
Open in 30 Seconds Cracking One of the Most Secure Locks in America

Marc Weber Tobias Matt Fiddler Tobias Bluzmanis

Agenda
Part I: The Beginning
Part II: Key Control and Key Security
Part III: Locks, Lies and Videotape

PART I

The Beginning

WHY THE MEDECO CASE STUDY IS IMPORTANT


Insight into design of high security locks
Patents are no assurance of security
Appearance of security v. Real World
Undue reliance on Standards
Manufacturer knowledge and Representations
Methodology of attack
More secure lock designs

CONVENTIONAL v. HIGH SECURITY LOCKS


CONVENTIONAL CYLINDERS
Easy to pick and bump open
No key control
Limited forced entry resistance

HIGH SECURITY CYLINDERS


UL and BHMA/ANSI Standards
Higher quality and tolerances
Resistance to Forced and Covert Entry
Key control

HIGH SECURITY LOCKS:


Protect Critical Infrastructure, high value targets
Stringent security requirements
High security Standards
Threat level is higher
Protect against Forced, Covert entry
Protect keys from compromise

HIGH SECURITY: Three Critical Design Factors


Resistance against forced entry
Resistance against covert and surreptitious entry
Key control and key security
Vulnerabilities exist for each requirement

HIGH SECURITY LOCKS: Critical Design Issues


Multiple security layers
More than one point of failure
Each security layer is independent
Security layers operate in parallel
Difficult to derive intelligence about a layer

ATTACK METHODOLOGY
Assume and believe nothing
Ignore the experts
Think out of the box
Consider prior methods of attack
Always believe there is a vulnerability
WORK THE PROBLEM
Consider all aspects and design parameters
Do not exclude any solution

ATTACKS: Two Primary Rules


The Key never unlocks the lock
Mechanical bypass

Alfred C. Hobbs: If you can feel one component against the other, you can derive information and open the lock.

METHODS OF ATTACK: High Security Locks


Picking and manipulation of components
Impressioning
Bumping
Vibration and shock
Shim wire decoding (Bluzmanis and Falle)
Borescope and Otoscope decoding
Direct or indirect measurement of critical locking components

ADDITIONAL METHODS OF ATTACK


Split key, use sidebar portion to set code
Simulate sidebar code
Use of key to probe depths and extrapolate
Rights amplification of key

EXPLOITING FEATURES
Codes: design, progression
Key bitting design
Tolerances
Keying rules
Medeco master and non-master key systems
Interaction of critical components and locking systems
Keyway and plug design

STANDARDS REQUIREMENTS
UL and BHMA/ANSI STANDARDS
TIME is a critical factor
Ten or fifteen minutes
Depends on security rating
Type of tools that can be used
Must resist picking and manipulation
Standards do not contemplate or incorporate more sophisticated methods

COVERT and FORCED ENTRY RESISTANCE


High security requirement

CONVENTIONAL PICKING

SOPHISTICATED DECODERS
John Falle: Wire Shim Decoder

TOBIAS DECODER: Crackpot@security.org

DECODE PIN ANGLES

FORCED ENTRY RESISTANCE

FORCED ENTRY ATTACKS: Deficiencies in standards


Many types of attacks defined
Mechanical Bypass - Not Contemplated
Must examine weakest links
Do not cover hybrid attacks
Medeco deadbolt attacks
Medeco mortise attack

SIDEBAR: Bypass and Circumvention


Direct Access
Decoding attacks
Manipulation
Simulate the sidebar code (Medeco)
Use of a key (Primus and Assa)

Indirect access
Medeco borescope and otoscope decode issues

FORCED ENTRY ATTACKS


Direct compromise of critical components
Medeco deadbolt 1 and 2: manipulate tailpiece
Hybrid attack: two different modes
Medeco reverse picking
Defeat of one security layer: result
Medeco Mortise and rim cylinders: defeat shear line

