Schneier on Security

Clive Robinson • September 22, 2008 5:46 AM

@ Cybergibbons,

Your other statment of interest,

“nearly all electromagnetic locks are not vulnerable to attack by a magnet, no matter how strong.”

Have you actually tested this?

Because I’m very doubtfull that you have.

Less than a year ago I demonstrated to somebody that their battery powered electronic door lock was vulnerable to just this attack. And I advised them to look for one with a UL mark (it’s one of the first tests UL used to do on battery powered electronic locks way back in the 1980’s when they first started to appear for the Hotel Industry, and I’m assuming they still do it as most electronic locks failed the test).

There are very few experts when it comes to electronic locks and most locksmiths do not have a clue about their vulnarabilities. Usually a locksmith doesn’t care either as they fit what has been selected by somebody else like the architect who likewise is not an expert on locks electronic or otherwise.

I don’t know where you are but in the U.K. I have looked at quite a few of these battery powered “security locks” with keypads or even fingerprint readers and as I noted in my above post you commented on,

“Most electronic locks use very low power solenoid or other form of electromagnetic actuator.”

And having tried the magnetron magnet on a number of them I can say as I did,

“A strong external magnetic field will (unless you take suitable precautions) act in the same way as energising the coil.”

You will note I used the expression “suitable precautions”. These can be quite expensive to get right if you just go for the obvious solutions.

So often the more cost effective locks do not have them or they are only partialy effective (ie a suitably strong magnet still works).

One of the main reasons they are vulnarable is proximity. That is to reduce costs and increase reliability the lock mechanisum is in the unit on which the keypad or fingerprint reader is mounted. This usually means there is only a small amount of metal between the electromagnetic actuator and the attacker and they can get the magnet around quite a bit of it. Usually the metal casing is made of materials that are low cost to cast/mold and machine. And will have little or no magnetic sheilding ability.

As for magnetic door locks powered of the mains electricity supply these are very few in number and tend to use a different method of operation which often makes them slow to operate.

Due to the fact you don’t want to be fried by broken wiring in the lock when touching the handle or using a key to overide the actuator they are quite bulky due to safety segregation distances. Often two bulky to fit inside a standard door or frame and need to be mounted on the back or inset into the wall. Which although it significantly reduces the proximity issue has the unfortunate side effect that they often cannot be used with standard doors frames or door furniture further increasing the expense.

Further due to this bulk and the substantial wiring involved on the surface of the door, mains powered electronic locks are seen by many architects etc as being to ugly to use. The infrequent use tends to make them quite expensive so their use is further limited by cheaper options (which might further account for their scarcity).

Most doors opened remotly using mains power are either “entry systems” or lashed up using commanly available parts and invariably do not use electronic locks but door or bolt holders mounted in or on the frame of the door. You often see this sort of instalation on server room doors. The unit that actually holds the door closed is mounted at the top or open side of the door on the inside of the room.

Often due to the component parts have been designed for holding doors open and being subject to various statuts, building and fire codes (which ever is appropriate to the area you are in) they often have to fail safe (ie open) under several circumstances. This usually means that they are permanently energised, as such an extra magnetic field will not open them.

Therefor they can (when not properly designed in) sometimes be opened simply by removing the power (as is the case with a lot of server room doors). Quite often the door holders are wired into a seperate mains circuit to that of the server room and simply flipping a fuse in the distrubution board / consumer unit etc is enough to get the door open or even just activating the fire alarm can do it.

Commanly available door entry systems (the sort used to buzz people through from the street to a lobby) do not use electronic locks but bolt holders (or whatever name they go by in your area). That is they are designed to be built into the door frame and hold either a bolt or the locking bolt/tounge from the lock or emergancy door push mechanisum. They are not designed to be used as “security devices” just “nusance prevention devices” to keep uninvited people out of communial areas.

They tend to use a simple solenoid and lever based mechanical system. One big failing they have is that they “bind” easily that is if you push on the door the mechanical system sticks and when the operator presses the button the solenoid cannot pullback the lever so the door remains shut untill the preasure is taken of the door. These are not fail safe devices and are not permantly energised so might be succeptable to a strong magnetic field. I have never tested them with a magnet for three reasons. First I have not seen them used on doors to “secure” areas, secondly as they are hidden away in the door frame they don’t need to look pretty and are often in a quite thick steel case which is folded and partialy welded, thirdly usually they are easier to get around another way.

That is due to the fact they bind easily and are designed to be used with many sizes and shapes of lock they are usually sloppy in operation and inserting a piece of not to stiff plastic in the right place usually forces back the lock. Or in some cases a good series of shoves can bounce them or the lock open.

