Flaw in Winkhaus Blue Chip Lock

The Winkhaus Blue Chip Lock is a very popular, and expensive, 128-bit encrypted door lock. When you insert a key, there is a 128-bit challenge/response exchange between the key and the lock, and when the key is authorized it will pull a small pin down through some sort of solenoid switch. This allows you to turn the lock.

Unfortunately, it has a major security flaw. If you put a strong magnet near the lock, you can also pull this pin down, without authorization -- without damage or any evidence.

The worst part is that Winkhaus is in denial about the problem, and is hoping it will just go away by itself. They've known about the flaw for at least six months, and have done nothing. They haven't told any of their customers. If you ask them, they'll say things like "it takes a very special magnet."

From what I've heard, the only version that does not have this problem is the model without a built-in battery. In that model, the part containing the solenoid switch faces the inside of the door instead of the outside. The internal battery is a weak spot, since you need to lift a small lid to replace it, so the battery side can never face the "outside" of the door, where anyone could remove the batteries. With an external power supply you do not have this constraint, since one side of the lock is solid metal and can face outward.

A video demonstration is available here.

Posted on March 2, 2005 at 3:00 PM • 18 Comments

Comments

Israel Torres • March 2, 2005 3:41 PM

wow... the link provided above:
http://connectmedia.waag.org/toool/21c3.wmv
links to a file that is 621.9 MB...

anyone have a smaller demo clip?

Meanwhile, with any type of magnetic lock you are going to be dealing with which field is stronger, the internal one, or the attacking one.

Israel Torres

Saar Drimer • March 2, 2005 3:58 PM

Bruce,
From their standpoint they are doing the only thing they can: denial. If they admit there is a flaw, they will have to recall/fix all the doors and face public humiliation that would ruin their business. If they don't admit it, they will only need to deal/fix on a case-by-case basis with complaints coming from the people who read your weblog.
Their "next generation" will be fixed (we all hope.)
I am not advocating this kind of corporate irresponsibility, but that is business.

C. Drake • March 2, 2005 4:04 PM

Well, the key to this is that a neodymium magnet is oh, I dunno... about 10 dollars from the right dealer. They come in numerous shapes and sizes, from the size of a hearing aid battery and probably capable of this feat, to the size of a wheel bearing on a car and able to move metal filings from a dozen feet away (only a slight exaggeration). I bet 10 dollars is a lot cheaper than one of these locks, as well as anything you might have behind one.

The best fix for this would be for the company to more heavily plate the outsides of the lock in the most magnetic-sensitive metal they can find. If the outer layers suck up the magnetics, it will just bleed off into the door. You could never move a piece of metal inside it with a magnet. The more advanced nerds to get their hands on it might just polarize the lock to prevent it. But that would likely suck up energy, and chance damaging certain media put near it.

Someone could make a killing selling metal doorplates with fittings to cover these locks closely.

Brad Mills • March 2, 2005 4:21 PM

Ouch! 607 Megs for the above-mentioned .wmv! It would be great to see some key still photos. Not knowing this lock, but knowing some other things, one could deduce strong magnets (such as in hard drives, after you've stripped the former owners' data off, of course) could be useful to create a skeleton key for these.

Alternately, there are items for bulk erasing magnetic cassette tapes (sound recordings, etc) that would likely do the trick, but require a power supply.

Else, in a pinch, one could wrap a winding of wire around the device, induce an electrical current through that winding, and create as strong of a magnetic field as you might require.

Seems a non-ferrous mechanical interlock (for the magnetic solenoid) might be a cost-effective way to harden this, without making it brittle. Maybe something that required a hand to depress/slide a device right where you'd place your magnet.

Better, three polarity-opposed solenoids, one 'left' one 'right' and one 'up/down', in very close physical proximity, thus using magnetic lines of flux to "tighten" at least 1 solenoid, in event of external magnetic bypass attempt.

Chinese finger-trap, anyone?

Davi Ottenheimer • March 2, 2005 4:38 PM

I am watching the video and would post stills but it's just a guy talking. He's wearing a t-shirt, so maybe that's of interest to some.

Um, for these "expensive" locks, how about just using a pin/mechanism that is non-metallic (e.g. ceramic)?

