Forgot your password?
typodupeerror
Security Hardware

Defcon Hacks Defeat Card-And-Code Locks In Seconds 144

Posted by timothy
from the hey-tsa-locks-are-awesome dept.
Sparrowvsrevolution writes "At the Defcon security conference in Las Vegas, Marc Weber Tobias and Toby Bluzmanis plan to demonstrate simple hardware hacks that expose critical security problems in Swiss lock firm Kaba's E-plex 5800 and its older 5000. Kaba markets the 5800 lock, which Bluzmmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access. One attack uses a mallet to 'rap' open the lock, another opens the lock by putting a pin through the LED display light to ground a contact on the circuit board, and a third uses a wire inserted in the lock's back panel to hit a switch that resets its software."
This discussion has been archived. No new comments can be posted.

Defcon Hacks Defeat Card-And-Code Locks In Seconds

Comments Filter:
  • by retroworks (652802) on Friday August 05, 2011 @09:02PM (#37003104) Homepage Journal
    Legally speaking, an "unhackable" security system is starting to resemble an attractive nuisance. Design utmost security, you are inviting hackers, thereby defeating your trespass claims...
    • by sribe (304414)

      I'd like to see the hacker that could defeat my home security system [remingtonle.com]!

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Well, since you're probably american, the hacker can have a gun as well, if he shoot first, no one give a shit about YOUR gun.

        • by chill (34294)

          Han? Is that you?

          • by kvezach (1199717)
            No, he's Greedo. Don't you know? We've always been at war with, err... Greedo always shot first.
      • by Carnildo (712617)

        Easy [wikipedia.org].

        • by siddesu (698447)

          Even easier and not so exotic, I'll always bet on a thug who is used to violence against a regular guy with a gun. The thug wins because he has advantage in ruthlessness. I have a reasonably good command of a martial art, yet I got surprised this year in the street by a guy roughly twice my size who tried to mug me. I took one in the teeth just because I just refused to believe what was happening. In the end he wasn't really successful and is probably still productively employed in a brick prison factory, b

          • Exactly... Nice door lock there... Crowbar works just fine on the WINDOW too.

            The difference it that real criminals have no problem leaving a broken mess...

            Locks like these still miss the point that a big enough hammer is going to take the lock off the door.. Then a plain screwdriver can open it!

            • by rubycodez (864176)
              And a 25 kilo or more dog can open the veins on a bar-wielding perp before he knows or can see what attacked him.

              You want to see ruthless, that's a dog who thinks his owner is in mortal danger. Something flips in their brain, and they get as hard to put down as a wolf.
          • how long did his mouth hurt then? Surely you laid him out and subdued him until the police came, since you eluded to his incarceration?
          • by Joce640k (829181)

            I have a reasonably good command of a martial art...

            How come I never saw a headline in a paper which said something like: "Martial Arts master defeats gang of crooks!"

            There's a decent percentage of the population practicing martial arts...where's the flaw?

            • by siddesu (698447)

              I guess most people just don't bump into gangs of crooks, and those unlucky to do so do it under circumstances that are against them. In my case, this was my first "real" fight in 20 years, I do the martial art as a form of exercise. Also, I imagine if there were three or four of them that big and armed, I'd be in deeper shit if I tried to fight.

          • by rubycodez (864176)
            I"ll bet on the one who has spent hundreds or thousands of hours training with a weapon or martial arts system. Ruthlessness toward the enemy can be trained. As former range officer I've seen that people who haven't fired a gun much have absurdly huge groups at average gunfighting distance. The gang gunfights we have in the nearby huge city bear that out, intended targets usually don't get hit at seven meters plus distance while other people and things do.
        • by ewanm89 (1052822)
          I raise you by this, [wikipedia.org]
      • Won't work if you're not home.
      • by AvitarX (172628)

        http://en.wikipedia.org/wiki/Sleep [wikipedia.org]

        or

        http://en.wikipedia.org/wiki/Vacation [wikipedia.org]

        or even better reflexes +

        http://www.remingtonle.com/shotguns/1187.htm [remingtonle.com]

    • by Ja'Achan (827610)
      This might be true. But for every smart hacker out there, there's a thousand script kiddies. You might not be able to keep everyone out, but if you have low end security, everyone will take a crack at it.
    • So the solution is to design things that are so obviously insecure no hacker will even bother to play with it? That's not the security I'd feel comfortable with.

