Lock Designs for Government and Commerce: Deconstructing Insecurity

Video thumbnail (Frame 0) Video thumbnail (Frame 2299) Video thumbnail (Frame 3387) Video thumbnail (Frame 5689) Video thumbnail (Frame 8075) Video thumbnail (Frame 10119) Video thumbnail (Frame 11665) Video thumbnail (Frame 16764) Video thumbnail (Frame 18357) Video thumbnail (Frame 19969) Video thumbnail (Frame 21277) Video thumbnail (Frame 24256) Video thumbnail (Frame 28475) Video thumbnail (Frame 29782) Video thumbnail (Frame 31183) Video thumbnail (Frame 33152) Video thumbnail (Frame 34473) Video thumbnail (Frame 36775) Video thumbnail (Frame 39148) Video thumbnail (Frame 41105) Video thumbnail (Frame 43214) Video thumbnail (Frame 46071) Video thumbnail (Frame 49213) Video thumbnail (Frame 50155) Video thumbnail (Frame 51110) Video thumbnail (Frame 52595) Video thumbnail (Frame 57192) Video thumbnail (Frame 58215) Video thumbnail (Frame 62536) Video thumbnail (Frame 63602) Video thumbnail (Frame 65828) Video thumbnail (Frame 66832) Video thumbnail (Frame 68113) Video thumbnail (Frame 69260) Video thumbnail (Frame 71258) Video thumbnail (Frame 72389)
Video in TIB AV-Portal: Lock Designs for Government and Commerce: Deconstructing Insecurity

Formal Metadata

Title
Lock Designs for Government and Commerce: Deconstructing Insecurity
Subtitle
An Analysis of design failures that can affect the security of critical infrastructure and result in legal liability for manufactures
Alternative Title
Insecurity: An Analysis Of Current Locks
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Lock manufacturers continue to produce insecure designs in both mechanical and electro-mechanical locks. While these devices are designed to provide secure access control to commercial and government facilities, in fact many do not. Recent disclosures with regard to extremely popular push-button locks have led to an expanded investigation into their technology and security by our research team. As a consequence, it appears that mechanical locks, as well as electro-mechanical locks that are compliant with government standards, may be subject to several different forms of compromise, thereby placing commercial and government facilities at risk. In this presentation, we will examine specific design parameters that are supposed to provide a high level of protection against covert entry for both commercial and government facilities, but do not. It would be logical to assume that the electronics and physical hardware within physical access security devices would work together and present a high level of difficulty in circumventing the requirements of these standards. Our research has disclosed that such is not the case in certain devices. Our investigation with regard to a specific manufacturer of extremely popular hardware discloses a lack of understanding with regard to security engineering and an inability to produce hardware that is immune to different forms of attack. We document three serious occurrences of security engineering failures with regard to different product designs, all intended to provide a certain level of security for commercial and government facilities. We will examine different designs, both mechanical and electronic, and why there is a basic failure in the most basic fundamentals of designing a secure device. Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues. Marc has authored five police textbooks, including Locks, Safes, and Security, which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online. Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA, American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Tool mark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA). Matt Fiddler is a certified and registered locksmith and Security Professional with over 19 years of experience. Mr. Fiddler's research into lock bypass techniques have resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 19 years enhancing his extensive expertise in the areas of Covert Entry Tool Design, Physical Security Consulting, Computer Forensics and Intrusion Analysis. Born in Caracas, Venezuela, Tobias came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass, custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".
