How The Lock Industry Put Its Head In The Sand, Rather Than Deal With Vulnerabilities To Locks
from the bump,-bump-away dept
We've discussed in the past how locksmiths are apparently upset that geeks online have revealed that lockpicking is really easy, but it's not just the locksmiths. It's the lock makers themselves. Wired has a fascinating article about one of the world's most well known lock picker, who makes it a practice to publicly expose how vulnerable certain locks are. Not so long ago, he and a colleague figured out how to quickly open Medeco locks, which many had considered to be the most secure locks of all -- and are used all over the world in gov't high security buildings. So how has Medeco responded? Basically by trying to ignore the guy... then to insult him and then to discount what he clearly has done. It's just like software companies who try to deny software vulnerabilities, except that it's much easier to patch some software that to patch a vulnerable lock. While many in the lock world are apparently pissed off at this guy, Marc Weber Tobias, they should be happy that he's making sure the locks are really secure. Because, you can pretty much be assured that he's not the only one doing all of this -- but the others who are figuring it out aren't talking about it, but are using the knowledge to their own advantage.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: lock picking, marc weber tobias, obscurity, security
Companies: medeco
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
Locks are really intended to keep out the casual thief, someone who would just walk in. Most people are not going to pick locks or bust down a door to get in, they aren't interested in attracting attention to themselves. Think of doorlocks as a solution that is 99% effective. The last 1% will get in pretty much no matter what you do.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
Such as?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
If you've been told (by the manufacturer) that the lock takes at least half an hour to pick and you have fifteen-minute security patrols you're going to feel pretty safe, right.
You're not going to feel quite so safe when Marc Weber Tobias walks in and picks that lock in fifteen seconds.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
If it were simply the case that locks are there to keep out someone who would otherwise just stroll in, but can't be bothered forcing a door, then all locks would be simple ones. But they're not.
Some people, and companies, have gone out of their way to use locks that are supposedly hard to pick or otherwise force. And apparently, they're not that hard to pick or force at all. It's an important thing that the manufacturers and consumers need to realise, rather than just ignore.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
You don't need locks to keep honest people out.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Locks
[ link to this | view in chronology ]
Re: Locks
This little cliche never made any sense to me. An honest person wouldn't enter someone's home uninvited regardless of whether there was a lock or not.
[ link to this | view in chronology ]
Uhhh... Article Fail.
Why the fuck is this on Techdirt?
[ link to this | view in chronology ]
Re: Uhhh... Article Fail.
[ link to this | view in chronology ]
Re: Uhhh... Article Fail.
[ link to this | view in chronology ]
Re: Uhhh... Article Fail.
The Wired article is new and does a good job relaying the story, and adding a bit to it, showing the guys actually break the locks, after Medeco denied it was possible.
Why the fuck is this on Techdirt?
Because I found it interesting. We're not a news site, but a discussion and opinion site. I thought it was an interesting concept that deserved some discussion. Apparently you feel otherwise.
[ link to this | view in chronology ]
Re: Re: Uhhh... Article Fail.
Your blue background highlights should be flashing. Don't make me contact Mr. Ho to have it actually done for you, as that would be a disappointment for all here.
[ link to this | view in chronology ]
Re: Re: Uhhh... Article Fail.
[ link to this | view in chronology ]
Re: All comments to my comment.
@ Mike: Umm, maybe you missed the Wired article when Medeco first responded. They crunched the numbers and worked to figure out how many different keys it would take to bump the locks. Then, they were faced with the Medecoder tool that was disclosed responsibly to them. They met with the person and have begun putting the milled(rather than broached) pins in the new locks. Not exactly ignoring the issues...are they?