MEDECO CASE HISTORY


Exploited vulnerabilities
Reverse engineer sidebar codes
Analyze what constitutes security
Analyze critical tolerances
Analyze key control issues
Analyze design enhancements for new generations of locks: Biaxial and m3 and Bilevel

MEDECO MISTAKES
Failed to listen
Embedded design problems from beginning
Compounded problems with new designs with two new generations: Biaxial and m3
Failed to connect the dots
Failure of imagination
Lack of understanding of bypass techniques

DESIGN = VULNERABILITY
Basic design: sidebar legs + gates
How they work: leg + gate interface
Tolerance of gates
Biaxial code designation
Biaxial pin design: aft position decoding
M3 slider: geometry
M3 keyway design
Deadbolt design

MEDECO DESIGN: Exploit design vulnerabilities


EXPLOIT BEST DESIGN FEATURES
Sidebar leg true gate channel
Code assignment: Biaxial 1985
Gate sidebar leg tolerance
M3 design 2003
Widen keyway .007
Slider geometry, .040 offset

MEDECO TIMELINE
1970: Original Lock introduced
1985: Biaxial, Second generation
2003: m3, Third generation

MEDECO LOCKS: Why are they Secure?


2 shear lines and sidebar for Biaxial
3 independent security layers: m3
Pins = 3 rotation angles, 6 permutations
Physical pin manipulation difficult
False gates and mushroom pins
ARX special anti-pick pins
High tolerance

MODERN PIN TUMBLER

MEDECO BIAXIAL

MEDECO LOCKS: 3 Independent Layers


Layer 1: PIN TUMBLERS to shear line
Layer 2: SIDEBAR: 3 angles x 2 positions
Layer 3: SLIDER: 26 positions
Opened by:
Lifting the pins to shear line
Rotating each pin individually
Moving the slider to correct position

MEDECO TWISTING PINS: 3 Angles + 2 Positions

SIDEBAR Technology
Blocks rotation of the plug
One or two sidebars
Primary or secondary locking
Only shear line or secondary
Integrated or separate systems
Assa, Primus, Mul-T-Lock MT5, EVVA MCS = split
Medeco and 3KS = integrated
Direct or indirect relationship and access by key bitting

SIDEBAR LOCKING: How does it work


One or two sidebars
Interaction during plug rotation
Direct or indirect block plug rotation
Sidebar works in which modes
Rotate left or right
Pull or push
Can sidebar be neutralized: i.e. Medeco
Setting sidebar code
Pull plug forward, not turn

SIDEBAR LOCKING Information from the lock?


Feel picking: sense interactions
Medeco, 3KS, Primus, Assa = direct link
MCS = indirect link: sidebar to component
Sidebar + pins/sliders interaction to block each other: ability to apply torque?

SECURITY CONCEPTS: Sidebar IS Medeco Security


GM locks, 1935, Medeco re-invented
Heart of Medeco security and patents
Independent and parallel security layer
Integrated pin: lift and rotate to align
Sidebar blocks plug rotation
Pins block manipulation of pins for rotation to set angles

PLUG AND SIDEBAR: All pins aligned

SIDEBAR RETRACTED

PLUG AND SIDEBAR: Locked

MEDECO CODEBOOK: At the heart of security


All locksmiths worldwide must use
All non-master keyed systems
New codes developed for Biaxial in 1983
Chinese firewall: MK and Non-MK
Codebook defines all sidebar codes

MEDECO RESEARCH: Results of Project


Covert and surreptitious entry in as little as 30 seconds: standard requires 10-15 minutes
Forced entry: four techniques, 30 seconds, affect millions of locks
Complete compromise of key control
Duplication, replication, simulation of keys
Creation of bump keys and code setting keys
Creation of top level master keys

M3 SLIDER: Bypass with a Paper clip

SECURITY OF m3:

