Lock Designs for Government and Commerce: Deconstructing Insecurity
Formal Metadata
Number of Parts | 122
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/40522 (DOI)
DEF CON 19, 120 / 122
Transcript: English (auto-generated)
00:00
My name is Marc Tobias. This is our team, Tobias Bluzmanis, Matt Fiddler. We engage in the testing of mainly high security locks. We have a lab and we do testing for the major lock companies of the world to figure out how to open them when they can't be opened, figure out vulnerabilities and then figure out how to fix them. That's
00:28
both as a lawyer and as a criminal investigator for the Office of Attorney General in my state. Toby is a locksmith for many, many years in Miami. We wrote the Medeco book
00:41
together a couple years ago when we broke that lock. Matt Fiddler is with our group for a long time also. He works for a very large corporation on the East Coast doing security testing. And we're going to talk today about some engineering problems
01:02
regarding one company as an example. We're not intending to pick on this company. We don't have any issues with them. They've been around for a very long time. But they're a prime example of what we call insecurity engineering. And so we're going to go through a lot of slides and some video today to talk about design problems that can
01:23
cause real problems both from a liability standpoint and from a security vulnerability standpoint. And we've targeted four locks. The company that we're going to talk about today is Kaba. They're a Swiss company. As I said, they've been around for a very long time, very respected company, very competent at making things work. We don't think
01:45
they're quite so competent as in making them secure. And we're going to look at four of their locks to talk about that. So the four locks that we're looking at today, one of them we did last DEFCON, which is in the upper left-hand corner, which is called the Kaba InSync. It's an RFID-based lock. And then we're going to talk about
02:05
the push-button lock that many of you may recognize, upper right, which is called the Kaba Simplex. Then we're going to talk about the two electronic versions of that lock, which was really our target this year. So the markets, they design for
02:21
the access control market, commercial buildings, business complex, government facilities. And the real question is access control and exactly what does it mean. And in our view, especially because of the locks we're going to talk about today, it means access control in government facilities and high-level commercial facilities that
02:42
are secure environments. So Kaba, who are they? They're the third largest lock manufacturer in the world. And they have a very large presence in the United States, as well as in Europe. As I said, they're based out of Zurich, Switzerland. They do have engineering expertise. Why is this important? As we'll talk about, there was a very major
03:04
class-action lawsuit that was filed November of 2010 against this company by a group of lawyers around the United States in regard to their Simplex 1000 mechanical push-button lock, which we'll talk about in a little while. So the Kaba case study, it's engineering
03:22
failures and the ramifications that flow from that. Engineering failures, why are they important in lock design? Because they can lead to serious liability and breach of security in facilities. And this PowerPoint, obviously, will be on DEFCON's site and will be on our site. So we have four different designs. We're going to do an analysis of
03:45
each of the designs and what the problem is. So we look at this as escalating insecurity, defects in critical design. So again, we've got the Kaba, the mechanical push-button lock, the RFID lock, and then two versions of their electronic lock, which is essentially
04:03
what's called the E-Plex 5000, which is the electronic version of the mechanical. So our real problem in going through this today is a failure of imagination. And it's not just Kaba. It's a lot of lock companies that we deal with around the world. And
04:22
the real problem is, and we've talked about this on a number of DEFCON presentations in the past, it's the engineers go to engineering school to learn how to make things work properly, but they don't know how to break them so that they can really make them secure. So deficient or defective products. It's an intersection of mechanical and security
04:46
engineering. Both of them have to be there. And the problem is that you can have a false sense of security, especially if the standards organizations, whether government or civilian, say the lock is secure and fit for the purpose intended.
05:03
So what appears unfortunately secure is often not in our world. And the real question for, especially those of you that are security or risk managers, how do you know the difference? There is an undue reliance on the standards, and that is part of the problem. There's
05:22
also a problem of misrepresentation by a lot of manufacturers. Matt? So we've talked about this before, but typically physical security or locks are the first line of defense. Oftentimes, they're the only security layer. We talked in detail about
05:40
U.S. standards, Underwriters Laboratories, and BHMA in the past, and specific lock manufacturers' adherence to those standards and reliance. And ultimately, you as the consumer, how do you know if those locks are secure? Yeah, the real problem, and they're going to switch the power, so we're going to break for like one second here. The real problem is that, and I'm on one of the underwriters'
06:06
laboratory testing boards for locks and safes. The real problem is all of you in an organization that buy locks based on standards, they don't test for the kinds, or most the kinds of bypass attacks that we use to open these locks, mainly covertly. So the standards
06:26
can be essentially meaningless. We've petitioned the Builders Hardware Manufacturers Association to change the high security standard to reflect current attack technologies. Okay, go ahead, you guys go ahead and cut your power, or switch it over. Yeah, we'll switch.
