Schneier on Security
A blog covering security and security technology.
« An Ethical Code for Intelligence Officers |
| Man-in-the-Middle Trucking Attack »
August 12, 2009
Lockpicking and the Internet
Physical locks aren't very good. They keep the honest out, but any burglar worth his salt can pick the common door lock pretty quickly.
It used to be that most people didn't know this. Sure, we all watched television criminals and private detectives pick locks with an ease only found on television and thought it realistic, but somehow we still held onto the belief that our own locks kept us safe from intruders.
The Internet changed that.
First was the MIT Guide to Lockpicking, written by the late Bob ("Ted the Tool") Baldwin. Then came Matt Blaze's 2003 paper on breaking master key systems. After that, came a flood of lock picking information on the Net: opening a bicycle lock with a Bic pen, key bumping, and more. Many of these techniques were already known in both the criminal and locksmith communities. The locksmiths tried to suppress the knowledge, believing their guildlike secrecy was better than openness. But they've lost: Never has there been more public information about lock picking -- or safecracking, for that matter.
Lock companies have responded with more complicated locks, and more complicated disinformation campaigns.
There seems to be a limit to how secure you can make a wholly mechanical lock, as well as a limit to how large and unwieldy a key the public will accept. As a result, there is increasing interest in other lock technologies.
As a security technologist, I worry that if we don't fully understand these technologies and the new sorts of vulnerabilities they bring, we may be trading a flawed technology for an even worse one. Electronic locks are vulnerable to attack, often in new and surprising ways.
Start with keypads, more and more common on house doors. These have the benefit that you don't have to carry a physical key around, but there's the problem that you can't give someone the key for a day and then take it away when that day is over. As such, the security decays over time -- the longer the keypad is in use, the more people know how to get in. More complicated electronic keypads have a variety of options for dealing with this, but electronic keypads work only when the power is on, and battery-powered locks have their own failure modes. Plus, far too many people never bother to change the default entry code.
Keypads have other security failures, as well. I regularly see keypads where four of the 10 buttons are more worn than the other six. They're worn from use, of course, and instead of 10,000 possible entry codes, I now have to try only 24.
Fingerprint readers are another technology, but there are many known security problems with those. And there are operational problems, too: They're hard to use in the cold or with sweaty hands; and leaving a key with a neighbor to let the plumber in starts having a spy-versus-spy feel.
Some companies are going even further. Earlier this year, Schlage launched a series of locks that can be opened either by a key, a four-digit code, or the Internet. That's right: The lock is online. You can send the lock SMS messages or talk to it via a Website, and the lock can send you messages when someone opens it -- or even when someone tries to open it and fails.
Sounds nifty, but putting a lock on the Internet opens up a whole new set of problems, none of which we fully understand. Even worse: Security is only as strong as the weakest link. Schlage's system combines the inherent "pickability" of a physical lock, the new vulnerabilities of electronic keypads, and the hacking risk of online. For most applications, that's simply too much risk.
This essay previously appeared on DarkReading.com.
Posted on August 12, 2009 at 5:48 AM
• 87 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What about a public key/private key system with a wireless discussion between the physical lock and the physical key?
"but there's the problem that you can't give someone the key for a day and then take it away when that day is over"
My parents have a keycode lock which is not electronic, and you can change that combination. So you can "revoke" the key by changing your lock combination
Edit: Well, I assume it's not electronic. I could be wrong tho
The problem of securing homes is an old one, with a mature solution set which may in fact have something to teach us in securing computers.
While widely-distributed lock-picking information may be new, it has always been the case that locks and alarm systems only protect homes against casual, amateur assault. Homeowners are, generally speaking, aware that if someone competent is determined to get in, it's not really possible to keep them out.
That's why "security" of physical property doesn't stop at locked doors. The second "line of defense" is home insurance against theft. This works rather well, hedging and spreading the risk of loss, while the insurance companies use premium differentials as price signals to encourage people to upgrade doors, locks, etc., marginally increasing the average barriers to (breaking and) entry.
The point is that focusing on just physical perimeter security is a mugs game, and there are more complex responses to the home security problem that have evolved over the long time in which the problem has been recognized. There is presumably an analogy to securing computers on the Internet, offering secondary lines of defense against break-in risk that go beyond merely hardening all network software.
@Marq "change that combination"
Easier with an electronic lock than a manual cipher lock. Even where there are firm, clear regulations...it doesn't happen.
DoD says "Change cipher locks every 12 months or whenever anyone with the combination leaves" Yet a friend returned to visit a former contract assignment years after the fact and found (in the Pentagon) the lock combo was what he used before.
