Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Identifies Widespread Security Hole - In Locks

Posted by timothy on from the analogies-reversed dept.

__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."

27 of 462 comments (clear)

  1. i suppose that by mrpuffypants · · Score: 5, Funny

    so now Master is going to have to release patches and hotfixes?

    "Hey steve, check out my new lock!"

    "pffft, is it v.3.21.7?"

    "no"

    "that's like an invite for key kiddies and 1337 crackers"

    1. Re:i suppose that by HermDog · · Score: 4, Funny

      I must have missed the CERT advisory. Which Linux distros are affected? OpenBSD, of course, is not vulnerable as long as you use the default installation inside the welded safe.

      --
      JADBP
    2. Re:i suppose that by sg_oneill · · Score: 4, Funny

      No it was a "crack" that went around more in underground circles.

      It didn't come to attention till a spate of Office buildings found the safe hidden and the words "Ownzed by l337 b3rgl@rz!!!" spraypainted in foyers.

      I believe Scotland yard are preparing a deb update.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  2. Re:I'm locked out of the article.. by fistynuts · · Score: 2, Funny

    How did you post that message then?

    --
    "You heard the man, Tubbs.. get undressed."
  3. Of course.. by tomknight · · Score: 0, Funny
    ..it's all Microsoft's fault.

    Tom.

    --
    Oh arse
  4. d00d I have your brass k0d3z by Anonymous Coward · · Score: 0, Funny

    And eye will own your barbies!#()!)(% PHEYUR!!! this is a sig line this is a sig line this is a sig line

  5. Upgrade quickly by angelsdescent · · Score: 4, Funny


    In the cert advisory, The Microsoft Corporation are quoted "Those who upgrade to Windows XP Service Pack One should be unaffected by this exploit"

    :-)

    1. Re:Upgrade quickly by squiggleslash · · Score: 5, Funny

      I think everyone should be made aware that this vulnerability largely affects doors rather than windows...

      --
      You are not alone. This is not normal. None of this is normal.
  6. better get your copy of the paper while you can by Anonymous Coward · · Score: 1, Funny

    http://www.crypto.com/papers/

  7. little known? by Talisman · · Score: 4, Funny

    "...a little-known vulnerability in many locks..."

    Yeah, until now.

    Talisman

    --

    "Study your math, kids. Key to the universe." -The Archangel Gabriel
    1. Re:little known? by stud9920 · · Score: 4, Funny
      "...a little-known vulnerability in many locks..."
      Yeah, until now.
      You do not actually believe ./ folks read the article, do you ?
  8. security by v(*_*)vvvv · · Score: 5, Funny

    This is hilarious.

    I mean, anyone can break a window and jump right in!!

    We can call that a "backdoor", and the plywood to cover them "patches".

  9. In other news... by grahamlee · · Score: 4, Funny

    Xerox PARC have issued an advisory stating that any combination lock can be "cracked" by a malicious terrorist with a finger. Due to the digital [sigh...] nature of this crime, it is now illegal to own a finger under the terms of the DMCA and patriotic Americans are being asked to remove all their fingers in a show of solidarity. U.S. President, George W. Bush, is said to be having some difficulty removing his finger from his arse. £:-)

    BTW did the original story remind anyone else of the safe-cracking chapter in "Surely you're joking, Mr. Feynman"?

  10. This is clearly illegal! by Lethyos · · Score: 5, Funny

    I think that the manufacturer of the locks should sue AT&T under the DMCA for exposing weaknesses in an access control device. Furthermore, AT&T are terrorists for releasing this sensitive security information to the Net before other sites using the same locks are able to correct the vulnerability. I demand that the perpetrators that discovered the weakness with these locks be sentenced to life in prison. We can't have these hackers running free, finding security holes and disrupting national security!

    --
    Why bother.
  11. Schlage to Invoke DMCA by Bob9113 · · Score: 3, Funny

    A Schlage employee, on condition of anonymity, said that they were consulting with their legal team on the feasibility of invoking the DMCA against Matt Blaze and AT&T. "Schlage locks are frequently used as a technological measure to protect copyrighted materials. By trafficking in information which allows the compromise of these locks, Mr. Blaze and AT&T are clearly violating the Digital Millenium Copyright Act."

    --
    Stop-Prism.org: Opt Out of Surveillance
  12. Re:Great Satire! by Anonymous Coward · · Score: 1, Funny

    You must have low self-esteem to believe that everybody else in the world knows the same things you do.

