice video helicopter. This
device weighs less than a kilo and can stay in the air 25 minutes. All
four rotors are stabilized and the device is relatively silent. The
demo was impressive and you could see what the helicopter sees on the
big tv screen at the back. I am waiting to get one of these till the
price drops a little.

heli video

 

We have also seen some bump key tools and demos. Unfortunately the
quality was very poor. This includes a hammer that was on display. The
hammer is way too heavy and could be considered an illegal weapon if
you ask me. Damage to keys and locks is almost guaranteed. The design
was not well thought out and development was done by someone with
obviously no experience in the field of bumping. It was supposed to
have ‘swing’, but the material was pretty easy to bend.

clone number 512 ... or was it 513?

clone angle

Visiting the Wendt booth is always worthwhile. We had to squeeze in
because lots of people are attracted by the tools and knowledge of
this booth. I did manage to make some pictures of the most interesting
displays, but only managed to cover 25% or so. So you will have to
visit the show yourself if you want to see the rest.

wendt booth

The displays are filled with tools, sometimes for locks I have never
heard of. And there was lots of focus on safes and safe opening. One
of their experts showed his special scopes, and the video of that
scope was projected on a big screen (see middle of image above).

tool for pump lock?

 

I also like the relatively simple things like this ‘setup key’ for a safe lock.
The levers are pushed up by the small screws, and with a little
screwdriver you can set every combination. Simple yet elegant.

setup key

more setup key

And last but not least we visited the semi-private presentation room.
Steffen Wernéry proved to be a talented speaker who introduced his
audience to the wonderful world of locks and security flaws. He
covered a wide range of topics, from lock basics, to picking and
bumping. Steffen’s presentation was sparkling and the audience liked
it. This also goes for the free ‘flipper card’ he gave each and every
one of them.

steffen

I can advise everyone to visit this show. Make sure you have enough
time since it is truly huge. It will be on today and tomorrow.

I did upload some images I shot in Essen on the following address:
http://toool.nl/security-2006.zip (20 Mb, 41 images)

secure camlocks

October 9th, 2006

(C) Han Fey 

We try to have constructive criticism when it comes to security in
general and voting computers in particular. But it is not easy. The
Nedaps simply do not offer any protection and can not ever be secured
if you ask me. When I wrote about the lousy locks that are used to
secure our Dutch Nedap voting computers I felt the need to at least
give them some advice on locks, although I realize it will never
improve the insecure box.

The best place to look for real secure locks is in places where the
lock is the only thing between the thief and money/valuables. In this
case we are looking for a rather small cam lock that can be equipped
with ‘switch function’.

Since they are the ones with most experience in the matter I always
take a very close look when visiting casinos, payphones and jewelry
stores to see what kind of locks they use. In the Las Vegas
casinos we saw Medeco, ASSA Desmo and Miwa (Japanese magnetic lock)
being used. All outstanding locks. Abloy seems to be dominant in the
European payphone market, as well as for displays in jewelry stores.

more secure camlocks

Of course we also keep our eyes open for secure camlocks when visiting
trade shows like Aloa or the Security Messe in Essen (that starts tomorrow
and I will visit Wednesday).

In my opinion the following camlocks are secure against manipulation
and have a key that is not trivial to duplicate:

Abloy Protec camlock
ASSA Desmo
EVVA MCS camlock
Kaba camlock
Medeco Axial camlock
Miwa magnetic lock

To be honest I don’t know if all these locks can be delivered as
electronic switch locks as standard. But since they need at least 10.000 pieces I
guess the manufacturer will gladly be of service to Nedap, Diebold or SDU.

I am running out of time so google for the lock specs yourself. Of
course we are interested what other camlocks you think are any good.
Feel free to post your thoughts.

More info on the Nedap voting computer hack

October 6th, 2006

Just a small update for the Dutch readers. An MP3 of the
full press conference is now online. In it you can hear all
our objections and findings. A lot of info about the action can be
found on the net. I particularly noticed the nicely written report by
bright.nl. They cover all parts of the press conference in a
light-hearted way.

http://toool.nl/persconferentie.mp3 (18 Mb)
http://www.bright.nl/bom-onder-verkiezingen

The keys to democracy …

October 5th, 2006

The sh*t has hit the fan!

 a126

We came out in the open about research we conducted on a couple of
Nedap ES3B voting computers we got our hands on. Behind the scenes we
have been working hard for the last five weeks to reverse engineer and
hack these devices. It was quite a project, but as of yesterday the
world knows about it. A whitepaper is available online for you to read
our conclusions. And besides that we also decided to throw all Nedap
software, rom dumps and internal documentation online. Just for the
public to see what it is they are voting on….

The juicy part: about the keys …. If you read Dutch law about the
requirements concerning voting they mention several times the
importance of the voting computers key. The head of the ticket office
must carry this key with him at all times, and when the elections
close it has to be stored in a sealed envelope. When Nedap learned we
were after their device they sent out an emergency letter to each
municipality to store the keys to these voting computers in a safe.

I was heavily disappointed when I finally got my hands on these keys.

Just a very, very, simple four lever key and no use of anti-manipulation
or anti-copy technology. It was no problem to have the key copied in
the first lock shop I entered. Anyone with five minutes of instruction
(or less) could learn how to pick or bypass this lock.

nedap A126 C&K key

All three Nedap voting computers we examined came with a set of
identical keys. So all keys were the same, and one of these keys could
operate all these computers. We can safely assume one key can operate
all 8.000 Nedap voting computers in use in the Netherlands. Other
proof of this claim is that the keys are nickeled over, meaning they
were mass-produced with the cuts already made. Something you only do
when you make large batches.

Getting your hands on that key is simple. Order yours online now ….
For just one euro you can order the key from multiple different online
sources. All you have to do is google for ‘C&K’ and key number ‘A126’.
Looking at the datasheet of this key you can learn its part number is
115140126. We ordered 100 and gave each and every journalist a
personal Nedap voting computer key at the press conference we held
this morning. As if you needed keys for locks like this…

technical drawing of key

 

We all worked real hard on this project and I will post some more of
our findings in greater detail during the days to come. Stay tuned …