Slide rule Group action State of matter Multiplication sign Videoconferencing Software testing Mathematical analysis Figurate number Office suite Information security Vulnerability (computing)
Revision control Simplex algorithm Synchronization Multiplication sign Right angle
Ramification Standard deviation Game controller Building Group action Presentation of a group Observational study View (database) Mereology Thomas Kuhn Number Product (business) Zugriffskontrolle Revision control Mechanism design Arithmetic mean Simplex algorithm Different (Kate Ryan album) Energy level Statement (computer science) Information security Social class Complex analysis Standard deviation Building Mathematical analysis Control flow Group action Product (business) Data management Integrated development environment Personal digital assistant Radio-frequency identification Synchronization Website Self-organization Social class Information security Electric current
Ocean current Standard deviation Standard deviation Line (geometry) Multiplication sign Reflection (mathematics) Physicalism Line (geometry) Power (physics) 2 (number) Latent heat Arithmetic mean Self-organization Software testing Whiteboard Information security Associative property Proxy server Information security Vapor barrier
Medical imaging Arithmetic mean Dependent and independent variables Touchscreen Video projector Telecommunication Expert system Representation (politics) Information security
Ocean current Standard deviation Group action Proxy server Variety (linguistics) Correspondence (mathematics) Multiplication sign Real number Maxima and minima Mathematical analysis Client (computing) Rule of inference Vibration Number Product (business) Element (mathematics) Mathematics Different (Kate Ryan album) Videoconferencing Software testing Statement (computer science) Proxy server Information security YouTube Installable File System Rule of inference Curve Information management Standard deviation Information Point (geometry) Maxima and minima Line (geometry) Measurement Product (business) Category of being Personal digital assistant Energy level Information security Address space
Greatest element Key (cryptography) 1 (number) Physicalism Bit 8 (number) Login Type theory Mechanism design Arithmetic mean Radio-frequency identification Synchronization Telecommunication Radio-frequency identification Synchronization Key (cryptography) Extension (kinesiology) Information security
Installation art Trail Key (cryptography) Military base Plotter Cartesian coordinate system Mechanism design Medical imaging Radio-frequency identification Synchronization Right angle Key (cryptography) Simulation Spacetime
Covering space Key (cryptography) Block (periodic table) Mereology Open set Neuroinformatik Telecommunication Blog Videoconferencing Right angle Figurate number Resultant Physical system
Slide rule Group action Proxy server Key (cryptography) Connectivity (graph theory) Range (statistics) Group action Mereology Rule of inference Spektrum <Mathematik> Product (business) Programmer (hardware) Goodness of fit Mechanism design Simplex algorithm Simplex algorithm Information security
Sign (mathematics) Email Standard deviation Group action Euclidean vector Multiplication sign Videoconferencing Combinational logic Computer programming Number Product (business) Social class
Group action Computer file Internetworking Multiplication sign Factory (trading post) Simplex algorithm Combinational logic Right angle Simulation Proxy server Order of magnitude Social class
Ramification Electric generator Proxy server Multiplication sign Client (computing) Mereology Cartesian product Flow separation Product (business) Software Personal digital assistant Telecommunication Computing platform Office suite Series (mathematics) Proxy server
Trail Slide rule Trail Proxy server Server (computing) Direction (geometry) Plastikkarte Attribute grammar Funktionalanalysis Code Product (business) Revision control Centralizer and normalizer Computer configuration Personal digital assistant Telecommunication Computer hardware Computing platform Energy level Game theory Information security Computing platform Hydraulic jump
Standard deviation Trail Game controller Connectivity (graph theory) Price index Parallel port Plastikkarte Information privacy Mereology Zugriffskontrolle Mechanism design Electronic meeting system Formal verification Smart card Information Process (computing) System identification Information security Physical system Identity management Personal identification number Standard deviation Ramification Uniqueness quantification Plastikkarte Physicalism Attribute grammar Line (geometry) Logic Personal digital assistant Telecommunication Interface (computing) National Institute of Standards and Technology Statement (computer science) Computing platform System identification Hill differential equation Formal verification Game theory Information security Physical system
Personal identification number Proxy server Code Multiplication sign Connectivity (graph theory) Plastikkarte Cartesian product Flow separation Open set Computer programming Pentagon Number Sign (mathematics) Type theory Term (mathematics) Factory (trading post) Order (biology) Energy level Key (cryptography) Information security Proxy server Information security Physical system
Personal identification number Key (cryptography) Code Forcing (mathematics) Multiplication sign Physical law Funktionalanalysis Mereology Product (business) Product (business) Sign (mathematics) Telecommunication Videoconferencing Backup Proxy server Macro (computer science)
Mechanism design Mechanism design Group action Multiplication sign Order (biology) Drop (liquid) Position operator Connected space
Newton, Isaac
Link (knot theory) Proxy server Link (knot theory) Multiplication sign Cartesian product Cartesian product Revision control Mechanism design Order (biology) Computer hardware Videoconferencing Proxy server Computing platform Vulnerability (computing)
