Open in 30 Seconds Cracking One of the Most Secure Locks in America Marc Weber Tobias Matt Fiddler Tobias Bluzmanis

Agenda • Part I: The Beginning • Part II: Key Control and Key Security • Part III: Locks Lies and Videotape

PART I

The Beginning

WHY THE MEDECO CASE STUDY IS IMPORTANT
• Insight into design of high security locks
• Patents are no assurance of security
• Appearance of security v. Real World
• Undue reliance on Standards
• Manufacturer knowledge and Representations
• Methodology of attack
• More secure lock designs

CONVENTIONAL v. HIGH SECURITY LOCKS
• CONVENTIONAL CYLINDERS
  – Easy to pick and bump open
  – No key control
  – Limited forced entry resistance
• HIGH SECURITY CYLINDERS
  – UL and BHMA/ANSI Standards
  – Higher quality and tolerances
  – Resistance to Forced and Covert Entry
  – Key control

HIGH SECURITY LOCKS: • Protect Critical Infrastructure, high value targets • Stringent security requirements • High security Standards • Threat level is higher • Protect against Forced, Covert entry • Protect keys from compromise

HIGH SECURITY: Three Critical Design Factors • Resistance against forced entry • Resistance against covert and surreptitious entry • Key control and “key security” Vulnerabilities exist for each requirement

HIGH SECURITY LOCKS: Critical Design Issues
• Multiple security layers
• More than one point of failure
• Each security layer is independent
• Security layers operate in parallel
• Difficult to derive intelligence about a layer

ATTACK METHODOLOGY
• Assume and believe nothing
• Ignore the experts
• Think “out of the box”
• Consider prior methods of attack
• Always believe there is a vulnerability
• WORK THE PROBLEM
  – Consider all aspects and design parameters
  – Do not exclude any solution

ATTACKS: Two Primary Rules • “The Key never unlocks the lock” – Mechanical bypass

• Alfred C. Hobbs: “If you can feel one component against the other, you can derive information and open the lock.”

METHODS OF ATTACK: High Security Locks
• Picking and manipulation of components
• Impressioning
• Bumping
• Vibration and shock
• Shim wire decoding (Bluzmanis and Falle)
• Borescope and Otoscope decoding
• Direct or indirect measurement of critical locking components

ADDITIONAL METHODS OF ATTACK • Split key, use sidebar portion to set code • Simulate sidebar code • Use of key to probe depths and extrapolate • Rights amplification of key

EXPLOITING FEATURES
• Codes: design, progression
• Key bitting design
• Tolerances
• Keying rules – Medeco master and non-master key systems

• Interaction of critical components and locking systems • Keyway and plug design

STANDARDS REQUIREMENTS • UL and BHMA/ANSI STANDARDS • TIME is critical factor – Ten or fifteen minutes – Depends on security rating

• Type of tools that can be used • Must resist picking and manipulation • Standards do not contemplate or incorporate more sophisticated methods

COVERT and FORCED ENTRY RESISTANCE • High security requirement

CONVENTIONAL PICKING

SOPHISTICATED DECODERS • John Falle: Wire Shim Decoder

TOBIAS DECODER

DECODE PIN ANGLES

FORCED ENTRY RESISTANCE

FORCED ENTRY ATTACKS: Deficiencies in standards
• Many types of attacks defined
• Mechanical Bypass – Not Contemplated
• Must examine weakest links
• Do not cover “hybrid attacks”
  – Medeco deadbolt attacks
  – Medeco mortise attack

SIDEBAR: Bypass and Circumvention • Direct Access – Decoding attacks – Manipulation – Simulate the sidebar code (Medeco) – Use of a key (Primus and Assa)

• Indirect access – Medeco borescope and otoscope decode issues

FORCED ENTRY ATTACKS • Direct compromise of critical components – Medeco deadbolt 1 and 2 manipulate tailpiece • Hybrid attack: two different modes – Medeco reverse picking • Defeat of one security layer: result – Medeco Mortise and rim cylinders, defeat shear line