This exploit takes us back to the liability issue we discussed a few days ago. Does the manufacturer have any liability for selling a device that has high risk (a widely known vulnerability, and probably likely threat), especially when it is designed specifically to lower risk for valuable assets? If not, why?

mph • March 2, 2005 4:56 PM

From their "Customer Care" page:

"At Winkhaus our customers come first. At Winkhaus we listen to our customers. At Winkhaus we take action. We want to be the best."

Davi Ottenheimer • March 2, 2005 5:29 PM

I especially like the part of the movie where the presenter shows a key that should be hard to pick, except for the fact that blanks are issued regionally. He then says something like "the thing that makes them so secure is also their weakness".

Did anyone capture the Winkhaus blue chip page before it was changed to "This page is in the process of being up-dated please return soon Thank you."

Felix I. Wyss • March 2, 2005 5:47 PM

The German site is still up (http://www.winkhaus.de/produktframe/produkte.htm). It's also in the Google cache (search for "Winkhaus blue chip"). What's interesting: on their features page (http://www.winkhaus.de/produktframe/pages/bluechip/sicherheit.htm) they mention that the BlueChip uses the same technology as the electronic car keys (quote: "...acknowledged to be the most secure data transfer mechanism"). I wonder whether they use the same Texas Instruments RFIDs for which an attack has been published recently.

Chris Walsh • March 2, 2005 7:26 PM

This is all a sophisticated campaign by Bruce to sap the energy of the locksmiths who've gotten into a lather over Matt Blaze's recent work :^)

Felix I. Wyss • March 2, 2005 9:29 PM

Davi, I think you misread the blurb. It says that the cylinder registers (i.e. stores the fact) that it was opened with an authorized emergency key.

Michael • March 3, 2005 5:34 AM

Nice looking gadget.
Just replace your cylinder with one of these ... so simple.
Well, aside from the magnetic problem:
what happens if its battery runs low?
I think the lock will open, and there seems to be no mechanism for alerting someone ...
Does anybody know of a means of drawing lots of power from an RF(ID) field?
:-)

michael

Curt Sampson • March 3, 2005 7:24 PM

This actually makes me wonder, it would be more expensive, but perhaps it would make sense to put the power supply in the key, not the lock? At least you'd be able to carry a spare battery with you, and though the key would "fail locked," someone else with a key could still open the door.

Clive Robinson • March 6, 2005 5:36 PM

Sorry folks, but this is extremely old news. I used to work for a company called Uniqey (pronounced Uni Key) whose head office was in Park Royal, West London. This was back when 286s were the latest and greatest thing on the block.

Uniqey supplied electronic locks to the hotel industry whilst the likes of VingCard were still using punch cards. The company still exists and can be found on the web at http://www.uniqey.com/

The Unique lock was tested by UL and they found this very same problem, i.e. a big magnet. We tried many things, including all of the above suggestions, but they all had disadvantages. The two most obvious solutions that people always suggest are:

1. Increase metal thickness: it's way too expensive, and there is always a bigger magnet.

2. Multiple solenoids: these are expensive, and they draw the most power from the battery, so using more than one means high cost and a shorter battery life.

The two solutions we found to work reliably were:

1. Stop using electromagnetic components.

2. Make a simple interlock.

The first involved the development of a piezo clutch, which was unfortunately a very expensive item to manufacture at the time.

The second involved a loop of magnetic material, a weak spring, and a steel screw, nut and washer, which was nice and inexpensive and very easy to retrofit into the design.

Basically, any magnet brought close to the lock caused the screw to pull up against the spring to try and close the magnetic loop. The screw came up against part of the lock mechanism and stopped the solenoid engaging the door handle to the lock lever.

The way it worked enabled it to be fitted into less expensive housings so actually saved money in the long run.

On another point with electronic locks and batteries: sometimes you will see a "security port" on the bottom of the locks so that they can be opened by some gizmo (a Psion Organiser in the Unique case). Well, these ports have a disadvantage, in that the solenoid needs to be connected close to the battery and is usually connected in series with a transistor that operates it. To increase the battery life etc. there are usually no other protective circuit elements in series, and sometimes there is a helpful snubber network in there as well.

Often an examination of the circuit will show that applying an external voltage of a sufficient level on the security port in an unintended way will cause the solenoid to be activated.
