The Study of Physical Hacks at DefCon

← Back to Stories (view on slashdot.org)

The Study of Physical Hacks at DefCon

Posted by Zonk on Sunday August 5, 2007 @05:53AM from the old-ways-are-the-best-ways dept.

eldavojohn writes "DefCon usually focuses on electronic security, but Saturday a talk was held that focused on possibly the oldest form of hacking — lockpicking. As software security becomes better and better, the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password, faking employment or just picking the locks to gain access to the building where machines are left on overnight. From the article: 'Medeco deadbolt locks relied on worldwide at embassies, banks and other tempting targets for thieves, spies or terrorists can be opened in seconds with a strip of metal and a thin screw driver, Marc Tobias of Security.org demonstrated for AFP ... Tobias says he refuses to publish details of 'defeating' the locks because they are used in places ranging from homes, banks and jewelers to the White House and the Pentagon. He asked AFP not to disclose how it is done.' I'm sure all Slashdot readers are savvy enough to use firewall(s) but do you know and trust what locks 'physically' protect your data from hacks like these?"

26 of 299 comments (clear)

Min score:

Reason:

Sort:

Backstop that lock... by swb · 2007-08-05 05:58 · Score: 5, Insightful

...with a Smith & Wesson (or a Glock, or a Bushmaster, or a Remington).
1. Re:Backstop that lock... by couchslug · 2007-08-05 06:07 · Score: 4, Insightful
  
  Funny, but you do have a valid point. Locks keep honest people honest.
  
  It isn't difficult to slice through or drill most locks or the doors holding them, let alone picking the lock, but if there is an armed human on the other side that changes the game a bit. :)
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
2. Re:Backstop that lock... by swb · 2007-08-05 06:16 · Score: 4, Informative
  
  No, it was meant to be serious. Locks keep out honest people and lazy criminals (given how often the police issue updates reminding us to lock the doors because they've had a run of unforced entry burglaries, there must be a lot of them).
  
  Weapons keep out ANYBODY, but watch out for criminal-friendly laws on deadly force that either require you to flee your own home or prove that you were threatened with imminent risk of death or great bodily harm.
  
  Fortunately where I live, deadly force is justified within your own home top stop the commission of a felony, and burglary is a felony.
3. Re:Backstop that lock... by Hijacked+Public · 2007-08-05 06:36 · Score: 4, Insightful
  
  Also, statistically, 100% of unarmed people are unable to repel boarders with arms.
  
  I have both the ADT sign and the above suggested firearms.
  
  --
  "Sacrifice for the good of The State" - The State
4. Re:Backstop that lock... by Anonymous Coward · 2007-08-05 06:42 · Score: 5, Insightful
  
  That argument has been discredited by several studies.
  
  Just look at how they derive those numbers...they categorize "loved ones" and "family members" and anyone you have ever met.
  
  If you want the real, peer reviewed scientific analysis on guns in the hands on citizens, just check out the writings of John Lott.
5. Re:Backstop that lock... by kd5ujz · 2007-08-05 06:46 · Score: 4, Informative
  
  I take it you have not seen the "Protected by Smith & Wesson" Signs.
  
  http://www.smith-wesson.com/webapp/wcs/stores/serv let/CustomContentDisplay?langId=-1&storeId=10001&c atalogId=11101&content=36818
  
  http://www.preparedness.com/protbysmitwe.html
  
  --
  -William
  God is everything science has yet to explain.
6. Re:Backstop that lock... by swb · 2007-08-05 07:08 · Score: 4, Insightful
  
  Your statistics aren't true, it's a tired argument hauled out by gun ban types based on a repudiated and poor study.
  
  The problem we have is that since the 1970s, we've emaciated homeowners and law-abiding citizens by making it difficult to use deadly force.
  