Video Demo:
Medeco Slider Bypass

RESULTS OF PROJECT: Picking


Pick the locks in as little as 30 seconds
Standard picks, not high tech tools
Use of another key in the system to set the sidebar code
Pick all pins or individual pins
Neutralize the sidebar as security layer

PICKING A MEDECO LOCK

Video Demo:
Picking Medeco Locks

RESULTS OF PROJECT: Reverse Picking

Video Demo:
Reverse Picking Medeco Locks

RESULTS OF PROJECT: Bumping


Reliably bump open Biaxial and m3 locks
Produce bump keys on Medeco blanks and simulated blanks
Known sidebar code
Unknown sidebar code

MEDECO BUMP KEY

Video Demo:
Bumping Medeco Locks
Jenna Lynn Tobias

RESULTS OF PROJECT: Decode Top Level Master Key


Determine the sidebar code in special system where multiple sidebar codes are employed to protect one or more locks
Decode the TMK
PWN the system

RESULTS OF PROJECT: Forced Entry Techniques


Deadbolt attacks on all three versions
Deadbolt 1 and 2: 30 seconds
Deadbolt 3: New hybrid technique of reverse picking

Mortise and rim cylinders
Prior intelligence + simulated key

Interchangeable core locks

DEADBOLT ATTACK

DEADBOLT BYPASS: $2 Screwdriver + $0.25 materials

Video Demo:
Deadbolt Bypass:
Original
Interim Fix
Current Production

MEDECO BILEVEL
2007: Bilevel locks introduced
Integrate low and high security to compete
Flawed design, will affect system security when integrated into high security system
Borescope decoding of aft pins to compromise security of entire system

CONNECTING THE DOTS: The Results


Biaxial Code assignment: Reverse Engineer for all non-master key systems
Gate tolerance: 4 keys to open
NEW CONCEPT: Code Setting keys
Sidebar leg-gate interface: NEW CONCEPT: Setting sidebar code
M3 Wider keyway: Simulated blanks
Slider design: paper clip offset

4 KEYS TO THE KINGDOM

PART II

Key Control and Key Security

KEY CONTROL: The Theory


PROTECTION OF BLANKS OR CUT KEYS FROM ACQUISITION OR USE:
Unauthorized duplication
Unauthorized replication
Unauthorized simulation
Restricted keyways
Proprietary keyways
Sectional keyways

MEDECO INSECURITY: Real World Threats - Keys


VIOLATION OF KEY CONTROL and KEY SECURITY
Compromise of entire facility
Improper generation of keys

KEYS and KEY CONTROL


KEYS: EASIEST WAY TO OPEN LOCKS
Change key or master key
Duplicate correct bitting
Bump keys
Rights amplification: modify keys

PROTECTION OF KEYS
Side bit milling: Primus and Assa
Interactive elements: Mul-T-Lock
Magnets: EVVA MCS

0WN THE SYSTEM: Obtaining the Critical Data


TECHNIQUES TO OBTAIN KEY DATA
Impressioning methods
Decoding: visual and key gauges
Photograph
Scan keys
Copy machine

KEYS: CRITICAL ELEMENTS


Length = number of pins/sliders/disks
Height of blade = depth increments = differs
Thickness of blade = keyway design
Paracentric design
Keyway modification to accommodate other security elements
Finger pins
Sliders

KEY CONTROL

KEY CONTROL KEY SECURITY


Duplicate
Replicate
Simulate
Key control and Key Security may not be synonymous!

KEY SECURITY: A Concept


Key control = physical control of keys
Prevent manufacture and access to blanks
Control generation of keys by code
Patent protection
Key security = compromise of keys
Duplication
Replication
Simulation

MEDECO KEY CONTROL: Appearance v. Reality


WHAT IS IT SUPPOSED TO MEAN?
ARE THE STANDARDS SUFFICIENT?
REAL WORLD VULNERABILITIES

MEDECO KEY CONTROL: Virtually Impossible to Copy


High security starts with key control; a process that insures that keys cannot be duplicated without proper permission. Clearly, if anyone can have a lock's key copied, then it truly doesn't matter how tough the lock itself is built. Medeco's patented key control makes it virtually impossible for someone to duplicate a commercial or residential key without proper permission.