Key (cryptography) Code Moment (mathematics) Online help Funktionalanalysis Device driver Login Cartesian product Open set Power (physics) Faculty (division) Factory (trading post) Order (biology) Proxy server Physical system
Building Trail Military base Set (mathematics) Data storage device Password Plastikkarte Code Open set Computer programming Physical system
Covering space Greatest element Code Connectivity (graph theory) Range (statistics) Physical law Mereology Complex analysis Coefficient of determination Message passing Process (computing) Different (Kate Ryan album) Operator (mathematics) Videoconferencing Asynchronous Transfer Mode Physical system
Personal digital assistant Physical law Statement (computer science) Videoconferencing Set (mathematics) Mereology Complex analysis 2 (number)
Group action Angle Multiplication sign Mereology Inverter (logic gate) 2 (number)
Software development kit Computer configuration Whiteboard Computer configuration Open set Computer programming
Personal identification number Computer configuration Series (mathematics) Open set
Revision control Type theory Code Factory (trading post) Videoconferencing Configuration space Mereology
Point (geometry) Radical (chemistry) Trail Ferry Corsten Videoconferencing Information security Cartesian product 2 (number)
Standard deviation CAN bus Vulnerability (computing) Execution unit Proxy server Maxima and minima Software testing Line (geometry) Information security Videoconferencing Information security Product (business)
my name is Mark Tobias this is our team Tobias blues Manus met fiddler we engage in the testing of mainly high-security locks we have a lab and we do testing for the major lock companies of the world to figure out how to open them when they can't be opened figure out vulnerabilities and then figure out how to fix them that's our primary mission my background is both as a lawyer and a criminal investigator for the Office of Attorney General in my state toby is a locksmith for many many years in Miami we wrote the medico book together a couple years ago when we when we broke that lock Matt fiddler is with our group for a long time also he works for a very large corporation on the East Coast doing security testing and we're going to talk today about a some engineering problems regarding one company as an example we're not intending to pick on this company we don't have any issues with them they've been around for a very long time but they're a prime example of what we call in security engineering and so we're going to go through a lot of slides and some video today to talk about design problems that can cause real problems both from a liability standpoint and from a security vulnerability standpoint and we're going to we've targeted for locks the company
that we're going to talk about today is Kaaba there are a Swiss company as I said they've been around for a very long time very respected company very competent of making things work we don't think they're quite so competent as in making them secure and we're going to look at four of their locks to talk about that so the four locks that we're
looking at today one of them we did last def con which is in the upper left hand corner which is called the Kaaba in sync it's an rfid-based lock and then we're going to talk about the push button lock that many of you may recognize upper right which is called the cop of simplex then we're going to talk about the two electronic versions of that lock which was really our target this year so the
markets does they design for access the access control market commercial buildings business complex government facilities and the real question is access control and exactly what does it mean and in our view especially because of the locks were going to talk about today it means access control and government facilities and high level commercial facilities that are secure environments so Cabo who are they the third largest lock manufacturer in the world and they have a very large presence in the United States as well as in Europe as I said they're based out of Zurich Switzerland they do have engineering expertise why is this important as we'll talk about there was a very major class action lawsuit that was filed November of 2010 against this company by a group of lawyers around the United States in regard to their simplex 1000 but lock which we'll talk about a little while so the Kaaba case study its engineering failures and the ramifications that flow from that engineering failures why are they important in lock design because they can lead to serious liability and breach of security and facilities and in this in this PowerPoint obviously will be on Def Con site it will be on our site so we have four different designs we're going to do an analysis of each of the designs and what the problem is so we
look at this as escalating in security defects and critical design so again we've got the Kaaba the mechanical push button lock the RFID lock and then two versions of their electronic lock which is essentially what's called the 55 thousand which is the electronic version of the kanika so our real problem and going through this today is a failure of imagination and it's not just Kaaba it's a lot of lock companies that we deal with around the world and the real problem is and we've talked about this on a number of Def Con presentations in the past it's the engineers go to engineering school to learn how to make things work properly but they don't know how to break them so that they can really make them secure so deficient or defective products it's an intersection of mechanical and security engineering both of them have to be there and the problem is that you can have a false sense of security especially if the standards organizations whether government or civilian say the lock is secure and fit for the purpose intended so what appears unfortunately secure is often not in our world and the real question for especially those of you that are security or risk managers how do you know the difference and there is an undue reliance on the standards and that is part of the problem there's also a problem of misrepresentation by a lot