  13. Re:MIT Guide to Lockpicking by slothbait · · Score: 2, Funny

    Ah that guide was great fun back in high school. How did that guy running for president get flyers in the faculty bulleting board? Simple says I, Ninjas!
    The MIT guide mentions the file down master key trick, that was 1991.

    With this new article I may have to try again, the last time I tried to do something with the a master key at my university I ended up matching the right pattern for the key that pulled the cylinder (used to change the lock). It was not fun to explain why my dorm lock had 'magically' come out of my door to the Office of the Physical Plant.
    Lesson learned don't pick your own nose if it is exposed, err locks I mean locks.

  14. Kevin Again? by aburnsio.com · · Score: 2, Funny
    Kevin's only been on the net a few days now, and look what happens!

    No need to "Free Kevin" anymore... he's got the master key!

    "No, Officer, I didn't steal the key to the prison, I didn't take any hostages, all I had to do to get out was use this file here that Randall sent me in a Perl 6.0 Birthday Cake..."

  15. Re:HOW TO DO IT by mav[LAG] · · Score: 1, Funny

    5) insert key2, rinse, lather repeat.

    So all we have to do is be on the lookout for suspicious looking characters with soapsuds still in their hair?

    *duck* - the rest of your points well taken.

    --
    --- Hot Shot City is particularly good.
  16. Re:I have been doing it all wrong!!! by Hellkitten · · Score: 2, Funny

    Well as en evil overlord you should know that it's always preferable to get the key to the restroom, make a master key, and then copy the plans of the good guys without them ever knowing

    You break down the door and steal the plans: they change the plans and install stronger door. That's a vicious circle

    You make a master key and steal their plan, they know nothing, plan stays the same, locks stays the same. You screw their plan over without letting on you know it, then next week when they have a new plan you go get that too.

    pff evil overlords these days, no respect for finesse. You should be EvlUndrLrd instead

    And no Occams razor doesn't apply, "Out of two possible explanations the simplest one is most likely to be true". You seem to be thinking along the lines of "Out of two methods of breaking and entering, the simplest one has to be better" which may not be true depending on the situation

    Compare the time it takes to make a master key and enter 100 rooms to the time to break down 100 doors

    --
    - We are the slashdot. Resistance is futile. Prepare to be moderated -
  17. In fact ... by A+nonymous+Coward · · Score: 2, Funny

    ... this is the vaunted back door or front door exploit ... side doors too.

    --
    Infuriate left and right
  18. Re:Social Engineering by Anonymous Coward · · Score: 1, Funny
    Let's not forget that with a little social engineering you can get the same results. When I was in High School I obtained the master keys for both the Middle School and the High School, even had the alarm codes at one time. It's all about who you know (or sleep with).


    So did you sleep with the principal, or the janitor? :-)
  19. As long as you can get the blank keys, yes .. by AftanGustur · · Score: 2, Funny


    The method as described on other comments, is just brilliant.. But there is one problem that nobody has mentioned..

    How do you get the blanks ?
    You see, with master-key systems the keys have other shapes than ordinary keys (often a mirror pattern if you look at the end of the key, so ordinary keys won't fit in master locks) Keys in master-key systems are often also a little longer than ordinary keys.

    And Joe sixpack just can't walk into any hardware store and ask for the blanks.. The hardware store has limited numbers (if any at all) and has to get the paper-certificate that was delivered with the key-system, before they will cut you a new copy.

    And, no, just bringing the master key to them and asking for a copy doesn't work (I already tried that ;-)

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  20. Nope, (D)MCA doesn't apply... by Starman9x · · Score: 1, Funny
    looking for scratches at various heights is an ANALOG process -- the DIGITAL millenium crap doesn't apply :)

    1. Re:Nope, (D)MCA doesn't apply... by Reziac · · Score: 2, Funny

      But just wait til they plug the analog hole ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  21. Re:Oh, one more thing... by Obfuscant · · Score: 3, Funny
    ...cut the hilt off so that the key will go in too far to work.

    This is still too dangerous, since they can see that you cut off the hilt and they can just compare your key to theirs (if they have a master of their own.)

    Much better to cut the key backwards -- that is, the cut normally at the end appears next to the hilt, etc. Unless the master is symmetrical, they won't be able to compare it to theirs, and it won't work when they try it.

    Of course, you'll have to insert it from the back of the lock to use it, but that's a minor inconvenience compared to prison time.

  22. Re:I brute force guessed a medico in college. by commodoresloat · · Score: 2, Funny

    I brute forced the lock on my dorm room door when I was in college. It took a few tries, but I kicked and kicked until the door broke open.