Slashdot Mirror


AT&T Identifies Widespread Security Hole - In Locks

__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."

13 of 462 comments

  1. i suppose that by mrpuffypants · · Score: 5, Funny

    so now Master is going to have to release patches and hotfixes?

    "Hey steve, check out my new lock!"

    "pffft, is it v.3.21.7?"

    "no"

    "that's like an invite for key kiddies and 1337 crackers"

  2. Here it is without registering for NYT by elodan · · Score: 5, Informative
  3. Overstating the risk? by hcdejong · · Score: 5, Insightful

    I see several problems with the article.

    He said the technique could open doors worldwide for criminals and terrorists.

    • Surely, any place that's a likely target for terrorists has more security in place than cylinder locks? Like keycard access systems, or Marine guards with machine guns? This is more a criminal than a terrorist problem.
    • Most types of terrorist attack don't require access to keys. Just park a truck full of explosives in the general vicinity.
    • If the technique has been known to locksmiths, what makes the author think lockpickers haven't known about it, too?
    • This technique is only marginally safer (less detectable) than an attack with lockpicking tools.

    All in all, the article sounds more like fearmongering than a real concern.

    1. Re:Overstating the risk? by GigsVT · · Score: 5, Insightful

      It's not even a criminal problem in reality. I'd be willing to bet that 99.9% of criminals don't know how to pick locks, and don't care. There is usually little point in picking a lock when a door can be kicked in, a window broken, a lock drilled, or a padlock cut.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  4. If this were bits rather than molecules... by sdo1 · · Score: 5, Insightful
    ... we'd be hearing about building owners calling for new laws outlawing the tools involved, i.e. files and blank keys. After all, their assets could be compromised by the use of these tools and therefore those tools should be banned! It should not matter that there are legitimate uses for these tools and everyone knows that anyone who owns and/or uses a metal file is a criminal and should be prosecuted!

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  5. Fundamental problem with any master key system by wowbagger · · Score: 5, Interesting

    Any system that has a "master key" to allow access - be it a physical lock on a door, a backdoor to a program, a key-escrow system, whatever, allows this kind of attack - get the master key, game over.

    I had to design an encryption system to manage software options in a piece of gear I designed. I thought about having a "back-door" to enable options on any unit, the better to test software. I quickly abandoned that idea - let the master key get out, and it's game over. Sure, it may make my life slightly more difficult as a developer, but it also means that no one, not even me, can cheat the system.

    When I had to write the system up for export permission, I described it in detail - algorithm, file formats, I even had to include the source code for the relevant sections. I suppose you could get that information with a FOIA request. Knock yourself out - if you don't have the private key of the keypair, you won't be able to create the options file.

    Say it with me, kids - "master keys and back doors are BAD - JUST SAY NO!"
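
The design described in comment 5, as an added example (not wowbagger's code and not part of the original thread): the unit carries only a public key and the loader has no bypass path. Ed25519, the JSON payload, the per-unit serial binding and every name below are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Options is a hypothetical options-file payload (field names are assumptions).
type Options struct {
	Serial   string   `json:"serial"`   // unit the file was issued for
	Features []string `json:"features"` // options enabled on that unit
}

// SignedFile is what ships to the unit: payload bytes plus a detached signature.
type SignedFile struct{ Payload, Sig []byte }

// NewVendorKey makes the keypair; only the public half is ever put on a unit.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue runs only at the vendor, the sole holder of the private key.
func Issue(priv ed25519.PrivateKey, o Options) SignedFile {
	payload, _ := json.Marshal(o) // cannot fail for a struct of strings
	return SignedFile{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Load runs on the unit. There is no bypass branch, not even for the developer.
func Load(pub ed25519.PublicKey, serial string, f SignedFile) (Options, error) {
	var o Options
	if !ed25519.Verify(pub, f.Payload, f.Sig) {
		return o, fmt.Errorf("bad signature")
	}
	if err := json.Unmarshal(f.Payload, &o); err != nil || o.Serial != serial { // bound to one unit
		return Options{}, fmt.Errorf("file is not valid for unit %s", serial)
	}
	return o, nil
}

func main() {
	pub, priv := NewVendorKey()
	f := Issue(priv, Options{Serial: "SN-0001", Features: []string{"opt-a"}})
	fmt.Println(Load(pub, "SN-0001", f)) // accepted on the unit it names
	fmt.Println(Load(pub, "SN-0002", f)) // rejected on any other unit
}
```

Publishing this source, as the comment says was done for the export filing, gives a reader the verification path and the public key but nothing that can produce a signature the unit accepts.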

  6. security by v(*_*)vvvv · · Score: 5, Funny

    This is hilarious.

    I mean, anyone can break a window and jump right in!!

    We can call that a "backdoor", and the plywood to cover them "patches".

  7. This is clearly illegal! by Lethyos · · Score: 5, Funny

    I think that the manufacturer of the locks should sue AT&T under the DMCA for exposing weaknesses in an access control device. Furthermore, AT&T are terrorists for releasing this sensitive security information to the Net before other sites using the same locks are able to correct the vulnerability. I demand that the perpetrators that discovered the weakness with these locks be sentenced to life in prison. We can't have these hackers running free, finding security holes and disrupting national security!

    --
    Why bother.
  8. Re:Upgrade quickly by squiggleslash · · Score: 5, Funny

    I think everyone should be made aware that this vulnerability largely affects doors rather than windows...

    --
    You are not alone. This is not normal. None of this is normal.
  9. Re:Cant wait for bluetoof by WoodSmoke · · Score: 5, Insightful

    And when the power goes off do you want it to fail open or fail closed? Woodsmoke

  10. HOW TO DO IT by goombah99 · · Score: 5, Informative

    Here's the method in a nutshell.

    1) get a normal key that opens a lock.

    2) count the notches; if it's a 5 pin tumbler, then buy 6 more blank keys. ($2.00)

    3) cut 5 keys to be identical to the original except at one of the pin positions; let it be full height. So that you now have 5 keys, each with a full height blank at a different pin position.

    3.b) reducing the complexity. It's not physically possible to have a full height position adjacent to a deeply cut position. No problem, just cut it as high as possible; the master key suffers the same limits too, and this reduces the complexity of the pattern.

    4) insert the first key. Does it turn? No? Then file off 0.010" of metal and try again. Within 7 tries, usually only one or 2, it will turn. Congratulations, you now know the pin 1 master height. (duh: ignore the turning at the original height.)

    5) insert key 2, rinse, lather, repeat.
    The beauty of this crack is twofold. First, you are discovering the master heights of each pin independently, so the combinatorics is just linear in the number of resolvable pin heights, not the product of pin-positions times pin heights. Second, you are also simultaneously factoring the ordinary key out of the master key combination, thus only discovering the master key, not some useless key that is part master and part ordinary key (that would only work on that particular lock).

    6) Exception: if you cannot find a pin height that opens one of the tumblers (ignoring the obvious one for the original key) then the original key height is the one for the master too.

    --
    Some drink at the fountain of knowledge. Others just gargle.
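
The linear-versus-product point in comment 10, worked through on a constructed software model of a master-keyed lock; this is an added example, not part of the original thread. The bittings, the 8 cut heights and all names are assumptions, and physical limits such as the adjacent-cut constraint in step 3.b are not modeled.

```go
package main

import "fmt"

type Lock struct { // each pin stack shears at the change cut and the master cut
	change, master []int // constructed bittings, one cut height per pin
	Probes         int   // keys tried so far
}

// Opens treats every position independently, which is the property at issue.
func (l *Lock) Opens(key []int) bool {
	l.Probes++
	for i, cut := range key {
		if cut != l.change[i] && cut != l.master[i] {
			return false
		}
	}
	return true
}

// LearnMaster varies one position of a known change key at a time.
func LearnMaster(l *Lock, change []int, heights int) []int {
	master := append([]int(nil), change...) // step 6: no hit means a shared cut
	for i := range change {
		for h := 0; h < heights; h++ {
			test := append([]int(nil), change...)
			test[i] = h
			if h != change[i] && l.Opens(test) { // original height is skipped
				master[i] = h
				break
			}
		}
	}
	return master
}

// Keyspace is heights^pins, the product a blind search would face.
func Keyspace(pins, heights int) int {
	n := 1
	for i := 0; i < pins; i++ {
		n *= heights
	}
	return n
}

func main() {
	l := &Lock{change: []int{3, 1, 4, 1, 5}, master: []int{2, 1, 7, 0, 5}}
	m := LearnMaster(l, l.change, 8)
	fmt.Println(m, l.Probes, "probes, keyspace", Keyspace(5, 8))
}
```

With 5 pins and 8 heights the per-position search is bounded by 5 × 7 = 35 probes against a keyspace of 32768, so the size of the keyspace says little about how well a master-keyed system resists someone who already holds one of its keys.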
  11. Re:Is this a joke? by raddan · · Score: 5, Insightful

    It's a big deal because regular people, people that trust the system, *don't* know about it. I didn't know about it, and though I knew locks could be picked, I didn't know that they could be circumvented so easily.

    Sure, locksmiths knew this. A good sysadmin also knows the weaknesses in their systems. But as a user of both locks and ecommerce, I blindly put my trust in those systems in part because I *don't* know their weaknesses!

    How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?

    It's like with PGP: what can you trust? Regular people know now that you cannot trust master-key systems.

  12. Oh, one more thing... by Skapare · · Score: 5, Insightful

    Oh, one more thing. If you do decide to make yourself a grand master key, and are tempted to carry it around on your key ring, cut the hilt off so that the key will go in too far to work. Then only you will know that you have to put it in only part way. So if you get stopped and someone thinks you might have a master key and tries the keys on your ring, their natural human thing of "go all the way" will prevent them from detecting that your key works the lock.

    --
    now we need to go OSS in diesel cars