06:49
Okay, we just crashed Hoover Dam. The lights are dimming in Las Vegas. Okay, this is perfect.
07:00
This is the blue screen of death on the projector. Okay, so the real question is, what does secure mean? And I suppose the projector will catch up with us to find the image. So manufacturers of locks have really unique responsibilities. One, they obviously
07:23
have to understand mechanical engineering and electronic engineering, but more importantly, they have to understand security engineering. Because if the lock isn't secure, we don't care how well it works, it doesn't do what it's supposed to do. There are implied representations by every lock manufacturer, and that is that we are experts. When you
07:45
buy a lock from a company like Kaba, ASSA ABLOY, Ingersoll Rand, which are the major lock companies of the world, you expect that they know what they're talking about and they know how to design locks. Often, this isn't the case. And the problem is that a lot of,
08:02
well, all of the lock companies always claim we meet or exceed the standards. The problem, as we noted, the standards may not protect you against some fairly non-sophisticated methods of bypass. So expertise has required mechanical engineering, security engineering, understanding minimal engineering standards when you design a lock. And
08:27
security engineering requirements means, one, that you test the products against current methods of bypass and that you understand and know what those current methods of bypass are. We employ a variety of techniques in our work to test locks for our clients. And
08:45
it's everything from shock, vibration, wires, air, magnets, hair dryer, which we open one lock with, believe it or not. No, that's the point. It's for real because the engineers never, ever, ever could believe that we could do this. Well, in a very specific lock overseas,
09:06
because of the kind of elements they used as a locking device, we were able to heat it up, change its physical properties, and open the lock. So, yeah, they weren't really pleased with it when we found it. Opening a lock with a hair dryer is not really cool from
09:23
their standpoint. It was from ours. So the bottom line is they need to understand bypass techniques and that's why we get hired by a lot of different groups to figure out
09:41
if there is a vulnerability. Because as a lawyer, I can tell you, and I tell my clients and have for a long, long time, if a lock is defectively designed from the security standpoint and somebody gets hurt, robbed, injured, killed, or information is compromised
10:00
or damage is done to property, somebody's going to pay for it. And what you all need to really keep in mind is all security is about liability. Other than in the government sector, which doesn't have any liability generally because of sovereign immunity, all security really comes down to liability. If there's a breach in security, somebody's
10:24
going to pay for it. So there's insecure products. They're often, as we're going to show you today, often easily bypassed. They use the standards as a measure, but they're no measure. Products look great, but they're not secure. And the bottom line is they're
10:41
placing your facilities at risk. So we're going to talk about these locks briefly. We prepared a number of videos. There was an article that was published this morning by Forbes, by Andy Greenberg, their security correspondent that you all might want to read, and there's a number of videos that they uploaded to YouTube. So we're going
11:01
to go through how these locks are supposed to work and how they don't. The first rule that we teach design engineers is the key never unlocks the lock. Now everybody says, what does that mean? Of course the key unlocks the lock. No, it really doesn't. The key actuates the mechanism that allows the lock to be unlocked, either the bolt retracted,
11:25
the latch, whatever the locking fastening mechanism is, the key allows you to rotate or move that. But generally the key doesn't do that. The mechanism that the key actuates does that. So what we do in our work is we figure out in layers of attacks, which we
11:45
developed when we attacked the Medeco lock, the top high security lock in the United States a few years ago, we developed what we call a layer attack. So we isolated each security layer in the lock, whether it's electronic or mechanical, we attacked and neutralized
12:03
each layer, and once all the layers are neutralized, the lock opens. So Toby, why don't you talk about this lock briefly, the Kaba InSync. Well, the Kaba InSync, the one that you're seeing there is an RFID key. It's like a plastic key. It's a
12:24
deadbolt type. You can see the bolt a little bit extended. It's not too complicated. You have an RFID tag in the key. The locks read that tag. If it's programmed to the lock, the lock will open. Now we're going to, there's also on the bottom, there is a USB
12:47
port where you can program that lock. Oh, no, but see, all you guys think we're going to defeat it electronically. No, no, no, no. That would be, he's a ones and zeros guy.