MEDECO CASE HISTORY
• Exploited vulnerabilities
• Reverse engineer sidebar codes
• Analyze what constitutes security
• Analyze critical tolerances
• Analyze key control issues
• Analyze design enhancements for new generations of locks: Biaxial, m3 and Bilevel

MEDECO MISTAKES • Failed to listen • Embedded design problems from beginning • Compounded problems with new designs with two new generations: Biaxial and m3 • Failed to “connect the dots” • Failure of imagination • Lack of understanding of bypass techniques

DESIGN = VULNERABILITY • Basic design: sidebar legs + gates – How they work: leg + gate interface – Tolerance of gates

• Biaxial code designation
• Biaxial pin design: aft position decoding
• M3 slider: geometry
• M3 keyway design
• Deadbolt design

MEDECO DESIGN: Exploit design vulnerabilities
• EXPLOIT BEST DESIGN FEATURES
• Sidebar leg – true gate channel
• Code assignment: Biaxial 1985
• Gate – sidebar leg tolerance
• M3 design 2003
  – Widen keyway .007”
  – Slider geometry, .040” offset

MEDECO TIMELINE • 1970 Original Lock introduced • 1985 Biaxial, Second generation • 2003 m3 Third generation

MEDECO LOCKS: Why are they Secure?
• 2 shear lines and sidebar for Biaxial
• 3 independent security layers: m3
• Pins = 3 rotation angles, 6 permutations
• Physical pin manipulation difficult
• False gates and mushroom pins
• ARX special anti-pick pins
• High tolerance

MODERN PIN TUMBLER

MEDECO BIAXIAL

MEDECO LOCKS: 3 Independent Layers
• Layer 1: PIN TUMBLERS to shear line
• Layer 2: SIDEBAR: 3 angles x 2 positions
• Layer 3: SLIDER – 26 positions
Opened by: lifting the pins to shear line, rotating each pin individually, moving the slider to correct position

MEDECO TWISTING PINS: 3 Angles + 2 Positions

SIDEBAR Technology
• Blocks rotation of the plug
• One or two sidebars
• Primary or secondary locking
• Only shear line or secondary
• Integrated or separate systems
  – Assa, Primus, Mul-T-Lock MT5, Evva MCS = split
  – Medeco and 3KS = integrated

• Direct or indirect relationship and access by key bitting

SIDEBAR LOCKING: How does it work
• One or two sidebars
• Interaction during plug rotation
• Direct or indirect block plug rotation
• Sidebar works in which modes
  – Rotate left or right
  – Pull or push

• Can sidebar be neutralized: i.e. Medeco – Setting sidebar code – Pull plug forward, not turn

SIDEBAR LOCKING Information from the lock? • Feel picking: sense interactions • Medeco, 3KS, Primus, Assa = direct link • MCS = indirect link: sidebar to component • Sidebar + pins/sliders interaction to block each other: ability to apply torque?

SECURITY CONCEPTS: Sidebar “IS” Medeco Security
• GM locks, 1935, Medeco re-invented
• Heart of Medeco security and patents
• Independent and parallel security layer
• Integrated pin: lift and rotate to align
• Sidebar blocks plug rotation
• Pins block manipulation of pins for rotation to set angles

PLUG AND SIDEBAR: All pins aligned

SIDEBAR RETRACTED

PLUG AND SIDEBAR: Locked

MEDECO CODEBOOK: At the heart of security • All locksmiths worldwide must use • All non-master keyed systems • New codes developed for Biaxial in 1983 • Chinese firewall: MK and Non-MK • Codebook defines all sidebar codes

MEDECO RESEARCH: Results of Project • Covert and surreptitious entry in as little as 30 seconds: standard requires 10-15 minutes • Forced entry: four techniques, 30 seconds, affect millions of locks • Complete compromise of key control – Duplication, replication, simulation of keys – Creation of bump keys and code setting keys – Creation of top level master keys