  • by magarity (164372) on Friday August 05, 2011 @09:08PM (#37003146)

    a new Department of Homeland Security standard that goes into effect next year
     
    How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

    • Re: (Score:2, Interesting)

      by camperdave (969942)
      Seems odd to me that DHS standards specify a Swiss lock. Are there no American lock manufacturers?
      • DHS doesn't specify any lock. They define standards that manufacturers can choose to implement if they want to market a standards-compliant lock. FTFA:

        Zurich-based Kaba markets the 5800 lock... as the first to integrate code-based access controls with a new [DHS] standard

    • by Anonymous Coward

      a new Department of Homeland Security standard that goes into effect next year

      How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

      I couldn't find a link to this standard (though I didn't try that hard), so I'm not sure it's fair to criticize the standard without reading and understanding it.

      The "attacks" mentioned in the summary don't seem to be against the standard itself, but are physical attacks against one particular

    • Lock specification:

      1) Submit production samples of your candidate locks to several Defcon conferees, particularly those who have defeated lock mechanisms in the past.
      2) A decision on whether your locks meets the specification will be rendered after next year's Defcon.
    • by hey! (33014)

      What I don't understand is, why spend $1300 on an untested design?

      What I'd do is put an RFID tag on the user's key, then take a high quality conventional lock and add an RFID reader to it and a pawl which prevents the lock cylinder from turning unless an RFID on the allow list is present.

      The point would be the lock would fail to a safe, or relatively safe condition. If the electronic system were defeated you'd still have a functioning lock.

      • by aaarrrgggh (9205)

        Something you have plus something you know required. If both authentication mechanisms are integrated all you have is a more secure key.

    • How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

      That's pretty common with (non-classified) government security standards. A bunch of guys, often ones whose last industry experience occurred twenty years ago, get together and, after 2-3 years of often acrimonious committee meetings, throw together enough random features to call it a standard. Far too frequently what gets certified for govt.standards is whatever's possible to itemise in a checkbox rather than what would actually add security (I've seen stuff that's little removed from EU banana-bentness r

      • You left out the part where the biggest player in that industry produces a product that doesn't technically meet the standards, but is accepted anyway for your choice of reasons.
        • You left out the part where the biggest player in that industry produces a product that doesn't technically meet the standards, but is accepted anyway for your choice of reasons.

          Oh, you can do much better than that: If you're the largest vendor, create a broken implementation of the spec, declare yourself to be fully compliant in your sales literature, and then threaten to prosecute any competitors who download your product in order to figure out what the fsck it's doing under the DMCA. This actually happened - your tax dollars at work.

  • It's nice to know that those in charge of building the United States' very own Gestapo are also security experts. Too bad they're so good at the first task and so lousy at the second.

  • Look, I can defeat the lock by kicking the door in! It must be an insecure design.
    • by micheas (231635)
      If you have a few hundred pounds of gold behind the door that would be a safe conclusion.
    • Your post reminded me of something I haven't seen mentioned here -
      In pretty much any system you're going to have numerous vulnerabilities, which you will mitigate with controls(being generic here).

      Take a house or building. Incomplete list, of course:
      Depending on attack, all of these are vulnerabilities:

      • Doors - Lock, Door Body, Frame
      • Windows - Glass, Lock, Frame
      • Walls & Roof

      Now, there's also covert and non-covert entry. Picking a lock is covert, busting a window isn't. It's a sliding scale really; busti

  • You know, the ones where the character (usually a young, bright geek) rips the cover off the card swipe/keypad unit, shorts a few wires, and opens the door? ..bruce..