13:00
We're physical security guys. Okay? So why would we, we always bypass the electronics. We neutralize and we bypass. So keep going, Toby. There's a USB port. Okay. So the USB port, we're going to use cables, but not wires. Why bother? Okay. So this is a commercial lock. This use, uh, we were told even in, in, uh, military
13:27
installations, installations, uh, very easy to bypass. We were really stunned how we, we bypassed this lock. So this is a Kaba company. This is the first one we actually looked at. So these are used all over the world. They were very proud in telling me how
13:43
secure this was and that you're just not going to open it without the right key. So, um, it's got very wide application. So here's how this lock is supposed to work. Toby? The image for, uh, for a space, we have to put it sideways, but actually the
14:01
part that you see, uh, uh, next to that big round, uh, uh, plug, that bar is what protects that plug to rotate. And what it does is move away for, uh, for, uh, for within a small motor and then you can turn and, uh, actuate the bolt, um, open it or lock
14:24
the, the, the system. So we're going through the, no, they have to see the video, right? Okay. Okay. So how does everybody think that we opened the lock? Uh, you guys all figure we did it with a computer? No, no, no, no. No, no, no, no magnets.
14:44
They're coming soon. It's an electronic lock. Okay. Self-contained, battery operated. It uses a small RFID tag that is inserted like a regular key to
15:00
unlock, unlock the deadbolt. Um, basically the inside, there's a locking bar that blocks the plug. We're going to be using a small wire to lock the locking bar away so we can turn the plug. We're going to do that by inserting a very
15:25
small wire through the, the difficult part is to remove the cover that the rubber cover on the USB port. Then you just have to leave that piece, right? Well, by
15:52
the way, uh, because of what we did this year with, uh, Kaba, uh, the, uh, they told us that they fixed it. Yeah, they fixed it. We haven't seen what they did, but
16:03
they told us, no, we fixed it. Yeah, no. And, and the problem with all of this, and it can be locked back up again too. The, the problem with all of this, and it's not, as I said, just Kaba, they just happen to be in our target range this year. Other companies, as you guys know, if you've seen us before here, we've gone after a lot of
16:23
the companies because of this same problem. So it's not unique to Kaba at all. So we looked at this lock. The problem is not that they fixed it. The problem is that they had to fix it in the first place. And, and that's really the issue. So now we're, it's
16:41
November 2010. Well, let's back step to 2009 because we'll go across some of these slides. This is the Kaba Simplex 1000. This lock was developed in 19, about 1965. It is the most popular mechanical programmable push button lock ever. Just, just quick show of
17:04
hands, who's seen this lock before? Yeah. Okay. So you all know. Oh, okay. Have any of you read my articles in Forbes about this lock? No one. No. Good. Great. Perfect. Yeah. I'll be very happy at Forbes to hear that. Okay. Perfect. Okay. So did anybody read the
17:26
lock? No. Okay. So here's the deal. In 2009 in Brooklyn where there's a high Orthodox Jewish population, these locks have found a niche market for the Orthodox because on the
17:40
Sabbath, they can't use keys. Okay. That's just part of the rules in the Orthodox religion. But they can use push button locks. Okay. As crazy as that sounds, that's the way it works. You can't use anything on the Sabbath that you normally use during the week. You can't drive a car. You can't push buttons on an elevator. So these locks have
18:02
become incredibly popular in the Orthodox community around the country. Okay. Good for Kaba. Okay. Bad for Kaba. So there's a group of technicians in Brooklyn that I referred to in one of the articles I wrote is the Jewish Geek Squad. They go around and help the
18:23
elderly open their houses and they figured out they could do it with a rare earth magnet. Okay. Because there's a design defect in this lock. And it's been sitting there since 1965 because there weren't any rare earth magnets in 1965. They came around late 70s,
18:40