M3 SLIDER: Bypass with a Paper clip

SECURITY OF m3:

Video Demo: • Medeco Slider Bypass

RESULTS OF PROJECT: Picking • Pick the locks in as little as 30 seconds • Standard picks, not high tech tools • Use of another key in the system to set the sidebar code • Pick all pins or individual pins • Neutralize the sidebar as security layer

PICKING A MEDECO LOCK

Video Demo: • Picking Medeco Locks

RESULTS OF PROJECT: “Reverse Picking”

Video Demo: • “Reverse Picking” Medeco Locks

RESULTS OF PROJECT: Bumping • Reliably bump open Biaxial and m3 locks • Produce bump keys on Medeco blanks and simulated blanks • Known sidebar code • Unknown sidebar code

MEDECO BUMP KEY

Video Demo: • Bumping Medeco Locks – Jenna Lynn – Tobias

RESULTS OF PROJECT: Decode Top Level Master Key • Determine the sidebar code in special system where multiple sidebar codes are employed to protect one or more locks • Decode the TMK • PWN the system

RESULTS OF PROJECT: Forced Entry Techniques • Deadbolt attacks on all three versions – Deadbolt 1 and 2: 30 seconds – Deadbolt 3: New hybrid technique of reverse picking

• Mortise and rim cylinders – Prior intelligence + simulated key

• Interchangeable core locks

DEADBOLT ATTACK

DEADBOLT BYPASS: $2 Screwdriver + $.25 materials

Video Demo: • Deadbolt Bypass: – Original – Interim Fix – Current Production

MEDECO BILEVEL • 2007 Bilevel locks introduced • Integrate low and high security to compete • Flawed design, will affect system security when integrated into high security system • Borescope decoding of aft pins to compromise security of entire system

CONNECTING THE DOTS: The Results • Biaxial Code assignment: Reverse Engineer for all non-master key systems • Gate tolerance: 4 keys to open • NEW CONCEPT: Code Setting keys • Sidebar leg-gate interface: NEW CONCEPT: Setting sidebar code • M3 Wider keyway: Simulated blanks • Slider design: paper clip offset

4 KEYS TO THE KINGDOM

PART II

Key Control and Key Security

KEY CONTROL: The Theory • PROTECTION OF BLANKS OR CUT KEYS FROM ACQUISITION OR USE: – Unauthorized duplication – Unauthorized replication – Unauthorized simulation • restricted keyways • proprietary keyways • sectional keyways

MEDECO INSECURITY: Real World Threats - Keys • VIOLATION OF KEY CONTROL and KEY SECURITY – Compromise of entire facility – Improper generation of keys

KEYS and KEY CONTROL KEYS: EASIEST WAY TO OPEN LOCKS – Change key or master key – Duplicate correct bitting – Bump keys – Rights amplification: modify keys

PROTECTION OF KEYS – Side bit milling: Primus and Assa – Interactive elements: Mul-T-Lock – Magnets: EVVA MCS

0WN THE SYSTEM: Obtaining the Critical Data TECHNIQUES TO OBTAIN KEY DATA • Impressioning methods • Decoding: visual and Key Gauges • Photograph • Scan keys • Copy machine

KEYS: CRITICAL ELEMENTS
• Length = number of pins/sliders/disks
• Height of blade = depth increments = differs
• Thickness of blade = keyway design
• Paracentric design
• Keyway modification to accommodate other security elements
  – Finger pins
  – Sliders

KEY CONTROL

KEY CONTROL “KEY SECURITY” • Duplicate • Replicate • Simulate “Key control” and “Key Security” may not be synonymous!