  If, as was the case prior to 1960 in most parts of the US, it was generally assumed that a property owner could use deadly force against an intruder, it would be the equivalent of a "Protected by Smith and Wesson" sign in front of EVERY house, along with criminals having to assume the risk of such crimes.
7. Re:Backstop that lock... by couchslug · 2007-08-05 08:25 · Score: 5, Insightful
  
  "Which is right and proper since in most Western countries the state doesn't demand the death penalty for burglary."
  
  You mistake shooting a "burglar" for penalizing said burglar instead of SELF-defense. Defending yourself is not to be confused with lynching.
  A "burglar" (intruder) is a huge risk to the occupant of a house because the intruder has incentive to kill the householder to shut him/her up, and sometimes does.
  Crimes of opportunity in a home invasion include rape, torture, arson to cover up the evidence etc.
  Intruders are not typically like Roger Moore in "The Saint".
  
  If you don't want to defend yourself, it is your right not to. To say that I cannot defend myself is to say that I don't matter, and those who would violate me do. I respectfully disagree.
  Even in Iraq, the US allows householders one firearm. This is because police response is reactive, not preemptive. All the cops can usually do is collect evidence and maybe arrest the perp for whatever he/she did. This neither does not reverse or prevent damage to the victim.
  
  When I was TDY to Saudi Arabia, some crackheads decided to party on my property. My wife asked them to leave. They told her to fsck off and made threatening statements. (We lived in an area with light police protection and long response times.) She retreated to the house, got our our Mini-14, and put several warning shots into the ground (not towards the crackheads) where the bullets could be retrieved if required. They promptly left and never returned for the remaining three years we lived there. When the police finally responded, the officer was fine with it. (I love the South!
  
  The right to violent self-defense is essential to freedom, because if you are forbidden to defend yourself anyone can do their will to you.
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
8. Re:Backstop that lock... by HUADPE · 2007-08-05 08:32 · Score: 4, Insightful
  
  I would never want one of these signs. It seems like it would attract many criminals whose intent was to steal my gun.
  
  --
  This sig has not been evaluated by the FDA. It is not designed to diagnose, treat, prevent, or cure any disease.
9. Re:Backstop that lock... by Anonymous Coward · 2007-08-05 10:14 · Score: 5, Funny
  
  100% of unarmed people are unable to repel boarders with arms Make that 99.9%, you forgot Chuck Norris.
10. Re:Backstop that lock... by Filip22012005 · 2007-08-05 21:42 · Score: 4, Funny
  
  That's only illegal near spawn points.
  
  --
  When the policeman of the tie, rule you violate, hello punishment of the kitty?
11. Re:Backstop that lock... by couchslug · 2007-08-06 01:08 · Score: 4, Insightful
  
  "The right to violent self-defense is essential to freedom...
  It is also essential to get those high homicide rates. Your call."
  
  Lawful self-defense /= homicide.
  
  "Self-defense should be proportional to the actual threat.
  Shooting any burglar because some burglars might become violent is just stupid. If the burglar is coming at you, fine. If he's trying to leave or running away, no."
  
  The applicable laws cover that. They vary by state, so do read yours.
  
  "Your wife is a psycho. (and apparently you are as well, from the tone of your post)"
  
  Nice troll, but note I mentioned firing into the ground to facilitate bullet retrieval. That is not "psychotic"
  We both have military training and are disciplined shooters. Making noise to scare away the crackheads worked, no one was injured, and the situation was de-escalated nicely. What you may (and others who may be unfamiliar with the way criminals like crackheads think) not understand is that they only respect people who appear scary. I'm not some crazed redneck, but I'll emulate one if it is useful. Crackheads are not deterred by the consequences of crack use, so that worldview limits the things that do deter them. :)
  
  "Then all of a sudden it is the burglar who is being threatened for life, and who feels a need to defend yourself. Do you really want to go into that spiral?"
  There is no spiral. Burglar has choice of turning and running or being shot. If he entered an occupied residence he may be presumed willing to attack and subdue anyone in that residence. If he hopped my fence and continued past my barking dogs he was determined to enter.
  I'm not advocating trap guns or other nonsense, I'm advocating reasonable latitude in defending myself and other humans in my house where I have the reasonable (through human history) expectation of security. If I get burgled and no one is home, that's why I buy home insurance!
  
