Slashdot Mirror


AT&T Identifies Widespread Security Hole - In Locks

__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."

12 of 462 comments

  1. Overstating the risk? by hcdejong · · Score: 5, Insightful

    I see several problems with the article.

    "He said the technique could open doors worldwide for criminals and terrorists."

    • Surely, any place that's a likely target for terrorists has more security in place than cylinder locks? Like keycard access systems, or Marine guards with machine guns? This is more a criminal than a terrorist problem.
    • Most types of terrorist attack don't require access to keys. Just park a truck full of explosives in the general vicinity.
    • If the technique has been known to locksmiths, what makes the author think lockpickers haven't known about it, too?
    • This technique is only marginally safer (less detectable) than an attack with lockpicking tools.

    All in all, the article sounds more like fearmongering than a real concern.

    1. Re:Overstating the risk? by GigsVT · · Score: 5, Insightful

      It's not even a criminal problem in reality. I'd be willing to bet that 99.9% of criminals don't know how to pick locks, and don't care. There is usually little point in picking a lock when a door can be kicked in, a window broken, a lock drilled, or a padlock cut.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Overstating the risk? by Peter+Greenwood · · Score: 4, Insightful

      Don't forget, terrorists do research. Imagine an office building where someone can get taken on as a cleaner in one of the less sensitive office suites, without security checks. Obviously they get a key to that suite.

      Now imagine you work there, in a different suite, in some counter-terrorism capacity. Do you start looking under your car for plastic explosive, or not?

      Or imagine you work elsewhere, but a colleague has an office there and keeps your name and address handy ...

      --
      freedom, n. Allowing people you don't like to do things you disapprove of.
    3. Re:Overstating the risk? by sql*kitten · · Score: 4, Insightful

      "Surely, any place that's a likely target for terrorists has more security in place than cylinder locks? Like keycard access systems, or Marine guards with machine guns? This is more a criminal than a terrorist problem."

      You might think so, but consider this example. There are no litter bins in British railway stations, and very few in the centre of London, like the Square Mile. This is because IRA terrorists would leave explosive in them, in order to kill or maim as many noncombatants as possible. I think that clearly illustrates that a terrorist can turn the most ordinary, everyday objects into weapons. Maybe there's nothing important in the janitor's closet, but the lock is still there for a reason.

      "If the technique has been known to locksmiths, what makes the author think lockpickers haven't known about it, too?"

      True, but there's a difference between gaining a skill yourself and having step by step instructions. For example, any Chemistry graduate could make explosives from scratch, working from basic principles. However, anyone with step by step instructions could make it from everyday items, and those are the ones to worry about.

  2. Proverb by frn123 · · Score: 4, Insightful

    There is an old proverb in *.ee

    Locks are against wildlife. Humans will have no problems with them.

  3. If this were bits rather than molecules... by sdo1 · · Score: 5, Insightful

    ... we'd be hearing about building owners calling for new laws outlawing the tools involved, i.e. files and blank keys. After all, their assets could be compromised by the use of these tools and therefore those tools should be banned! It should not matter that there are legitimate uses for these tools and everyone knows that anyone who owns and/or uses a metal file is a criminal and should be prosecuted!

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  4. Cant wait for bluetoof by rosewood · · Score: 3, Insightful

    Am I the only one that wants bluetooth everywhere, including on my door locks, so that I can unlock my door either auto (when my cell phone + my key get close) or by entering a password (user preference)?

    Among all the other cool data sync things I think bluetooth enables, the death of keys is the other cool thing I really want bluetooth for.

    1. Re:Cant wait for bluetoof by WoodSmoke · · Score: 5, Insightful

      And when the power goes off do you want it to fail open or fail closed? Woodsmoke

  5. Re:Is this a joke? by raddan · · Score: 5, Insightful

    It's a big deal because regular people, people that trust the system, *don't* know about it. I didn't know about it, and though I knew locks could be picked, I didn't know that they could be circumvented so easily.

    Sure, locksmiths knew this. A good sysadmin also knows the weaknesses in their systems. But as a user of both locks and ecommerce, I blindly put my trust in those systems in part because I *don't* know their weaknesses!

    How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?

    It's like with PGP: what can you trust? Regular people know now that you cannot trust master-key systems.

  6. "Good Guys" vs "Bad Guys" by lildogie · · Score: 4, Insightful

    There's another aspect to this article besides the lock-hacking technique.

    The writer speaks of the familiar dilemma of whether to publish to the "Good Guys," which notifies the "Bad Guys" simultaneously, or keep the information secret, knowing the "Bad Guys" could be sharing it already. Same old story we know from cyber security.

    Then there's the "Locksmith" angle, "We've been teaching our students this for years, nothing new here." One wonders how the teachers sorted the trustworthy students from the evil students.

    Good guys, bad guys, locksmiths, students, trustworthy, evil.

    The enormous elephant here is whether people and their motives can be categorized this way. The truth is, these categories aren't cut and dried distinctions.

    Take your government agent, for instance. When we're thinking about wiretapping mad bombers, they look more like good guys. When we're thinking about wiretapping political dissidents, they're bad guys. Same people, same behaviors, different categories.

    Even discussing the distinction brings up more fuzzy categories: "bombers," "dissidents," "we."

    As long as security is addressed from a good-guys vs bad-guys distinction, the argument will go in circles, because you can't really sort out the good guys from the bad guys without a clear value context. If you're diligent, you'll get mired in the values debate, and if you're not, you'll end up drawing biased conclusions.

    The best strategy in the good guys vs. bad guys debate is not to play the game.

    When making powerful tools like locks, master keys, and cryptography, you have to bite the bullet that you can't really manage the motives of the tool users.

  7. Oh, one more thing... by Skapare · · Score: 5, Insightful

    Oh, one more thing. If you do decide to make yourself a grand master key, and are tempted to carry it around on your key ring, cut the hilt off so that the key will go in too far to work. Then only you will know that you have to put it in only part way. So if you get stopped and someone thinks you might have a master key and tries the keys on your ring, their natural human thing of "go all the way" will prevent them from detecting that your key works the lock.

    --
    now we need to go OSS in diesel cars
  8. Read the "MIT Guide To Lock Picking" by blinq · · Score: 3, Insightful

    You can find the "MIT Guide To Lock Picking" at http://www.lysator.liu.se/mit-guide/mit-guide.html .

    And specifically read section 9.10 about Master Keys. This stuff is pretty old and well circulated. The entire guide makes for a great read if you're bored. If you're interested in mind teasers, puzzles, and such, you'll appreciate what the guide talks about, even if you never attempt to pick a lock.

    --
    ~Chris