early 80s. There were electromagnets but there weren't rare earth magnets. Okay. However, the manufacturer never retested this lock because they were selling millions of them. What the hell do we care? It's not broken. Don't fix it. Yeah. So the problem is that there was a ferrous metal component as we'll show you in this lock. And let's go to
19:03
this. Okay. This is the combination chamber that actually controls the programming when you push the buttons. And you can push one button, two buttons at a time and up to what, seven I think. Or five? You can use, it's five buttons. Yeah. Five numbers. You can
19:21
use combinations between one through five. You cannot repeat numbers but you can use combination of two numbers like two and four and then one. You cannot repeat numbers. Yeah. There's. Okay. So who's seen them at airports? They're everywhere. Did you see them? DOD, DOE. I got tons of mail from nuclear power plants. They want to know
19:46
what the deal is. Okay. Because we put out the video that it could be opened with a magnet. And they use that same chamber in some more, not that commercial, more residential style. That's also, that same piece is also present. Okay. So this is
20:04
inside, this is a macro of inside the combination chamber and this plate that you see that goes across all five rotors, if you move that with a magnet, you're going to open the lock. Now, they've fixed this, we don't like the fix, but they have fixed it,
20:20
okay, after not telling anybody about it for about five months. They figured it out last year. So what happens? The Jewish Geek Squad is opening doors and one of them happens to talk to his lawyer in 2010. The lawyer says this is a class action lawsuit. So Kaba gets sued in a huge complaint that is going to set the standard in the lock
20:44
manufacturing industry in the United States for defective or deficient product. So this is the magnet that opens the lock. And actually I interviewed one of the plaintiffs and he told me that his 13-year-old kid, he gave him a magnet that he bought off the internet for $50 and commanded him to open the lock. Didn't tell him how to do it,
21:04
commanded him, you know, like in the Bible or the Torah. I command you to open this lock. Four minutes later, the 13-year-old kid had the lock open. That's when I went public with this because it's such a threat. So class action lawsuit was filed, here's the
21:30
clutch lock. The right combination factor is two and four at the same time. Three, we can open the lock. Once, if we're making a mistake, every time that we depress
21:43
the lever, it resets so we can enter the right combination again. Okay. So on this lock, as we said, it's easily bypassed using the magnet. I have the magnet just wrapped in a bag. I'm just going to depress the lever, the lock is open. And that's it.
22:08
That's a big problem. And that was that. And that was that. So our office initiated an investigation separately. We were not hooked up with the lawyers in this case. We
22:21
weren't involved in the litigation. I've met with a lawyer several times to get a briefing because all of our clients were concerned about the liability issue that this raises. Because this is liable to cost Kaba millions and millions of dollars. Okay. And it's not the cost of the part to fix the lock, it's who's going to pay to put it in. And this is always the problem with locks. Locks aren't like software where you can
22:43
send out a patch. You have to physically take them apart to fix them. Okay. So our office launched an investigation to protect all of our clients. And because the pleadings were amended a couple weeks later from the mechanical lock to also add the Kaba electronic lock. So now we have their new generation called the E-Plex. And this is
23:04
the 5000 series which is a very heavy duty, very, very nice piece of work. It's a push-button lock. It's got a lever handle with a bypass cylinder in it. It's programmable. Toby, talk about it for two minutes. It's programmable depending on the
23:24
model that you're getting. You can either get like, I think you can program 300 codes and it gives you audit trail also for like 3,000 in this basic model. Okay. But they use the
23:41
same platform for scale models that we're going to talk also about. Yeah. So they developed the 5000. This is typical in a lot of lock companies because it's very efficient and saves money. You design a lock once and then you add enhancement and sell it as an enhanced version of the lock. So they. The enhancing is more in the electronics.
