Too Much Free Time

by Mike Masnick


Filed Under:
lock picking, marc weber tobias, obscurity, security

Companies:
medeco



How The Lock Industry Put Its Head In The Sand, Rather Than Deal With Vulnerabilities To Locks

from the bump,-bump-away dept

We've discussed in the past how locksmiths are apparently upset that geeks online have revealed that lockpicking is really easy, but it's not just the locksmiths. It's the lock makers themselves. Wired has a fascinating article about one of the world's most well-known lock pickers, who makes it a practice to publicly expose how vulnerable certain locks are. Not so long ago, he and a colleague figured out how to quickly open Medeco locks, which many had considered to be the most secure locks of all -- and which are used all over the world in gov't high security buildings. So how has Medeco responded? Basically by trying to ignore the guy... then to insult him and then to discount what he clearly has done. It's just like software companies who try to deny software vulnerabilities, except that it's much easier to patch some software than to patch a vulnerable lock. While many in the lock world are apparently pissed off at this guy, Marc Weber Tobias, they should be happy that he's making sure the locks are really secure. Because you can pretty much be assured that he's not the only one doing all of this -- but the others who are figuring it out aren't talking about it, and are using the knowledge to their own advantage.


Reader Comments

    May 29th, 2009 @ 5:59pm
  • by Bettawrekonize

    If someone wanted to get in your house badly enough they'll simply break your window or something. If someone really had something to secure they would spend more money on more reliable security. Locks aren't meant to be foolproof but neither are windows and doors. People can kick doors down, etc... People shouldn't rely on a lock to protect them from a determined burglar.

    • May 29th, 2009 @ 6:08pm
    • Re:

      by Anonymous Coward

      +1 on this.

      Locks are really intended to keep out the casual thief, someone who would just walk in. Most people are not going to pick locks or bust down a door to get in, they aren't interested in attracting attention to themselves. Think of doorlocks as a solution that is 99% effective. The last 1% will get in pretty much no matter what you do.

    • May 29th, 2009 @ 7:54pm
    • Re:

      by Anonymous Coward

      > If someone really had something to secure they would spend more money on more reliable security.

      Such as?

      • May 29th, 2009 @ 8:01pm
      • Re: Re:

        by Anonymous Coward

        Armed guards for a start. All a lock does is slow someone down. Ideally it will slow them down enough to catch them in the act. For a truly secure facility you plan your guard patrols based on how long the lock will take to pick.

        • May 29th, 2009 @ 8:54pm
        • Re: Re: Re:

          by zcat

          Exactly the point.

          If you've been told (by the manufacturer) that the lock takes at least half an hour to pick and you have fifteen-minute security patrols you're going to feel pretty safe, right?

          You're not going to feel quite so safe when Marc Weber Tobias walks in and picks that lock in fifteen seconds.

        • May 29th, 2009 @ 11:22pm
        • Re: Re: Re:

          by Anonymous Coward

          Or you have cameras with monitors in various places, like they do in stores, that allow employees to constantly watch things from various places.

        • May 29th, 2009 @ 11:23pm
        • Re: Re: Re:

          by Anonymous Coward

          I can't walk into a store without seeing cameras pointed at me, and when I walk to the cashier there is a monitor, yes, a monitor that has like four windows each following different cameras.

        May 29th, 2009 @ 11:19pm
      • Re: Re:

        by Anonymous Coward

        Surveillance (cameras), an alarm system, or even security guards (if it's that important). A gun.

    May 29th, 2009 @ 6:33pm
  • by Anonymous Coward

    Those arguments about locks simply being there to stop casual thieves are rendered moot by the fact that complex locks exist.

    If it were simply the case that locks are there to keep out someone who would otherwise just stroll in, but can't be bothered forcing a door, then all locks would be simple ones. But they're not.

    Some people, and companies, have gone out of their way to use locks that are supposedly hard to pick or otherwise force. And apparently, they're not that hard to pick or force at all. It's an important thing that the manufacturers and consumers need to realise, rather than just ignore.

  • May 29th, 2009 @ 6:39pm
  • by Anonymous Coward

    For some, it takes 5 minutes, others it may take 5 hours to break a lock. It depends on the skills of the user. Nonetheless, the result is all the same. It's all about the skill, right? Why not just be honest with us?

  • May 29th, 2009 @ 6:42pm
  • by Anonymous Coward

    Locks only keep honest people out.

  • May 29th, 2009 @ 6:47pm
  • by Anonymous Coward

    No, there's hidden meaning here.

  • May 29th, 2009 @ 6:57pm
  • by Anonymous Coward

    Kinda sad, actually.

  • May 29th, 2009 @ 7:07pm
  • Locks

    by icon Alias (profile)

    ...are only made to keep honest people out. If someone wants in bad enough, they'll get in. Period.

    • Jun 1st, 2009 @ 6:40am
    • Re: Locks

      by BTR1701

      > ..are only made to keep honest people out.

      This little cliche never made any sense to me. An honest person wouldn't enter someone's home uninvited regardless of whether there was a lock or not.