Sometimes when used with emergancy push bars on the door you can simply hook the bar through the gap between the door and the frame.

Designing door systems for secure areas to be safe, reliable and effective is a subject that needs some thought and a little experiance, it is not something an architect, locksmith or security / facilities manager is likley to know much about.

Clive Robinson • September 23, 2008 5:40 AM

@ Anonymous,

“Silly comment, I know, but if you’re a burglar, why bother futzing with the keyless entry system? Just break a window.”

Actually not that silly at all.

In the U.K. it has been found that there is a lot of difference between female and male burglars in the way they go about things, and it appears that as it’s related to “risk evaluation” the women have the advantage.

Basicaly your switched on burglar knows that they are going to leave some trace of their activities at some point besides that of the items they take.

Well if you pick your targets and take small but valuable items that are not obviously on display, and providing your entrance and exit are not obvious. Then it might be some considerable time before the loss of the items is discovered. By which time the crime scene is so thoroughly contaminated it would be a rare piece of good fortune if trace evidence of the burglar is discovered.

It appears that a lot of female burglars have thought about this and tend to behave in a cautious manner, and as a result are seldom if ever caught. The exceptions being when “caught in the act”, “in possesion” or by being “grassed up” by the people they sell on to.

Which probably accounts for why they do not make a large percentage of “known burglars”.

A lot of male burglars however just go in like a bunch of storm troopers and usually shed large amounts of trace evidence as well as taking it away with them.

Usually as the crime scene is fresh due to their obvious activities the trace evidence left by them is easily found collected analysed and saved away for future times. Worse they are also usually “known” to the police therefore a quick visit to their known locations will either give rise to evidence from the crime scene in, on or around them or their clothing or abode. Therefore the chances of getting a conviction is considerably improved.

The thing about trace evidence is you cannot avoid leaving it behind 100% of the time and once it’s recorded it hangs over your head like the sword of Damaclease. Just waiting for you to get picked up for something else and then bang you get the whole lot on your head in one go. And in the U.K. we now have “bad charecter” where other evidence that might be otherwise be regarded as hearsay or not relevant is know fully admissable to show a “criminal mind”.

Oh and another difference between careful burglers who get caught and those that don’t is “bigging it up” or talking about their exploits to their mates. Dumb I know but somethiing like 95% of most police leads come from this activity…

Clive Robinson • September 24, 2008 7:43 AM

@ Cybergibbons,

For my sins I used to design electronic locks for the Hotel Industry.

The design limitations can be put simply as,

1, They must work with existing doors / furniture.

2, They must be estheticaly pleasing so that architects etc will design them in.

3, They must be cheap to manufacture (BOM < $30).

4, The Hotel should see a ROI within 3 years against “key loss”.

5, The maintance cost must be low.

6, The locks should be “guest proof” and the front desk unit should be “blond proof” (I know it’s un-pc but that’s what it was called in the industry and it’s still in use).

There are four main reasons why electronic locks in Hotels fail to work once installed,

A, Mistakes by front desk staff, or guests not understanding how to use the lock (or being incapable due to being “tired and emotional” 😉

B, Static from soft furnishings carpets etc.

C, Abuse / misuse by Guests.

D, Battery life.

When a guest cannot get access to their room they usually use a phone to call the front desk or visit in person (which is bad news for the hotel as it’s one of the biggest gripes on CustSat forms). Due to this speed of entry is the name of the game, a member of front desk or security staff will be at the room within five minutes, and if they cannot get in maintanence is called.

If you have met the avarage hotel maintanence man you will know that the solution to a door lock not working is to “drill it” and “replace it”. As the former gets an existing guest into the room quickly and the latter keeps room occupancy high, this policy is usually supported by managment.

So the lock mechanisum either must be a “throw away item” or have a way to stop either the front desk or security staff calling maintanence when a guest / staff can not get in the room.

There are two ways one is electrical the other is mechanical. Unfortunatly the high tech electrical way is often the designers choice. That is there is a small connector socket at the bottom of the lock (RJ11 etc) into which security can plug the “override device” and enter a security code.

Of the mechanical methods the most sensible is simply to have an ordinary mechanical key. Other times it is the removal of the knob a finishing plate which hides a small hole that alows access to the clutch mechanisum. In the case of some locks the hole might start life as a mark or slight depression in the hidden part of the lock casing so the maintanence man knows where to drill with his 5mil drill. In some early locks it was an odd shaped screw head that had to be turned a set number of times with a special screwdriver.

