Open in Thirty Seconds Defcon 16
Agenda
Part I: The Beginning
Part II: Key Control and Key Security
Part III: Locks Lies and Videotape
PART I
The Beginning
ATTACK METHODOLOGY
Assume and believe nothing
Ignore the experts
Think out of the box
Consider prior methods of attack
Always believe there is a vulnerability
WORK THE PROBLEM
Consider all aspects and design parameters
Do not exclude any solution
Alfred C. Hobbs: If you can feel one component against the other, you can derive information and open the lock.
EXPLOITING FEATURES
Codes: design, progression
Key bitting design
Tolerances
Keying rules
Medeco master and non-master key systems
Interaction of critical components and locking systems
Keyway and plug design
STANDARDS REQUIREMENTS
UL and BHMA/ANSI STANDARDS
TIME is critical factor
Ten or fifteen minutes
Depends on security rating
Type of tools that can be used
Must resist picking and manipulation
Standards do not contemplate or incorporate more sophisticated methods
CONVENTIONAL PICKING
SOPHISTICATED DECODERS
John Falle: Wire Shim Decoder
Indirect access
Medeco borescope and otoscope decode issues
MEDECO MISTAKES
Failed to listen
Embedded design problems from beginning
Compounded problems with new designs with two new generations: Biaxial and m3
Failed to connect the dots
Failure of imagination
Lack of understanding of bypass techniques
DESIGN = VULNERABILITY
Basic design: sidebar legs + gates
How they work: leg + gate interface
Tolerance of gates
Biaxial code designation
Biaxial pin design: aft position decoding
M3 slider: geometry
M3 keyway design
Deadbolt design
MEDECO TIMELINE
1970 Original Lock introduced
1985 Biaxial, Second generation
2003 m3 Third generation
MEDECO BIAXIAL
SIDEBAR Technology
Blocks rotation of the plug
One or two sidebars
Primary or secondary locking
Only shear line or secondary
Integrated or separate systems
Assa, Primus, Mul-T-Lock MT5, Evva MCS = split
Medeco and 3KS = integrated
SIDEBAR RETRACTED
SECURITY OF m3:
Video Demo:
Medeco Slider Bypass
Video Demo:
Picking Medeco Locks
Video Demo:
Reverse Picking Medeco Locks
Video Demo:
Bumping Medeco Locks
Jenna Lynn Tobias
DEADBOLT ATTACK
Video Demo:
Deadbolt Bypass:
Original
Interim Fix
Current Production
MEDECO BILEVEL
2007 Bilevel locks introduced
Integrate low and high security to compete
Flawed design, will affect system security when integrated into high security system
Borescope decoding of aft pins to compromise security of entire system
PART II
PROTECTION OF KEYS
Side bit milling: Primus and Assa
Interactive elements: Mul-T-Lock
Magnets: EVVA MCS
KEY CONTROL
Video Demo:
Medeco Key Copy Promo
KEY Control:
Duplicate - Replicate - Simulate
REPLICATION TECHNIQUES
Easy Entrie milling machine
Silicone casting
Plastic and epoxy copies
Facsimile copy
Don't leave home without one
What is behind the locked door: Priceless
Go anywhere you want to be
The card that can get you cash
The card is key
CAPTURE AN IMAGE
COPIER
TRACE THE KEY
CELL PHONE CAMERA
SCANNER / FAX
BLACKBERRY CURVE
RESULTING IMAGE
REPRODUCE THE IMAGE
On Paper
On credit card or plastic card
On plastic sheet
On Adhesive Labels
On Shrinky Dinks plastic
On a piece of copper wire
On a simulated metal key
HYBRID ATTACK:
Set the Shear Line, Open the Lock for Mortise, IC, Rim Cylinders
CONVENTIONAL LOCKS
KWIKSET = 1 Layer of Security
Video Demo:
Kwikset Plastic Key
Video Demo:
Medeco Plastic on key Machine
Medeco Plastic on Door
PART III
RESPONSIBILITIES
Locksport and hacker responsibility
Disclose vulnerability in new lock design or upgrade
What about current locks that are installed?
Give time to fix?
When relevant?
2008:
LESSONS LEARNED
THE MEDECO CASE
Nothing is impossible
Corporate arrogance does not work
Thank You!