If the military won't do it consistently can we expect your parents to?
I do like the lock feature where you can assign someone their own combination and revoke it after their access is removed. Some of the GSA security containers have it and you no longer have to fill out the sf702 every time you open the safe.
If the lock were vpn protected, isolated from usual internet traffic I would like to know if some just let themselves into my house. Two or 3 months ago a woman checked her house webcam with her cell phone saw a bunch of guys robbing her and called the police.
About the worn buttons on the keypad: This could be avoided by keys that randomly change their number every time someone types in the key (they would need a small LED display or something similar for this).
You forgot to mention that the type of lock you use on your home is an "advert" as to what you think the contents are worth...
To a burgler a the sdvert tels them if it's worth paying a visit.
Also there is a limit on what locks can do for you, a burgler will simply find another way in if the locks or other security measures are too strong in one place.
Also people realy should remember that a nice looking house on the outside is also an advert to what the contents are likley to be worth...
Also think about what you chuck out in the rubbish (garbage/trash/whatever). If a burgler sees a 60" plasma TV box waiting to be taken away the chances are he will come and take the contents likewise with computers and their boxes.
Sometimes it realy does not pay to advertise...
And what you do when power fail? Or when neighbor turn on microwave oven? Or when your door (and lock) is flooded by rain/snow/blizzard?
Or when .... you've got an idea. There's a reason why electronic locks are not very popular.
Nine99 - they exist and are quite commonly used. However, it slows down the entry of the code enough that it makes it trivial to shoulder-surf the code.
Sometimes you need to step back from a problem and ask "why am I doing this?"
The same applies to fastening your door.
If you think about it door fastening comes in two types,
1, lockless fasteners (latches),
2, lock and key fasteners (locks).
These can be further sub divided into,
A, Accessable from one side only.
B, Accessable from both sides.
Even for high security a faster of type 1A is sufficient in a permanantly maned place.
The point being do not confuse what you are trying to achive with your pre-conceved needs.
There are three perfactly good reasons why ordinary house locks are as vulnerable as they are.
1, There level of security is on par with other security in the house (like windows etc).
2, The conveniance of operation of the lock (including failure modes)
3, The ordinary mature market forces that determin the price against the production cost.
For fastenings not used on (most) homes there are sometimes other considerations.
4, zoned access control (ie house keeping / maintanence in hotels etc).
5, Audited access.
6, Remote access control (prisons security check points etc).
7, Guard rotation.
8, Easily configurable access and zoning.
For some of these a fastener dependent token (a key) is actually the wrong way to go. You need a person based token.
The simple fact is that fastening an access point is not a simple excercise and if you do not know the "why" of what you are doing then you will end up with a non optimal solution be it for security or use.
I'm not security expert, so I don't know the ups and downs of this approach, but what about something like the GoldKey for locks?
Intuitively at least, it seems like a similar multi-factor solution makes sense.
I recall the show "To Catch a Thief" on Discovery, and these thieves-turned-consultants basically explained it like this: we look for high reward/ low risk. Good locks, a security system, no hiding places all equal inordinate time to enter and assess values and make the getaway. Bad locks, no security system, great hiding places all equal plenty of time to get in, figure out what's worth stealing, then get away clean.
This is a form of security in depth: locks, alarms, and zero cover all work in concert. The fourth element is one that you have to foster over time and is highly relative: good neighbors.
Why not just adapt modern remote car locking systems and have a (rechargeable) battery backup for the electric lock to cover power failures.
Electronic lock enclosures make good ants nests. I have seen this a few times - unfortunately an ant seems to be a reasonable (onetime) electricity conductor , rendering the lock unusable. (and leaving the user wishing he had a simple key).
Bruce, I find you very...very....attractive.
Are there any contactless smartcard based home security systems? That would seem to offer the same sort of convenience as physical keys but with potentially better security.
In the defence of the Schlage locks described above.
Just as public-key encryption, which is weaker than secret-key encryption, has it uses, the locks produced by the Schlage company may be very useful in some scenarios.
I have heard about a program that allows pensioners to remain in their homes instead of going to the care homes, by using technology to help these elderly people. These houses have CCTV at the entrances, most of the time there is somebody inside (i.e. the pensioner) and there is not a lot of valuables in the property.
