Schneier on Security
A blog covering security and security technology.
« Korea Solves the Identity Theft Problem |
| Leon County, FL Dumps Diebold Voting Machines »
December 14, 2005
Weakest Link Security
At the airport where this pilot fish works, security has gotten a lot more attention since 9/11. "All the security doors that connect the concourses to office spaces and alleyways for service personnel needed an immediate upgrade," says fish. "It seems that the use of a security badge was no longer adequate protection.
"So over the course of about a month, more than 50 doors were upgraded to require three-way protection. To open the door, a user needed to present a security badge (something you possess), a numeric code (something you know) and a biometric thumb scan (something you are).
"Present all three, and the door beeps and lets you in."
One by one, the doors are brought online. The technology works, and everything looks fine -- until fish decides to test the obvious.
After all, the average member of the public isn't likely to forge a security badge, guess a multidigit number and fake a thumb scan. "But what happens if you just turn the handle without any of the above?" asks fish. "Would it set off alarms or call security?
"It turns out that if you turn the handle, the door opens.
"Despite the addition of all that technology and security on every single door, nobody bothered to check that the doors were set to lock by default."
Remember, security is only as strong as the weakest link.
Posted on December 14, 2005 at 11:59 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
As Scotty said in Star Trek III: "The more they overthink the plumbing, the easier it is to stop up the drain."
That is great!
Reminds me of the story of the secure bank vault... Dual Key Access, Bio-metric, Number pad, and Time Locked. Not to mention the walls were 2ft re-enforced contrete with 2in steel plateing and the door has some special glass pieces inside to prevent tampering.
The bank robbers came in with a hydralic jack and lifted the door off it's hinges...opps
Oh surveillance, where art thou when preventive controls are lacking...
"Oh surveillance, where art thou when preventive controls are lacking."
Defense in depth is a good thing.
Is the fish liable under the DMCA for demonstrating a circumvention technique?
Reminds me of a story about a burglar who said that, while the locks are getting tougher, the doors and doorframes are getting weaker and a good kick usually does the trick.
"Reminds me of a story about a burglar who said that, while the locks are getting tougher, the doors and doorframes are getting weaker and a good kick usually does the trick."
I live in a pretty quiet, rural area. Few (if any) people can see my front door. I have large windows big enough for a big screen tv to be passed through, that no-one can see.
Locking my doors up is pretty much useless. I don't have to worry about people stumbling in off the street, and anyone that wanted to break in could just shatter a very large and expensive window, and have a much larger opening for stealing things through than a door.
My weakest link definitely isn't the door. Anyone who decides to steal from me, isn't going to be deterred by a locked door, and so I assume will just come through a window. If they DO find the door unlocked, then they're less likely to go through the windows.
Now, of course, this is also a neighborhood that has had 4 known thefts in 30 years. Three were thefts late at night, from cars left unlocked or slashed through the convertible top. The other was a neighborhood kid sneaking into my house when the previous owner lived there, to steal one of his playboys that the kid knew were there, from when the kid house-sat for the previous owner (quasi-inside job).
A similar story of fuzzy thinking:
At a site where I work, there are many rooms with access card readers. You wave your card in front of the reader and a mechanism unlatches the magnetic striker plate for a few seconds, allowing the door to be opened. The door handle is locked from the outside only, so once inside the room you can exit--e.g. in case of emergency, even if the power is out--by simply turning the handle. There is no card reader inside the room. Each door has one or more magnetic sensors in the jamb to detect if the door is opened. The idea is that if the jamb sensors detect that the door is opened without a badge having been swiped, it could indicate one of two things: 1) someone opened the door from the inside by turning the handle, or 2) someone forced the door open by bypassing or forcing the lock. The security people want to avoid a false alarm every time 1) happens, so they place an infrared/RF motion sensor inside the room, above the door where it can "see" anyone approaching the door. If the door is opened while the motion sensor is active, it's regarded merely as someone exiting the room, and no force-open alarm is raised.