of manufacturers Matt so we've talked about this before but typically physical security or locks are the first line of defense often times they're the only security layer we talked in detail about us standards underwriter laboratories and bhma in the past and and specific lock manufacturers adherence to those standards and reliance and ultimately you as the consumer how do you know if those locks are secure yeah the real problem we're going to they're going to switch the power so we're going to break for like one second here the real problem is that and I'm on one of the underwriters laboratories testing boards for locks and safes the real problem is all of you in an organization that by locks based on standards and they don't test for the kinds or most the kinds of bypass at acts that we use to open these locks mainly covertly so the standards can be essentially meaningless we've petitioned the builders hardware manufacturers association to change the high-security standard to reflect current attack technologies okay go ahead go you guys go ahead and cut your power or switch it over yeah now we're stretched okay we
just crashed Hoover Dam the lights are dimming in Las Vegas okay this is perfect no this is the blue screen of death on the projector okay so so the
real question is what is secure mean and the supposed to projector will catch up with us to find the image so manufacturers of locks have really unique responsibilities one they obviously have to understand mechanical engineering and electronic engineering but more importantly they have to understand security engineering because if the lock isn't secure we don't care how well it works it doesn't do what it's supposed to do there are implied representations by every lock manufacturer and that is that we are experts when you buy a lot from a company like Kaaba assa abloy
ingersoll-rand which are the major lock
companies of the world you expect that they know what they're talking about and they know how to design locks often this isn't the case and the problem is that a lot of well all of the lock companies always claim we meet or exceed the standards the problem as we noted the standards may not protect you against some fairly non sophisticated methods of bypass so expertise is required mechanical engineering security engineering understanding minimal engineering standards when you design a lot and security engineering requirements means one that you test the products against curve methods of bypass and that you understand and know what those current methods of bypass are we employ a variety of techniques and our work to test locks for our clients and it's everything from shock vibration wires air magnets hair dryer which we open one lock with believe it or not notice no it's for real because the engineers never ever ever could believe that we could do this well in a very specific lock overseas because of the kind of elements they used as a locking device we were able to heat it up change its physical properties and open the lock so yeah they weren't really pleased with it when we found it opening a lock with a hair dryer dryer is not really cool from their standpoint it it was from ours so the bottom line is they need to understand bypassed techniques and that's why we get hired by a lot of different groups to figure out if there is a vulnerability because as a lawyer I can tell you and I tell my clients and have for a long long time if a lock is defectively designed from the security standpoint and somebody gets hurt Rob injured killed or information is compromised or damages done to property somebody's going to pay for it and what you all need to really keep in mind is all security is about liability other than in the government sector which doesn't have any liability generally because of sovereign immunity all security really comes down to liability if there's a breach in security somebody's going to pay for it so there's insecure products they're often as we're going to show you today often easily bypassed they use the standards as a measure but they're no measure products look great but they're not secure and the bottom line is they're placing your facilities at risk so we're going to talk about these locks briefly we prepare a number of videos there was an article that was published this morning by Forbes by Andy Greenberg their security correspondent that y'all might want to read and there's a number of videos that they uploaded to YouTube so we're going to go through how these locks are supposed to work and how they don't the first rule that we teach design engineers is the key never unlocks the
lock now everybody says what does that mean of course the key unlocks lock no it really doesn't the key actuates the mechanism that allows the lock to be unlocked either the bolt retracted the latch whatever the locking fastening mechanism is the key allows you to rotate or move that but generally the key doesn't do that the mechanism that the key actuates of that so what we do in our work is we figure out in layers of the tax which we developed when we attack the medico lock the top high-security lock in the United States a few years ago we developed what we call a layer attack so we isolated each security layer in the lock whether its electronic or mechanical we attacked and neutralized each layer and once all the layers are neutralized the lock opens so told me why don't you talk about this lockrey flee the kaaba in sync well the divine think the one that you're seeing
