Entries Tagged "locks"

Page 4 of 12

1971 Social Engineering Attack

From Betty Medsger’s book on the 1971 FBI burglary (page 22):

As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked. There was no padlock to replace, as they had done at a draft board raid in Philadelphia a few months earlier, and no one in the group was able to pick the lock. The break-in technique they settled on at that office must be unique in the annals of burglary. Several hours before the burglary was to take place, one of them wrote a note and tacked it to the door they wanted to enter: “Please don’t lock this door tonight.” Sure enough, when the burglars arrived that night, someone had obediently left the door unlocked. The burglars entered the office with ease, stole the Selective Service records, and left. They were so pleased with themselves that one of them proposed leaving a thank-you note on the door. More cautious minds prevailed. Miss Manners be damned, they did not leave a note.

Posted on February 5, 2014 at 6:02 AMView Comments

Scientists Banned from Revealing Details of Car-Security Hack

The UK has banned researchers from revealing details of security vulnerabilities in car locks. In 2008, Phillips brought a similar suit against researchers who broke the Mifare chip. That time, they lost. This time, Volkswagen sued and won.

This is bad news for security researchers. (Remember back in 2001 when security researcher Ed Felten sued the RIAA in the US to be able to publish his research results?) We’re not going to improve security unless we’re allowed to publish our results. And we can’t start suppressing scientific results, just because a big corporation doesn’t like what it does to their reputation.

EDITED TO ADD (8/14): Here’s the ruling.

Posted on August 1, 2013 at 6:37 AMView Comments

Bluetooth-Controlled Door Lock

Here is a new lock that you can control via Bluetooth and an iPhone app.

That’s pretty cool, and I can imagine all sorts of reasons to get one of those. But I’m sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found last year in hotel electronic locks?

Anyone care to guess how long before some researcher finds a way to hack this one? And how well the maker anticipated the need to update the firmware to fix the vulnerability once someone finds it?

I’m not saying that you shouldn’t use this lock, only that you understand that new technology brings new security risks, and electronic technology brings new kinds of security risks. Security is a trade-off, and the trade-off is particularly stark in this case.

Posted on May 16, 2013 at 8:45 AMView Comments

Shared Lock

A reader sent me this photo of a shared lock. It’s at the gate of a large ranch outside of Victoria, Texas. Multiple padlocks secure the device, but when a single padlock is removed, the center pin can be fully lifted and the gate can be opened. The point is to allow multiple entities (oil and gas, hunting parties, ranch supervisors, etc.) access without the issues of key distribution that would arise if it were just a single lock. On the other hand, the gate is only as secure as the weakest padlock.

EDITED TO ADD (9/14): A less elegant way to do the same thing.
A slightly different implementation of same idea: removal of any one lock allows locking bar to retract from pole and gate to open. And an interesting comment from someone who deals with this in his work.

Posted on August 29, 2012 at 6:37 AMView Comments

Unsafe Safes

In a long article about insecurities in gun safes, there’s this great paragraph:

Unfortunately, manufacturers and consumers are deceived and misled into a false sense of security by electronic credentials, codes, and biometrics. We have seen this often, even with high security locks. Our rule: electrons do not open doors; mechanical components do. If you can compromise the mechanisms then all the credentials, encryption, fingerprint readers, and other gizmos and gimmicks mean nothing.

In other words, security is only as strong as the weakest link.

EDITED TO ADD (8/13): DefCon 19 talk on the security of gun safes.

Posted on August 3, 2012 at 12:57 PMView Comments

Making Handcuff Keys with 3D Printers

Handcuffs pose a particular key management problem. Officers need to be able to unlock handcuffs locked by another officer, so they’re all designed to be opened by a standard set of keys. This system only works if the bad guys can’t get a copy of the key, and modern handcuff manufacturers go out of their way to make it hard for regular people to get copies of the key.

At the recent HOPE conference, someone made copies of these keys using a 3D printer:

In a workshop Friday at the Hackers On Planet Earth conference in New York, a German hacker and security consultant who goes by the name “Ray” demonstrated a looming problem for handcuff makers hoping to restrict the distribution of the keys that open their cuffs: With plastic copies he cheaply produced with a laser-cutter and a 3D printer, he was able to open handcuffs built by the German firm Bonowi and the English manufacturer Chubb, both of which attempt to control the distribution of their keys to keep them exclusively in the hands of authorized buyers such as law enforcement.

[…]

Unlike keys for more common handcuffs, which can be purchased (even in forms specifically designed to be concealable) from practically any survivalist or police surplus store, Bonowi’s and Chubb’s keys can’t be acquired from commercial vendors. Ray says he bought a Chubb key from eBay, where he says they intermittently appear, and obtained the rarer Bonowi key through a source he declined to name. Then he precisely measured them with calipers and created CAD models, which he used to reproduce the keys en masse, both in plexiglass with a friend’s standard laser cutter and in ABS plastic with a Repman 3D printer. Both types of tools can be found in hacker spaces around the U.S. and, in the case of 3D printers, thousands of consumers’ homes.

EDITED TO ADD (7/29): Interesting comment.

EDITED TO ADD (8/13): Comment from the presenter.

Posted on July 25, 2012 at 6:42 AMView Comments

Hacking BMW's Remote Keyless Entry System

It turns out to be surprisingly easy:

The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW’s on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car’s unique key fob digital ID and reprogram a blank key fob to start the car. It took less than 3 minutes to accomplish the feat. (That said, despite their sophistication, the thieves were, comically, unable to thwart the surveillance cameras, though they tried.)

[…]

Jalopnik reports that BMW thieves are likely exploiting a gap in the car’s internal ultrasonic sensor system to avoid tripping its alarm when they access the car.

But there’s another security flaw in play. The OBD system doesn’t require a password to access it and program a key fob. According to Jalopnik, this is a requirement in Europe so that non-franchised mechanics and garages can read the car’s digital diagnostic data.

More details here.

Posted on July 13, 2012 at 6:51 AMView Comments

Russian Nuclear Launch Code Backup Procedure

If the safe doesn’t open, use a sledgehammer:

The sledgehammer’s existence first came to light in 1980, when a group of inspecting officers from the General Staff visiting Strategic Missile Forces headquarters asked General Georgy Novikov what he would do if he received a missile launch order but the safe containing the launch codes failed to open.

Novikov said he would “knock off the safe’s lock with the sledgehammer” he kept nearby, the spokesman said.

At the time the inspectors severely criticized the general’s response, but the General Staff’s top official said Novikov would be acting correctly.

EDITED TO ADD (7/14): British nukes used to be protected by bike locks.

Posted on June 27, 2012 at 6:30 AMView Comments

Interview with a Safecracker

The legal kind. It’s interesting:

Q: How realistic are movies that show people breaking into vaults?

A: Not very! In the movies it takes five minutes of razzle-dazzle; in real life it’s usually at least a couple of hours of precision work for an easy, lost combination lockout.

[…]

Q: Have you ever met a lock you couldn’t pick?

A: There are several types of locks that are designed to be extremely pick-resistant, as there are combination safe locks that can slow down my efforts at manipulation.

I’ve never met a safe or lock that kept me out for very long. Not saying I can’t be stumped. Unknown mechanical malfunctions inside a safe or vault are the most challenging things I have to contend with and I will probably see one of those tomorrow since you just jinxed me with that question.

Posted on May 29, 2012 at 6:03 AMView Comments

1 2 3 4 5 6 12

Sidebar photo of Bruce Schneier by Joe MacInnis.