Now, why do you need physical key, keypad, and the way to open the doors over the Internet:
- A pensioner would prefer to use an ordinary key, to gain access to their property
- Service personnel could use the keypad and save on trips to fetch the keys
- If the motion sensors detect that the pensioner collapsed an ambulance may be called and the doors may be opened over the internet to allow access for paramedics, before the service crew can arrive to open the doors. Also, if the pensioner cannot move a lot, and there is somebody at the door, let say a welcome, but rare guest, then a person in the remote control room may authenticate the guest and him/her in.
So, this technology may be valuable in some scenarios, where the security of assets is not so important.
"These have the benefit that you don't have to carry a physical key around, but there's the problem that you can't give someone the key for a day and then take it away when that day is over."
This is nice as an option, but keys can be copied, and housekeys can be copied relatively cheaply in most cases.
An easy solution to the numeric pad with worn keys problem is to place a number indicator above each key, and randomly change which key is associated with each number. So the keys over time will be worn evenly, and also a person at a distance will not be able to guess the combination by seeing the approx. location pressed by the person.
So if I'm watching someone press a keypad, and I see that they start in the upper right corner, then I would not know the first digit of the code, since the location of each digit is randomly changed.
Uh, have any of you ever installed professional electronic security systems or keypads? Such as SDC or Corby? Easy to program. Easy to revoke. Permission structures like a Unix OS. Hooking in something like an Aurora Technologies WAKI as a brain gives all kinds of remote and logistic capabilities on the owner/admin end. Electromag and other locks can fail-safe or secure. Can run on backup power for weeks; especially electronic bolts. You wana easy fix for keypad wear. Use a dustguard cover like on computer keyboars. Replace it when it shows wear. Or use a metal outdoor keypad. If the keys ever show wear, buff them. You could also make the keycode use all nine or ten keys as well( even wear).
The biggest concern about control keypads is the chips inside and drilling out the screws. There arent that many keypad oem's. If a criminal drilled out the screws and took the keypad out of the j-box, and he knew which wire shunt will set the keypad to factory zero(usually listed in every manufacturer manual), he will have entry using the factory reset code. There is also the possibility the spooks could mandate a universal entry code to be stored in every keypad in the US, for their benefit or your local LEO. Probably not an issue, but wouldnt suprise me in the least if it happened.
Of course, this actually assumes that your Asian produced lock-a-majigs hold up and dont fail in someway that you dont have to ram down a door, break through a wall or other creativity because one of your wires had a patch of bad insulation and was draining the backup battery to ground. Great fun.
What is the point of having strong locks on a residential building? The door frames normally aren't even strong enough to withstand a good kick... the average man with a five pound sledge hammer can open nearly any residential door in less than 3 seconds. Notice that on all the police reality shows the cops just bash the doors open.
That's where "defense in depth" comes in. Your locks just need to be good enough. Your alarm system needs to be able to detect breaking glass, etc. Your house needs to be visible to your neighbors, and your neighbors need to care enough to call the police if they see someone trying to get into your house.
Everyone I know has a USB thumb drive. For some reason it doesn't appear that anyone has bothered to try using them as keys. You could even set it up such that the key powers the system, thereby negating the need to maintain a power supply in the locking mechanism itself.
Why no discussion of...security? I don't worry about the ability of my front door lock to defeat tricky attacks, or forcible attacks, because I live in a neighborhood.
In actual fact, friends trying to feed the cat, but who have lost their key and are then in the back yard trying to find another way in have been stopped by neighbors, and we got a phone call to verify their authority to be there. I presume if they didn't cooperate, police would have been called instead of us.
Clearly, hidden entraces, and having your whole house out of sight or far from others reduces this, but I take advantage of a system of layered security, like any other security apparatus. And am aware of it, so I can take advantage of it to assure I have higher security than the mechanical devices alone.
Professional electronic security products where the control electronics are on the non-secure side of the door?
Nearly all medium and high cost electronic keypad locks only have the keypad on the non-secure side, so resetting the code isn't possible.
My garage keypad allows me to generate a temporary password that works for x uses or x days. I can't imagine house keypads wouldn't have this feature.
One thing that I've never understood is how the locksmith industry is trying to cover up the facts here. Wouldn't it be a boon to their business if more and more people wanted to upgrade their security to more secure (and expensive) systems?
@Zibi K: Or you could just use a perfectly normal key safe which attaches to the wall outside the front door.
The lock & locksmith industry doesn't want to be held accountable for selling you a product that doesn't perform as advertised and puts the risk on them. Therefore, obscurity and obfuscation is the rendering from industry to protect their profits.
" ... you can't give someone the key for a day and then take it away when that day is over."