there is a and use a RFID key it's like a plastic key this is a deadbolt type you can see they both a little bit extended it's not too complicated you have an air RFID tag in the key the logs read that attack if he's programming to the lock the lock will open now we're gonna versa also on the bottom there is an USB port where you can program that lot oh no but see all you guys think we're going to defeat it electronically no no no that would be where he's a ones and zeros guy we're physical security guys okay so why would we always bypass the electronics we neutralize them we bypass so keep going tobe there's a USB port okay so the US before we're going to use cables but not wife why bother yeah okay
so this is a commercial lock this use we
were told even in military installation installations very easy to bypass we were really stunned how we bypass this is a cob accompany this is the first one we actually looked at so these are used
all over the world they were very proud and telling me how secure this was and that you're just not going to open it without the right key so it's got very wide application so here's how this lock
is supposed to work Toby the image 44 space we have to put it sideways but actually the but that you see in next to that big brown plot that bar is what protects that plot to rotate and what it
does is move away for within a small motor and then you can turn and actuate
the ball and open it all locked in the system so we're going through they know and they have to see the video right
okay okay so how does everybody think
that we open the lock you guys all figure we did it with a computer no no no mags and magnets are coming soon electronic lock okay self-contained battery operated they use this on the small RFID tag that is inside like a regular key to unlock unlock the debtor basically the inside the result walking bar that blocks the blog I'm going to be using a small wire to push that locking bar wait so we can turn the fly we're going to do that so by inserting a very small wire through the difficult part is to remove the cover that the the rubber cover I mean USB port is then you just have to leave that well by the way because of what we did this year with kava they told us that they fix yeah they fix this we haven't seen what they did but they told oh we fix it yeah now and the problem with all of this and it can be locked back up again to the problem with all of this
and it's not as i said just khabar we just happen to be in our target range this year other companies as you guys know if you've seen us before here we've gone after a lot of the companies because of the same problem so it's not unique to Kaaba at all so we looked at this lock the problem is not that they fixed it the problem is that they had to fix it in the first place and that's really the issue so now we're it's November 2010 well let's back step 2 2009 because we'll go across some of these slides this is the cava simplex 1000 this lock was developed in nineteen about 1965 it is the most popular mechanical programmable push button lock ever just quick show of hands who's seen this lock before yeah okay so you all know okay have any of you read my articles and Forbes about this lock no no good great perfect yeah they'll be very happy at Forbes to hear that okay perfect okay so did anybody read the New York Times about this lock no okay so here's the deal in 2009 in Brooklyn where there's a high orthodox jewish population these locks have found a niche market for the Orthodox because on the Sabbath they can't use keys okay that's just part of the rules in the Orthodox religion but they can use push button locks okay as crazy as that sounds that's the way it works you can't use anything on the Sabbath that you normally use during the week you can't drive a car you can't push buttons on an elevator so these locks have become incredibly popular in in the Orthodox community around the country okay good for khabar okay bad for khabar so there's a group of technicians in Brooklyn that I referred to in one of the articles I wrote as the Jewish geek squad they go around and help the elderly open their houses and they figured out they could do it with a with a rare earth magnet okay because there's a design defect in this lock and it's been sitting there since nineteen sixty-five because there weren't any rare earth magnets in 1965 they came around late seventies early eighties there were electromagnets but there weren't rare earth magnets okay however the manufacturer never retested this lock because they say yeah I were selling millions on what the hell do we care it's broken it's not broken why fix it yeah so the problem is that there was a ferrous metal component as will show you in this lock and let's go to this ok
this is the combination chamber that actually controls the programming when you push the buttons and you can push one button two buttons at a time and up to what seven I think five you can use is fight button yes find numbers you can use combinations between one through five you cannot repeat numbers but you can use combination of two numbers like two and four and then one you can know routine numbers there's okay so who's seen them at airports they're everywhere DoD do II I got tons of mail from nuclear power plants they want to know what the DL is ok because we put out the video that it could be open with a mag and they use that same chamber in some
more not that commercial more residential style and devil that's what also that same piece is also presenting ok so this is inside this is a macro of inside the combination chamber and this plate that you see that goes across all five rotors if you move that with a magnet you're going to open the lock now they've fixed this we don't like the fix but they have fixed it okay after not telling anybody about it for about five months they figured it out last year so what happens the Jewish Geek Squad is opening doors and one of them happens to talk to his lawyer in 2010 the lawyer says this is a class action lawsuit so khabar gets sued in a huge complaint that is going to set the standard in the lock manufacturing industry in the United States for defective or deficient product so this