    • by mea_culpa (145339) on Friday August 05, 2011 @10:20PM (#37003580)

      I got locked in my self-storage lot after staying past closing time (11 PM). There were no staff to let me out and I was trapped inside with only a keypad to open the gate which happily told me the lot was closed. After inspecting the gate I saw a what amounted to a key switch on a pole high enough for someone on a fire truck to access from the outside. I followed the conduit from that key switch to an electrical box near the gate motor. This small box was secured with one flat head screw, Armed with a paperclip I removed the screw and shorted the two wires coming from the key switch and the gate opened.

      I don't know if I would have thought to do that if I wasn't inspired by the movies. It sure beat camping there for the night,

    • by thygate (1590197)
      Normally these cheap devices directly control an actuator (coil or motor etc..) that is physically embedded in the door lock. If you can open the device, only little logic is needed to directly drive the actuator using the power supply, or gate the responsible transistor with a wire. It would be more secure if the scanning device had a digital link to a control system located somewhere else, that would verify the code and drive the actuator directly.
      • by WoOS (28173)

        An external verification controller isn't completely necessary to increase security. Just make the actuator more complicated to control.

        If you use e.g. a BLDC motor (see http://en.wikipedia.org/wiki/Brushless_DC_electric_motor [wikipedia.org]) at the door, just sending some power done the control lines is at most going to burn the coils. controls have to be activated and deactivated in correct fashion (and current measured) for the motor to turn. Obviously people skilled enough can reverse engineer this. But connecting al

        • by guruevi (827432)

          But think about the cost of that also not forgetting that if the control mechanism messes up, those motors if simply powered up can remain stationary and are virtually impossible to move. Most security is just to keep a simple thief out. An intelligent, dedicated, targeted attacker will always succeed if you give it enough resources. If nothing else I'll just get a plasma cutter and cut out your door.

    • "You know, the ones where the character (usually a young, bright geek) rips the cover off the card swipe/keypad unit, shorts a few wires, and opens the door?"

      I swear to FSM I've done this.

      I was meeting a friend of mine at a place. Door is protected by a keypad lock. When we get there he then realizes they just issued all new codes for the year, he can't remember his yet, and the paper with the new code is back at his place. I look at the box the keypad is mounted in, and notice it has two exposed screws.

      I whip out my Leatherman and take the keypad off. There are four wires running to the keypad. I try randomly shorting two of the pins on the connector.

      *clic

  • Attacks too easy? (Score:5, Interesting)

    by QuasiSteve (2042606) on Friday August 05, 2011 @09:39PM (#37003332)

    One attack uses a mallet to 'rap' open the lock

    Isn't this pretty much an old trick, similar to 'bumping'?

    another opens the lock by putting a pin through the LED display light to ground a contact on the circuit board

    This one's a lot more fun as you have to know where, approximately, that contact is - but then again, why is that contact accessible?

    and a third uses a wire inserted in the lock's back panel to hit a switch that resets its software."

    oh for pity's sake.

    The first has already been solved by lockmakers, the second is solved by making the PCB reasonably inaccessible (an individual cover plate will do) which would also deal with the third, but then the third shouldn't be a switch anyway - it should be two distinct female header points on the PCB that can be bridged only with a length of wire; this is not a crappy home wireless router that actually needs a user-accessible reset button.

    Whoever designed these $1k locks, electronically and mechanically, really need to go back to the drawing board... or school.

    • A few CCs of potting compound would really have saved them some embarrassment...
      • by guruevi (827432)

        And a Dremel in the correct place (once you know where the contact needs to be) would've fixed that. Also, it makes the unit practically unfixable if necessary for whatever reason, you don't want to be throwing out $1k worth of product every time it fails.

    • I thought of this when I saw the summary:

      http://www.youtube.com/watch?v=yp4LFuFCon0 [youtube.com]

      Come on guys, don't you watch any movies?
      From the movie Sneakers

    • by sjames (1099)

      Isn't this pretty much an old trick, similar to 'bumping'?

      Sadly, this is like bumping only with less finesse and no need to make a special bump key. For a $1300 lock, it's a damned sad showing. A $20 lock is actually a bitharder to crack.

    • I mean when you deal with physical security, you accept that there is no 100%. There is no unbreakable lock, no invincible door, and so on. However that doesn't mean everything is shit and money should get quality.