How do you know that someone has not made a copy of the key? It takes five minutes at the local hardware store. My electronic locks allow me to set up and delete codes. I do this for contractors/cleaning staff/family all the time.
They certainly aren't perfect but in that regard, I think that they are better than physical keys.
I have a security system not mentioned here - his name is Scruffy and he doesn't like unattended strangers.
I know this because he allegedly bit a maintenance guy at an old apartment complex I lived. I told the complex to call me so I knew when to be there or put up the dog. But hey, at least I know Scruffy is earning his food :)
This is in addition to the usual locks and alarms we have. Full proof? Nope, plenty ways to get around a dog. But why rob the guy with a potentially viscious dog, locks, and a very loud alarm when the neighbors aren't using similar precautions. This also assumes the robbery isn't targetted.
But generally, the random criminal wants the low hanging fruit.
What really should be done is add a few digits to the code and have everyone have unique codes. That way when someone leaves you just take out their code, nobody else's changes and you don't make a whole bunch of people memorize new codes.
Something I haven't seen yet that I think would be a good idea--a crypto RFID system. A device in the wall sits there broadcasting encrypted numbers. You have a little device you carry with you that can decrypt them and reply--you get near the door and it unlocks. At this point the broadcaster changes numbers so a replay attack doesn't work. You still need power but it can use a backup battery. It would require redesigning doors, though--the locking mechanism would be in the wall, not the door.
There's also no point in anything really secure for home use--few people have bars on the windows and if there aren't bars they can just break a window.
I don't think there's that much of a difference between an electronic lock and a mechanical one.
Sure, there's greater risk if I'm careless and don't change the code.. or if I let the keypad wear out unevenly.
But I don't think it's safer to constantly leave a key under the mat or inside a nearby pot.
The real advantage of an electronic lock would be tangible if I tend to loose or forget my keys.
Internet / SMS sounds fine, but only to let me know stats, not letting me control it.
Is there no way we can persuade people to stop stealing things? Save a lot of wasted time with flawed technology and an unwieldy keyring.....
So now someone can leave a key under the door mat AND wear down the four keypad numbers that comprise the entry code AND stick the password on a Post-It on their work PC.
-- Michael Seese, author of "Scrappy Information Security"
Nothing beats the effectiveness of vigilant neighbors -- ask Professor Gates of Boston...
Assuming a sufficiently-long bootup timer and retry timer, electronic locks are safe from brute-force attacks.
"For most applications, that's simply too much risk"
I have to question that. For residential applications the primary consideration is convenience not security. The door lock is not the weakest link in my homes security, all it has to be is as good as the rest and that's not a very high threshold to meet.
Unless I bar all the windows, reinforce the door frames and exterior walls an unbeatable door lock is a waste of money.
I've worked with a few electronic keypad and radio dongle locks, and been singularly unimpressed with them all. They have thin plastic or aluminium casings, they're screwed onto the outer surface of the building, and their output is a pair of wires which they short out to open the door; all the code-checking logic is contained within the casing.
You don't waste your time figuring out the code. You cut into the casing and short the wires together. It takes about ten seconds with a hammer and punch to get in, and a sharp tug to extract the wires.
I imagine there are more secure devices out there. I also expect that almost nobody will bother with them, since people don't know how to think about security, and buy the cheapest option.
I think the takeaway isn't "we need better locks" but "we need to expect less of locks."
I bet electronic locks will be ubiquitous someday, but not necessarily for security's sake.
I find RFID keyfobs to be the most convenient entry devices I've ever worked with or seen. Most concerns about covertly stealing the key's ID for break-in or tracking purposes could be addressed by casing the key in metal with a spring-loaded retractable cover, so that it can only transmit when the cover is held open. Then the easiest attack available would be to conceal a signal-recording device in the proximity of the door and return later to collect it. The 0.001% of the population for whom this represents the weakest link in their home security can use a smart card and a challenge-response protocol in place of RFID.
>Nothing beats the effectiveness of
>vigilant neighbors -- ask Professor
>Gates of Boston...
There's more truth to that then I think the poster may have intended.
Couldn't tell you where the key to my house is. Haven't used it in about 9 years.
It sits 500' back from the road, heavily wooded area. You could back a moving truck up to the front door and no neighbor or passerby would notice.
If the two medium sized dogs inside aren't enough detterent, there isn't anything that would be a detterent that would be cost justifiable.
What dire offence from amorous causes springs!
What mighty contests rise from trivial things!