MEDECO HIGH SECURITY KEYS v. STANDARD KEYS


A standard key can be copied at a million stores without restriction or proof of ownership. Unauthorized duplicate keys often result in burglaries, theft, vandalism, and even violent crimes.
Medeco advertising brochure

Video Demo:
Medeco Key Copy Promo

MEDECO KEY CONTROL: The Problem


CIRCUMVENTING SECURITY LAYERS
Keyways can be bypassed
Blanks can be simulated
Sidebar codes are simulated
Slider can be bypassed
NO REAL LEGAL PROTECTION EXCEPT FOR M3 STEP
Patent expired 2005
Keyways not protected
Third party blanks

KEY Control:
Duplicate - Replicate - Simulate

SECURITY THREAT: Failure of Key Control: Duplicate


IMPROPER ACQUISITION OR USE OF KEYS BY EMPLOYEES OR CRIMINALS
Unauthorized access to facilities or areas
Bump keys
Use for rights amplification
Compromise master key systems

SECURITY THREAT: Failure of Key Control: Replicate


HIGH SECURITY LOCKS AND KEYS
Designed to prevent replication

REPLICATION TECHNIQUES
Easy Entrie milling machine
Silicone casting
Plastic and epoxy copies
Facsimile copy

SECURITY THREAT: Failure of Key Control: Simulate M3 KEYWAY


Wider than Biaxial
No paracentric keyway
COMPONENTS OF MEDECO KEYS
Ward pattern and paracentric keyway
Bitting
M3 Slider
SECURITY THREAT
Bypass wards in paracentric keyway
Create new blanks

RESULT: Failure of Key Control


Restricted and proprietary keyways
M3 Slider: bypass with paper clip
Sabotage potential
Availability of blanks
Duplicate from codes or pictures
TMK extrapolation
Set the sidebar code
Make keys to open your locks

MEDECO INSECURITY: Real World Threats - Keys


NO KEY CONTROL OR KEY SECURITY
All m3 and some Biaxial keyways
Keyways (restricted and proprietary)
M3 Step = no security
Copy keys
Produce any blank
Generate Top Level Master Key
Cut any key by code

MEDECO INSECURITY: The Threat from Within


COMPROMISE OF KEY CONTROL + HYBRID ATTACK
Mortise, Rim, Interchangeable cores
MEDECO KEY CONTROL v. CONVENTIONAL KEYS
Conventional keys = 1 layer of security
Medeco keys = 3 layers of security
Hybrid attacks
With key cutting machine

MORTISE, RIM, IC: A Special Form of Attack


HYBRID ATTACK
Will damage the lock
Entry in ten seconds
Millions of Locks affected

KEYMAIL: The New Security Threat from Within


NEW AND DANGEROUS THREAT
FAILURE OF KEY CONTROL IN m3 and SOME BIAXIAL CYLINDERS
Duplicate keys easily
USE OF NEW MULTI-FUNCTION COPIERS
It scans, copies, prints, and allows the production of MEDECO keys

KEYMAIL: The Premise


EASILY CAPTURE AN IMAGE OF KEY
REPLICATE THE KEY IN PLASTIC
DIFFERENT METHODS TO OPEN LOCKS
No key control
Easy to accomplish with access to source key
Simple technique to replicate any key

MEDECO ACCEPTS PLASTIC!

KEYMAIL: How It Works for Medeco


ACCESS TO THE TARGET KEY
CAPTURE AN IMAGE
PRINT THE IMAGE
PRODUCE A KEY
OPEN THE LOCK

MEDECO and KEY CONTROL?