is the magnet that opens the lock and actually I interviewed one of the plaintiffs and he told me that his 13 year old kid he gave him a magnet that he bought off the internet for fifty dollars and commanded him to open the lock didn't tell him how to do it commanded him you know like in the Bible or the Torah I command you to open this lock four minutes later the 13 year old kid had the lock open that's when I went public with this because it's such a threat so class action lawsuit was filed
here's the deal lomo use this is a clutch lock the dip the right combination factories two and four at the same time three we can open the lock once if we're making a mistake every time that we depress the lever it resets so we can enter the right combination again okay so on the clock as well said this easily bypass using the magnet and have the magnitude scrap in the bag just going to depress the lever the lock is hope that's yeah that's a big problem
and that was that so our office initiated an investigation separately were not hooked up with the lawyers in this case we weren't involved in the litigation I've met with a lawyer several times to get a briefing because all of our clients were concerned about the liability issue that this raises because this is leveled across coppa millions and millions of dollars okay and it's not the cost of the part to fix the lock it's who's going to pay to put it in and this is always the problem with LOX LOX aren't like software we can send out a patch you have to physically take them apart to fix them ok so our office launched an investigation to protect all of our clients and because the pleadings were amended a couple of weeks later from the mechanical lock to also add the cop electronic lock so now
we have their new generation called the e plaques and this is the 5000 series which is a very heavy duty very very nice piece of work it's a push button lock it's got a lever handle where the bypass cylinder in it it's programmable told me to talk about it for two minutes this is a programmable depending on the model that you're getting you can either get like I think you can program 300
codes or only gives you out a trail also for like three thousand in this basic model okay they use the same platform for scale models that we're going to talk also about it yeah so they develop the 5000 this is typical in a lot of lock companies because it's very efficient and saves money a designer lock once and then you add enhancement and sell it as an enhanced version of the lock so they Hanson is more in the in the electronics they just change electronics and the lock that has that totally untrue function but the hardware platform is the same and that's what's important in this case so along comes a homeland security presidential directive in 2004 that's enacted in 2005 and khabar jumps into the game to use their 5000 platform to supply the government with locks okay
and this is the and it's called the e plex 5800 and Matt will talk about this Matt yeah so hspd-12 as Mark said was signed in 2005 and it really mandated the the government and department of defense to move towards a central access card it was very high level it just defined we go to the next slide just to
find the requirements to protect privacy drive efficiency and increase security of facilities so after hspd-12 was was signed phipps 201 comes along and so NIST working on phipps 201 defined ultimately what what we have and many of you have in your pocket out there I'm sure are is the common access card and even at wit card for that matter and it's a smart card that provides unique access control physical logical security and kava was the first manufacturer to to create a standalone locking device that is phipps 201 compliant so the bottom line is the government in 2012 has to replace all their mechanical locks for electronic locks phipps 201 so that there's an audit of who opened the door exactly this is the game they want to know personal identification verification and the card has to be secure and reliable so they know it was actually a validly issued card by a federal agency so
we're basically saying the same thing here so personal identity identity verification was the mandate from hspd-12 identified verification and security the other thing you'll read in hspd-12 that i mentioned is really the efficiency play here to drive a standard access card across all government and contractors right now here's the deal phipps 201 has nothing to do a security it's personal identity verification and a secure card system however when you marry that to a lock just like Kaaba and other companies are doing it does have a security component because if you can bypass the audit trail and open the lock or they don't know who opened it then there's a problem it's a security breach and in back to the beginning part of the lecture if we stamp a compliance statement from Kaaba that says this is Phipps 201 compliant there's an implied assumption that we're secure that's just not the case so when you walk up to one of these these new Phipps 201 compliant locks you can use a pin and use your card but you can't just use a pin okay so if it said the purpose but they need the car and they take another step that
you can use pin and car but no not never appeal only only for the mess and I don't know what they did it one when you get the lock and you're going to start the lock it comes from the factory program 123456 emanate okay then you have you're forced to change that master code in order to do any other programming okay and we're going to talk about that soon okay so because we don't wanna run time we looked at this log in detail in depth for several months we identified nine really what we consider pretty serious security issues some of them you have to look at in terms of where these locks are going to be used if it's at the Pentagon maybe it's not such a problem for some of them it's a lot of problem for others so khabar says you can only the open these locks with a car keep it keypad and or key okay unfortunately we figured out this lock can be wrapped open we can dlink the bypass cylinder from the latching system we can reset the master code to open there's an internal lever handle attack that we're going to show you there's a remote open feature so the girl and the receptionist of the desk and have a push button to open the lock we defeated that