After an encounter with a "lever lock" which is considered nigh unpickable, I concluded that society wants locks that are pickable. Lever locks are simple and have been around forever, so why are they used on deposit boxes but not our front doors?
Bruce, isn't it 256 possible permutations on the worn keypads (vs. the 24 you suggested)? Or maybe it's different since if some numbers were used twice there wouldn't be 4 worn keys... But 24 doesn't seem right.
@Sean Tierney: Bruce, isn't it 256 possible permutations on the worn keypads (vs. the 24 you suggested)? Or maybe it's different since if some numbers were used twice there wouldn't be 4 worn keys... But 24 doesn't seem right.
Actually, 24 is correct. If it is a 4 digit code and there are 4 numbers used, there are no repeats so 4*4*4*4 is not the calculation.
The calculation is actualy 4*3*2*1. (1 in 4 for first number, only 3 left for second, only 2 left for third, remaining number is the fourth number).
If numbers were used more than once, only 1, 2, or 3 numbers would be worn.
Strange, you write about locks and beliefs about security...and you even mention a school in Massachusetts, but you do not say anything about the situation with Professor Henry Louis Gates. Remember the incident with his door in Cambridge?
"somehow we still held onto the belief that our own locks kept us safe from intruders"
Yes, somehow, but not because of locks alone.
Just wanted to let you know that the title of this post contains a misspelling: Internet is misspelled as "Intenet", without the r.
@ J. Andrew Evans,
"Lever locks are simple and have been around forever, so why are they used on deposit boxes but not our front doors?"
Simple answer "conveniance".
A snap lock (Yale) is little more than a self closing latch, with the private side has a handle/knob the public side a key. It offers conveniance but generaly little security
Which is why in many parts of the world they are hardly used. But lever locks are used, next time you are in Italy, Portugal or Spain you will see lever door locks with keys that would put a US safe to shame and the doors they are in generaly have atleast six locking bolts that go into substantial frames controled by the lock.
In the UK we tend to use both "snap locks" (Yale) and "lever locks".
That is because the snap lock is conveniant for poping in and out when people are in the house and the lever lock is used to "lock up" when people are not at home.
"Strange, you write about locks and beliefs about security...and you even mention a school in Massachusetts, but you do not say anything about the situation with Professor Henry Louis Gates. Remember the incident with his door in Cambridge?"
I actually wrote the piece before the incident. It would have made a great news hook, had I only thought of it.
Regarding the security of residential doors, I recall a saying: "Don't go through doors. People watch doors. People shoot people who go through doors. Blow a hole in the wall and go through that instead." I cannot remember the source, though.
I also know of a group that keeps tigers at an animal sanctuary and takes them in for the winter. Apparently one year they had an attempted break-in, and have an entertaining video of the robber opening an unlocked window, stepping through quietly, turning around, seeing a full-grown tiger watching him /with interest/, and stepping back quietly through the window before closing it.
You can't buy that kind of security.
Is there a standard cost/benefit analysis of the social value of locks? I'm starting to wonder if we might not be better off generally if no one locked their doors. I never lock mine.
Interestingly in the case of a normal keypad it is better to use only 3 different digits instead of 4 (repeating one digit)
That way only 3 digits are worn out rather than four.
This gives 36 combinations rather than 24 - not much better, but at least someone looking at it may get confused and try all 3-digit combinations as well.
I don't bother to spend a lot of money on a complicated, secure lock for the home (keypad or otherwise), because I know anyone who really wants to get in will walk around the back of my house and throw a brick through the large glass sliding patio door.
A discussion of the security of locks for the home totally disregards the fact that they're so easily bypassed in most cases (by forcing the door itself, going through a window, etc).
Now for a high-security facility the story may be different, but for a house, there's not much point in a lock that's more difficult to pick.
Two Big DOGS(who will lay down their lives to protect their family)= best security you can have(along with a handgun of somekind or a 12 gauge).
@savanik, the pilot of the TV show "Burn Notice".
Funny story about the tiger.
But you've hit on the point of a door lock: you force someone to increase their risk--of exposure, which is their risk point--in order to enter your house.
I used to work for a company that installed access control systems with proximity cards. Then at a later workplace I called in the former company to install their system and reinforce it with biometric readers on certain doors - data center etc. The biometric reader wasn't well integrated, so there were two possible modes of use: make the biometric reader enable the proximity reader which we tried first, or make the proximity reader enable the biometric reader - which was harder but we used later.