Basicaly appart from the key these are all usually “security theater”. Esspecialy in the electronic case as all the “override device” usually does is supply power and reset the internal micro before actuating the electromagnetic actuator.

In some locks this works directly by powering the actuator, others by putting a logic voltage on the micro, some rare ones by sending a data comand to the micro to open. The “security” for this is usually not in the lock but the override device. Even where a data command is used it will be standard to all the locks…

Therefor If you have access to the override device the or a lock you can easily come up with an analoge to the override device.

On examining a lock circuit (diagram) it is often illuminating to see just how simple the override can be. In some locks simply connecting a battery the wrong way around energises the actuator through the snuber protection diode…

The actuator can be of a number of types but it boils down to battery life and speed of of operation (and sometimes noise). Essentialy for a number of locks the actuator acts as a clutch to link human mechanical power to the traditional lock mechanisum in the door.

Battery life is a vital consideration and in modern systems >95% is used by the actuator. Realisticaly it should last a minimum of six months on ten actuations a day (five if inside handle is directly connected to the traditional lock mechanisum).

Motors are usually seen as being slow and power hungry but importantly resistant to a magnet (they are not).

Solenoid type actuators are seen as fast and low power but suceptable to magnets (true in all respects).

So broadly the solenoid wins on power and the motor wins on low susceptability to magnets. Further the solenoid wins outright on mechanical simplicity and reliability and cost. But a lot of designers are scared off by “the problem of magnets”.

This is silly as even motors are susceptable and often the mechanics following the motor have considerably more issues as well.

The clasic one being “jiggling” whereby spinning or jerking the handle might, using inertia or transmitting sufficient mechanical energy as a pulse overcome the clutch (I’ve actually seen this being done in a very large Hotel in China).

The real problems with motors are they are not mechanicaly simple to operate requiring cams / switches and all sorts of other gubbins depending on just how inventive or knowledgable the deigner is. They are of lower reliability and have all sorts of attendant problems over and above a solenoid design.

The simplest motor system to think of uses a gear train with a final drive wheel with teeth missing on part of it’s circumfrance this pulls a toothed pin back against a spring and stops part way, after a time interval it turns the wheel around further to the part with no teeth and the pin returns under the spring. The pin is used to activate the clutch mechanisum.

Although it’s easy to describe and visualise it’s full of Gotchas, as are all the motor mechanical trains and some (if not nearly all) clutches.

The first problem is what sort of motor to use?

Traditionaly it would have been a simple DC “brush” motor but they have realy horible charecteristics such as the current required when they start under load or stall (this caused some early locks with lithium batteries to catch fire releasing large amounts of toxic and acrid smoke as well as burn significant amounts of the door).

Due to their reliability issues DC “brush” motors are not used much. Even in low cost PC’s the fans these days are contactless and in some cases have ac inverters built in and use AC “squirl cage” motors.

Stepper motors have been used but these are quite expensive and require extra control circuitry and still have most of the problems other motors have.

If using a DC “brush” motor a first thought would be to start the motor when there are no teath engaged with the pin, thus getting over the high start on load current problem. Also you could use inertia etc to get you over the teeth engage bump.

Unfortunatly this is gotcha number two, if you do not have the teeth engaged on the pin and it is metal containing iron chromium etc then a magnet can be used to draw it back. If not made of magnetic material but of sufficient mass then it might be possible to vibrate it back (the same way an electric pick gun works on traditional barrel and pin locks).

There are a whole load of others gotchas such as what position is the toothed wheel in. As the battery wears out a simple time based system will not work. Mechanical switches require force to be operated which means more energy from the batter, they also have reliability issues. Optical switches are energy hungry and have other issues. A smart deigner might use a micro with an analoge input and monitor the motor current to determin when the teeth engage / disengage thus obviating the switches and their problems but this has other issues.

I could go on at considerable length but

A, it’s duller than watching paint dry.

B, The Moderator might well block it on length / suitability.

C, It might be seen by the industry as giving away “trade secrets” (the old security via law suit game).

In reality the big issue with most of these battery operated locks is that they have design compromises or deficiencies that can be exploited by a knowledgable attacker. Usually the more low tech it is the more likley it is to succede and much worse be virtually undetectable…

Magnets, Vibrators / Shakers and jiggling attack the clutch mechanics and are therefore virtually undetectable post attack. Likewise attacks against the override port might not be detectable post attack. Even the reversed battery power trick might not damage the lock electronics so again be undetectable post attack.

My original point was that it was not realy worth discussing high tech theoretical attacks against a new lock when the older and well proven low tech attacks might well work even better and from the attackers point of view less detectably.