AT&T Identifies Widespread Security Hole - In Locks
__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."
Looks like there is a way to hack without worrying about the DMCA!
I see several problems with the article.
He said the technique could open doors worldwide for criminals and terrorists.
All in all, the article sounds more like fearmongering than a real concern.
There is an old proverb in *.ee
Locks are against wildlife. Humans will have no problems with them.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
Am I the only one that wants bluetooth everywhere, including on my door locks, so that I can unlock my door either auto (when my cell phone + my key get close) or by entering a password (user preference)?
Among all the other cool data sync things I think bluetooth enables, the death of keys is the other cool thing I really want bluetooth for.
The ultimate network admin tool needs HELP!
this is absolutely hilarious because of the fact that this so plainly illustrates the hypocrisy inherent in the DMCA.
if this guy were publishing a similar article about virtual locks in operating systems, he would be in JAIL already, awaiting trial and facing billions of dollars of charges against him.
gotta love it
A year spent in artificial intelligence is enough to make one believe in God.
> Everybody knows that.
Indeed. I knew it when I was ten, and I'd never even met an actual locksmith.
The solution is equally simple: if security actually matters, you sacrifice the convenience of having a single master key and install locks that use a completely different key in the places that matter. Your "master key" is then a whole ring of keys, but hey.
Next they'll start talking about how the social engineering technique used by computer crackers can be used in the real world too... just phone up the front desk and ask 'em to unlock the side door and let in the plumber...
Cut that out, or I will ship you to Norilsk in a box.
I don't think this was a joke. I think the two points that the article really made were that this is the first comprehensive analysis of the problem and that it provides a formula for building a master key without disassembling the lock. Anyone given enough time and an actual lock to work with can certainly make a master key. The article indicated that using this approach it was not necessary to disassemble the lock and that the number of iterations needed to arrive at a solution has been reduced when compared to a brute force attack. The article indicated that the attack has been executed by others but that this is the first formal analysis of the vulnerability.
Never disturb your enemy while he is busy making a mistake.
Most Scottish railway stations have bins in them, as Scotland is not seen as an IRA target (apparently, we have a common cause - liberation from England - and that means the IRA sees us as kindred spirits).
It's a big deal because regular people, people that trust the system, *don't* know about it. I didn't know about it, and though I knew locks could be picked, I didn't know that they could be circumvented so easily.
Sure, locksmiths knew this. A good sysadmin also knows the weaknesses in their systems. But as a user of both locks and ecommerce, I blindly put my trust in those systems in part because I *don't* know their weaknesses!
How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?
It's like with PGP: what can you trust? Regular people know now that you cannot trust master-key systems.
The master key does not necessarily suffer the same limits. Consider a lock where your key has a (trivial) code of 11111 (minimal cuts) and the master key has a code of 99999 (all cut to the maximum depth; I'm using Schlage codes here, just because the only key I have handy with a code stamped on it happens to be a Schlage.) In that case, none of your test keys will open the door because they will all have a 9 next to a 1 and wouldn't fit into the lock (or worse, would stick in the lock and not come back out) but neither the individual key nor the master key will have any large transitions (in fact, they won't have any transitions at all.)
I would guess that ensuring a condition like this exists is one of the suggested workarounds in the original paper.
A lifelong friend of mine is a locksmith. He taught me how to pick a lock in under three minutes.
You have no idea just how vulnerable these locks really are to someone who even remotely knows what he's doing. The locks you see in schools, offices and places like car dealerships are the easiest to pick, believe it or not.
"People should be allowed to keep midgets as pets."
- Gov. Jesse Ventura
There's another aspect to this article besides the lock-hacking technique.
The writer speaks of the familiar dilemma of whether to publish to the "Good Guys," which notifies the "Bad Guys" simultaneously, or keep the information secret, knowing the "Bad Guys" could be sharing it already. Same old story we know from cyber security.
Then there's the "Locksmith" angle, "We've been teaching our students this for years, nothing new here." One wonders how the teachers sorted the trustworthy students from the evil students.
Good guys, bad guys, locksmiths, students, trustworthy, evil.
The enormous elephant here is whether people and their motives can be categorized this way. The truth is, these categories aren't cut and dried distinctions.
Take your government agent, for instance. When we're thinking about wiretapping mad bombers, they look more like good guys. When we're thinking about wiretapping political dissidents, they're bad guys. Same people, same behaviors, different categories.
Even discussing the distinction brings up more fuzzy categories: "bombers," "dissidents," "we."
As long as security is addressed from a good-guys vs bad-guys distinction, the argument will go in circles, because you can't really sort out the good guys from the bad guys without a clear value context. If you're diligent, you'll get mired in the values debate, and if you're not, you'll end up drawing biased conclusions.
The best strategy in the good guys vs. bad guys debate is not to play the game.
When making powerful tools like locks, master keys, and cryptography, you have to bite the bullet that you can't really manage the motives of the tool users.
Oh, one more thing. If you do decide to make yourself a grand master key, and are tempted to carry it around on your key ring, cut the hilt off so that the key will go in too far to work. Then only you will know that you have to put it in only part way. So if you get stopped and someone thinks you might have a master key and tries the keys on your ring, their natural human thing of "go all the way" will prevent them from detecting that your key works the lock.
now we need to go OSS in diesel cars
ALL security is by obfuscation, to some degree. Got a password? That's obfuscation... access relies on something only you know.
The goal of security technology is to make something as secure as possible with the least cost possible.
All security systems rely on a secret of some sort. However, where they differ is in what has to be kept secret.
In a well-designed lock I would assert that the only thing that would have to be secret is the key itself, which I'd keep on a string around my neck at all times. If, to keep things secret, the workings of the lock mechanism itself have to be protected, you have created a vulnerability. If your neighbor wants to break in they can just buy another lock of the same brand and take it apart to figure out how it works.
Secrets are very hard to protect. A password is either short and easy to guess or long and hard to remember. If you write it down then it is easier for an opponent to obtain. A good security system of any kind should avoid relying on secrets any more than necessary.
Does the bank do other stuff? YES, they have alarms, and a vault. The vault has a combination. Does that make it security through obscurity, and hence, designed by idiots?
The workings of the alarms and the vault are not secret. However, the exact alarm code and combination used by the bank are. If the alarm and vault are well-designed, the knowledge of how they work should provide little benefit to a burglar. The only things that have to be kept secret are the codes.
In the case of the master key vulnerability, simply keeping the master key well-protected affords little to no protection as long as ordinary keys are issued. The burglar needs only to know how the lock mechanism works to break it - and this is common knowledge now.
That isn't to say that new vulnerabilities won't be found in existing systems, but a well-designed security system should not rely on keeping the operation of the system secret.
> How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?
Mine can't. Not only is the lock not mastered; the master key for the building has a different keyway than the server room, therefore you can't even stick the master in the lock.
Okay, I've read the full article [that's what RTFA means, isn't it?], and they say that to defeat privilege escalation, you have to add to each lock pin a random additional pseudo-master-lock combination. However, they then note that this decreases the security of each individual lock.
What they don't say, but is easily calculated, is that you can raise the security of each individual lock by increasing the number of pins.
Specifically: if you have a single master key, then you have to go from double-cut up to triple-cut. That means that I'll work with log-base-3 below (for triple cut).
In that case, if P is the number of additional pins you must add, having formerly had N pins, and x (let us suppose 9) is the number of possible cut heights, then
P = N / [log_3(x) - 1]
So if you have 9 possible heights for each pin, a single master key, and 5 tumblers, then you can prevent privilege escalation with no further loss in security by going to 5 + [5/(2-1)] = 10 pins. Not common today, but not impossible. Currently most locks run from 5 pins to 8 pins. Add two pins to an 8-pin lock, and you get your 10-pin security, privilege-protected.
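The arithmetic in the comment above, worked through in code as an added example (not from the comment author, the article or the paper). It compares how many cut keys operate an unmastered, mastered and master-plus-decoy chamber set, and applies the commenter's P = N/[log_c(x) - 1] formula; the function names and the rounding to a whole number of pins are my own.

```python
import math

# Pin-tumbler key arithmetic: a lock has `pins` chambers, each cut to one of
# `heights` depths. A chamber that accepts `cuts_per_pin` depths is:
#   1 = unmastered, 2 = change key + master, 3 = change key + master + decoy
# (the "pseudo-master" combination the article proposes).


def keyspace(pins: int, heights: int) -> int:
    """Number of distinct keys that can be cut for this lock."""
    return heights ** pins


def operating_keys(pins: int, heights: int, cuts_per_pin: int) -> int:
    """How many of those keys open the lock: any accepted depth at every chamber."""
    return cuts_per_pin ** pins


def security_bits(pins: int, heights: int, cuts_per_pin: int) -> float:
    """log2 of the work factor for a random key: keyspace / operating keys."""
    return pins * math.log2(heights / cuts_per_pin)


def extra_pins_for_parity(pins: int, heights: int, cuts_per_pin: int = 3) -> tuple:
    """Commenter's formula P = N / (log_c(x) - 1): pins to add so that a lock whose
    chambers each accept `cuts_per_pin` depths is as strong as the original
    unmastered N-pin lock. Returns (exact real P, whole pins actually needed).
    Generalises the comment's triple-cut case to any cuts_per_pin."""
    denom = math.log(heights, cuts_per_pin) - 1
    if denom <= 0:
        raise ValueError("every chamber would accept every depth; no pin count helps")
    exact = pins / denom
    return exact, math.ceil(exact - 1e-9)  # tolerate float noise such as 5.0000000004


if __name__ == "__main__":
    n, x = 5, 9  # the comment's example: 5 tumblers, 9 Schlage-style depths
    print(f"{n} pins, {x} heights: {keyspace(n, x)} cuttable keys")
    for cuts, label in ((1, "unmastered"), (2, "one master"), (3, "master + decoy")):
        print(f"  {label:15s} {operating_keys(n, x, cuts):4d} keys open it, "
              f"{security_bits(n, x, cuts):5.2f} bits")
    exact, whole = extra_pins_for_parity(n, x, 3)
    print(f"extra pins for parity with triple cut: {exact:.2f} -> {n + whole} pins total")
```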
Or you can go open source.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
> How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?
How many sysadmins keep trying to convince their bosses that security is important, only to discover that the custodial staff routinely pops in the server room to empty the trash?
Sadly, not everyone understands that security is an issue.
And specifically read section 9.10 about Master Keys. This stuff is pretty old and well circulated. The entire guide makes for a great read if you're bored. If you're interested in mind teasers, puzzles, and such, you'll appreciate what the guide talks about, even if you never attempt to pick a lock.
~Chris
We used this technique to figure out the grand master key for our school. That was in 1977... The school keys employed a registered blank but we managed to fabricate acceptable keys out of sheet metal.
A tougher problem was creating what's called a control key. This key is used to remove the guts of the lock (called the core) from the cylinder. The way this works is that the pins line up at a different level inside the lock, causing a separate sheath to turn and disengage the core from the cylinder.
Of course we had to have a control key. But it is nearly impossible to pick the lock at the control level since there is no way to put pressure on the inner sheath. (Some systems have grooved sheaths you can torque on with a special tool, but not this one. And of course there's no such thing as an individual control key.)
Since the control key level shared some (but not all) pin breaks with the master key it is theoretically possible to use the master to reduce the number of possible control keys. But we were never able to work it out. Eventually we found an abandoned door with a lock still on it and drilled it. That gave us our control key.