The proximity reader had an input to disable/enable the scanner. We hooked that up to the biometric device, so that you entered a pin and scanned your hand on that and then it enabled the proximity scanner to scan your card and open the door. That was clumsy because the biometrics were standalone and we had to give everyone pins.
Then we figured out how to send the card number from the proximity reader to the biometric reader and use that instead of a pin. We then hooked it up that the biometric reader's output drove the door lock.
The problem, which I realised later, is that you can unlock the biometric reader with a physical key to access the back of the device for service, using a key. The lock is one of those bic-pen-openable types, and all the readers had the same key. The installers no doubt kept one, and I kept a couple - I don't know for sure how many there were, but it should have been easy to get one. When I left the company I kept one.
Now, since the biometric now drives the door lock, it's quick and simple to unlock that reader, and bridge the (normally open) contact that leads to the door lock, opening the door without authenticating to the proximity reader or the biometric reader - and even without schematics, it's easy to know which contacts you need to bridge because there's a separate cable coming out the wall connected to only two contacts - which goes to the maglock.
A 1" piece of wire, or even a bent staple, would be sufficient to bridge the contacts and open the door.
I kept my mouth shut when I realised this because there was no easy solution, and the installers were sufficiently non-intellectual to figure this out.
I still have my key though.
I recall once several of us showed up a friend's apartment for his birthday party. There was a note on the door that said "Be back in 5 min." Well one of us was a locksmith and said "There's no reason to wait outside." Less than 30 seconds later we were inside. When our host showed up he said "how did you get inside?"
"umm...The door was unlocked when we came in," --but not when we got there.
I've never thought of locks the same since.
> ... tigers ... You can't buy that kind of security.
My sister has a mastiff (formerly had two), which she didn't buy, but adopted from the pound. I call it the "carnivorous pony." Had a burglar one day, and to piece together from eyewitness reports and physical evidence, the dog (which could get into the back of the house to get out of the heat) actually burst out through the picture window to pursue him, and the only reason he got away was that it was taught strictly not to go past the fence.
Usually just the sound of it baying is enough to scare anyone back to honesty!
> I don't think there's that much of a difference between an electronic lock and a mechanical one.
In principle, there could be a considerable difference. Electronic locks could be made much more secure than mechanical ones. In a mechanical lock, the key has to directly manipulate the working parts, and the depth of defence between the exterior and the bolt is limited by the practical length of a key.
In an electronic lock, the attacker can be limited to a narrow and tightly restricted communications channel with the internal logic, and the distance between the access point and the mechanism can be made arbitrarily large.
The actual interaction between key and lock logic can be a complex cryptographic protocol instead of simple matching.
Additionally, it is far simpler to change out compromised keys for an electronic lock, and while there is no practical way to make a mechanical lock keep audit trails more sophisticated than "something is wrong", electronic locks can keep extensive audits, and even integrate with alarm systems.
In practice, nearly all of these potential benefits are ignored in place of cheapness. Keypad systems and some higher end commercial systems allow rapid key repudiation, most systems don't. Some better commercial systems keep audit trails, cheaper ones and domestic systems don't. Very few use cryptographic authentication protocols; it's all just sniffable plaintext passwords. Very few use the signal path to prevent access to the lock logic; instead the logic is often just sitting in a diecast box. Apart from safes, pretty well none extend the distance to the bolts in order to harden against destructive entry, in fact many of the more popular ones are designed as a slip-in retrofit that keeps the original mechanical boltwork.
All of those features could have been done very cheaply, but instead they were omitted to make things dirt cheap, or because the designers didn't understand information security.
So instead of getting systems which eliminate many of the unavoidable flaws of mechanical locks, we get systems which have all the old flaws, and add new ones as well. At the moment these attack vectors look exotic and low risk because you aren't used to them, but many really aren't all that technically hard. RFID sniffer recipes are already floating around the 'net; believe you me it won't be long before the black market sells idiot-proof RFID sniffer kits for a low, low price.
I disagree with all the comments that the security of locks on your house is not an issue.
Nearly all buildings contents insurance in the UK requires proof of forced entry. Without this proof, you will not get an insurance payout.
Without forensic investigation, you won't be able to see that the locks have been picked, and you won't get any money.
As RF said above:
'I think the takeaway isn't "we need better locks" but "we need to expect less of locks."'
i.e. both users and insurance companies need to expect less of locks.