so Toby number one wrapping well this is the critical component of the lock thus a plunger type and inside the lock and that plunger really engages the outside level with the internal components
that's done by the electronics it's a
little model that dropped that pin and then we can open the lock we have to
tell us on this lock that we don't rely us only in DEKRA dential they have a bypass key one of the reason if the lock fails you cannot you know take time to attack the lock and open it you have a key as a backup to open the lock and also we can reset the lock if the master code or the master code to program the lock is lost they tied those two together in the function of the law okay so here's what cop we fed all of our videos to Kaaba as a courtesy we wanted the comments okay so frankly they made the mistake in analyzing our videos and sending us written comments that was a mistake okay so Kaaba basically said as far as wrapping hate we fixed it and we need to tell you it depends on what kind of door these locks are mounted on and what kind of timing and forces applied to wrap it open sometimes you can do it sometimes you can it's not a hundred percent threat but here's what Kaaba said this issue was detected by Kaaba shortly after the product launch and for and was attributed to a steel blocking device the blocking device was changed to aluminium and implemented in production over five years ago with the aluminum part this attack is not successful mm-hmm this is a macro video
demonstrating the design problem with the clutch mechanism this is what open discussion when it's engaged versus not engaged and how we're able to bounce that out of position Toby and what we're seeing is the back of the lock we have here they have that where we attach the latch we're going to remove the back cover and what we see in there is the plunger that we are bouncing in order to open the lock now let me remotely open that you can see that piece moving that plunger opened down that actions engages the outside level okay let me put everything together in so right now there's no connection between the lever and that hall when we open the locks then we get that connection simple designs vary some hand stays in the idle locked position so now let's just show on pre verse in the back so there's the part that we're bouncing and this is the handle so what the lock does is pressing that plunger and then you can engage the handle with that plunger assembly that moves and retracts the latch then it releases the connection and then the handle can go free what we're doing is we're bouncing
that pain but the timing is very important we have to bounce that pin and at the same time grabbing in order to open it if we balance that pain and we're late turning the handle the ping is going to go home now it's like lot longer to open it or if we go too fast on the handle the handle will turn we cannot drop that pain and the lock will remain in the locked state okay so they
obviously didn't consult with Sir Isaac Newton when they designed this lock
this will demonstrate the first very serious problem with this lock Toby we have to do it in slow motion was to yes we had to do it in slow motion well but as us as I said before is timing
it's its timing it's just like lock bumping now the problem is that the hardware platform for the e Plex 5800 which is the government version of this lock it's the same problem now we put this on a stand this is the e Plex 5800 demonstrating the same vulnerability with regard to applying a shock to lift the your bounce the locking plunger assembly in order to open the mechanism Toby this one again is its timing that day that we were doing that video I couldn't open it so I at the NSA well this this should be the last video and continuously we were open the lock okay so that's our first problem now we go to
the bottom our first bro never figure that surfers prolly okay so this is the next attack where we used a cheap screwdriver to physically break the link inside the bypass cylinder to the tailpiece okay so this is like a three dollar ace hardware screwdriver I'm why
we want to do that because because we
got two extra screwdrivers so we have two functions for this key one is factory reset and the other is to open the lock in order to reset the log with the key we just have to turn counterclockwise retracting the bowl we've gotta press pound we're going to release on the key on a second let me do it again power release on the key and you see the two LED is flashing back and forth and this moment we have to put 1 2 3 4 5 6 7 8 pound and that comment resets a lot of faculty our new master code or factory master code is one two three four five six seven eight okay okay so Toby how are you going to defeat the system well we're just going to put up on a screwdriver through the key way we're just going to break the help is on the way so we utilize the next inexpensive screwdriver about two three dollars to break the linkage between the tail piece on the bypass cylinder to the plug now what happens here is once you break that linkage then you have the capability of going through the key way with a screwdriver and we can directly control the bolt right there just like that okay let's do it again okay now what I'm going to do it i would like to reset the lock but here I'm Kristin button key and now we put in a new master code so you can see the motor ability we just reset the lock now I can open this login 123456 simile under low key so and the lock is over by resetting the log what we're doing is
all the codes that we're programming in the lock we just delete it yeah nobody can enter okay okay this is the next one