      Compare that shit to a high security Medeco or Assa lock or the like. They can't be bumped, are hard to get keys copied for, can take a hell of a lot of physical abuse and so on, yet only cost about $200-300.

      You are going to roll out a $1000 lock it need to at least give you the same kind of secur

      • Uber locks (Score:5, Informative)

        by DragonHawk (21256) on Saturday August 06, 2011 @12:37AM (#37004178) Homepage Journal

        You are going to roll out a $1000 lock it need to at least give you the same kind of security you'd get from one of those. They may not be perfect, but you can't stick a wire in them to get by them at least.

        What's interesting is that Kaba Mas also makes the X-09, which is the current DoD uber-lock used for classified stuff. It is, by all reports, extremely hard to subvert.

        • * Self-powered. No battery or external power supply needed.
        • * The exposed side has an LCD and a dial. Everything else is inside the security boundary. If you break the dial off you just make entry harder.
        • * The LCD is designed to only be viewable by someone standing right at the lock. Someone standing next to you can't snoop the numbers.
        • * The rate at which the dial causes numbers to change varies randomly with each step of the combination. Someone standing next to you can't derive the numbers from the rate at which you turn the dial.
        • * If the dial is turned too at regular a pace, the lock assumes you're an auto-dialer and shuts down.
        • * Repeated wrong combinations result in progressively longer lockout delays.
        • * You can view how many unsuccessful attempts have been made (allows you to audit to see if someone's tried to get in).

        Neat stuff.

        • by Anonymous Coward

          The X-09 is just amazing - a bit of a pain in the ass, because the turning of the dial and the rate of numbers changing is never quite the same.

          The self - powered thing is cool too - you spin the knob hard 3 or 4 times - the lcd display will appear - and it is good to go.

          You are allowed to go past the number you want to n+3 where you can turn the dial 'backwards' and still pick-up the right number, at n+4 you have to start again.

          The earlier model X-08 is largely the same - Led display and not quite as fancy

          • FWIW - the numbers for the combination are almost always remembered using a dictionary word - next to almost all locks you will see a drawing of a 12 button phone number / letter pad.

            How sad that this piece of well-engineered technology can be subverted by something so simple... This drastically reduces the keyspace. It's not quite as bad as leaving the combination on a post-it, but it's still considerably degraded from what it should be.

      • by Jimbookis (517778)

        They can't be bumped, are hard to get keys copied for, can take a hell of a lot of physical abuse and so on, yet only cost about $200-300.

        You are going to roll out a $1000 lock it need to at least give you the same kind of security you'd get from one of those. They may not be perfect, but you can't stick a wire in them to get by them at least.

        Oh come one, do you know just how EXPENSIVE the cost of living is in Switzerland compared to the USA? The Swiss get in trouble if the pop over the border to Germany and buy cheaper petrol and groceries!

    • Isn't this pretty much an old trick, similar to 'bumping'?

      What's bumping? Is that like on NCIS when DiNozzo says something stupid while standing with his back to Gibbs?

  • by MobileTatsu-NJG (946591) on Friday August 05, 2011 @09:39PM (#37003336)

    Unfortunately these locks still happily open the door when fired on by a blaster.

    • Unfortunately these locks still happily open the door when fired on by a blaster.

      Gimme a light saber any day. This is the weapon of a Jedi Knight. Not as clumsy or random as a blaster; an elegant weapon for a more civilized age.

      (In addition you can use it to cut through the door directly, even if the lock is blaster-proof).

    • by couchslug (175151)

      "Unfortunately these locks still happily open the door when fired on by a blaster."

      A standard cutting torch can be run off a medical oxygen cylinder and a disposable propane cylinder. Merely a matter of using standard fittings (and is a great back-saver, which is why it's done). Not much can stop a cutting torch, and for those obstacles you can spend more money for an exothermic rescue outfit.

      Locks are intended to raise the barrier and require such messy means of entry.

