Open in Thirty Seconds Defcon 16

Download Open in Thirty Seconds Defcon 16

Post on 07-Apr-2018

213 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    1/132

    Open in 30 Seconds

    Cracking One of the

    Most Secure Locks in America

    Marc Weber Tobias

    Matt Fiddler

    Tobias Bluzmanis

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    2/132

    Agenda

    Part I: The Beginning Part II: Key Control and Key Security

    Part III: Locks Lies and Videotape

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    3/132

    PART I

    The Beginning

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    4/132

    WHY THE MEDECO CASESTUDY IS IMPORTANT

    Insight into design of high security locks Patents are no assurance of security

    Appearance of security v. Real World

    Undue reliance on Standards

    Manufacturer knowledge and Representations

    Methodology of attack

    More secure lock designs

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    5/132

    CONVENTIONAL v.HIGH SECURITY LOCKS

    CONVENTIONAL CYLINDERS Easy to pick and bump open

    No key control

    Limited forced entry resistance

    HIGH SECURITY CYLINDERS UL and BHMA/ANSI Standards

    Higher quality and tolerances

    Resistance to Forced and Covert Entry

    Key control

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    6/132

    HIGH SECURITY LOCKS:

    Protect Critical Infrastructure, highvalue targets

    Stringent security requirements

    High security Standards

    Threat level is higher

    Protect against Forced, Covert entry

    Protect keys from compromise

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    7/132

    HIGH SECURITY:Three Critical Design Factors

    Resistance against forced entry Resistance against covert and

    surreptitious entry

    Key control and key security

    Vulnerabilities exist for each requirement

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    8/132

    HIGH SECURITY LOCKS:Critical Design Issues

    Multiple security layers More than one point of failure

    Each security layer is independent Security layers operate in parallel

    Difficult to derive intelligence about a

    layer

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    9/132

    ATTACK METHODOLOGY

    Assume and believe nothing Ignore the experts

    Think out of the box

    Consider prior methods of attack

    Always believe there is a vulnerability

    WORK THE PROBLEM

    Consider all aspects and design parameters

    Do not exclude any solution

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    10/132

    ATTACKS:Two Primary Rules

    The Key never unlocks the lock Mechanical bypass

    Alfred C. Hobbs: If you can feel onecomponent against the other, you canderive information and open the lock.

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    11/132

    METHODS OF ATTACK:High Security Locks

    Picking and manipulation of components Impressioning

    Bumping

    Vibration and shock Shim wire decoding (Bluzmanis and Falle)

    Borescope and Otoscope decoding

    Direct or indirect measurement of criticallocking components

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    12/132

    ADDITIONAL METHODS OFATTACK

    Split key, use sidebar portion to setcode

    Simulate sidebar code

    Use of key to probe depths andextrapolate

    Rights amplification of key

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    13/132

    EXPLOITINGFEATURES

    Codes: design, progression Key bitting design

    Tolerances

    Keying rules Medeco master and non-master key systems

    Interaction of critical components and locking

    systems

    Keyway and plug design

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    14/132

    STANDARDSREQUIREMENTS

    UL and BHMA/ANSI STANDARDS TIME is critical factor

    Ten or fifteen minutes

    Depends on security rating

    Type of tools that can be used

    Must resist picking and manipulation

    Standards do not contemplate orincorporate more sophisticated methods

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    15/132

    COVERT and FORCEDENTRY RESISTANCE

    High security requirement

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    16/132

    CONVENTIONAL PICKING

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    17/132

    SOPHISTICATEDDECODERS

    John Falle: Wire Shim Decoder

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    18/132

    TOBIAS DECODER:Crackpot@security.org

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    19/132

    DECODE PIN ANGLES

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    20/132

    FORCED ENTRYRESISTANCE

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    21/132

    FORCED ENTRY ATTACKS:Deficiencies in standards

    Many types of attacks defined Mechanical Bypass - Not Contemplated

    Must examine weakest links

    Do not cover hybrid attacks

    Medeco deadbolt attacks

    Medeco mortise attack

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    22/132

    SIDEBAR:Bypass and Circumvention

    Direct Access Decoding attacks

    Manipulation

    Simulate the sidebar code (Medeco) Use of a key (Primus and Assa)

    Indirect access

    Medeco borescope and otoscope decodeissues

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    23/132

    FORCED ENTRY ATTACKS

    Direct compromise of critical components Medeco deadbolt 1 and 2 manipulate

    tailpiece

    Hybrid attack: two different modes Medeco reverse picking

    Defeat of one security layer: result

    Medeco Mortise and rim cylinders, defeatshear line

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    24/132

    MEDECO CASE HISTORY

    Exploited vulnerabilities Reverse engineer sidebar codes

    Analyze what constitutes security

    Analyze critical tolerances

    Analyze key control issues

    Analyze design enhancements for newgenerations of locks: Biaxial and m3and Bilevel