    May 29th, 2009 @ 7:09pm
  • Uhhh... Article Fail.

    by What

    Medeco being cracked, old news. Lock companies not liking it, old news.

    Why the fuck is this on Techdirt?

    • May 29th, 2009 @ 7:35pm
    • Re: Uhhh... Article Fail.

      by icon Esahc (profile)

      It's a metaphor for DRM.

    • May 29th, 2009 @ 8:02pm
    • Re: Uhhh... Article Fail.

      by Anonymous Coward

      Techdirt isn't a news site. Epic fail for you.

    • May 29th, 2009 @ 8:04pm
    • Re: Uhhh... Article Fail.

      > Medeco being cracked, old news. Lock companies not liking it, old news.

      The Wired article is new and does a good job relaying the story, and adding a bit to it, showing the guys actually break the locks, after Medeco denied it was possible.

      > Why the fuck is this on Techdirt?

      Because I found it interesting. We're not a news site, but a discussion and opinion site. I thought it was an interesting concept that deserved some discussion. Apparently you feel otherwise.

      • May 29th, 2009 @ 8:36pm
      • Re: Re: Uhhh... Article Fail.

        by Anonymous Coward

        Mike,

        Your blue background highlights should be flashing. Don't make me contact Mr. Ho to have it actually done for you, as that would be a disappointment for all here.

      • May 30th, 2009 @ 5:19am
      • Re: Re: Uhhh... Article Fail.

        by Anonymous Coward

        Or perhaps because we will see a link in a future story that says "DRM is like a door lock, easily picked in the end"?

    May 29th, 2009 @ 11:18pm
  • Re: All comments to my comment.

    by What

    @ Esahc: How so? Because MWT went straight to news outlets instead of the company? (Unlike someone I will mention later.) Rather than abide by the concept "responsible disclosure" he decided to go for sensationalism and profit (via his book that contains information freely available on the internet). Yes, let's encourage that.

    @ Mike: Umm, maybe you missed the Wired article when Medeco first responded. They crunched the numbers and worked to figure out how many different keys it would take to bump the locks. Then, they were faced with the Medecoder tool that was disclosed responsibly to them. They met with the person and have begun putting the milled (rather than broached) pins in the new locks. Not exactly ignoring the issues... are they?

    As for your insinuation in the original post that others are not talking about it... Perhaps look up how many talks have been given at conventions in the past 5 years related to locks, responsible disclosure, access control, lock forensics (I just attended a talk on that), and other similar issues (or just go to a forum). Plenty of people are talking about it. And there has not been a surge in crime (nor is it even reasonable to suspect such). For a thief, what is easier, picking a lock and being hunched down in front of a house, or breaking a window and walking right in? This is all without mentioning that Medeco locks have been picked since... before I got into lockpicking (ca. 2004). Not exactly something surprising.

    It was an interesting concept that deserved discussion 2 years ago, now it is just overplayed and sensationalized. Congrats.

    • May 30th, 2009 @ 9:30pm
    • Re: Re: All comments to my comment.

      > @ Mike: Umm, maybe you missed the Wired article when Medeco first responded. They crunched the numbers and worked to figure out how many different keys it would take to bump the locks. Then, they were faced with the Medecoder tool that was disclosed responsibly to them. They met with the person and have begun putting the milled (rather than broached) pins in the new locks. Not exactly ignoring the issues... are they?


      They refused to take part in the experiment run here and the article described plenty of stuff that was happening in the space. We had not discussed it here, and I thought it was interesting, so I wrote about it.

      Once again, this site is my site, and I write about what I find interesting. This was interesting to me. And, given the comments from others -- to plenty of others as well.

      It's great that you're so knowledgeable on the subject. It would have been nicer if rather than a pointless insult, you actually added to the conversation.

    May 29th, 2009 @ 11:24pm
  • Tamper evident

    by Paul Brinker

    Locks need to show evidence of tamper. Nothing can stop someone with a crowbar, C4 charge, or basic locksmith training.

    As long as the lock shows evidence it has been bypassed then it's a good lock.

    If I wanted to stop someone from getting into my house I would fill my door and walls with concrete, install extra strong hinges and motion detection security cams with email notification. (or a security guard)

    • May 29th, 2009 @ 11:31pm
    • Re: Tamper evident

      by Anonymous Coward

      These days you can have a camera that sends the motion picture over the Internet where you can monitor it from a remote location I suppose (or pay someone else to monitor it. In fact, that's not a bad idea. A service where someone sits at a desk and gets paid to monitor a bunch of home cameras for burglars where the signal is sent to them over the Internet. If they see something suspicious, they call the police. Perhaps alarm companies can add this to their already existing service, since they already need someone to sit around and wait for an alarm to call them up and then they call the police if an alarm does dial in).

      • May 30th, 2009 @ 1:27am
      • Re: Re: Tamper evident

        by What

        All locks have *some* evidence of being tampered with, I suggest you go look at this nice site run by a friend of mine: http://www.lockpickingforensics.com/

      • May 31st, 2009 @ 1:42pm
      • Re: Re: Tamper evident

        by Brian

        Yeah, and you will be oh so satisfied when you can review in the casual comfort of your friends' house how an unidentifiable disguised person picked your lock and took all your valuables. Even a 911 call placed at the time of entry takes longer than it will take a burglar to get in and out of your home.