As for your insinuation in the original post that others are not talking about it... Perhaps look up how many talks have been given at conventions in the past 5 years related to locks, responsible disclosure, access control, lock forensics(I just attended a talk on that), and other similar issues(or just go to a forum). Plenty of people are talking about it. And there has not been a surge in crime(nor is it even reasonable to suspect such). For a thief, what is easier, picking a lock and being hunched down in front of a house, or breaking a window and walking right in? This is all without mentioning that Medeco locks have been picked since... before I got into lockpicking(ca. 2004). Not exactly something surprising.
It was an interesting concept that deserved discussion 2 years ago, now it is just over played and sensationalized. Congrats.
[ link to this | view in chronology ]
Re: Re: All comments to my comment.
They refused to take part in the experiment run here and the article described plenty of stuff that was happening in the space. We had not discussed it here, and I thought it was interesting, so I wrote about it.
Once again, this site is my site, and I write about what I find interesting. This was interesting to me. And, given the comments from others -- to plenty of others as well.
It's great that you're so knowledgeable on the subject. It would have been nicer if rather than a pointless insult, you actually added to the conversation.
[ link to this | view in chronology ]
Re: Re: All comments to my comment.
No he didn't. Read the book again.
[ link to this | view in chronology ]
Tamper evident
As long as the lock shows evidence it has been bypassed then its a good lock.
If I wanted to stop someone from geting into my house I would fill my door and walls with concrete, install extra strong hinges and motion detection security cams with email notification. (or a security guard)
[ link to this | view in chronology ]
Re: Tamper evident
[ link to this | view in chronology ]
Re: Re: Tamper evident
[ link to this | view in chronology ]
Re: Re: Tamper evident
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Locks
Thank you.
[ link to this | view in chronology ]
Re: Locks
To be entirely honest with everyone, unless you are a *very* important person(who should have other security measures than locks) or a large, influential company, you do not need to worry too much about surreptitious entry. The amount of break-ins that involve lockpicking or bumping are still such a small percentage of the whole that they should not be a huge concern to the average, everyday homeowner.
(My front door has a simple Schlage deadbolt pinned up with two security pins, I am not worried about my lock being picked but rather my front window being smashed, or one of the ones on the side of our house.)
[ link to this | view in chronology ]
Kinda funny how that works.....
[ link to this | view in chronology ]
Re: Kinda funny how that works.....
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Locks and Bagels
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Disk locks
As for the Abloy Protec, the only real way to get in is to bypass the lock(has been fixed after it was brought to Abloy's attention) and the destructive method that can be found on YouTube(involves significant damage to the lock). In the US you may have trouble sourcing them, but there are a decent number of locksmiths that carry them.
Another lock to look into is BiLock, which uses two rows of pins and a sidebar system, as far as I know, it has never been picked or decoded when fully pinned(though, someone has worked out a system for certain pinnings, it does not work all the time).
[ link to this | view in chronology ]
Interesting Article
I've lost the skill since then since I haven't had a use for it... but it really opened my eyes.
[ link to this | view in chronology ]
"Gov't high security buildings?"
[ link to this | view in chronology ]
Medeco's Response
Just wanted to point that Medeco's head is not completely in the sand on this stuff (though it may be in Marc's case). If you're interested in my tool and the company's response, check out http://theamazingking.com/medecoder.html
[ link to this | view in chronology ]
Kicking Down Sandcastles
Let's see these hackers and lock pickers design a better lock instead of just saying the best locks in the world are not good enough.
Medeco has earned the UL 437 rating. That means that it is good enough for the insurance companies.
It is not easy to get a UL 437 rating and they should have earned your respect for investing the money, time and expertise in making one of the best locks in the world.
I am not a Medeco dealer. I prefer Mul-T-Lock. I realize that if I am called out to open a door for a customer and there is a UL437 rated lock on the door I am not picking that lock. I am opening the door using a bypassing technique.
I look forward to seeing the perfect lock that Marc Weber Tobias invents - if he ever does.
