Just returned from a week of Gitex in Dubai. Always interesting but also tiring and internet is not the same as we know it. And quite busy with a million different things … and not everything in my life is lockpick related you know …
This weekend lockpicking will play a role of importance again. If you can pick locks and want to earn the last available ‘free’ ticket to the 2010 European Lockpick Championships in Turkey … Cologne is the place to be this weekend. Our friends of the biggest and oldest locksport organisation “Sportsfreunde der Sperrtechnik – Deutschland e.V” organize their championships in the friendly environment of the NaturFreundehaus (youth hostel) in the ‘Kalk’ area of Cologne. Even if you don’t want to pick locks … just come and have a look. It is always a spectacular sight to see locks opened in seconds. During two days quite a lot of different games are played (as you can see on the schedule). The person winning the prestigious “Handöffnung” games (hand opening) will win a ticket to ELF/LockCon 2010!
Personally I put my money on this friendly gentleman ….
Wednesday a Toool delegation went to the 11th Pecha Kucha night in Amsterdam. For those who do not know Pecha Kucha: it is a series of short presentations. Each presentation consists of twenty slides and each slide is shown for exactly twenty seconds. And I can tell you: twenty seconds is fast when you are on stage. I also did a presentation and it went ok, although I must admit it was not my best performance ever.
After the presentation we put up a lockpick table and did a hands-on session. Of the three hundred attendees quite a large number learned to pick locks that evening. Worth mentioning is that the evening was organized in a former bank building. Guess who we found drooling over the huge safe (containing Lips four-wheel combination locks)?
The last slide of my presentation was about an idea we have had for quite some time now. We are looking for a ‘mechanical hacker space’ (or a Toool playground, hardware shop etc). A room to have our Toool meetings in, but also a permanent workshop and possibly even a training room. Currently we are exploring all sorts of relatively low-cost rooms (like a 40m2 and a 90m2 room at the Volkskrant building). After the presentation someone came to us and gave us some more leads to cheap places where creative people come together. Let’s see if this place ever becomes more than just an idea. If you have a nice space for rent we are interested to hear about it …
I was wondering what to call this post: Lockpicker-paranoia or paranoia lockpick-zophrenia. But in all seriousness, ever since we have been in the New York Times (which was followed up on by various media) I have received lots of calls and e-mails from people who are ‘troubled by a lockpicker’. The story all these people tell is more or less the same and basically boils down to this: there is a lockpicker who picks the lock of their house, goes inside and does nothing but move the furniture a little or leave subtle clues that they have been inside. And all the people who contact me have one burning question: what lock should I buy to keep this evil lockpicker out? *sigh*
I know that no matter what lock I advise, they will always come back to ask more questions, as the lockpicker will always be able to get in and ‘move stuff’. In one case I advised installing a 3KS+ lock and assured them that I personally do not know people who can open one without damaging the lock. Yet, one day later I received a call from the same person questioning my advice. *more sighs*
Now the interesting part: I spoke with some people about this, and they too receive inquiries like this once in a while. What intrigued me most was one quote from someone who told me he personally knew of two cases where there actually was someone picking the lock (or duplicating a key) and moving stuff! In one case the ‘lockpicker’ even cleaned the house of his victim and used a vacuum cleaner to clean the carpet! Asked why these ‘lockpickers’ went to all this trouble to harass someone, the motive given was a little vague: someone who does not like their neighbors, or personal motives concerning intimate relationships.
I was baffled to hear about this and am very curious if other sources can confirm stories like this. Anyone got juicy stories to tell?
I wrote about public research before. As far as I am concerned research should be done out in the open. And all parties involved should know the vulnerabilities in detail. And parties involved for me are: the (potential) customers, the manufacturer and the rest of the research field (in other words: everybody). It is a fact that if you make a public announcement revealing eighty (or more) percent of your discovery, some clever person will stand up and fill in the missing part. And the more common a lock is, the sooner this will happen (as people have hardware to compare and try attacks on).
The greatest and most clever ‘lock hack’ I have ever seen is a method to bypass some Medeco sidebar locks (locks with bi-axial pins, filled by the official codebook, manufactured before Q4 2007). Marc Tobias and Tobias Bluzmanis hacked the lock and even wrote a book about it … an all-time classic and ‘must read’ if you ask me (and I wrote the foreword). However, the book does not reveal the last twenty percent needed to actually make the so-called ‘code setting keys’ that are needed to bump and/or pick open the locks.
I learned some time ago that someone did his/her homework and published the findings on the net. A document called ‘code set.zip’ appeared on a site called ‘mega upload’ …
I wonder how long it takes before someone will post a cliq.zip there ….
My poor macbook died. I keep backups, so no harm is done, but it sucks to have to work on an old company windows machine for now.
So my posting is going to be a simple one today, using some images I uploaded to blackbag before the crash. One of the things I wanted to share is a couple of pictures taken at HAR of the by now famous ‘transparent lock’. These one, two, three, four images give you a much better idea of how nice this lock is than my original posting did. And many people took the opportunity to play with the lock at HAR. If you have large demo locks like this please let me know!
German SSDeV member Ray is known all around the world for his impressive collection of handcuffs and his fun ways of opening most of them. On top of that he gives great presentations and always manages to add a lot of humor into them!
At HAR he pulled another stunt: he used a 3D printer to print handcuff keys. And not just any ordinary handcuff key … no, it’s the official handcuff key of the Dutch police! At first the police officers at HAR were a little reluctant to even try out the plastic key he printed. But he found another way to verify that the key he printed was the correct one. I guess these officers never thought about wearing keys concealed, especially when talking with Mr. Handcuff himself. Given the megapixel cameras on the market today it was not so difficult to verify the key he printed was the correct one.
At the end of the day he talked the officers into trying the key on their handcuffs and … it did work! At least the Dutch Police now knows there is a plastic key on the market that will open their handcuffs. A plastic key undetectable by metal detectors….
And Ray made it easy for you. For those of you wanting to print your own Dutch police handcuff key … the STL file is available online at http://ke.y.nu/
The New York Times just came out with an article on European lockpickers, quoting a Dutch police officer who was not too negative about the lockpick scene. Let’s hope they still feel this way after this post …
*Warning* Before you print out your keys please check your local law! Reading the article below (pdf mirror) should be a fair warning! In some places it is not quite healthy to run around wearing police handcuffs ….
Homeless man could get 5 years for wearing handcuff keys
Wed, Sep. 09, 2009
BY DAVID OVALLE
For wearing handcuff keys on a necklace draped around his neck, a homeless Miami Beach man could face years in prison.
Prosecutors on Tuesday formally charged Michael Gonzalez, 22, with disorderly intoxication, marijuana possession and two counts of possession of a concealed handcuff key — a third-degree felony punishable by up to five years in prison.
“It’s an actual felony,” prosecutor Barbara Teresa Govea explained to Miami-Dade Circuit Judge John Thornton, who questioned the charge.
“There’s got to be some kind of constitutional violation in there somewhere,” Assistant Public Defender Michelle Prescott grumbled to the court.
Actually, the Florida Legislature passed the law after the 1998 murders of two Tampa deputies and a state trooper. Hank Earl Carr shot and killed them after he escaped his cuffs using a universal handcuff key hidden on a necklace.
Gonzalez was arrested Aug. 16 after Miami Beach police said he was harassing women on the South Beach sand. In a report, Officer Errol Vidal wrote that he found a small amount of marijuana in the man’s pocket and “two handcuff keys concealed under his shirt on a necklace.”
Also under Gonzalez’s shirt: a tattoo on his right shoulder, with the word “anarchy” and shooting flames.
A little delay updating blackbag as I am quite busy with non-lock related stuff. But looking back at Hacking At Random still makes me smile … it was great! The people, the championships, the lockpick village, the presentations, the atmosphere … it was all magic.
And for us it was the ultimate dress rehearsal for the mega-event that is waiting for us at the 2010 ELF/LockCon conference in Turkey. The most important thing about that conference (for us) is that it will host the first official European lockpick championships. And we will be organizing it. Lockpickers from all over the globe could try to win three fully paid tickets to that event at HAR.
From the beginning it was unclear if Julian Hardt could make it to Hacking At Random. But the moment he tapped on my shoulder and we greeted each other I said out loud: there go our tickets to Turkey.
And I was right. Julian won the most prestigious ticket to be won: that of the ‘unofficial European lockpick championships’. And even though it was a hard battle, it was no surprise the winner would (most likely) be from Germany. And for me personally it was no surprise it would be Julian Hardt. I immediately admit that people like ‘Master of the universe’ Dr. Manfred Bölker or Arthur Meister also had a fair chance to win. But Julian is a multi-talent who keeps impressing us with his skills. He was the only one who managed to open the notorious Lips 6 pin in the finals (containing very nasty serrated pins). And on a side note: we just had another safe opening weekend where Julian proved to be a bad-ass safecracker by picking open a couple of very high security safes (one of them containing a Mauer Variator B, 11 lever lock). The big surprise at the lockpick championships was to see Peter Fuhrmann from Labor/Bochum getting second! Arthur Meister and Gerhard Heperle became third and fourth.
Julian also became winner of the safe combination manipulation contest. In the qualifiers he opened his lock in 57 minutes … just three minutes before the end. In the finals he managed to dial open the lock in an impressive 21 minutes! But since Julian already won a ticket in the lockpick championships, second place winner Michael Huebler now won the ‘all in ticket’ to Turkey.
As the Germans have a tradition of winning lockpick games, the Dutch seem to have a reputation to protect when it comes to impressioning. Three out of the last four games were won by Toool members and the absolute world record time of 1 minute and 27 seconds was set by Jos Weyers from Toool too. It is interesting to note that both number two (Oliver Diederichsen) and number three (Dr. Manfred Bölker) at HAR broke the previous record of 4:23 (by Oliver Diederichsen) by going well under the magical ‘four minute border’.
Still, we are not really clear about the future of these games in the current setup. For example: at the games in Sneek 2008 Oliver needed 52 minutes to open a lock that would normally take him (much) less than ten minutes to open. And a few months ago in Hamburg Jos scored 46 minutes on a lock using six blanks … not to mention me not opening the lock at all.
This all makes it feel like some kind of lottery. So maybe we will sit down with some people before Turkey and work on a new style game to rule out this luck/bad luck factor (for example: people playing against each other on the same locks, using knock-out rounds).
There is so much more to say about HAR that I will split the post. The follow up will be about the presentations, the lockpick village and the more interesting things that happened there …
I have been looking forward to the HAR conference for a long time. After all, it was going to be the moment to publicly talk about our discovery on bypassing the electronic locking part of the first generation Mul-T-Lock Cliq. More than one year ago we discovered that the samples we had could in some instances be opened with the so-called ‘magnetic ring’ (you still needed to have the correct mechanical key or bypass the mechanical part). An important discovery, as the attack would not show up in the electronic logfile in the lock. And the integrity of the logfile is a key issue in these kinds of systems. So we immediately informed Mul-T-Lock about this problem. And even though communication did not always go smoothly we came to an agreement. We agreed to go into full detail about this at the HAR conference in 2009. And that is what we just did. At the presentation we showed the problem was not magnetism … it was vibration!
In the meantime Mul-T-Lock came out with a new version and we even received some samples to test. How successful the fix was still has to be determined. And communication is still slow. Marc Tobias and Tobias Bluzmanis claimed at DefCon to be able to still open the latest generation Mul-T-Lock Cliq locks (and a wide range of other electronic and electromechanical locks). They briefed us behind closed doors and I can only say their claims look solid (as was to be expected from these clever and high-profile security experts!).
At the HAR presentation we also demonstrated attacks on electronic locks that make use of the basic Dallas iButton key. This key is nothing more than a device that spits out a 64 bit number. If the number is on the list of the lock it will open. I read somewhere that 175 million of these keys are in use. We found it is not difficult to duplicate these keys.
What is more interesting is that we found a way to scan for keys on some of these locks. Scanning for a 64 bit key can take forever (at approximately one key per second!). However … we discovered that sometimes these keys are handed out in batches with consecutive numbers, or numbers in a close range of each other. In those cases it might be possible to scan for numbers in a known range.
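The two paragraphs above (the iButton as a bare 64 bit number checked against a list, and the batch numbering that turns a hopeless 64 bit scan into a search of a small known range) can be turned into a concrete check for whoever manages such a lock. The script below is an added example of mine, not code from the original post or from any lock vendor. It assumes the standard 1-Wire ROM ID layout (an 8 bit family code, a 48 bit serial and an 8 bit Dallas CRC over the first 56 bits; family code 0x01 is the plain DS1990A serial-number button) and all key IDs and timings in it are constructed sample data. It does two things: it audits a list of issued keys for clusters of consecutive serials, reporting how small the effective search space has become, and it models a reader that raises an alarm when several unknown IDs are presented within a short window, which is the pattern of an enumerator rather than of a user with the wrong key.

```python
"""Audit issued iButton (1-Wire) key IDs for guessable serial ranges, and flag enumeration.

Added example, not code from the original post or from any lock vendor. Assumes the standard
1-Wire ROM ID layout (8-bit family code, 48-bit serial, 8-bit Dallas CRC over the first 56
bits; family 0x01 is the plain DS1990A). All key IDs and timings below are constructed.
"""
from collections import deque

FULL_SERIAL_SPACE = 1 << 48  # distinct serials per family code


def crc8_1wire(data: bytes) -> int:
    """Dallas/Maxim CRC-8 (x^8 + x^5 + x^4 + 1, bit-reversed constant 0x8C) used in ROM IDs."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 0x01
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def rom_id_is_valid(rom: int) -> bool:
    """Well-formedness only: the CRC is a transmission check, an enumerator computes it too."""
    raw = rom.to_bytes(8, "little")  # bus order: family code first, CRC last
    return crc8_1wire(raw[:7]) == raw[7]


def serial_of(rom: int) -> int:
    """The 48-bit factory serial sitting between the family code and the CRC."""
    return (rom >> 8) & (FULL_SERIAL_SPACE - 1)


def make_rom_id(family: int, serial: int) -> int:
    """Assemble a well-formed ROM ID; used here only to build constructed sample keys."""
    body = bytes([family]) + serial.to_bytes(6, "little")
    return int.from_bytes(body + bytes([crc8_1wire(body)]), "little")


def audit_key_list(roms: list, gap: int = 1000) -> dict:
    """Group issued serials into runs with no gap larger than `gap`: keys handed out from
    one batch shrink an enumerator's search from 2^48 IDs to roughly the span of the batch."""
    valid = [r for r in roms if rom_id_is_valid(r)]
    serials = sorted({serial_of(r) for r in valid})
    clusters = []
    if serials:
        lo = hi = serials[0]
        for s in serials[1:]:
            if s - hi > gap:
                clusters.append((lo, hi))
                lo = s
            hi = s
        clusters.append((lo, hi))
    span = sum(hi - lo + 1 for lo, hi in clusters)
    return {
        "valid_keys": len(valid),
        "rejected_keys": len(roms) - len(valid),
        "clusters": clusters,
        "enumeration_span": span,  # IDs to try, at one per second, if the batches are known
    }


class AuditedReader:
    """Toy reader: the whitelist lookup the post describes, plus an alarm on bursts of unknowns."""

    def __init__(self, allowed, max_unknown: int = 5, window_s: float = 60.0):
        self.allowed = set(allowed)
        self.max_unknown = max_unknown
        self.window_s = window_s
        self.unknown_times = deque()
        self.alarms = []

    def present(self, rom: int, t: float) -> str:
        if not rom_id_is_valid(rom):
            verdict = "malformed"
        elif rom in self.allowed:
            return "granted"
        else:
            verdict = "denied"
        self.unknown_times.append(t)
        while t - self.unknown_times[0] > self.window_s:  # drop events outside the window
            self.unknown_times.popleft()
        if len(self.unknown_times) >= self.max_unknown:
            self.alarms.append(t)
            verdict += "+alarm"
        return verdict


def demo():
    """Constructed site: ten keys from one sequential batch, one key from elsewhere and one
    corrupted record, then a trace of one legitimate key followed by in-range unknown IDs."""
    issued = [make_rom_id(0x01, 0x5A1000 + i) for i in range(10)]
    issued.append(make_rom_id(0x01, 0x0F00000000))
    issued.append(make_rom_id(0x01, 0x123456) ^ (1 << 8))  # serial bit flipped, CRC now wrong
    report = audit_key_list(issued)
    reader = AuditedReader(r for r in issued if rom_id_is_valid(r))
    verdicts = [reader.present(issued[0], 0.0)]
    for i in range(6):
        verdicts.append(reader.present(make_rom_id(0x01, 0x5A1020 + i), 10.0 + i))
    return report, verdicts, reader.alarms
```

On the constructed site the audit reports an enumeration span of eleven IDs, so the one-key-per-second figure from the post becomes seconds rather than ages; the reader lets the real key through and raises its alarm on the fifth unknown ID within the window. Two design points are worth noting: the CRC check rejects garbage and corrupted records but adds no security against a scanner, which simply computes valid CRCs, and the alarm counts malformed presentations as unknowns too, so a reader should not stay silent just because an ID failed the CRC. A real deployment would add a lockout or slow-down after the alarm and ship the event to a central log.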
To see the entire presentation you need to go to www.rehash.nl, select ‘HAR2009’ and enter ‘lockpicking’. Unfortunately there is no deep link to our presentation yet …
Presenting these hacks was nice, but more important to me we also tried to address a more serious topic. That of disclosure and dealing with lock manufacturers.
I like to keep things simple. If we discover a vulnerability in a lock we will notify the manufacturer. We will tell them what we know and most of the time an interesting and technical discussion is started. And sometimes the manufacturer is a little reluctant and barely wants (or dares) to communicate. Especially in the US the stakes can be high for them because of the ‘I will sue you’ culture. So in a way we understand both approaches and are fine with them, as long as it is clear we will go public on the vulnerability at some moment in time. In general we are talking about giving them three to six months, although a longer period can be negotiated if that time is needed to update specific projects or customers.
The philosophy behind this approach is to give the manufacturer some time to fix the problem, inform its customers, exchange locks or prepare a press statement. The fact that they know a publication is coming should be enough to motivate them to do the right thing. Going public on the vulnerability sends out a clear signal: better make good locks! There are motivated people out there paying attention to what you do who will write about it if weak spots are discovered.
So far so good ….
What we have seen lately is that lock manufacturers (try to) fix problems but no longer openly want to discuss their fixes. It could be because of this ‘I will sue you’ culture, but it also creates a lot of ‘security through obscurity’. And to me that is a sign of weakness. After all, how can we evaluate the ‘new and improved’ product if the manufacturer is reluctant to release information on how they (supposedly?) fixed a problem? The ‘just trust us, we know what we are doing’ approach is not something that gives me a warm fuzzy feeling … at all.
By not saying anything about the fix, the researchers are delayed. Or, if they have a limited number of locks to test, they might even miss an important new feature that is incorporated in some of the new locks. But at the end of the day the information leaks out or is distilled from a greater pool of locks. And since the researchers are highly motivated, the product will fall anyway. Only, because it takes a little longer to fall, more locks are sold and more locks are affected when it happens.
Interestingly enough it now seems some security researchers are going the same route as the lock manufacturers. They claim specific locks can be bypassed but refuse to tell the manufacturer how they did it. Only if the manufacturer promises to exchange all the locks in the field (free of charge) are they willing to explain how the technique works. The idea behind this is that they are trying to do the end customer a favor. After all, nobody knows how to bypass the customer’s lock and the manufacturer has to change it free of charge before anyone else hears about it. Logically the lock manufacturer will first try to find the problem itself, but now learns what it feels like to be kept in the dark. Even if they find a vulnerability they can never be sure it is the same one the researchers found. So a fix that is created does not necessarily mean it actually works against the unknown attack … or the fix might even introduce a bigger problem! And instead of being happy, the end customer is getting nervous. What if someone else finds out about the problem?
There may well be a few extreme cases where putting lots of pressure on some manufacturer is justified because they are really screwing over the public interest. But in general we feel everyone benefits if we try to keep as much information available to as many parties as possible, as quickly as possible. That way, consumers can make informed choices, manufacturers still make their own judgments (and face public scrutiny on them) and manufacturers and enthusiasts can continue to learn from each other.
Let us try to keep the research area open and transparent and all learn from these discoveries…..