      • by rubycodez (864176)
        Try your oxygen lance on a modern bank vault door, you'll be embarrassed at your lack of progress after many hours (when all your cylinders have run out). The material of choice is now a special concrete, the metal you see on the outside is just to make it look pretty. The stuff has over ten times the strength of normal concrete, and conducts heat well so quite difficult to get small area up to melting point. See the mythbusters episode when they tried to get into that type of safe, much thinner than vau
  • by Anonymous Coward

    In other news, people who attend Defcon are too cheap to use a Mac, upload bizarrely interlaced videos to YouTube because mencoder's command line cannot be understood by humans.

  • If you could just implement a identifying credentials into these locks...
    toool.nl/images/f/f3/Abloypart2.pdf (PDF)

    • by Keruo (771880)
      It exists, abloy specific product is called protec. The key operating the disks is special shaped, quad toothed, double grooved with head pin. The metal in the key works as i-wire or similar digital contact which controls the magnetic part of the door.(has string encrypted on it, which the server uses to validate access times for that specific key).
  • The Swiss can make good rolexes but high priced locks where you can get to bypass wire real easy.

    any ways slots machines used to be easy to short out by doing some thing like this and they fixed them.

  • by fuzzyfuzzyfungus (1223518) on Friday August 05, 2011 @10:19PM (#37003578) Journal
    The fact that somebody managed to get a "secure" lock out the door with electrical contacts trivially accessible from the hostile side of the door is pretty damn pathetic... Couldn't they have potted the thing? Worse, it isn't as though designing systems that are supposed to be resistant to physical/electrical attacks isn't exactly an unknown field. The Nevada Gaming Commission, for example, would laugh a slot machine out of their office if it had externally accessible PCBs. The standards specifically mention that, among numerous other considerations. Heck, these super-advanced locks would seem to be rather more vulnerable than contemporary consumer hardware DRM, of the sort that protects a few bucks worth of pop-culture drivel. FFS...
    • how about hardwired so there less need for a some what easy to get to battery door / panel. Still can use a backup battery that is more sealed up.

      But make so the lock can be in place where some one will see messing with it to bypass it and make take a little bit of time to bypass it as well.

    • It's pretty easy to put together a basic security system. Require an identity token of some sort, and require proof of knowledge of a secret, and you have the makings of a security system!

      Security is not a boolean. Security is a variable, ranging from non at all to mild, moderate, to extremely secure.

      Little things can greatly add greatly to real security (such as free permits for concealed weapons and password strength requirements), and big, obvious, "secure" things can easily be nothing more than theater.

      • I think the problem in this case is that our Swiss friends managed to build a ~$1300 lock that is as vulnerable to paperclips as a base model two factors of ten cheaper.

        Obviously, one has to be realistic in one's demands of devices built of pitifully limited matter; but even realistic demands won't save this design...
  • I'd think that these guys are missing the point. Getting through a door is easy. Getting through a door without making it obvious that someone got through the door, is an entirely different matter. When I was a kid my parents had the all the whiskey in a locked cabinet. The doors were glass, and the lock was the flimsiest padlock you'd ever seen. I sure as hell could have gotten into it with a mallet... would that achieve my goals? No.

    My guess is that no matter how hack-proof they make this lock, with a 6l
    • NOPE. The point of "terror" is to be known, not to remain undetected. Breaching the damn lock is almost as good as getting to, busting, etc. whatever the lock is supposed to keep safe, inaccessible to the unauthorized, etc....

      • Most of this is to protect isolated control rooms... Think the water testing valve for a city wellhead. Once you are in and deal damage, you'll have plenty of time to flee, damage will actually happen up to miles away from here.

        The USA is dotted with power, telco, gas, water lines that cross miles of country. Hell, most of my local utility offices are "unattended" now. Just plain brick buildings.

    • If what's being "protected" is a part of the Dept of Homeland Security I'd say my few nickles worth of pop culture is far more valueable. Of course I have a more tamper-resistent lock, from Ace hardware....

    • My father locked certain power tools in a steel 'sea chest' because he didn't want me using them. I quickly sanded down one end of the hinge pins on the two hinges on the chest. Thus I could easily slip the hinges and get access to the tools when needed. I didn't tamper with the lock in any obvious way, and from then on always had access to those tools.