KEY SECURITY: A Concept
• Key control = physical control of keys
• Prevent manufacture and access to blanks
• Control generation of keys by code
• Patent protection
• Key security = compromise of keys
  – Duplication
  – Replication
  – Simulation

MEDECO KEY CONTROL: Appearance v. Reality • WHAT IS IT SUPPOSED TO MEAN? • ARE THE STANDARDS SUFFICIENT? • REAL WORLD VULNERABILITIES

MEDECO KEY CONTROL: Virtually Impossible to Copy “High security starts with key control; a process that insures that keys cannot be duplicated without proper permission. Clearly, if anyone can have a lock’s key copied, then it truly doesn’t matter how tough the lock itself is built. Medeco’s patented key control makes it virtually impossible for someone to duplicate a commercial or residential key without proper permission.”

MEDECO HIGH SECURITY KEYS v. STANDARD KEYS “A standard key can be copied at a million stores without restriction or proof of ownership. Unauthorized duplicate keys often result in burglaries, theft, vandalism, and even violent crimes.” – Medeco advertising brochure

Video Demo: • Medeco Key Copy Promo

MEDECO KEY CONTROL: The Problem CIRCUMVENTING SECURITY LAYERS – Keyways can be bypassed – Blanks can be simulated – Sidebar codes are simulated – Slider can be bypassed NO REAL LEGAL PROTECTION EXCEPT FOR M3 STEP – Patent expired 2005 – Keyways not protected – Third party blanks

KEY Control: Duplicate - Replicate - Simulate

SECURITY THREAT: Failure of Key Control: Duplicate IMPROPER ACQUISITION OR USE OF KEYS BY EMPLOYEES OR CRIMINALS – Unauthorized access to facilities or areas – Bump keys – Use for rights amplification – Compromise master key systems

SECURITY THREAT: Failure of Key Control: Replicate HIGH SECURITY LOCKS AND KEYS – Designed to prevent replication

REPLICATION TECHNIQUES – Easy Entrie milling machine – Silicone casting – Plastic and epoxy copies – Facsimile copy

SECURITY THREAT: Failure of Key Control: Simulate M3 KEYWAY – Wider than Biaxial – No paracentric keyway COMPONENTS OF MEDECO KEYS – Ward pattern and paracentric keyway – Bitting – M3 Slider SECURITY THREAT – Bypass wards in paracentric keyway – Create new blanks

RESULT: Failure of Key Control
• Restricted and proprietary keyways
• M3 Slider: bypass with paper clip
• Sabotage potential
• Availability of blanks
• Duplicate from codes or pictures
• TMK extrapolation
• Set the sidebar code
• Make keys to open your locks

MEDECO INSECURITY: Real World Threats - Keys
• NO KEY CONTROL OR KEY SECURITY
• All m3 and some Biaxial keyways
• Keyways (restricted and proprietary)
• M3 Step = no security
• Copy keys
• Produce any blank
• Generate Top Level Master Key
• Cut any key by code

MEDECO INSECURITY: The Threat from Within • COMPROMISE OF KEY CONTROL + HYBRID ATTACK – Mortise, Rim, Interchangeable cores • MEDECO KEY CONTROL v. CONVENTIONAL KEYS – Conventional keys = 1 layer of security – Medeco keys = 3 layers of security • Hybrid attacks • With key cutting machine

MORTISE, RIM, IC: A Special Form of Attack HYBRID ATTACK – Will damage the lock – Entry in ten seconds – Millions of Locks affected

“KEYMAIL”: The New Security Threat from Within • NEW AND DANGEROUS THREAT • FAILURE OF KEY CONTROL IN m3 and SOME BIAXIAL CYLINDERS – Duplicate keys easily • USE OF NEW MULTI-FUNCTION COPIERS – It scans, copies, prints, and allows the production of MEDECO keys

KEYMAIL: The Premise • EASILY CAPTURE AN IMAGE OF KEY • REPLICATE THE KEY IN PLASTIC • DIFFERENT METHODS TO OPEN LOCKS – No key control – Easy to accomplish with access to source key – Simple technique to replicate any key

MEDECO ACCEPTS PLASTIC!