24:06
They just change electronics and the lock has totally different functions. But the hardware platform is the same and that's what's important in this case. So along comes a Homeland Security Presidential Directive in 2004 that's enacted in 2005 and Kaba jumps into
24:25
the game to use their 5000 platform to supply the government with locks. Okay. And this is, and it's called the E-Plex 5800. And Matt will talk about this. Matt? Yeah. So HSPD 12, as Mark said, was signed in 2005 and it really mandated the, um, the
24:45
government and Department of Defense to move towards a central access card. Um, it was very high level. It just defined, you want to go to the next slide? Yeah. Just defined the requirements to protect privacy, drive efficiency and increase security of
25:01
facilities. So after HSPD 12 was, uh, was signed, FIPS 201 comes along. And so NIST, uh, working on FIPS 201 defined ultimately what we have and many of you have in your pocket out there I'm sure, are, is the common access card and even the TWIC card for that matter. And it's a, a smart card, um, that provides unique access control, physical,
25:26
logical security and Kaba was the first manufacturer to, um, to create a standalone locking device that is FIPS 201 compliant. So the bottom line is the government in 2012 has to
25:42
replace all their mechanical locks for electronic locks, FIPS 201, so that there's an audit of who opened the door exactly. This is the game. They want to know personal identification verification and the card has to be secure and reliable so they know it
26:03
was actually a validly issued card by a federal agency. Um, so, um, we're basically saying the same thing here. So personal identity, um, identity verification was the mandate from HSPD 12. Identify verification and security. The other thing you'll read
26:21
in HSPD 12 that I mentioned is, um, really the efficiency play here to drive a standard access card, um, across all government, um, and contractors. Right. Now, here's the deal. FIPS 201 has nothing to do with security. It's personal identity verification and a secure card system. However, when you marry that to a lock, just like
26:45
Kaba and other companies are doing, it does have a security component because if you can bypass the audit trail and open the lock or they don't know who opened it, then there's a problem. It's a security breach. And, and back to the beginning part of the lecture, if we stamp a compliance statement from Kaba that says this is FIPS 201
27:05
compliant, there's an implied assumption that we're secure. And it's just not the case. So, when you walk up to one of these, these new FIPS 201 compliant locks, you can use a PIN and use your card. But you can't just use a PIN. Okay? So. It, it, it, it
27:21
defeats the purpose. They need the card and they take another step that you can use PIN and card. But no, no, never a PIN only. Only for the master, I don't know when they did it. One, when you get the lock and you're going to stop the lock, it comes from the factory program 12345678. Okay? Then you have, you're forced to
27:42
change that master code in order to do any other program. Okay? And we're going to talk about that soon. Okay. So, because we don't want to run out of time. We looked at this lock in detail, in depth for several months. We identified nine, really
28:00
what we consider pretty serious security issues. Some of them you have to look at in terms of where these locks are going to be used. If it's at the Pentagon, maybe it's not such a problem for some of them. It's a lot of problem for others. So, Kaba says you can only these, open these locks with a card, keypad, keypad and, or key. Okay?
28:24
Unfortunately, we figured out this lock can be wrapped open. We can de-link the bypass cylinder from the latching system. We can reset the master code to open. There's an internal lever handle attack that we're going to show you. There's a remote open
28:42
feature so the girl, the receptionist of the desk can have a push button to open the lock. We defeated that. So, Toby, number one, rapping. Well, this is the critical component of the lock. There's a plunger type inside the lock and that plunger really
29:03
engages the outside lever with the internal components. That's done by the electronics. It's a little motor that drop that pin and then we can open the lock. We
29:21
don't rely only in the credentials. They have a bypass key. One of the reasons if the lock fails, you cannot, you know, take time to attack the lock and open it. You have a key as a backup to open the lock. And also, we can reset the lock if the master code
29:43
or the master code to program the lock is lost. They tied those two together in the function of the lock. Okay. So, here's what, we fed all of our videos to Kaba as a courtesy. We wanted the comments, okay? So, frankly, they made the mistake in analyzing
30:03
our videos and sending us written comments. That was a mistake. Okay? So, Kaba basically said as far as rapping, hey, we fixed it. And we need to tell you, it depends on what kind of door these locks are mounted on and what kind of timing and forces applied to rap it open. Sometimes you can do it, sometimes you can't. It's not a
30:23
100% threat. But here's what Kaba said. This issue was detected by Kaba shortly after the product launch in 2004 and was attributed to a steel blocking device. The blocking device was changed to aluminum and implemented in production over five years ago. With the aluminum part, this attack is not successful. Mm-hmm. This is a
30:48
macro video demonstrating the design problem with the clutch mechanism. Yeah, this is what Toby just talked about. When it's engaged versus not engaged and how we're able to
31:01
bounce that out of position. Toby? What we're seeing is the back of the lock. We have here the hub where we attach the latch. We're going to remove the back cover. And what we're seeing there is the plunger that we are bouncing in order to open
31:24
the lock. Now let me remotely open that. And you can see that piece moving that plunger up and down. That action engages the outside lever. Okay, let me put
31:46
everything together again. So right now there's no connection between the lever and that hub. When we open the locks, then we get that connection. Simple design. Very simple.