    May 30th, 2009 @ 7:16am
  • by Wolfy

    I enjoyed Robert Heinlein's definition of "ownership"... (I paraphrase) "what you can carry comfortably and securely at a dead run."

  • May 30th, 2009 @ 2:32pm
  • Locks

    by Thomas M

    This was a good story to read and I wonder if Mr. Marc Weber Tobias reads these blogs and would answer a question. I am sure that every lock can be picked, but what is the best, and is it possible to make a keyed lock that can not be picked? I'm guessing no because I have not seen any "Tobias" locks around.
    Thank you.

    • Jun 1st, 2009 @ 4:06am
    • Re: Locks

      by What

      Thomas, it is a popular belief, and in my opinion, a correct one that any locking system will have flaws. There will never be a lock that cannot be picked, decoded, bypassed, or otherwise compromised. There have been many novel approaches to it, many by companies like Abloy, EVVA, Fichet, Dom, and Emhart. But in the end, all these locks have shortcomings and failings.

      To be entirely honest with everyone, unless you are a *very* important person (who should have other security measures than locks) or a large, influential company, you do not need to worry too much about surreptitious entry. The amount of break-ins that involve lockpicking or bumping are still such a small percentage of the whole that they should not be a huge concern to the average, everyday homeowner.

      (My front door has a simple Schlage deadbolt pinned up with two security pins, I am not worried about my lock being picked but rather my front window being smashed, or one of the ones on the side of our house.)

    May 31st, 2009 @ 10:48am
  • Kinda funny how that works.....

    by Agonizing Fury

    You know what I love about this article? It points out the ridiculousness of the anti-circumvention laws in the DMCA. This guy can videotape himself picking a lock, and you can pick a lock in your own home and it's perfectly legal (as long as you aren't committing some other crime by doing so). However, if I own a DVD or Blu-Ray, I cannot legally circumvent the locks on that disc to be able to make my Home Theater PC into a Video Jukebox. Could you imagine the flurry of legal notices this guy would have gotten if he made a video showing how to "unlock" a Blu-Ray!!

  • May 31st, 2009 @ 10:56am
  • by lulz

    Lock picking is fun. I picked my teacher's cabinet locks to practice (I told him about it of course; he thought it was cool).

  • May 31st, 2009 @ 2:58pm
  • Locks and Bagels

    by Bradley Stewart

    If this fellow is correct he is actually doing the public a great service. It's the Bagel Brains that run these Lock Manufacturing Companies that should take this issue seriously.

  • Jun 1st, 2009 @ 12:26am
  • by Paul Brinker

    Is there a type of lock that uses disks instead of pins, that can't be picked? At least by normal ways like found on that site posted above? The kind my safety deposit box uses that spins freely?

    • Jun 1st, 2009 @ 3:56am
    • Re: Disk locks

      by What

      Paul, yes there are a few types of locks that utilize disks. Look into the Abloy Protec system (forget Cliq, it is next to worthless). There is a similar system made by Abus, but it is considered less secure and it can be picked by someone with moderate skill.

      As for the Abloy Protec, the only real way to get in is to bypass the lock (has been fixed after it was brought to Abloy's attention) and the destructive method that can be found on YouTube (involves significant damage to the lock). In the US you may have trouble sourcing them, but there are a decent number of locksmiths that carry them.

      Another lock to look into is BiLock, which uses two rows of pins and a sidebar system, as far as I know, it has never been picked or decoded when fully pinned(though, someone has worked out a system for certain pinnings, it does not work all the time).

    Jun 1st, 2009 @ 9:07am
  • Interesting Article

    My eyes were really opened to the vulnerability of common everyday locks a couple years ago. My girlfriend found her old Master Lock combination lock and wanted to use it again, unfortunately she had no idea what the combination for it was. I did a little research online and had the combination cracked in about 20 minutes. I practiced the skill a bit more and was eventually able to open most Master Lock dial-combination locks within 2 minutes. I was really shocked at how easy it was to do.
    I've lost the skill since then since I haven't had a use for it... but it really opened my eyes.

  • Jun 1st, 2009 @ 1:10pm
  • "Gov't high security buildings?"

    by Anonymouse

    Not quite. More like X-09 locks.

  • Jun 3rd, 2009 @ 2:03am
  • Medeco's Response

    As What pointed out, Medeco has responded to some of the vulnerabilities being released lately. My research (Medecoder) came out around the same time Marc's did (different exploit). I worked with them and demonstrated the flaw (which was thought to be not easily exploitable) with my tool. They responded by upgrading the pins coming off the assembly line going into cylinders and pin kits. Marc's work was not met with anywhere near as friendly a response (and he did contact them multiple times).

    Just wanted to point out that Medeco's head is not completely in the sand on this stuff (though it may be in Marc's case). If you're interested in my tool and the company's response, check out http://theamazingking.com/medecoder.html