Unfortunately, the control system they use has a lousy default, which is that, in addition to the card reader, the motion sensor also unlatches the striker plate. This renders every room trivial to enter--all you need to do to unlatch the striker plate is to trigger the motion sensor from the outside. Since it is always mounted just above and in front of the door, this is easy to do a number of ways. One way is to just slide a piece of plain white paper over the top of the door. In a room with anything producing infrared (e.g. a computer or LAN room), this reflects some of the infrared from elsewhere in the room, triggering the motion sensor, which unlatches the striker plate, and in you go. In cold, dark rooms, just heat up the paper. Running 20 or so sheets out of a copier produces a nice warm sheaf that works just dandy. I'm sure you can think of many other ways to accomplish the same thing.
That this system has a poor default is disturbing enough. But even worse is that even after having the problem explained to them slowly and repeatedly, the security people still don't understand why it's wrong, and continue to install new doors with the same problem.
i'll just kidnap you, take your badge, torture your password out of you and cut off your thumb. next!
Entering a building on a major American university campus, I was once made to walk through a metal detector, as well as being generally looked over by two armed security guards. Before passing through the metal detector, I handed my backpack to one of the guards. After walking through, I was dumbfounded to have it handed back to me unexamined in any way. Probably more an example of indolence than incompetence, but it illustrates the same point.
"One way is to just slide a piece of plain white paper over the top of the door. ... Running 20 or so sheets out of a copier produces a nice warm sheaf that works just dandy."
On the assumption that you're referring to a standard door, have you actually tried sliding a piece of paper *over* a door, let alone a sheaf? The frame will force the paper down, and most likely away from the sensor. Maybe that's why the security folk have been ignoring you - your attack most likely will not work.
OTOH if it's the kind of door with a gap at the top (such as a lot of glass doors) then your attack might work.
Jim Hyslop> On the assumption that you're referring to a standard door, have you actually tried sliding a piece of paper *over* a door, let alone a sheaf? The frame will force the paper down, and most likely away from the sensor.
Of course I've tried it. I suggest you try it too. Yes, it is a standard door, which opens into the protected room. From the outside, the paper must go up between the stop and the door, bend in toward the room, from which it is a straight shot between the door and the jamb into the room. Nothing forces the paper down other than gravity. And it /helps/ that the paper sags--that's what reflects infrared from the rest of the room into the sensor. As for the sheaf, it is not necessary to feed the entire sheaf of paper over the door; a single sheet from the middle of the pack is fine. The point of the sheaf is to keep the inner pages warm while you mosey from the copy room down to the room you want to enter.
Perhaps you are imagining that the door opens outward, in which case you would have to pre-curve the paper, or push it all the way through so it falls free inside the room, or come up with a variant method. I suggested that people would be able to think of other ways to trigger a motion sensor on the far side of a door, but perhaps that was too generous, so here are a few: you can also slide a warm sheet under the bottom of the door, light a sheet of paper on fire and slide it under the door, pour some hot water from the nearby coffee maker on the floor so it runs under the door, etc. The latter attacks are messy, but they are also unnecessary, since the attack, as I described it, /works/, demonstrably, with a plain old sheet of white paper.
Jim Hyslop> Maybe that's why the security folk have been ignoring you - your attack most likely will not work.
It's not a matter of probability. Naturally I proved to myself that it does work, reliably, before I informed the security people, as I'm not the sort to act based on untested surmises. The security people ignore it because they don't have the ability to think critically. An exception is the manager of the security folks, who actually understood the attack and made an effort to correct some cases where the system default was left in place. The lower-level folks, however, are simply not able to visualize this attack unless you demonstrate it to them, and the turnover is high enough that it fails to become institutional knowledge.
Some years ago a two storey building I worked in had an elevator which also serviced the underground car park which was openly accessible. The security problem here was that after the elevator doors shut, the elevator would stay on that floor. Someone with a sheet of paper only had to wait in the car park for an employee to exit the building via the lift in the underground car park, then slide the piece of paper between the elevator doors. The infra red sensor which prevented the elevator doors accidentally closing on people would trigger and open the elevator doors. Presto! instant access to the building. When the elevator company were alerted they changed all the elevators in the city to make sure they homed to a secure floor.