[ link to this | view in chronology ]
Re: Kicking Down Sandcastles
As for designing better locks, there are ongoing efforts in the community to do just that. The problem is that megacorporations like Assa-Abloy dominate the market. They generally deny that there is a problem with the current locks. The result is an industry that cares more about making sure their patents stay current than security (see Medeco m3, Schlage Primus XP and MTL Interactive for examples). Designing locks is all good fun, but if they don't hit the market there isn't much point. Not to mention that hackers/locksporters aren't nearly as interested in money as they are in creative problem solving.
On the subject of UL437, it is failed standard from this perspective. One can argue that it was never meant to address dedicated attackers using unconventional methods, however.
Your line about "respect" caught my eye. Has Marc not earned your respect for investing the money, time and expertise in defeating one of the best locks in the world?
Also, it is generally recognized that locksmiths will not be using these experimental techniques and advanced tools (in other cases) on calls. The threat perspective that security researchers usually take is that of a well-funded sophisticated attacker (an intelligence agency for example).
[ link to this | view in chronology ]
Still Kicking Down Sandcastles
The skeleton key forced the industry to re-invent the lock and key. Bit keys were excellent security when they were first used.
When knowledge of skeleton keys became common people had to pay locksmiths to change their locks.
The saw-toothed para-centric key, commonly used today is being replaced by high security UL437 rated keys. High security locks and keys are not perfect.
Locksmiths keep secrets to protect their customers.
People who tell burglars how to get past locks are only helping the burglars, not earning my respect. If only he could keep a secret...
[ link to this | view in chronology ]
Re: Still Kicking Down Sandcastles
The ethics of disclosure are far more complex than the old guard trade-secrets mentality that most locksmiths have. Hackers and locksporters understand this which is why there is a constant debate about the impact of releasing various findings.
Let make this a little more personal. If I had a special tool that would allow the easy opening of the lock on your business (MTL I assume), would you want to know about it? If the company refused to fix or even acknowledge the problem; do you, as a consumer and dealer, have the right to know? Or should I just keep my mouth shut and hope that no one else figures it out that has ill intent?
For inspiration, look at the world of academic cryptanalysis. If a vulnerability is found in a cipher, it is generally published and modifications are made or a new one is used. The timeline for fixing the problem is shorter but the concept is exactly the same. The result is an improvement to the state-of-the-art in both attack and defense. The advantage is that the attack is no longer useful for the bad guys who aren't talking about it.
I'm not arguing for or against the release of a particular exploit. Just pointing out that the situation is more complicated than the typical locksmith stance: "just keep it a secret".
[ link to this | view in chronology ]
Re: Re: Still Kicking Down Sandcastles
If we tell the burglars how to exploit a vulnerability then we will have hundreds of thousands of burglaries instead of just a few.
There is no quick fix, like changing a cipher. Once the lock is improved it is often advertised as being superior to the prior model.
I just read an article saying that UL437 standards are not useful because they are not stringent enough for the author. In fact, the requirements of UL437 are simpler than one would expect - still they satisfy the insurance companies.
Remember that locks meeting the UL437 requirements are the best locks in the world. The manufactures have spent tens of thousands of dollars testing them against professional standards.
If the best locks in the world are not good enough then what are you really suggesting? Don't lock your door?
When better locks are available we offer them in place of the older locks. Some people are willing to invest in the better locks, some are not.
I am happy to recommend Mul-T-Lock products to my customers. My customers have not experienced a successful attack through this lock.
If you discover a tool that can open locks - let's call it a Sonic Screwdriver - should high security companies inform the public about this device? No of course not. Don't tell anyone! Behind closed doors attack the makers of this product. Anyone who makes burglary tools and sells them to the general public should be charged.
It is easy to kick down a sandcastle. It is much harder to build a better one to take it's place. In the meantime there is no sandcastle.
The lock manufactures are being blamed because an old picking technique has become public knowledge. '999' or lock bumping. Picking isn't new. The information that is now public is not new. Nothing has really changed except the public is aware that locks can be picked.
