
Defcon Lockpickers Open Card-And-Code Government Locks In Seconds - rosser
http://blogs.forbes.com/andygreenberg/2011/08/05/defcon-lockpickers-open-card-and-code-government-locks-in-seconds/
======
Groxx
There seems to be one consistency in all these kinds of stories. The moral, it
seems, is: if you want to have security, _do not_ buy what your government
does.

~~~
jpitz
Not so true. When the government REALLY wants to secure something, like, say,
nukes, no matter what the technical security measures, there are always guys
with guns.

~~~
Groxx
I wonder, though, if that's _their_ reasoning, or if they'd rather have
another complicated layer in place instead. It might just be mimicry - people
doing illegal things have hired guns, and it seems to work reasonably well for
_them_ - without actually understanding why it works when expensive
techniques (which they don't fully comprehend) fail.

~~~
fourk
I think that it has less to do with _why_ the technical obstacles can be
overcome and more to do with the fact that they _can_ be overcome. Unless a
technical obstacle can be 100% secure, having an additional layer of security
in the form of armed gunmen is useful.

The layer of armed gunmen is obviously not 100% reliable either, but requires
an entirely separate domain of skills/knowledge/resources to overcome than
technical obstacles.

------
jrockway
I like how causing the LED to fail causes the microcontroller to decide to
open the lock. And it even turns on the green LED when it does so!

~~~
Natsu
I like how they say they haven't even disclosed the _worst_ of the flaws,
because they want the company to have a chance to fix this stuff.

And how the company is trying to tell us that these flaws can only be
exploited _in the lab_. I can just imagine the security bulletins banning
rubber mallets from the facility.

~~~
Cushman
It's kind of frightening to imagine what exploits these locks have that are
quieter and less detectable than sticking it with a paperclip.

It's also funny to imagine the company's security experts who just can't seem
to reproduce the stick-it-with-a-paperclip trick outside of a laboratory
environment. I'm surprised guys that sharp let the hammer trick slip through!

~~~
Someone
It does not have to be less detectable to be worse.

Imagine if there were a way to remotely disable all such locks in a building,
keeping them locked, or to remotely make them burst into flames (or both).

------
Hominem
A company I worked for once installed a super secure magnetic locking system
on a server room door. One day I tripped and fell, knocked into the door and
it popped right open. Must have been a pretty weak magnet.

------
mattbot5000
The article says that certain other techniques weren't demonstrated because
they were "too sensitive to show to the Defcon audience before giving Kaba a
chance to fix the problems." What is worse than a whack on the top opening it?

~~~
jonknee
I'd assume ways to fake the access logs. It's bad to allow unauthorized
access, but it's really bad to allow unauthorized access that appears to be
authorized (a great vector for framing people).

~~~
pyre
What do the logs look like when the door is opened with a mallet though? If
the access isn't logged because there was no card swipe, then the last person
to access the door could get blamed/framed.

------
Adaptive
If I was going to bootstrap a lock company, I'd start by presenting my designs
at hacker conferences and offering bounties for exploits, just like an
opensource project.

Manufacturers really should embrace this kind of testing.

------
Cushman
It's just possible this is a title which deserves to be editorialized to
"Defcon Lockpickers Open Card-And-Code Government Locks In Seconds _With a
Hammer_." Edit: Make that "With a Rubber Mallet."

~~~
dlsspy
There were three different security exploits. The first was rapping with a
mallet to compress the springs and release the pins (similar concept to
bumping).

But don't forget:

"In another bypass, they insert a wire into a silicon cover for an LED light
that blinks red when the user enters an invalid code. That wire can ground a
contact on the circuit board behind the light that triggers a function
intended to allow the door to be opened with a remote button, bypassing all
its security measures."

and

"A third attack allows an insider to open the back side of the lock and insert
a wire that flips a microswitch intended as an override for power failures.
That trick resets the lock’s software, tampering with its audit trail and
allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in
a video that the more elaborate microswitch attack could be performed in under
a minute."
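Following up on pyre's question about what the logs show when a door is opened with a mallet, and on the microswitch attack quoted above that resets the lock and its audit trail: the defensive move is to keep a second record that the lock does not control, such as an independent door-contact sensor, and to cross-check it against the lock's own audit log. The script below is an added example written for this thread, not code from Kaba or from the article; both log layouts and all entries are constructed sample data, and the field names are assumptions.

```python
"""Cross-check an independent door-position sensor log against a lock's audit log.

Added example, not from the thread or from Kaba. Two checks are implemented:
  1. a door OPEN event with no GRANTED entry shortly before it (what a mallet
     strike or a grounded contact looks like from the outside: the door moved,
     the lock logged nothing);
  2. the audit sequence number going backwards (what a software reset that
     restarts the audit trail looks like, even if every remaining entry is fine).
Both logs are constructed sample data; the line formats are assumptions.
"""
from datetime import datetime, timedelta

# Constructed: independent door-contact sensor, "<timestamp> OPEN|CLOSE"
DOOR_SENSOR_LOG = """\
2011-08-05T09:00:03 OPEN
2011-08-05T09:00:11 CLOSE
2011-08-05T12:14:40 OPEN
2011-08-05T12:14:52 CLOSE
2011-08-05T22:07:19 OPEN
2011-08-05T22:07:31 CLOSE
"""

# Constructed: the lock's own audit trail, "<timestamp> <seq> <user> GRANTED|DENIED"
LOCK_AUDIT_LOG = """\
2011-08-05T09:00:01 1041 alice GRANTED
2011-08-05T12:14:38 1042 bob GRANTED
2011-08-05T12:40:00 1043 carol DENIED
2011-08-05T22:30:00 0001 carol GRANTED
"""


def parse_door(text):
    """Parse sensor lines into (timestamp, state) tuples."""
    events = []
    for line in text.splitlines():
        ts, state = line.split()
        events.append((datetime.fromisoformat(ts), state))
    return events


def parse_audit(text):
    """Parse audit lines into (timestamp, sequence_number, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, seq, user, result = line.split()
        events.append((datetime.fromisoformat(ts), int(seq), user, result))
    return events


def unauthenticated_opens(door_events, audit_events, window=timedelta(seconds=5)):
    """Return timestamps of OPEN events with no GRANTED entry in the preceding window."""
    grants = [ts for ts, _, _, result in audit_events if result == "GRANTED"]
    flagged = []
    for ts, state in door_events:
        if state != "OPEN":
            continue
        if not any(ts - window <= g <= ts for g in grants):
            flagged.append(ts)
    return flagged


def audit_sequence_resets(audit_events):
    """Return (previous_seq, new_seq, timestamp) wherever the sequence number went backwards."""
    resets = []
    prev = None
    for ts, seq, _, _ in audit_events:
        if prev is not None and seq <= prev:
            resets.append((prev, seq, ts))
        prev = seq
    return resets


if __name__ == "__main__":
    door = parse_door(DOOR_SENSOR_LOG)
    audit = parse_audit(LOCK_AUDIT_LOG)
    for ts in unauthenticated_opens(door, audit):
        print(f"door opened with no grant at {ts.isoformat()}")
    for prev, seq, ts in audit_sequence_resets(audit):
        print(f"audit sequence went from {prev} to {seq} at {ts.isoformat()}")
```

The window is deliberately short: a swipe normally precedes the door moving by a second or two, so anything outside a few seconds is worth a look. The sequence check catches the reset case regardless of how plausible the individual entries look afterwards, which is the point of the thread's worry about framing the last legitimate user.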

~~~
Cushman
Yeah, that's what I'm saying— all these exploits are _absurd_. The security
guys are experts, of course, but I just think implying this is "lockpicking"
is giving the locks a little too much credit.

~~~
thatjoshguy
Well, it's not 'lockpicking' in the traditional sense, but they still
demonstrated that you can open it just by stabbing a bit of wire into the
light. It's absurd in the sense that it actually works.

------
samstave
The sample is on a small demo cutout of a door, thus has a lot of give/spring.
I would like to see the Rapping flaw demo'd on a lock on a full size, mounted
door which does not have the same resonant spring which would drop the lock.

~~~
HN_Addict
The demo cutout is also resting on carpet, not mounted to a steel frame. It
does appear to require a fairly sturdy whack.

------
samstave
>" _He argues that Kaba’s locks claim only to be “access control devices, not
high security locks,” and says less than 500 have been sold to government
customers._ "

Haha, he justified the vulnerabilities by stating that few have been sold.

It would be interesting to know where the ~500 locks have been deployed, or,
rather, what has supposedly been protected with them.

I think these guys are taking the best possible method of working with Kaba on
these vulns, but typical security PR from Kaba is as laughable as HBGary.

------
bennyfreshness
Cool, but I don't understand $1,300 locks. If somebody can breach a perimeter
and actually physically get to the door I think maybe you should allocate
resources elsewhere.

~~~
jonknee
These locks are frequently meant to keep out / track people you already pay to
be inside a physical perimeter.

~~~
shareme
They are also in some heavy duty data centers in Las Vegas... except that
company uses armed guards in combination with the locks.

~~~
jrockway
Are you allowed to shoot someone for trying to unlock your data center's door?

~~~
count
Some private security services are deputized law enforcement, so, potentially,
yes.

------
skhan
The design was probably outsourced!