I run the sites http://www.lockwiki.com and http://www.lockpickingforensics.com . One site is a reference for locks, safes, AND compromise methods, as well as a reference for which locks are vulnerable to which methods of attack. This hopefully helps consumers who aren't expert locksmiths understand what they are buying, and that there is a difference between the 40$ Master Lock and a 50$ Abloy/Mul-T-Lock/Medeco/etc. The forensics site is there to show that almost all of these methods of attack are detectable, and that lockpicking and safecracking are certainly not guaranteed ways of getting away with a crime.
About 150 years ago (mid 1800s) the locksmith community had a pretty similar discussion with regards to disclosure and the dissemination of knowledge on locks, safes, and compromise methods to outsiders. It was equally scary to them, perhaps more so given the times. They came to pretty much the same conclusions as we have today: it is unreasonable to assume attackers don't already know this, or that they would need to come to us to learn it (paraphrasing Joseph Bramah). Alfred Hobbs, a legendary lockpicker, has this to say:
"A commercial, and in some respects a social doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.
Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance."
There have been a few occasions that the lock manufacturers have taken steps to correct issues thanks the locksport folks. Jaakko Fagerlund's Abus exploit and my Medecoder tool were two recent (1 year ago) examples. For more information on the tool I designed and built that could open almost every Medeco and how the company positively reacted, check out this page: http://theamazingking.com/medecoder.html
The reason not locking your door works for you is because everyone else locks theirs.
If no one else did either, theft would go way up, and your chances of staying lucky would go way down.
It's true that there's a limit to the amount of theft that can occur, even in a lockless society (only a certain number of people will thieve,(even if it's easy) and they can only rob so many houses in a day), but the amount of theft that will occur in a lockless society is a lot higher than in a locking one.
Assuming similar policing, social stigma against theft, punishments, etc.
"I don't think there's that much of a difference between an electronic lock and a mechanical one."
It depends on which bit of the lock you are talking about...
When it comes to the actual part that fastens the door (latch/strike) then yes they are in most cases the same or similar.
However in some electronic locks they are actually weaker...
The reason being "energy to operate"
Electric strikes come in two forms those that are powered from a mains supply and those from batteries.
Obviously you don't want to be shut out (or in) at an inconveniant time (black/brown out) nore do you want to be topping up landfill with zinc or cadmium on a regular basis.
This kind of mandates a minimum of power (energy x time) in the operation of the strike.
Which has a number of consiquences. The first being the use of low power solenoids without magnetic shielding (therefor susceptable to big magnatron magnets etc)
Like wise this also mandates a light weight (mag/aluminium alloys etc ) low friction (nylon delrin) mechanism.
Which in a cost sensitive market usually means low tolerance (sloppy fit) on parts.
So the lightness of the parts and sloppy mechanism gives rise to a better oportunity to undesirables getting past the latch/strike and compleatly ignoring the "high security" electronics...
As a case in point, next time you get to have a look at an electronic "home safe" examine the mechanical "by pass" lock. In many cases it's a cheep file cabinet lock...
As is often observed the weakest link in the chain is where it is most likley to fail...
Babbage's "Passages from the Life of a Philisopher" is available on Google Books.
Chapter XVIII is titled "Picking Locks and Deciphering"
The claim of 10,000 possibilities vs. 24 is erroneous. The correct comparison is either 10*9*8*7 combinations vs. 4*3*2*1 combinations for the worn keypad (i.e. no repeated digits) or 10^4 vs. 4^4 combinations if repeated digits are allowed. Of course, if repeats are allowed, then one could see less than 4 worn digits on the keypad. In any event, as written the comparison is not quite apples to apples.
Most Home security systems I have seen (be it an electronic lock or a burglar alarm) are all but useless.
With the lock, the lock is the input device, decision maker, and output device. Simplest way to get past it is to smash the input device and connect the two wires behind it.
With the home security alarm -- you break into the target house and the first thing you do is smash the central alarm console (the one that hooks to the phone line). Once this is disabled -- no alarm.
There is another security issue with locks that I have not seen mentioned in this discussion: availability. I've been locked out of places a number of times because the physical key had been forgotten, lost, or stolen. I've never forgotten a code that I used on an (almost) daily basis.
Keeping the bad guys out is nice, but letting the good guys in may be even more important. Again, I've been locked out a number of times, but, by contrast, to my knowledge, nobody has ever tried to pick any of my locks without my authorization.
I had a car that had a deep cut in the keys that would result in their breaking after six months or a year of use. First time it happened cost me about four hours, in taking the bus home, and then back with my spare key.
Since then, I've always carried a spare car key in my wallet.
I visited relatives a few years ago in an older area of Berkeley. They strongly advised me not to lock my car doors. Standard practice there was to drive an older car, leave nothing in it to steal, and never to lock the doors. That avoided damage to your car by hopeful thieves.
