INSECURITY ENGINEERING: Locks, Lies, and Videotape
DEF CON 18 presentation

LOCK DESIGN: MECHANICAL v. SECURITY ENGINEERING
• PRIOR DefCon PRESENTATIONS
• Vulnerabilities in mechanical and electro-mechanical locks
• Resulted from defective or deficient engineering
• All-encompassing standards problem
• Failure to understand “why” locks can be opened, rather than “how”

INSECURITY ENGINEERING
• DEFICIENT OR DEFECTIVE PRODUCTS
  – Intersection of mechanical and security engineering
• FALSE SENSE OF SECURITY
  – What appears secure is not
  – How do you know the difference?
  – Undue reliance on standards
• MISREPRESENTATIONS BY MFG

SPECIFIC DESIGN FAILURES
• KWIKSET SMART KEY®
• KABA IN-SYNC
• AMSEC ELECTRONIC SAFE ES813
• ILOQ ELECTRO-MECHANICAL LOCK
• BIOLOCK FINGERPRINT LOCK
  – Examine each lock for security vulnerabilities
  – Statements from the manufacturers about their security

LOCKS: THE FIRST LINE OF DEFENSE
• LOCKS: FIRST SECURITY BARRIER
• OFTEN, THE ONLY SECURITY LAYER
• MEASURED BY STANDARDS
• WHAT IF NOT RATED BY UL or BHMA?
• HOW DO YOU KNOW THAT LOCKS ARE SECURE?
• WHAT DOES “SECURE” MEAN?

MANUFACTURER RESPONSIBILITIES
• UNIQUE RESPONSIBILITY FOR COMPETENCE
  – MECHANICAL ENGINEERING
  – SECURITY ENGINEERING
• IMPLIED REPRESENTATIONS
  – “WE ARE EXPERTS”
  – SECURITY OF THEIR PRODUCTS
  – REPRESENTATIONS
  – “WE MEET OR EXCEED STANDARDS”

EXPERTISE REQUIRED IN LOCK DESIGN
• MECHANICAL ENGINEERING
• SECURITY ENGINEERING
• MINIMUM INDUSTRY STANDARDS REQUIRE A LEVEL OF KNOWLEDGE
• SECURITY ENGINEERING REQUIRES:
  – UNDERSTANDING THE USE OF WIRES, MAGNETS, PAPERCLIPS, BALL POINT PENS, ALUMINUM FOIL
  – BYPASS TECHNIQUES

ENGINEERING FAILURES: RESULTS AND CONSEQUENCES
• INSECURITY ENGINEERING
  – Insecure products
  – Often easily bypassed
  – Use standards as the measure when they do not address the relevant issues
  – Products look great but are not secure
  – False sense of security

COST AND APPEARANCE v. QUALITY AND SECURITY
• DO YOU GET WHAT YOU PAY FOR?
• $2 LOCKS ARE $2 LOCKS!
• SHORTCUTS DO NOT EQUAL SECURITY
• CLEVER DESIGNS MAY REDUCE SECURITY
• PATENTS DO NOT GUARANTEE SECURITY

SECURITY GRADES v. SECURITY RATINGS
• UL 437 AND BHMA 156.30 SECURITY STANDARDS
• BHMA SECURITY GRADES
• DEADBOLT SECURITY
  – Lock cylinder v. locking hardware
  – Locks and hardware are different
  – “The key never unlocks the lock”

LOCK MFG OFTEN CANNOT OPEN THEIR OWN LOCKS
• MEET STANDARDS BUT NOT SECURE
• MISREPRESENTATIONS
• PRODUCE INSECURE PRODUCTS
• TODAY: FIVE EXAMPLES OF DEFICIENT OR INCOMPETENT SECURITY ENGINEERING

FIVE EXAMPLES: INSECURITY ENGINEERING
• CONVENTIONAL PIN TUMBLER LOCK
• ELECTRO-MECHANICAL LOCK
• BIOMETRIC FINGERPRINT LOCK
• ELECTRONIC RFID LOCK
• CONSUMER ELECTRONIC SAFE
  – All appear secure: none are!
  – This year, focus on the wider problem
  – Representative sample
  – Hundreds of bypass tools based upon insecurity

ANALYSIS OF EACH LOCK
• HOW IT WORKS
• WHY DEFICIENT OR DEFECTIVE
• BYPASS VULNERABILITIES
• STATEMENTS BY MANUFACTURERS
• MUST UNDERSTAND THE METHODOLOGY
• REMEMBER THE FIRST RULE: “THE KEY NEVER UNLOCKS THE LOCK”

EXAMPLE #1: KWIKSET SMART KEY®

KWIKSET SMART KEY®
• $2 TO MANUFACTURER
• CLEVER DESIGN; OUR OPINION: POOR SECURITY
• NOT JUST OURS: READ THE MANY COMMENTS ON THE WEB
• MANY SECURITY VULNERABILITIES
• MILLIONS SOLD EVERY YEAR
• EXTREMELY POPULAR LOCK