Mul-T-Lock has always been bump resistant. For many years it was un-pickable. Then some locksmiths invested hundreds of hours learning to pick the un-pickable locks.
Mul-T-Lock immediately improved it's pick-resistance. Adding top pins that create a false shear line. Then adding mushroom shaped bottom pins. More recently adding a pin that splits apart when bumped.
Cordless drills have become more powerful in the last few decades so Mul-T-Lock added stainless steel pins to make it harder to drill the cylinder.
When I reviewed high security locks to sell I became very impressed with all UL437 cylinders. They offer more quality than most common cylinders and great ideas to prevent unauthorized key copying, drilling and picking of the cylinder.
I chose Mul-T-Lock to sell because it offered more features to my customers. This has become more true over the years as Mul-T-Lock has improved it's products.
My question: "If the best locks in the world are not good enough, what do you recommend we replace them with?"
[ link to this | view in chronology ]
Re: Re: Re: Still Kicking Down Sandcastles
The only reason you or any other locksmith respects UL437 and ANSI 156.30 is because they are the ONLY high-security standards in the US. There is no alternative. Our issue is with the picking portion of the standard: 10 minutes of resistance using commercial tools. Who takes a stab at it? Is it a handful of crusty old ALOA locksmiths that think Medeco and MTL are pickproof? I can tell you that almost all of the UL437 locks have been picked by our community in under that time; sometimes with normal commercial tools as well. The main problem is that it does not address dedicated attackers that build their own tools or find vulns. Coincidentally, this standard is used by organizations that have exactly those sorts of adversaries to be concerned about.
I find it odd that you brought the bumping thing up. Most of us don't care about bumping at all. That said, the release of the technique did get a ton of publicity and directly resulted in lots of replacements and very few burglaries. Not to mention, the two largest residental lock companies (Kwikset and Schlage) now have bump-proof locks on the shelves of Home Depot for a decent price because of it. As for your stance that lockies knew about it; we perfected it and opened a ton of high-sec cylinders. You guys did not know about the minimal-movement method which is substantially more effective. Also remember that YOUR locksmith supply websites were selling (to the public) pickguns that work like bumpkeys long before bumping was disclosed.
The entire theory that we are just stealing super-secret locksmith info and releasing it is completely bogus. Here is a quick list of stuff you guys had/have no clue about: Medecoder, Michaud MTL overlift, Protec padlock vuln, Bilock vuln(unreleased), Smartkey decoding, Securekey decoding, Abus disc impressioning.
There is much more, but that'll do for now. We don't fault locksmiths for not looking for vulnerabilities these days. You guys have a business to run. On the other hand, we have all the time in the world to analyze and report.
"If the best locks in the world are not good enough, what do you recommend we replace them with?"
The answer is better locks or improved versions of the current locks. UL437 covers everything from Mul-T-Lock to Abloy Protec. The security in regard to picking is not even comparable between these. Protec is a far far better lock if pick resistance is a consideration. After MTL fixed the Michaud overlift problem, they got a lot better but are still quite pickable using the H&M tool.
Personally, I recommend Abloy Protec or Evva MCS. Assa makes good locks as well, but those two are the best right now.
If society settled for the "best locks in the world" and called it good; we would all still be using thieves knots to secure our doors.
[ link to this | view in chronology ]
Re: Re: Re: Re: Still Kicking Down Sandcastles
'"If the best locks in the world are not good enough, what do you recommend we replace them with?"
The answer is better locks'
By definition there are no better locks then the best.
You are telling burglars how to break into our homes and businesses. You could have chosen to tell the lock manufactures only - giving them time to improve their products before burglars found out.
Do a Google search for "Medecoder" and the first hit is "Build your own Medecoder".
Are you proud of teaching burglars how to defeat our best locks? You sound proud.
Locksmiths are proud of being able to protect people and belongings. Yes we need new techniques. Perhaps one is to pass a law against groups that expose and publish break and enter techniques.