32:07
And stays in the idle lock position. So now let's just show on reversing the back. So
32:21
this is the handle. So what the lock does is pressing that plunger and then you can engage the handle with that plunger assembly. That moves and retracts the latch. Then
32:43
it releases the connection and then the handle can go free. What we're doing is timing is very important. We have to bounce that pin and at the same time grab it in
33:01
order to open it. If we bounce that pin and we're late turning the handle, the pin is going to go up, down. It's like lock bumping. Or if we go too fast on the handle, the handle will turn. We cannot drop that pin and the lock will remain in the lock state.
33:26
Okay, so they obviously didn't consult with Sir Isaac Newton when they designed this lock. This will demonstrate the first very serious problem with this lock. Toby? We
33:58
need to do it in slow motion. Well, but as I said before, it's timing. It's timing. It's
34:07
just like lock bumping. Now, the problem is that the hardware platform for the E-Plex 5800 which is the government version of this lock, it's the same problem. Now we put this on a stand. This is the E-Plex 5800 demonstrating the same vulnerability with
34:25
regard to applying shock to lift the or bounce the locking plunger assembly in order to open the mechanism. Toby? That's one. Again, it's timing. That day that we were doing
34:51
that video, I couldn't open it. So at the end I said, well, let's shoot the last video and continuously we were opening the lock. Okay. So that's our first problem. Now
35:05
we go to the ‑‑ it's not our first problem. That's our first problem. Okay. So this is the next attack where we use a cheap screwdriver to physically break the link inside the bypass cylinder to the tail piece. Okay? So this is like a $3 Ace Hardware
35:26
screwdriver. And why do we want to do that? Because ‑‑ Because we got extra screwdrivers. So we have two functions for this key. One is factory reset and the other
35:42
is to open the lock. In order to reset the lock with the key, we just have to turn counterclockwise retracting the bolt. We're going to press pound. We're going to release on the key. Hold on a second. Let me do it again. Pound, release on the key. And you see the two LEDs flashing back and forth. In this moment we have to
36:04
put one, two, three, four, five, six, seven, eight, pound. And that command resets the lock to factory. Our new master code or factory master code is one, two, three, four, five, six, seven, eight. Okay? Okay. So Toby, how are we going
36:26
to defeat the system? Well, we're just going to put a screwdriver through the keyway. We're just going to break the tail piece on the back. Okay? So we
36:49
utilized an inexpensive screwdriver about two, three dollars to break the linkage between the tail piece on the bypass cylinder to the plug. Now, what
37:06
happens here is once you break that linkage, then you have the capability of going through the keyway with a screwdriver and we can directly control the bolt. Right there. Just like that. Okay, let's do it again. Now
37:34
what I'm going to do, I would like to reset the lock. Right here.
37:49
Button, the key. And now we put in a new master code. So you can see the vulnerability. We just reset the lock. Now I can open this lock in one, two, three, four, five, six, seven, eight. And the lock is open.
38:05
And the lock is open. By resetting the lock, what we're doing is all the codes that we're programming in that lock, we just delete it. Yeah. Nobody can enter. Okay? Okay. This is the next one. This is an internal attack which we're really
38:20
most concerned about rather than somebody walking up to the door. This is somebody, this is the bad guy that's in your banking system that once he has authorized access into the building, nobody's watching him and he goes down to a room that's not particularly protected that stores all the blank credit cards. Okay? Or a remote military base. And we
38:44
sabotage the handle to open the lock the way it's not supposed to. So this involves removing the lever handle on the back with a set screw, inserting a wire through the back of the lock,
39:04
putting the handle back on, retightening the set screw. Very detailed process. It's a very difficult process to do this. Very, very difficult. Okay. So actually this was the video that we showed Kaba. Yeah. This was the video we showed Kaba. So this
39:26
next attack with the 5800 is a right hand opening door attack involves removing the lever handle on the inside of the door, inserting a piece of wire, closing it up again and that will allow
39:41
the lock to be opened in a way that is not normal, that is lifting the lever handle upwards rather than downwards. Most employees would not even think to try to access the locking system with the lever up versus down. Okay? Toby, let's do it.