KWIKSET ATTRIBUTES
• CLEVER DESIGN
• PROGRAMMABLE
• COPIED AND MODIFIED EARLIER DESIGNS
• CANNOT BUMP
• DIFFICULT TO PICK
• RATINGS

KWIKSET REPRESENTATIONS
• “ANSI Grade 1 deadbolt for the ultimate in security. Secure your home in seconds with SmartKey.”
• INCREASED SECURITY
• BUMP RESISTANT
• PICK RESISTANT

HOW SMART KEY WORKS

VULNERABILITIES
• COMMERCIAL TOOLS AVAILABLE
• EASY TO COMPROMISE WITH SIMPLE IMPLEMENTS, RAPID ENTRY
  – COVERT ENTRY
  – FORCED ENTRY
  – KEY SECURITY

KWIKSET SECURITY
• TINY SLIDERS
• THIN METAL COVER AT END OF KEYWAY
• OPEN RELATIVELY EASILY AND QUICKLY
  – Wires
  – Small screwdriver
  – $.05 piece of metal

KWIKSET SLIDERS: The Critical Component

EXAMPLE #2: ILOQ
• MADE IN FINLAND
• VERY CLEVER DESIGN
• COST: $200+
• ELECTRO-MECHANICAL DESIGN
• MECHANICAL KEY + CREDENTIALS
• NO BATTERIES: LIKE A CLOCK AND MAGNETO, GENERATES ITS OWN POWER

ILOQ: OUR SECURITY

ILOQ MECHANISM

ALL KEYS IDENTICAL

ILOQ VULNERABILITIES
• SET THE LOCK ONCE
• ANY KEY WILL OPEN
• NO NEED FOR CREDENTIALS
• VIRTUALLY NO SECURITY
• DIFFICULT TO DETECT
• LOCK OPERATES NORMALLY ONCE SET

EXAMPLE #3: KABA IN-SYNC RFID-BASED LOCK

KABA IN-SYNC ATTRIBUTES
• WIDE APPLICATION
• AVAILABLE FOR SEVERAL YEARS
• MILITARY AND CIVILIAN APPLICATIONS
• USES A SIMULATED PLASTIC KEY WITH RFID
• AUDIT TRAIL

IN-SYNC INTERNAL MECHANISM: LOCKING

BOLT RETRACTS

TURN TO OPEN

EXAMPLE #4: AMSEC ES813 CONSUMER “SAFE”

ELECTRONIC KEYPAD

AMSEC SAFE ES813 AND OTHERS
• CONSUMER LEVEL SAFE
• $100 FOR SMALLEST UNIT
• ELECTRONIC KEYPAD
• HOW MUCH SECURITY IS EXPECTED?
• INCOMPETENT DESIGN
• FOUND IN MANY OTHER SAFES

EXAMPLE #5: BIOLOCK

BIOMETRIC LOCK
• FINGERPRINT + BYPASS CYLINDER
• LOOKS SECURE
• $200 OR MORE
• INSECURITY ENGINEERING AT ITS BEST

LESSONS LEARNED
• CLEVER SECURITY
• LOCKS REQUIRE BOTH MECHANICAL AND SECURITY ENGINEERING
• PATENTS DON’T GUARANTEE SECURITY
• STANDARDS DO NOT MEAN SECURITY

INDUSTRY UPDATE
• STANDARDS
  – BUMPING
  – PROPOSED BHMA CHANGES
• MANUFACTURERS ARE PAYING ATTENTION AND MAKING CHANGES
• CORRECTING PROBLEMS FROM PRIOR DEFCON PRESENTATIONS
• WORKING WITH MANUFACTURERS TO TEST LOCKS “REAL WORLD”

SECURITY LABS: REAL WORLD TESTING
• MISSION OF SECURITY LABS
  – TEST LOCKS FOR MAJOR COMPANIES AND VENDORS
  – LEVEL ABOVE UL, BHMA, AND OTHERS
  – DETERMINE AND EXPOSE VULNERABILITIES
  – WORK WITH CLIENTS IN NEW PRODUCT DESIGN
  – PURSUE ACTIONS FOR DEFECTIVE PRODUCTS

CONCLUSIONS
• MISREPRESENTATIONS BY MANY MANUFACTURERS
• HIGH-TECH DESIGNS SECURITY
• BYPASS TOOLS FOR MANY LOCKS RELY ON INSECURITY
• MANY MFG DON’T KNOW OF VULNERABILITIES
• INSECURITY = LIABILITY
• CAVEAT EMPTOR

INSECURITY ENGINEERING: Locks, Lies, and Videotape
© 2010 Marc Weber Tobias, Tobias Bluzmanis, Matthew Fiddler