KEYMAIL: How It Works for Medeco
• ACCESS TO THE TARGET KEY
• CAPTURE AN IMAGE
• PRINT THE IMAGE
• PRODUCE A KEY
• OPEN THE LOCK

MEDECO and KEY CONTROL? ® American Express, Master Card, Visa, Discover, and Diners Club

Don’t leave home without one What is behind the locked door: Priceless Go anywhere you want to be The card that can get you cash The card is key

CUT A FACSIMILE OF KEY • KEY REQUIREMENTS FOR MORTISE, RIM, and IC LOCKS – Vertical bitting only – No sidebar data – No slider data

Medeco Key Control?

PLASTIC KEYS: PROCEDURE • OBTAIN IMAGE OF THE KEY – Scan, copy, or photograph a Medeco key – Email and print the image remotely – Print 1:1 image on paper, label, Shrinky Dinks ® – Trace onto plastic or cut out the key bitting – Copy with a key machine or by hand • INSERT KEY INTO PLUG – Neutralize three layers of security – Open Mortise, Rim, IC cylinders

ACCESS TO TARGET KEY
• BORROW BRIEFLY
• AUTHORIZED POSSESSION
• USE
• COLLUSION WITH EMPLOYEE WHO HAS ACCESS TO A KEY

CAPTURE AN IMAGE
• COPIER
• TRACE THE KEY
• CELL PHONE CAMERA
• SCANNER / FAX

OBTAIN DATA - COPIER

OBTAIN DATA - SCANNER

OBTAIN DATA - CELL CAM

BLACKBERRY CURVE

RESULTING IMAGE • REPRODUCE THE IMAGE – On Paper – On credit card or plastic card – On plastic sheet – On Adhesive Labels – On Shrinky Dinks® plastic – On a piece of copper wire – On a simulated metal key

PRINT IMAGE ON PLASTIC OR PAPER

KEYS FROM PLASTIC CARDS • OPEN m3 and SOME BIAXIAL LOCKS • STANDARD KEY MACHINE – Hybrid attack, vertical bitting only • MEDECO CUTTER – Vertical bitting and angles • CUT BY HAND – Vertical bitting and angles • BYPASS SLIDER – Paper clip or wire

NEUTRALIZE SHEAR LINE

PRODUCE A KEY: Set the Shear Line

SET THE SHEAR LINE

SET THE SHEAR LINE

HYBRID ATTACK: Set the Shear Line, Open the Lock for Mortise, IC, Rim Cylinders

CONVENTIONAL LOCKS KWIKSET = 1 Layer of Security

KWIKSET PLASTIC KEY

Video Demo: • Kwikset Plastic Key

HIGH SECURITY KEYS • MULTIPLE SECURITY LAYERS – Many cannot be simulated…

Video Demo: • Medeco Plastic on key Machine • Medeco Plastic on Door

MEDECO INSECURITY: Protective Measures FACILITY RESTRICTIONS – No First Amendment – No paper clips! – No credit cards, key cards, hotel room cards – No Copiers, scanners, cameras – No scissors or X-Acto knives – No self-adhesive labels – No plastic report covers – No Shrinky-Dinks! – No printers or Multifunction Devices – No cell, email or Fax connections to outside world

PART III

Locks, Lies And Videotape

“Our locks are bump-proof, virtually bump-proof, and Virtually Resistant” – We Never claimed our Locks were bumpproof! – Our deadbolts are secure, no problem! – We have spent hundreds of hours and cannot replicate any of the Tobias attacks!