    • Did you watch the videos? The first two don't leave any visible damage and the third one is hard to detect.

    • by Osgeld (1900440)

      um yea if your liquor lock issue had a big squishy silicone window to a "opps reset to unlock mode" that you could trip with a key-chain swiss army knife, cost a grand doing it, while being marketed to our dumb government, then you would have a point.

    • by tibit (1762298)

      A 6lb maul? You joking? I have an 8lb demolition hammer, and I wished I had something bigger when doing a rather "simple" remodel of a room and demolition of a deck. 8lb was barely enough to get a slightly curvy 6.5' 2x10 header in place...

      I've seen plenty of doors where even a 24lb demolition hammer would perhaps dent them and scratch the paint, and not much else. Since I had to replace the front doors on my house, I did try the 8lb hammer on them. By my estimate, it'd take me half a day of pounding and sw

  • by superdave80 (1226592) on Friday August 05, 2011 @11:29PM (#37003924)
    In their demo video, the locking mechanism isn't attached to anything, so the whole mechanism bounces around when they whack it. I'd be interested to see if this method still works when it is attached to a solid door.
  • Still prefer the "Sneakers" solution to a locked, secured room sporting a very hard to crack keypad combination lock on the door.

    It was not only one of the best scenes in the movie but should cause anyone faced with an impossible problem to stop for a moment and think outside the box. If your problem is in the box, then move the box. You will eventually find a way to crush it.

    For those who have not seen the film or won't bother, the secret solution to the ultra secure keypad lock is to.... kick the door i

    • by ShakaUVM (157947)

      One of my old BJJ instructors always carries a knife to make emergency exits through drywall. Kept his ads from being jumped by a gang of guys in Brazil, once.

    • by tibit (1762298)

      Even if the wall is made of cement blocks, it should only take a good chisel and a 4lb hammer to get through. Perhaps if you're in shape a 6lb hammer will make the job quicker, but I don't recommend it if you don't use it regularly. Once you get two blocks out, the rest will be like eating cheesecake: smooth and easy goin'. Brick walls are easier once you start, but may be harder to break through the first brick or two. If there's two of you -- to start let one hold the chisel, while the other one uses an 8

    • by putaro (235078)

      Our front door is steel, in a concrete wall and opens out. Before you break your leg or get the jack hammer out, though, I'd recommend jumping onto our balcony and breaking the glass in the sliding doors.

    • With proper security, you shouldn't be left unattended with that axe very long.

      But in this case the intention is to protect utility control rooms and such... What protects a cell phone tower from hackers just going inside and plugging in? Or just turning the thing OFF? That's what these are marketed for, the HUGE amount of infrastructure in the USA that is basically kept in "doghouses".

    • For those who have not seen the film or won't bother, the secret solution to the ultra secure keypad lock is to.... kick the door in.

      Sometimes it can be almost as useful to know that a lock has been compromised as it is to have it remain secure.

      Kicking in the door (and variations on that theme) certainly provides access to the locked space, but it provides undetected, unaudited access only until the security guard or cleaning staff make their next trip down the hall. Depending on what's on the other side of that door, a few minutes of readily-detected, one-time access may be quite a bit less harmful than months of covert access.

  • by 517714 (762276) on Saturday August 06, 2011 @01:37AM (#37004424)
    I am not convinced that the locks in the You Tube videos were actually locked. The plunger on the deadlatch was not depressed, and many locks respond differently in this mode since there is no purpose served in making the lock secure while the door is open. Last week I performed a modification to the front door lock of my parents' home to allow opening the door by either raising or depressing the handle that was similar to the third attack and the plunger function is critical to the locking function on that lock. The techniques may work with the deadlatch engaged to the striker plate, but without seeing the demonstrations repeated in that arrangement I remain a little dubious.
  • 1300$ lock ... I would need to buy a lock to protect the lock but that lock would be 1300$ so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock b
  • Turning it off and on again, usually helps :)

A sheet of paper is an ink-lined plane. -- Willard Espy, "An Almanac of Words at Play"

Working...