American Express, MasterCard, Visa, Discover, and Diners Club

Don't leave home without one
What is behind the locked door: Priceless
Go anywhere you want to be
The card that can get you cash
The card is key

CUT A FACSIMILE OF KEY


KEY REQUIREMENTS FOR MORTISE, RIM, and IC LOCKS
Vertical bitting only
No sidebar data
No slider data

Medeco Key Control?

PLASTIC KEYS: PROCEDURE


OBTAIN IMAGE OF THE KEY
Scan, copy, or photograph a Medeco key
Email and print the image remotely
Print 1:1 image on paper, label, Shrinky Dinks
Trace onto plastic or cut out the key bitting
Copy with a key machine or by hand
INSERT KEY INTO PLUG
Neutralize three layers of security
Open Mortise, Rim, IC cylinders

ACCESS TO TARGET KEY


BORROW BRIEFLY
AUTHORIZED POSSESSION
USE COLLUSION WITH EMPLOYEE WHO HAS ACCESS TO A KEY

CAPTURE AN IMAGE
COPIER
TRACE THE KEY
CELL PHONE CAMERA
SCANNER / FAX

OBTAIN DATA - COPIER

OBTAIN DATA - SCANNER

OBTAIN DATA - CELL CAM

BLACKBERRY CURVE

RESULTING IMAGE
REPRODUCE THE IMAGE
On Paper
On credit card or plastic card
On plastic sheet
On Adhesive Labels
On Shrinky Dinks plastic
On a piece of copper wire
On a simulated metal key

PRINT IMAGE ON PLASTIC OR PAPER

KEYS FROM PLASTIC CARDS


OPEN m3 and SOME BIAXIAL LOCKS
STANDARD KEY MACHINE
Hybrid attack, vertical bitting only
MEDECO CUTTER
Vertical bitting and angles
CUT BY HAND
Vertical bitting and angles
BYPASS SLIDER
Paper clip or wire

NEUTRALIZE SHEAR LINE

PRODUCE A KEY: Set the Shear Line

SET THE SHEAR LINE

SET THE SHEAR LINE

HYBRID ATTACK:
Set the Shear Line, Open the Lock for Mortise, IC, Rim Cylinders

CONVENTIONAL LOCKS
KWIKSET = 1 Layer of Security

KWIKSET PLASTIC KEY

Video Demo:
Kwikset Plastic Key

HIGH SECURITY KEYS


MULTIPLE SECURITY LAYERS
Many cannot be simulated

Video Demo:
Medeco Plastic on Key Machine
Medeco Plastic on Door

MEDECO INSECURITY: Protective Measures


FACILITY RESTRICTIONS
No First Amendment
No paper clips!
No credit cards, key cards, hotel room cards
No Copiers, scanners, cameras
No scissors or X-Acto knives
No self-adhesive labels
No plastic report covers
No Shrinky-Dinks!
No printers or Multifunction Devices
No cell, email or Fax connections to outside world

PART III

Locks, Lies And Videotape

Our locks are bump-proof, virtually bump-proof, and Virtually Resistant


We Never claimed our Locks were bumpproof!
Our deadbolts are secure, no problem!
We have spent hundreds of hours and cannot replicate any of the Tobias attacks!

MEDECO RECOGNIZES LOCKSPORT: NDE: May, 2008


BASED ON RESPONSIBLE DISCLOSURE ABOUT MEDECODER
Give Medeco time to fix the vulnerability
Right result, wrong reason
Not new: 15 year old bypass
Problem in millions of locks
Concept not applicable

KNOWN VULNERABILITIES IN MEDECO LOCKS


RESPONSIBLE DISCLOSURE v. IRRESPONSIBLE NON-DISCLOSURE
Serious vulnerabilities disclosed to Medeco
Notice to manufacturer for 18 months
Failure to disclose to dealers or customers
Misrepresentation, half truth, misleading advertising and use of language that means nothing

RESPONSIBLE DISCLOSURE: It's a Two-Way Street


DISCOVERY OF VULNERABILITY
Locksport, hacker, security expert disclosure to manufacturers
Manufacturers to dealers and consumers
SIGNIFICANT QUESTIONS
When discovered
New lock or embedded base
Number of users affected
National security issues

RESPONSIBILITIES
Locksport and hacker responsibility
Disclose vulnerability in new lock design or upgrade
What about current locks that are installed
Give time to fix?
When relevant?