MEDECO RECOGNIZES LOCKSPORT: NDE: May, 2008 • BASED ON “RESPONSIBLE DISCLOSURE” ABOUT MEDECODER – Give Medeco time to fix the vulnerability – Right result, wrong reason – Not new: 15 year old bypass – Problem in millions of locks – Concept not applicable

KNOWN VULNERABILITIES IN MEDECO LOCKS • RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE – Serious vulnerabilities disclosed to Medeco – Notice to manufacturer for 18 months – Failure to disclose to dealers or customers – Misrepresentation, half truth, misleading advertising and use of language that means nothing

RESPONSIBLE DISCLOSURE: It’s a Two-Way Street • DISCOVERY OF VULNERABILITY – Locksport, hacker, security expert disclosure to manufacturers – Manufacturers to dealers and consumers • SIGNIFICANT QUESTIONS – When discovered – New lock or embedded base – Number of users affected – National security issues

RESPONSIBILITIES • Locksport and hacker responsibility – Disclose vulnerability in new lock design or upgrade – What about current locks that are installed – Give time to fix? When relevant?

HIGH SECURITY LOCK MANUFACTURERS • Responsibility of high security lock manufacturer are different – High security is different than normal mfg or corporation – Protect high value targets, critical infrastructure • Duties – Tell the truth – Disclose security vulnerabilities to customers and dealers

RESPONSIBLE DISCLOSURE: REALITY, AND LIABILITY • WHAT TO DISCLOSE AND TO WHOM • TWO COMPONENTS • PUBLIC RIGHT AND NEED TO KNOW – Security by Obscurity – Assume the risk: only based upon knowledge – Bad guys already know • LOCKS NOT LIKE SOFTWARE – Notice is only prospective to fix a problem

DISCLOSURE TO MANUFACTURER: Prospective or Retroactive Effect • PROSPECTIVE IMPLEMENTATION OF FIX BY MANUFACTURER – Only applies to new locks or new product – Does not apply to embedded base – Does not help the consumer unless manufacturer does a recall or field fix • QUESTION OF LIABILITY AND COST – Who will pay for retroactive upgrade? – “Enhancement” to new bypass technique or liability to remedy?

MEDECO: Responsible or Irresponsible Actions? • WHAT IS THE TRUTH? – August 4, 2006 press release: “Bumpproof” – February 2007 - Retroactively changed the language: “Virtually Bump-proof” – The Medeco Problem: www.archive.org

• TV, Advertising, DVD, Medeco website

August 2006: Bump Proof

Feb 2007:Virtually BumpProof

2008:

“WE NEVER SAID OUR LOCKS WERE BUMPPROOF” • AUGUST 15, 2006 • U.S. Patent and Trademark Office filing by Medeco Security Locks, Inc. lawyer G. Franklin Rothwell, Application 78952460 – Word mark: BUMP PROOF – Abandoned: February 9, 2007

BUMP PROOF: USPTO FILING FOR THE WORD MARK

ABOUT CLAIMS OF PICKING MEDECO LOCKS • NOBODY HAS PROVED THEY CAN PICK OUR LOCKS IN 40 YEARS – False demonstrations, special locks – They are lying – We cannot replicate anything

• THE REAL PROBLEM – They cannot open their own locks – Failure of imagination

RESPONSIBLE DISCLOSURE BY LOCK MANUFACTURERS • KNOWLEDGE OF VULNERABILITY – Known or suspected – Make responsible notifications – Let users and dealers assess risks – Duty to tell the truth – Duty to fix the problem

MEDECO LOCKS ARE VULNERABLE • MEDECO KNOWS – Vulnerability from Bumping, Picking, Key control, Forced Entry techniques – Should be candid with dealers and users so they understand the potential risks – Failure to tell the truth = irresponsible nondisclosure – Dealers and customers have a need and a right to know

VULNERABILITIES: Full Disclosure Required • SECURITY BY OBSCURITY – It does not work with Internet – It is the User’s security – They have a right to assess their own risks – Criminals already have information – Disclosure: benefits outweigh risks – Liability for failure to disclose

LESSONS LEARNED • THE MEDECO CASE – Nothing is impossible – Corporate arrogance does not work

• HIGH SECURITY LOCK MAKERS – Engineering, Security, Integrity – Duty to tell the truth

Thank You!

© 2008 Marc Weber Tobias, Matt Fiddler and Tobias Bluzmanis