How to Open a Padlock with a Coke Can
A nice tutorial on making and using shims to open padlocks.
Just in time for Christmas, a USB drive housed in a physical combination lock.
Embedded system vulnerabilities in prisons:
Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country’s top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in Las Vegas.
Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S., including eight maximum-security prisons, says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates. PLCs are the same devices that Stuxnet exploited to attack centrifuges in Iran.
This seems like a minor risk today; Stuxnet was a military-grade effort, and beyond the reach of your typical criminal organization. But that can only change, as people study and learn from the reverse-engineered Stuxnet code and as hacking PLCs becomes more common.
As we move from mechanical, or even electro-mechanical, systems to digital systems, and as we network those digital systems, this sort of vulnerability is going to only become more common.
In this demonstration, researchers photographed keys from 200 feet away and then made working copies. From the paper:
The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private—that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication—extracting a key’s complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S.
The design of common keys actually makes this process easier. There are only ten possible positions for each pin, any single key uses only half of those positions, and the positions of adjacent pins are deliberately set far apart.
EDITED TO ADD (7/26): I seem to have written about this in 2009. Apologies.
This creates far more security risks than it solves:
The city council in Cedar Falls, Iowa has absolutely crossed the line. They voted 6-1 in favor of expanding the use of lock boxes on commercial property. Property owners would be forced to place the keys to their businesses in boxes outside their doors so that firefighters, in that one-in-a-million chance, would have easy access to get inside.
We in the computer security world have been here before, over ten years ago.
Not an electronic wallet, a physical one:
Virtually indestructible, the dunhill Biometric Wallet will open only with the touch of your fingerprint.
It can be linked via Bluetooth to the owner’s mobile phone sounding an alarm if the two are separated by more than 5 metres! This provides a brilliant warning if either the phone or wallet is stolen or misplaced. The exterior of the wallet is constructed from highly durable carbon fibre that will resist all but the most concerted effort to open it, while the interior features a luxurious leather credit card holder and a strong stainless steel money clip.
Only $825. News article.
I don’t think I understand the threat model. If your wallet is stolen, you’re going to replace all your ID cards and credit cards and you’re not going to get your cash back—whether it’s a normal wallet or this wallet. I suppose this wallet makes it less likely that someone will use your stolen credit cards quickly, before you cancel them. But you’re not going to be liable for that delay in any case.
This safecracking robot tries every possible combination, one after another:
Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination “forbidden zones”, we reduced the number of possible combinations by about an order of magnitude.
Opening the safe took “just a few hours.”
Along the same lines, here’s a Lego robot that cracks combination locks. I wrote about another, non-Lego, brute-force combination lock cracker a few years ago. The original link is broken, but the project is here.
EDITED TO ADD (2/13): In this video, champion safecracker Jeff Sitar opens a similar safe by feel and sound in just 5 minutes and 19 seconds.
Inspector Richard Haycock told local newspapers that the possible use of the car lock jammers would help explain a recent spate of thefts from vehicles that have occurred without leaving any signs of forced entry.
“We do get quite a lot of car crime in the borough where there’s no sign of a break-in and items have been taken from an owner’s car,” Inspector Haycock said. “It’s difficult to get in to a modern car without causing damage and we get a reasonable amount of people who do not report any.
“It is a possibility that central locking jamming is being used,” he added.
Devices that block the frequency used by a car owner’s key fob might be used to thwart an owner’s attempts to lock a car, leaving it open for waiting thieves. A quick search of the internet shows that devices offering to jam car locks are easily available for around $100. Effectiveness at up to 100m is claimed.
I thought car door locks weren’t much of a deterrent to a professional car thief.
EDITED TO ADD (10/22): The thieves are not stealing cars, they’re stealing things left inside the cars.
EDITED TO ADD (11/10): Related paper.
In seconds.
Garage doors with automatic openers have always seemed like a lot of security theater to me.