I can tell you from personal experience that Toronto locksmith suppliers do not sell pick guns, picks or other locksmith tools to the general public. They quickly get a service call from a police office if that happens. It is easy to enforce local laws.
I still have no idea what you are trying to do. There is no benefit to society from your public display of defeating locks.
Are you trying to help me sell alarm systems?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Still Kicking Down Sandcastles
Actually, the first hit for your very specific query (without quotes or capital is different) is the medecoder page. The very first part of that page is about upgrading your locks.
Find me one burglary involving a medecoder and I'll buy you a beer. I'm more interested in getting locks upgraded from attacks by sophisticated and well-funded attackers; not thugs with a crack habit. My pride comes from discovering a 25 year old vulnerability and getting it fixed.
Trying to solve a technical problem with a legislative solution is silly. Do you think that dedicated people with an actual passion for locks are going to stop because a group of locksmiths lobbied to get a law passed? I'm not even going to go into how fascist a law like the one you proposed is.
Well great, I guess burglars that walk into a locksmith supply store in Toronto are screwed. The rest of the world has the internet.
We don't expect locksmiths to understand. Locksmiths don't spend all night hunched over a disassembled cylinder measuring tolerance errors looking for a way in. Locksmiths have invested too much money in their high-sec product lines to fathom a vulnerability. Locksmiths don't care about the far more secure locks used in Europe. Locksmiths don't tell the public that the American 5200 padlock they just bought has an easy bypass so they can protect themselves. Locksmiths don't care about locks. Just keep selling what the manufacturers send you and leave the technical work to us.
You joke about selling alarm systems. Frankly I think its a good idea to have one. Everyone knows that the bad guys are coming in by force not an elegant surreptitious attack they read about on the internet.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Still Kicking Down Sandcastles
Many locksmiths I know are well aware of bypassing and opening techniques. We are an organized and educated profession. Many of us became locksmiths because we have an interest in locks and opening them. Just because you found a vulnerability in a lock does not mean you are the first. Making the vulnerability public does not make you Robin Hood.
Real people get burgled. Real people have their prised possessions scattered around their house and lose thousands of dollars of valuables in burglaries. Real people.
That is why locksmiths are not so quick to tell the public "this is how you defeat this lock". We often help clean up the mess after a burglar has left.
Yes padlocks can be opened, and no I don`t tell my customer`s that it is possible for a padlock to be opened with bolt cutters. I also do not tell my customers that the lock they are buying is perfect.
I sell peace of mind. The old lady who is worried that a burglar is going to hurt her dog sleeps better believing that bad men cannot open her door. Why do you want to take that away?
Instead of tearing down the products that people have built, why not try to improve them. Work within the system. Don't kick down the sandcastle, grab a pale and put up a new turret.
Here is an example from my career: Mul-T-Lock keys have a larger plastic head than most keys. Since I also sell access control systems I recommended Mul-T-Lock add a proximity keyfob in the head of their keys. It took years, but now we have the Synerkey. Three keys in one!
It is not perfect but people like to have less keys in their pockets. It does the job.
Should we start talking about alarm system bypassing techniques?
There is a saying that I keep in mind when someone asks me if a lock is un-openable: Made by man, broken by man. Every lock that will ever be made will have a weakness.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Still Kicking Down Sandcastles
Although its a fine ethical line to walk; public disclosure gets things fixed. Some company have the view that if most don't know about it, its not a problem. Combine this with the expense of implementing a fix and you have an ignored vulnerability after reporting it. By contacting a company early and working out a release date together, it ensures a fix will be made. During this process, however, it is important to not involve money. My opinion is that when money enters the equation, it strays too close to extortion and calls into question the ethics of both parties.
Of course we are not the first to discover some vulns (although in many cases we are). I was simply making the point that we don't go browsing copies of locksmith newsletters and releasing the juicy parts. Its not about being Robin Hood; its about informing the consumer that a better lock or an upgrade is available. We have no stake in any particular brand and thus can provide unbiased information.