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    25/132

    MEDECO MISTAKES

    Failed to listen Embedded design problems from beginning

    Compounded problems with new designs

    with two new generations: Biaxial and m3 Failed to connect the dots

    Failure of imagination

    Lack of understanding of bypass techniques

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    26/132

    DESIGN = VULNERABILITY

    Basic design: sidebar legs + gates How they work: leg + gate interface

    Tolerance of gates

    Biaxial code designation Biaxial pin design: aft position decoding

    M3 slider: geometry

    M3 keyway design

    Deadbolt design

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    27/132

    MEDECO DESIGN:Exploit design vulnerabilities

    EXPLOIT BEST DESIGN FEATURES Sidebar leg true gate channel

    Code assignment: Biaxial 1985

    Gate sidebar leg tolerance

    M3 design 2003

    Widen keyway .007

    Slider geometry, .040 offset

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    28/132

    MEDECO TIMELINE

    1970 Original Lock introduced 1985 Biaxial, Second generation

    2003 m3 Third generation

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    29/132

    MEDECO LOCKS:Why are they Secure?

    2 shear lines and sidebar for Biaxial 3 independent security layers: m3

    Pins = 3 rotation angles, 6 permutations

    Physical pin manipulation difficult

    False gates and mushroom pins

    ARX special anti-pick pins

    High tolerance

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    30/132

    MODERN PIN TUMBLER

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    31/132

    MEDECO BIAXIAL

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    32/132

    MEDECO LOCKS:3 Independent Layers

    Layer 1: PIN TUMBLERS to shear line Layer 2: SIDEBAR: 3 angles x 2 positions

    Layer 3: SLIDER 26 positions

    Opened By;Lifting the pins to shear line

    Rotating each pin individually

    Moving the slider to correct position

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    33/132

    MEDECO TWISTING PINS:3 Angles + 2 Positions

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    34/132

    SIDEBAR Technology

    Blocks rotation of the plug One or two sidebars

    Primary or secondary locking

    Only shear line or secondary Integrated or separate systems

    Assa, Primus, Mul-T-Lock MT5, Evva MCS= split

    Medeco and 3KS = integrated

    Direct or indirect relationship and access bykey bitting

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    35/132

    SIDEBAR LOCKING:How does it work

    One or two sidebars Interaction during plug rotation

    Direct or indirect block plug rotation

    Sidebar works in which modes Rotate left or right Pull or push

    Can sidebar be neutralized: i.e. Medeco Setting sidebar code

    Pull plug forward, not turn

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    36/132

    SIDEBAR LOCKINGInformation from the lock?

    Feel picking: sense interactions Medeco, 3KS, Primus, Assa = direct link

    MCS = indirect link: sidebar tocomponent

    Sidebar + pins/sliders interaction to

    block each other: ability to applytorque?

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    37/132

    SECURITY CONCEPTS:Sidebar IS Medeco Security

    GM locks, 1935, Medeco re-invented Heart of Medeco security and patents

    Independent and parallel security layer

    Integrated pin: lift and rotate to align

    Sidebar blocks plug rotation

    Pins block manipulation of pins forrotation to set angles

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    38/132

    PLUG AND SIDEBAR:All pins aligned

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    39/132

    SIDEBAR RETRACTED

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    40/132

    PLUG AND SIDEBAR: Locked

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    41/132

    MEDECO CODEBOOK:At the heart of security

    All locksmiths worldwide must use All non-master keyed systems

    New codes developed for Biaxial in1983

    Chinese firewall: MK and Non-MK

    Codebook defines all sidebar codes

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    42/132

    MEDECO RESEARCH:Results of Project

    Covert and surreptitious entry in as little as30 seconds: standard requires 10-15 minutes

    Forced entry: four techniques, 30 seconds,

    affect millions of locks Complete compromise of key control

    Duplication, replication, simulation of keys

    Creation of bump keys and code setting keys Creation of top level master keys

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    43/132

    M3 SLIDER:Bypass with a Paper clip

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    44/132

    SECURITY OF m3:

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    45/132

    Video Demo:

    Medeco Slider Bypass

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    46/132

    RESULTS OF PROJECT:Picking

    Pick the locks in as little as 30 seconds Standard picks, not high tech tools

    Use of another key in the system to set

    the sidebar code

    Pick all pins or individual pins

    Neutralize the sidebar as security layer

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    47/132

    PICKING A MEDECO LOCK

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    48/132

    Video Demo:

    Picking Medeco Locks

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    49/132

    RESULTS OF PROJECT:Reverse Picking

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    50/132

    Video Demo:

