how it’s made: cutting the profile in the lock core

February 4th, 2008

I must admit I have been so busy last week that making the Sunday evening deadline was not easy.
But hey, a promise is a promise … so here goes another posting …

I was planning on writing something about Marc Tobias's hack on alarm systems. The weak spot is the wireless sensors (operating on 433.92 MHz). Maybe I will get back to that later.

Today I want to talk about some of the fun things at Toool: factory visits!

step by step cutting of the profile

Dutch lock company Anker invited us last year for a factory visit. While most of the well-respected brands on the market have many of their parts made in China, Anker is an exception. They still do most of the work in their own factory, and are very proud of that. At least in the Netherlands they are unique in that respect.

The following video will show you how the key profile is cut into a lock core. Anker is known among us lockpickers for its nasty-to-pick profiles: very narrow, lots of zig-zags, and six pins. Not completely impossible, but by no means easy.

In this video you will learn how the profile is cut in the lock core (quicktime or youtube).

Sunday movie premiere: The Russian lock … Part II

January 28th, 2008

Do you remember the mysterious Russian lock?
The one used by the Russian government to safeguard their (nuclear) secrets?

Over a year ago I did a posting on this special and very rare lock. I strongly encourage you to read this previous posting if you don’t know what I am talking about. (Click on this link)

In the previous video (windows media 77 MB) the lock is only slightly disassembled.

The Russian lock ... part II

Today, safe technician Oliver Diederichsen will show you more. He will try to go all the way and fully disassemble the Russian lock to make it reveal its secrets.

Personally I was very curious what locking mechanisms were inside.

Keep in mind, this is/was the top of the line in ‘cold war’ Russian lock technology, meant to keep out some of the most clever adversaries (with unlimited budgets). Someone who is not into locks probably thinks this is a boring video. For me, it comes close to viewing an autopsy on a space alien.

See the autopsy of the Russian lock in: The Russian lock part II … (9 minutes, Quicktime movie 55 MB)

More high quality images of this lock (and many other interesting things) can be found on the webpage of Eric Schmiedl (Toool.US).

Unstealable police car …. stolen!

January 21st, 2008

unpickable locks get picked, unstealable cars get stolen ….

‘Theft-proof’ police car stolen

A high tech, theft-proof £75,000 police car was stolen in Berlin – after officers left it unlocked with the key in the ignition.

state of the art ...

The special BMW, which features high-tech surveillance equipment and sophisticated electronic locks and immobilisers to make it theft proof, was the pride of the Berlin police force.

But it was stolen in the city’s Wedding district when two officers jumped out to chase a joy-rider on foot after he had abandoned a stolen car.

The criminal got away and when the officers went back they found the expensive BMW gone.

The pair are facing disciplinary action. Police chiefs say they have no leads on who may have stolen the car and are still looking for it.

* note Barry: The car was an unmarked police car, used for traffic enforcement. The ‘high-tech surveillance equipment’ is probably nothing more than the latest generation video and speed measurement gear. My suggestion for the traffic police: keep an eye out on ebay.de …

UK locksmiths and rubber gloves …

January 21st, 2008

Maybe from now on UK locksmiths will be wearing rubber gloves ….

BURGLAR? NOT ME, I’M JUST THE LOCKSMITH

18 January 2008

Locksmith Lee Hicks was arrested for burglary when police found his fingerprints on locks he’d fixed – after the raid. Officers swooped on his Tewkesbury home and held him in custody for three hours.

They’d found his fingerprints at a garage that had been burgled, and assumed he was their man.

But he had been called to replace the locks the real burglars had broken.

His frightened wife and two young children looked on in disbelief as officers rummaged through wardrobes searching for evidence at 6am on Wednesday.

He tried to explain to the police why his fingerprints were at the scene of the crime.

the new standard for UK locksmiths?

But Lee was bundled into the back of a van and whisked off to Cheltenham Police Station.

The 33-year-old says he was shown no sympathy and treated like a criminal during his four hours in custody.

Now he is considering suing Gloucestershire Police for wrongful arrest. He said the whole thing was “unbelievable” .

He was called to change the locks at a petrol station in Newent on June 4 last year.

Raiders had smashed their way in and stolen a large number of cigarettes.

Because Lee had been in trouble with the law when he was younger, the police had his fingerprints on file.

Officers found his prints at the garage but Lee said they did not ask staff if a locksmith had been there.

Instead, they mounted a dawn raid, seven months later.

He said: “There was a loud bang on the door. There were three male police officers and one female officer. I was put into the back of a van with a cage in it.”

When he told officers at the police station they had made a mistake, the desk sergeant told him everyone claimed to be innocent.

Lee, who lives in Sallis Close, Northway, spent three hours in a cell waiting to be questioned.

He said: “They took my top from me because it had cords attached. I was shivering.

“When they finally questioned me, it was for less than five minutes.”

He is angry and amazed that the police took seven months to arrest the wrong man.

He said: “They took four hours of my life and the impression I got was they just didn’t care.

“I want someone from the police’s hierarchy to read this and think ‘this needs looking into and we can’t treat people like this’.

“It was hard to accept being locked up when you hadn’t done anything wrong.”

But Gloucestershire Police say they were right to arrest him.

Spokeswoman Kate Nelmes said he was released without charge after officers got proof he was a locksmith.

She said: “His fingerprints were picked up at the garage. It’s obvious he would be arrested. We wouldn’t know he was a locksmith or what he was doing there.”

ultraviolet impressioning

January 20th, 2008

Sunday is blackbag day, so here is my Sunday posting:

Impressioning is still part of my daily routine. I used to open at least one lock per day; now I sometimes skip a few days and open five locks in a row … Occasionally I have to open a lock a different way and take it apart to see why impressioning did not work, but it does not happen often.

I keep experimenting with new techniques and try to open more sophisticated locks. And I invest a lot of time learning about blanks, and keep searching for exotic keyblanks. (If you have any interesting European or US blanks, please drop me a mail.)

This weekend I experimented a little on using ultraviolet light and UV ink.

impressioning under UV light

I was hoping ultraviolet light would point out some marks that are difficult to see under normal light conditions. So far this has not been very successful, as I could see approximately 80% of the marks I normally see. And it slows me down, as it takes the ink between 45 and 60 seconds to dry. Then again, I just started using this technique … and it is nothing more than an experiment and gaining knowledge and experience.

I shot some images for my dear readers, so you might want to click on them:

1) First round of impressioning (UV and TL view)
2) Second round of impressioning (UV and TL view)
3) Sixth round of impressioning (before and after)
4) Marker, includes advice (Edding 8280)
5) Forensic evidence, ink residue on the lock

For this experiment I used a Q22 inspection light (UVA light, 360 nm, the least harmful of the ultraviolet spectrum) and an edding 8280 marker.

Next week on blackbag: video revealing more of the inner workings of the mysterious ‘Russian lock’ ….

Dutch OV Chipkaart haunted by ghosts

January 15th, 2008

This is getting embarrassing … Yesterday Roel Verdult of Nijmegen’s Radboud University demonstrated on Dutch television (WMV or YouTube) how he hacked the disposable RFID public transport card. Roel created a small device called ‘ghost’ that is capable of cloning disposable cards and reusing them over and over again. Total hardware cost: around 40 euro. And Roel thinks that as soon as the German researchers release their information on Mifare Classic, the ‘more secure’ subscription tickets can also be cloned. Some English information written by him is available here (pdf).

ghost RFID cloner

This is the second time this card has been hacked in a short time, yet the designers of the system (Trans Link Systems) say there is nothing to worry about, and the system is still ‘very secure’. *sigh*

Talking about depressing: some information just came out about privacy issues with the OV Chipkaart (WMV). All travel data is stored for seven(!) years. And the stored data is ‘not very well protected’ ….
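The ‘ghost’ cloner described above works because a disposable card carries no cryptography: whatever state the card held can be copied and presented again. When the card itself cannot refuse a replay, the only place left to notice one is the backend that sees every tap. The following is an added illustration written for this post, not code from the blackbag blog, from Roel Verdult or from Trans Link Systems. It assumes a very simple ticket model (a card UID plus a trips-remaining counter that the reader decrements on each tap) and uses constructed tap events; the field names and reader ids are my own.

```python
"""Backend-side detection of a replayed/cloned disposable ticket.

Added illustration, not the blackbag post's code. Model (an assumption):
each tap reports the card UID and the trips-remaining counter *after*
the reader decremented it. A genuine card therefore presents a strictly
decreasing counter. A clone restored from an earlier copy presents a
value the backend has already seen as used, so the counter appears to
move backwards (or stall), and the UID can be flagged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Tap:
    card_uid: str     # serial number read from the card
    trips_after: int  # trips remaining, as written by the reader after this tap
    reader_id: str    # constructed reader identifier
    ts: int           # seconds since some epoch (constructed)


@dataclass
class TicketLedger:
    """Per-card state the backend keeps; the card itself cannot be trusted."""
    last_accepted: Dict[str, int] = field(default_factory=dict)
    flagged: set = field(default_factory=set)

    def check(self, tap: Tap) -> str:
        prev = self.last_accepted.get(tap.card_uid)
        if prev is None or tap.trips_after < prev:
            # First sighting, or the counter moved forward (downwards) as a
            # genuine card must. Accepting any decrease rather than exactly
            # prev - 1 tolerates a tap lost on an offline reader.
            self.last_accepted[tap.card_uid] = tap.trips_after
            return "ok"
        # Counter stalled or went back up: a second copy of this card's
        # earlier state is in circulation. We cannot tell which physical
        # card is the clone, only that there are now two, so the UID is
        # blocked for a human decision rather than silently accepted.
        self.flagged.add(tap.card_uid)
        return "suspect-replay"


def audit(taps: List[Tap]) -> List[Tuple[str, int, str]]:
    """Run every tap through one ledger; returns (uid, ts, verdict) per tap."""
    ledger = TicketLedger()
    return [(t.card_uid, t.ts, ledger.check(t)) for t in taps]


# Constructed sample: a genuine 10-trip card is tapped twice, then a clone
# made from its original state starts travelling alongside it.
SAMPLE_TAPS = [
    Tap("04A1B2C3", 9, "R-AMS-01", 1000),   # genuine card, first trip
    Tap("04A1B2C3", 8, "R-AMS-07", 1900),   # genuine card, second trip
    Tap("04A1B2C3", 9, "R-UTR-02", 2500),   # clone presents restored state
    Tap("04A1B2C3", 7, "R-AMS-01", 3100),   # genuine card continues
    Tap("04A1B2C3", 8, "R-UTR-02", 3300),   # clone again
    Tap("0499FF00", 4, "R-AMS-01", 1200),   # unrelated card, nothing wrong
]


if __name__ == "__main__":
    for uid, ts, verdict in audit(SAMPLE_TAPS):
        print(f"{ts:>5}  {uid}  {verdict}")
```

The ledger never blocks a card on its first sighting, so it catches the clone only once the two copies diverge; that is the price of having no secret on the card. A real deployment would add plausibility checks (two taps seconds apart at readers far from each other) and would reconcile taps from readers that were offline, but the core idea stays the same: state that the card cannot protect has to be mirrored and compared server-side.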

13 Song’s Audi/Opel decoder

January 13th, 2008

Ok, I made my Sunday evening deadline …. hope you like the topic …

I wrote about the Korean lock tool company “13 song’s tool” before. Very clever, very bright. It is just too bad to see cheap knock-offs of their original design floating around all over the place …

When I met with the people behind “13 song’s tool” some time ago, they were kind enough to demonstrate some of their tools.

cut your own key ....

The tool you see on this blackbag video (high quality QuickTime or low quality YouTube) is a decoder tool for two-track Audi and Opel locks.

The theory behind this decoder is the same as the VW decoder covered on this website before. The inner shape of the wafer depends on the code, so a wafer ‘code one’ has a bigger opening than a ‘code four’. This tool simply ‘reads’ the size of the opening of the wafer. And instead of using pre-defined setup keys (as with the VW tool), this kit comes with thin pieces of metal to cut a key from. Two of these pieces back to back will open the lock ….

Thank you for visiting … next week (Sunday evening) more videos on blackbag … stay tuned …

Melle 5

January 12th, 2008

SpiderMelle 5, artwork by Charlotte Wels

Ok, it is all very important … crappy bicycle locks, public transport cards based on toy crypto, etc etc etc …

However, today and yesterday these topics are of no relevance, as my youngest son Melle turned five and demanded a big celebration party 😉

What do you think, will I make the ‘Sunday blackbag posting’ with all these festivities ?!? …. let’s see ….

Trouble for OV chipkaart?!?

January 7th, 2008

We are on the verge of introducing a new payment system for public transport in the Netherlands. This so-called ‘OV Chipkaart’ uses an RF-ID based payment system and is already deployed on a small scale. In less than a year it must be deployed nationwide.

http://commons.wikimedia.org/wiki/Category:OV-chipkaart?uselang=nl

As with all huge government IT projects, the stakes are high. We all know the government does not like to lose face, especially in large IT projects. This project already suffered from delay, but as it seems now this delay might be a blessing in disguise … as the OV-Chipkaart system uses Mifare classic (*) …

I guess we will soon hear more about this …

* source: Wikipedia: The OV-Chipkaart is based on Philips (currently NXP Semiconductors) Mifare technology. The regular cards (anonymous and personal) are Mifare Classic 4K cards with about 4 kilobytes of available storage. These cards are locked for both reading and writing with keys only known by the card vendors. The temporary passes are cheaper Mifare Ultralight cards that do not employ encryption or keys, and can be read by anyone.

Update 21:00 Someone pointed out the OV-chipkaart FAQ (translated from Dutch):

Q: Is the OV chipkaart protected?

A: Yes, because the OV-Chipkaart could potentially contain great value, we selected a chip that already uses a high security level (Mifare). Besides that, additional security measures are taken ‘in the application on the card’ as well as on the terminals.

Note: So I guess we have nothing to worry about, as they added some additional proprietary security measures …

Relying on Mifare? Better start migrating!

January 6th, 2008

Life for us in the lockpick community is simple. If we want to tackle a specific lock we can just go buy a sample and study it.

During my search for lock knowledge, I have bought several locks simply because I felt the need to disassemble them and satisfy my curiosity. In some cases I had to use a small grinder to cut my way into the lock to make it reveal its secrets. But at the end of the day no lock ever was able to keep its inner working secret for me.

In that respect our life is easy compared to that of researchers who examine RF-ID systems. Most of the RF-ID vendors keep the inner workings secret. Deep inside a one millimeter chip, a small proprietary encryption routine is held. Virtually impossible to reach, spread over five extremely thin layers that are all interconnected.

Good luck taking that apart to see if you can reverse engineer the algorithm … or at least that must have been the thought of the inventors of the Mifare RF-ID system. Unfortunately for them, some German researchers did just that … take the one square millimeter chip apart.

And at the latest CCC congress in Berlin, Karsten Nohl and Henryk Plötz gave a brilliant and inspiring presentation about their findings (google video or MP4).

* Karsten Nohl pointing out the different layers

The researchers used a ‘simple’ setup. With lots of patience, they managed to slice off the top of the chip and reach the first layer. Using a 500X magnifying microscope they took a high resolution picture of this layer. They then used some very fine polish and ‘really really carefully’ polished away the first layer, making the second layer visible. And took another picture. And so on. The story does not say in how many tries they succeeded in making five high quality images, but it must have been a hell of a job. Not to mention laying these images on top of each other and trying to make sense out of it. According to the researchers this all was ‘painful work’. Well, I take my hat off to them, as it is the kind of research I greatly admire!

It took them some time, but they managed to reverse engineer the Mifare encryption algorithm this way. And with that the Mifare system seems history (for serious applications).

Mifare heavily relies on keeping the encryption scheme secret. The problem is that cheap/affordable RF-ID chips do not have enough CPU to do serious crypto, so keeping the inner workings secret is the only defense. And during the research many more weaknesses in the Mifare system were found. Even if you do not understand everything, I strongly encourage everyone to view the video of the presentation. It is inspiring to say the least, and shows that with determination even the most complex problem can be tackled (well …. almost).

The real lesson learned is that security through obscurity does not work, and only buys you some time. But it will bite you in the long run when using it in widely deployed systems. The problem now is millions of Mifare chips are deployed in the field in a huge install base. And most of the users are completely unaware of the disaster that is coming …

So far the users are ‘safe’. The researchers have not given out the full details on Mifare … yet. But please take their advice seriously: “If you rely on Mifare for anything, start migrating!”. More information about the Mifare hack can be expected in the very near future.

And even though I am thrilled about this attack, I am not too happy. We use Mifare ourselves to secure some parts of some of our offices …. (sigh)

Still I would like to thank the researchers and compliment them for their excellent work and for giving us some time to migrate.

I can not wait to hear more about it!