I used to live there and had forgotten over the years. In my middle class surroundings where theft is possible but not likely, we all lock our car doors.
So economic class determines whether or not locks are used. It was a "doh" moment for me because I knew that but had forgotten. I had to relearn.
Why do we want our lock to be secure?
It's only there to prevent the issurance company from not paying and to keep drunken kids out.
As long as the building has windows, without bars in front of it, it's completely pointless to talk about the door. The door is not the weakest link. (And normally, the door is also much more visible from the street than backyard windows.)
I once stayed at a hotel with an in-room safe where the guest chooses his own 4-digit code each time to lock the safe. Same code opens the safe. Next time the guest is free to choose a different code. Not bad. The funny part is that each key of the keypad plays a distinct musical tone. Someone listening in the corridor could hear the 4 notes and know the code!
@ Infrequent Traveler,
"The funny part is that each key of the keypad plays a distinct musical tone. Someone listening in the corridor could hear the 4 notes and know the code!"
I thought nobody had been this daft since the James Bond movie "Moonracker". Where the "Oh so British humor" of the director came through.
Such a musical keypad lock was on the door of the "baddie" Hugo Drax's secret lab in Wien.
The reason it was mildly amusing was that it took a side swipe at another famous film director by playing the famous five note sequnce from "Close encounter's of the Third Kind". (All together "Dah dee dah dee dhaaa" 8)
Traditionally the security of a wholly mechanical locks have been limited by cost and convience. A paper (mine) "Security Through Transparency: An Open Source Approach" which appeared in the latest edition of the Journal For Physical Security http://jpl.anl.gov describes an alternative to the status quo. The RKS (Robotic Key System) is comprised of a wholly mechanical lock cylinder which is very simple and highly resistent to manipulation and an intellegent electro-mechanical key. The key is an open source device and may change and improve (independent of the lock) as technology evolves. The system is in it's early stages and the key could be much smaller than depicted in the paper. I encourage anyone interested in an alternative approach to traditional lock and key systems to visit the link above.
I learned lock picking from my neighborhood library 30 years ago. No internet required.
Being a locksmith myself, I placed high quality locks on my house and also had home insurance. When we were burgled, they didn't come through any locked doors, but found a weak spot (the overhead garage door at that time) and forced their way in.
As for insurance, my lawyer said it would cost me more to fight their arguments than the claim was worth. So insurance was a bust and the fees payed to the lawyer got us no money.
In a way were were taken three times in one incident.
Now I just accept the fact that on any given day I may come home to find stuff gone. And as I get older I see my friends trying to figure out what to do with their stuff as they reach for the grave. I watch as those they thought were close family/friends start squabbling about what they will get.
Makes me think of Matthew 6:20.
Sure.. you *can* make an electronic lock safer than the average mechanical lock.
And you can also make the average mechanical lock safer.
The way I feel it, the problem with electronic locks is that they are invented out of fashion or confort, not out of need.
.. if you make your door lock nearly impossible to open; burglars will try to open windows.
.. or try to break the hinges.
.. or break a window.
"The way I feel it, the problem with electronic locks is that they are invented out of fashion or confort, not out of need."
The purpose behind some of the newer electronic locks is "audit".
In essence a mechanical lock has a sensor built in and the keys have RFID's in them. When the key is used in the lock the sensor logs the RFID ID and time and makes it available for audit purposes.
It kind of gets around issuing both a key card and mechanical key for the door but it is a very expensive option usually costing 10-20 times as much per lock cylinder...
The Schlage internet connected lock is interesting, there's a clear benefit to receiving a message when someone opens your door or attempts and fails to unlock the door.
But why not simply have the lock send messages, but make it incapable of receiving messages? (i.e. by not actually having "receiver" hardware). I don't care how good the attack is, if the lock is physically unable to receive electronic input, no attacker will be able to unlock the door or gain information via the internet. With this scenario, I don't see how your lock would be more insecure, and you'd have the added benefit of being warned if someone is trying to break into your house.
I agree with Nomen Publicus. It seams car locks work fairly well. I want the convienience of unlocking the door without having to stick the key in not not having to carry a key around.
@Tony I am pretty sure there are computer hacking devices that steal your car's key code as long as they are within a certain distance range of you locking/unlocking your car.
As far as locks that send and receive messages go, they work like Remote PC Access Software, and safeguarding them could be difficult...or not, depending on how tech-savvy your neighborhood burglars are.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.