    Reverse Picking Medeco Locks

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    51/132

    RESULTS OF PROJECT:Bumping

    Reliably bump open Biaxial and m3locks

    Produce bump keys on Medeco blanks

    and simulated blanks Known sidebar code

    Unknown sidebar code

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    52/132

    MEDECO BUMP KEY

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    53/132

    Video Demo:

    Bumping Medeco Locks Jenna Lynn

    Tobias

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    54/132

    RESULTS OF PROJECT:Decode Top Level Master Key

    Determine the sidebar code in specialsystem where multiple sidebar codesare employed to protect one or more

    locks Decode the TMK

    PWN the system

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    55/132

    RESULTS OF PROJECT:Forced Entry Techniques

    Deadbolt attacks on all three versions Deadbolt 1 and 2: 30 seconds

    Deadbolt 3: New hybrid technique of

    reverse picking Mortise and rim cylinders

    Prior intelligence + simulated key

    Interchangeable core locks

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    56/132

    DEADBOLT ATTACK

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    57/132

    DEADBOLT BYPASS: 2$Screwdriver + $.25 materials

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    58/132

    Video Demo:

    Deadbolt Bypass: Original

    Interim Fix

    Current Production

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    59/132

    MEDECO BILEVEL

    2007 Bilevel locks introduced Integrate low and high security tocompete

    Flawed design, will affect systemsecurity when integrated into highsecurity system

    Borescope decoding of aft pins tocompromise security of entire system

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    60/132

    CONNECTING THE DOTS:The Results Biaxial Code assignment: Reverse

    Engineer for all non-master key systems

    Gate tolerance: 4 keys to open

    NEW CONCEPT: Code Setting keys Sidebar leg-gate interface: NEW CONCEPT:

    Setting sidebar code

    M3 Wider keyway: Simulated blanks Slider design: paper clip offset

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    61/132

    4 KEYS TO THE KINGDOM

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    62/132

    PART II

    Key Control

    andKey Security

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    63/132

    KEY CONTROL: The Theory

    PROTECTION OF BLANKS OR CUTKEYS FROM ACQUISITION OR USE:

    Unauthorized duplication

    Unauthorized replication Unauthorized simulation

    restricted keyways

    proprietary keyways sectional keyways

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    64/132

    MEDECO INSECURITY:Real World Threats - Keys

    VIOLATION OF KEY CONTROL andKEY SECURITY

    Compromise of entire facility

    Improper generation of keys

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    65/132

    KEYS and KEY CONTROLKEYS: EASIEST WAY TO OPEN LOCKS

    Change key or master key

    Duplicate correct bitting

    Bump keys

    Rights amplification: modify keysPROTECTION OF KEYS

    Side bit milling: Primus and Assa

    Interactive elements: Mul-T-Lock

    Magnets: EVVA MCS

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    66/132

    0WN THE SYSTEM:Obtaining the Critical Data

    TECHNIQUES TO OBTAIN KEY DATA Impressioning methods

    Decoding: visual and Key Gauges

    Photograph

    Scan keys

    Copy machine

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    67/132

    KEYS: CRITICAL ELEMENTS

    Length = number of pins/sliders/disks

    Height of blade = depth increments = differs

    Thickness of blade = keyway design

    Paracentric design Keyway modification to accommodate other

    security elements

    Finger pins Sliders

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    68/132

    KEY CONTROL

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    69/132

    KEY CONTROLKEY SECURITY

    Duplicate Replicate

    Simulate

    Key control and Key Security may not

    be synonymous!

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    70/132

    KEY SECURITY: A Concept

    Key control = physical control of keys

    Prevent manufacture and access to blanks

    Control generation of keys by code

    Patent protection

    Key security = compromise of keys Duplication

    Replication

    Simulation

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    71/132

    MEDECO KEY CONTROL:Appearance v. Reality WHAT IS IT SUPPOSED TO MEAN?

    ARE THE STANDARDS SUFFICIENT?

    REAL WORLD VULNERABILITIES

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    72/132

    MEDECO KEY CONTROL:Virtually Impossible to Copy

    High security starts with key control; a processthat insures that keys cannot be duplicatedwithout proper permission. Clearly, if anyone

    can have a locks key copied, then it trulydoesnt matter how tough the lock itself isbuilt. Medecos patented key control makes itvirtually impossible for someone to duplicatea commercial or residential key withoutproper permission.

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    73/132

    MEDECO HIGH SECURITYKEYS v. STANDARD KEYS

    A standard key can be copied at a millionstores without restriction or proof of

    ownership. Unauthorized duplicate keys

    often result in burglaries, theft, vandalism,and even violent crimes.

    Medeco advertising brochure

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    74/132

    Video Demo:

    Medeco Key Copy Promo

  • 8/4/2019 Open in Thirty Seconds Defcon 16

    75/132

    MEDECO KEY CONTROL:The ProblemCIRCUMVENTING SECURITY LAYERS

    Keyway...

Recommended

View more >