Where art thou, secure defaults?
And why has thou tarried so long?
I wonder if it's a safety issue. If the doors also count as emergency exits, perhaps the safety regulation says they have to always be openable, even thought the security regulation says you must have/be/know XYZ.
Rich> I wonder if it's a safety issue. If the doors also count as emergency exits, perhaps the safety regulation says they have to always be openable, even thought the security regulation says you must have/be/know XYZ.
Indeed, as I originally posted, the door handles are not latched from the inside. So one can always exit the protected room in an emergency, regardless of the state of the security system--just open the door as you would any other door.
@aeschylus: "Of course I've tried it. I suggest you try it too. Yes, it is a standard door, which opens into the protected room. From the outside, the paper must go up between the stop and the door, bend in toward the room"
Right, of course - I was visualizing it from the wrong side of the door. Sorry about my muddled thinking.
Sometimes "lo-tech" is better, I worked for an armoured truck service a few years ago in a newly renovated branch building. security began with a large open space paved parking lot covered by live monitored cctv, the same for the personell entrance, which was controlled by electronic locks operated at the manned cctv station. entrance was into an "airlock" to face another locked door and all visitors were manually frisked by an armed guard while under observation by camera. once frisked visitors were placed in an "interview room" cut off from the rest of the facility by an armoured door, if it was necessary for a visitor to enter the main area of the facility they were escorted by an armed guard at all times, when the only exit to the street for trucks was opened it was covered by armed guards, (shotguns or drawn pistols) vehicles entering came in via a fenced area through a remote controlled rolling gate and entry to the garage area was past an armed guard with drawn weapon and remote controlled door. no "electronic passes", "fingerprint scanners" etc. just cameras, mark one eyeballs and alert people with guns, all personell armed from management to us road dogs. even that was not perfect but it was simple and dependable. the actual money handling area was seperate and i'm not going to discuss that here, or anywhere.
"torture your password out of you and cut off your thumb."
Along the same lines, but old school.
when I was in the USMC stationed in Albany GA. If you lost your room key you were charged $10 to replace it. this was an issue (for drunken Marines who lost many more things than keys) untill we found out that any plastic card (drivers License, credit card, etc...) could actually open the door faster than a key.
I actually spent 4 months without a key for my own room at all, I could walk up to the door and open it without even breaking my stride, even easier when drunk.
I only paid the $10 fee at the end when I had to turn over the room with key to check off the base.
Ahhh good times, good time.
All this discussion of less then effective security systems reminds me of an old saying
'Trust not in fences for security but neighbours'
Apparently Yale (from memory) built a lock in the 1800s that was not pciked for about a hundred years, modern locks have been known to be pciked before released to the market due
All this discussion of less then effective security systems reminds me of an old saying
'Trust not in fences for security but neighbours'
'Trust not in fences for security but neighbors'
I'd never heard that one before... I like it!
Happy new year.
Local burglers are simply carrying around a bottle jack and lump of wood. Mount the jack horizontally in the door frame half way up with the wood as padding. You can then simply jack the walls apart , and either swing the door open or it breaks its hinges and falls off.
Conclusions: House locks have two uses :deterring the casual thief and reassuring the ignorant homeowner . Window locks on the inside are for reassuring the particularly dumb or particularly paranoid homeowners.
Oldie but a goodie, new money holding site for a number of banks in a particular area, roughly 10-20 million in storage at any time. Toughened walls, doors, glass, etc, etc. Over a three day weekend the thieves broke in through the roof, explaining to curious passerby's that they were repairing it. There were no reports to the police about this activity.
Three weeks later, when the events were being re-enacted for a TV show the local police station was flooded with helpful locals informing them that the robbers were back.
A revolutionary striker plate entering the market. Check out this site: www.sure-strike.com It's a new striker plate that not only self-adjusts to your door when it shifts season to season but it adds more security to your home. Awesome new product! You never have to adjust your old striker plate again and turning your deadbolt when your door is misaligned is so easy. Brilliant product!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.