Details are released for a few reasons. People are generally skeptical of what they read. If I said "MTL is vulnerable, buy Protec"; you'd laugh at me. If I handed you a well-written whitepaper with photographs and a technical explanation of the problem, you'd take it a little more seriously. Other companies would be less likely to make similar design flaws. Details also allow for an improvement in the attacker state-of-the-art so that the improvement cycle can continue.
Peace of mind is not security. When a customer comes to you, they are looking for security. They aren't looking for lies to make them feel safer. I hope you don't take this same approach when .gov .mil and .com come looking for locks.
Excellent job on getting the prox feature added to MTL keys. The electronic side of things is emerging fast and is providing a sort of stop-gap for mechanical vulns. This technology must remain nimble, however. Once the hackers take notice, we should expect problems to be found and hopefully fixed.
As for alarms, there is already a cat-and-mouse game happening between the manufacturers and crooks. Alarm systems have the advantage of being a little more difficult to reverse engineer than mechanical locks. With locks, literally anyone and buy one, take it apart, and look for problems. Alarm systems tend to be a bit tougher to do this to. I'd like to see a sort of 'alarmsport' emerge but we haven't focused on the disclosure ethics for something like that yet.
Your saying is quite true and I keep that in mind when looking for issues. If we can find the obvious weaknesses, raise awareness, get them fixed, and recommend better alternatives; the result is improved security.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Still Kicking Down Sandcastles
My residential customers need more education. A good lock is a good start - the window beside the door also needs fortification.
Government, military and commercial customers are more aware of their vulnerabilities. Often the lock is the strongest part of their security system.
Government and military don't depend on a lock for security. They depend on human guards. That opens a whole other discussion about how dependable a human being is.
A good security system is like an onion. Layers make it difficult for a burglar to achieve his goals. A good lock, even if it is not UL437, an alarm system to let you know when the door has been opened and a safe for what the burglar really wants is a very effective system. These are all products that I sell.
Peace of mind is different.
I am sure the little old lady knows that a burglar can come in through the window she keeps open at night, but the burglar came through her front door last time. She needs a good night sleep, not top of the line security or a perfect lock.
Many customers are only looking to do their due diligence so their insurance company will cover their losses.
Peace of mind is not security. A full security system is too much for most people. All they want is peace of mind that they are not the easiest target.
It has been a pleasure discussing locks with you. All the best in your endeavors.
[ link to this | view in chronology ]
locksmith
[ link to this | view in chronology ]
Re: locksmith
We are open to suggestions.
Have you seen the SNL skit about the economy? "Fix it!"
Sometimes it feels like that in the lock industry. We know about the problems, recommend solutions, and the feedback we get from the public is "Fix it!"
There is a small fact that humans are resourceful animals who can figure out new ways of opening locks. That fact is not going to change because of a new lock design.
There are bigger problems in the industry than really good locks being less than perfect.
For one, there are look-a-like locks being sold to the public. These "locks" are designed to fool the consumer into thinking they have a measure of security. They often fail to keep the door closed when attacked.
Security locks that we, the professional locksmith, recommend you install on all exterior doors, are not being opened by burglars.
[ link to this | view in chronology ]
certification
[ link to this | view in chronology ]
Coming out of the Sand
In 2013 we will launch new products based almost entirely on the hundreds of ideas given to us by locksmiths around the world. We welcome the challenge and understand we will ultimately be defeated but in the long run, we're creating the best product with the help of the best people in the industry. These are locks want to take a beating.
patrick smith
commando lock company
[ link to this | view in chronology ]
Re: Coming out of the Sand
That is a great attitude and you make a good looking padlock.
I look forward to seeing what you come up with in 2013.
If you start making a deadbolt for residential and commercial doors I might be able to sell it for you.
[ link to this | view in chronology ]