40:01
Our code again with semester 111 is the lever clutch. Yeah, the clutch is not engaged in this mode. So now if it was programmed for passage mode, then it would be
40:24
entirely different. This is a small screw range on the bottom. We'll remove that. We just have to unscrew that, remove the inside handle. We're going to push down
40:41
the outside lever. It's a very sophisticated piece of wire. You can see if I pull on the lever, we can just cover that wire, put in
41:01
the handle back, we put the set screw. Yeah, there's no, there's nothing different in the operation of the lock, but it's now been set so anybody can open it by lifting the lever upwards which is non-standard operation. So it works the same
41:21
one. It's not opening. Open with the master code. So the lock works normally. If I decided that I don't want to use the code, I can just lift the handle. So these are the
41:43
four components that you have to deal with. We know this is really, really difficult. This is Kaba's statement. It takes five to ten minutes to do this. In the video, the removal and reinstallation of the inside lever was shown to occur in seconds. This is not the case.
42:04
A small set screw must be removed first. To reinstall the set screw, the lever must be carefully positioned and then the screw installed to the correct depth or lever binding will occur. This may take five to ten minutes to accomplish while on your knees behind the lock.
42:25
Okay. We tested their premise. I called Toby, I said, okay, here's what we're going to do. We never show how long it takes to
42:42
remove the screw. And this is liberal time. So here we go. On top we have the total time to accomplish the attack. Now the first screw, ten seconds. Twelve seconds.
43:03
Twelve seconds to remove. We didn't tell how long it takes to remove the handle. Because actually they said it has to be very carefully. So we put the wire, we check that the wire is working,
43:23
it's working. Now the difficult part again, putting back the... So again, we're... And I'm using one hand. The thing is, the camera
43:42
angle was, okay, if I'm covering, it's not going to show that I'm putting the wire. Okay, and we stop the clock. Fifty-nine, fifty-one. Now you can do it in ten minutes also.
44:00
Yeah. So we saved the best for last. So all of these we think are really serious design deficiencies that could be exploited by bad guys, okay? This is the best one. So Kaba offers a programming option to allow remote open. So like I said, you push the push button just like an electric strike, the
44:24
receptionist pushes the button, opens the lock, okay? So there's two LEDs at the top of the lock to show status, okay? So this is what happens.
44:43
The next demonstration is another design defect that we perceive in this lock in the E-Plex series. This is the remote open option.
45:04
The LED... You've got to love this engineering. ...and shorting out the pin, which the engineers at Kaba decided to place directly in back of the LED port.
45:32
I also told you guys are doing it wrong. Yeah. So here's Kaba's answer. We fixed it.
45:41
Okay? A part of the factory configuration... A part of the factory configuration for remote unlock, a metal blocking device is installed in the way of the LED parts to prevent this type of attack. The version tested in the video was not factory configured for remote unlock. Like maybe somebody got the master code and entered
46:05
the 012 code for remote unlock and they didn't even know it, okay? So they said you can't do this. So this will be the last video. If we ordered the lock to Kaba and asked to ship the cable because we want to use the request
46:25
to exit feature of the lock, they will provide you with the cable to be hooked at the terminal on the back of the lock. But also it will provide a protector. A protector. It will cover the contact point
46:44
that we're looking for to trigger the request to exit, which is right here. Now, the way that we are triggering that is through the LED and we just grounded the first
47:02
post. Now, if I put the protector on top, we have to notice two things. First of all, there is a gap between the protector and the circuit board.
47:24
So it's the same thing. So that's the problem. They think they fixed it. They didn't fix it. So let us just tell you. We have found three or four other covert entry
47:41
attacks on this lock that we're not disclosing except to the government and to Kaba. We can open this lock literally in five seconds. No audit trail, no damage, no trace. Well, with our clock, with their clock will be like 15.
48:01
So the bottom line is security engineering failures have consequences. They have consequences in the protection of your facilities. And they can also cause legal liability. So you really need to understand what you're buying, what's secure and what's not secure.
48:22
We'd like to thank you guys for coming again. If you have any questions, we're offline.