this is an internal attack which we're really most concerned about rather than somebody walking up to the door this is somebody this is the bad guy that's in your banking system that once he has authorized access into the building nobody's watching them and he goes down to a room that's not particularly protected that stores all the blank credit cards okay or a remote military base and we sabotage the handle to open the lock the way it's not supposed to so
this involves removing the lever handle on the back with a set screw inserting a
wire through the back of the lock
putting the handle back on retightening
the set screw very detailed it's a very difficult process to do this very very
difficult okay so actually this was the
video that we show cover yeah this was
the video we showed khabar so this next
attack with the 5800 is a right hand opening door attack involves removing the lever handle on the inside of the door inserting a piece of wire closing it up again and that will allow the lock to be opened in a way it is not normal that is lifting the lever handle upwards rather than downwards most employees would not even think to try to access the locking system with the lever up versus down okay go eat let's do it Oh colon again this method 1 111 okay the lever which is clutch now the clutch is not engaged so in this mode so now if it was programmed for passes mode that it would be entirely different this is so small and score range on the bottom would remove that we just have to unscrew that remove the inside handle we are going to push down the outside ever and when gonna it's a very sophisticated piece of wire it some day long as you can see if I pull on the lever opens we can just hover dog wire putting they handle back we could decipher yeah there's no there's there's nothing different in the operation of the law but it's now been set so anybody can open it by lifting the lever upwards what does non standard operation so people's the same one is not opening open with the massive code 01 so the lock works normally if I decided that I don't want this is the cook I can just so these are the four components that
you have to deal with we know this is really really difficult ok this is cabas
statement it takes five to ten minutes to do this in the video the removal and reinstallation of the inside lever was shown to occur in seconds this is not the case a small set screw must be removed first to reinstall the set screw the lever must be carefully positioned and then the screw installed to the correct depth or lever binding will occur this may take five to ten minutes to accomplish while on your knees behind the law ok so we test their their pre
tested their premise I called topi I said okay here's what we're going to do
well we never show how how how long it takes to and this is the weber all time so here we go on top we have the total time to accomplish it in the attack now the first group 10 seconds 12 seconds well seconds to remove yep we didn't tell how long it takes to remove the handle so on because actually they said it has to be very carefully very careful inverter so we put the wire we check that the wires working is working now the difficult part against putting back never so again we're and I'm using one hand because the thing is they the camera angle was okay if I'm covering it's not going to show that I'm putting the wire okay and we stop the 59fifty one
now you can do it in 10 minutes also yeah so we saved the best for last so all of these we think are really serious design deficiencies that could be exploited by bad guys okay this is the best one so khabar offers a programming option to allow remote open so you like I said you push the push button just like an electric strike the receptionist pushes the button opens the lock okay so
there's two LEDs at the top of the lock to show status okay so this is what
happens the next demonstration is another design defect that we perceive in this lock in the e Plex series this is the remote open option you gotta love those engineering and shorting out the pin which the engineers aqaba decided to place directly in back of the LED port
now come on old so tell us you guys are
doing it wrong yeah so here's cabas
answer we fixed it okay a part of the factory configuration yeah what I thought it fit a part of the factory configuration for remote unlock a metal blocking device is installed in the way of the LED parts to prevent this type of attack the version tested in the video was not factory configured for remote unlock like maybe somebody got the master code and entered the the 01 to code for remote unlock and they didn't even know it okay so they said you can't
do this so this will be the last video if we ordered the log to Kaaba and asked to ship the cable because we want to use they have requested feature of the bark they would provide you with the cable to be hooked at the terminal on the back of the lock but also it would provide a protector a protector it will cover the contact point that we're looking for to trigger the requester exit which is right here now the way that we are triggering that is through the LED and we just grounded the first pope now if I put the protector on top we have to notice the thing first of all there is a gap between the dangers of the secret war so we can feel so it's the same thing west winds it from the outside so that's a problem they think
they fixed it they didn't fix it so let us just tell you we have found three or four other covert entry attacks on this lock that we're not disclosing except to the government in the Kaaba we can open this lock literally in five seconds no audit trail no damage no trace well without local with their club would be like 15 yeah with their five so the
bottom line is security engineering failures have consequences they have consequences in the protection of your facilities they have and they can also cause legal liability so you really need
to understand what you're buying what secure and what's not secure we'd like to thank you guys for coming again if you have any questions you
Feedback