HIGH SECURITY LOCK MANUFACTURERS


Responsibilities of high security lock manufacturers are different
High security is different than normal mfg or corporation
Protect high value targets, critical infrastructure
Duties
Tell the truth
Disclose security vulnerabilities to customers and dealers

RESPONSIBLE DISCLOSURE: REALITY, AND LIABILITY


WHAT TO DISCLOSE AND TO WHOM
TWO COMPONENTS
PUBLIC RIGHT AND NEED TO KNOW
Security by Obscurity
Assume the risk: only based upon knowledge
Bad guys already know
LOCKS NOT LIKE SOFTWARE
Notice is only prospective to fix a problem

DISCLOSURE TO MANUFACTURER: Prospective or Retroactive Effect


PROSPECTIVE IMPLEMENTATION OF FIX BY MANUFACTURER
Only applies to new locks or new product
Does not apply to embedded base
Does not help the consumer unless manufacturer does a recall or field fix
QUESTION OF LIABILITY AND COST
Who will pay for retroactive upgrade?
Enhancement to new bypass technique or liability to remedy?

MEDECO: Responsible or Irresponsible Actions?


WHAT IS THE TRUTH?
August 4, 2006 press release: Bumpproof
February 2007: Retroactively changed the language: Virtually Bump-proof
The Medeco Problem: www.archive.org

TV, Advertising, DVD, Medeco website

August 2006: Bump Proof

Feb 2007: Virtually BumpProof

2008:

WE NEVER SAID OUR LOCKS WERE BUMPPROOF


AUGUST 15, 2006: U.S. Patent and Trademark Office filing by Medeco Security Locks, Inc. lawyer G. Franklin Rothwell, Application 78952460
Word mark: BUMP PROOF
Abandoned: February 9, 2007

BUMP PROOF: USPTO FILING FOR THE WORD MARK

ABOUT CLAIMS OF PICKING MEDECO LOCKS


NOBODY HAS PROVED THEY CAN PICK OUR LOCKS IN 40 YEARS
False demonstrations, special locks
They are lying
We cannot replicate anything

THE REAL PROBLEM


They cannot open their own locks
Failure of imagination

RESPONSIBLE DISCLOSURE BY LOCK MANUFACTURERS


KNOWLEDGE OF VULNERABILITY
Known or suspected
Make responsible notifications
Let users and dealers assess risks
Duty to tell the truth
Duty to fix the problem

MEDECO LOCKS ARE VULNERABLE


MEDECO KNOWS
Vulnerability from Bumping, Picking, Key control, Forced Entry techniques
Should be candid with dealers and users so they understand the potential risks
Failure to tell the truth = irresponsible nondisclosure
Dealers and customers have a need and a right to know

VULNERABILITIES: Full Disclosure Required


SECURITY BY OBSCURITY
It does not work with the Internet
It is the User's security
They have a right to assess their own risks
Criminals already have information
Disclosure: benefits outweigh risks
Liability for failure to disclose

LESSONS LEARNED
THE MEDECO CASE
Nothing is impossible
Corporate arrogance does not work

HIGH SECURITY LOCK MAKERS


Engineering, Security, Integrity
Duty to tell the truth

Thank You!

mwtobias@security.org
mjfiddler@security.org
tbluzmanis@security.org


2008 Marc Weber Tobias, Matt Fiddler and Tobias Bluzmanis