  "A burglar has no intent to kill. If he would, why not do armed robbery instead? Why not take people hostage, take them to their home, clear out and kill them?"
  
  He may have no INITIAL intent to kill/rape/assault. Your statement seems to imply burglars are a logical, rational lot. Some meth head who has been awake for thirty days may start out to burgle, but they aren't necessarily going to stick to that. Never assume the bad guy is interested in your logic. I'm not expecting to defend against Slashdotters, so I don't assume crooks think like Slashdotters. :)
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Protection by SaidinUnleashed · 2007-08-05 06:01 · Score: 5, Funny

>>do you know and trust what locks 'physically' protect your data from hacks like these?"

I know I weld my doors shut nightly. You should too!

--
Shiny. Let's be bad guys.
1. Re:Protection by mcpkaaos · 2007-08-05 06:40 · Score: 4, Funny
  
  Using doors for physical security is so 90s. I keep my servers suspended over an open pit of RIAA lawyers.
  
  --
  It goes from God, to Jerry, to me.
"Hacking" by Arthur+Grumbine · 2007-08-05 06:01 · Score: 5, Informative

From TFS,
"...simple hacking tips like looking over someone's shoulder for their password."

How far the meaning of this word has come from it's original usage.

--
Now that I think about it, I'm pretty sure everything I just said is completely wrong.
1. Re:"Hacking" by multisync · 2007-08-05 06:10 · Score: 4, Funny
  
  I'm reminded of Ralph Macchio asking Mr. Miyagi what kind of belt he had in the Karate Kid. Mr. Miyagi's answer:
  
  "Canvas. JC Penny. Three ninety-eight. You like?"
  
  --
  I don't care why you're posting AC
Locks are pretty much useless by Anonymous Coward · 2007-08-05 06:03 · Score: 5, Funny

Because doors are riddled with 0-day exploits in the frames and hinges. With even a small vehicle, you can exploit a stack-overflow in the frame, popping the entire door out. DOS attacks against hinge pins can also be used to completely bypass a lock.
How Medeco locks work by Beryllium+Sphere(tm) · 2007-08-05 06:44 · Score: 4, Informative

The cuts in the key are individually angled so they rotate the tumblers as well as lifting them. Slots in the tumblers are lined up by the rotation to unlock a sidebar that fits into a longitudinal slot in the cylinder.

Bump keys can't even get started opening that.

More burglars have feet than have lockpicking skills. Step one in physical security is to combat kick-in attacks. Replace your strike plate, which I can almost guarantee is inadequate, with a reinforced model like the Mag-3 and most important, install it with #10 wood screws at least 3" long, so it can't tear out of the studs when subjected to a good kick. Predrill the holes and put soap on the threads so you don't break screws as you install it.

A block watch is a great idea too. Neighbors are a security mechanism.

An alarm system also protects you against fire, which depending on where you live can be a bigger threat than burglary.
Re:How to pick Medeco locks by mlts · 2007-08-05 06:47 · Score: 4, Informative

From what the original poster's article said, this appears to be a valid method against the original Medeco and the Medeco Biaxial line [1], but I don't see how this would have any effect at all versus the latest Medeco3 mechanism (well, latest since 2003), which uses side bitting on the key as well as the usual Medeco rotating pins.

Other than Medeco, there is one type of lock that would be excellent for security, Abloy's Protec line, which from what I read takes 10-12 hours to pick even for the pros at detainer disk type of locks. However, the Protec line isn't sold in the US. Older Abloy lines are decent, but it would take far less time for a pro to pick them open. There are other high security locks out there, and one can read from a lock site what the weaknesses are of each of them.

Nothing is 100% secure. If some thief is determined enough to bypass something, they can.

Lastly, high security locks just one tool, in a toolbox of security options. If its worth locking with a high security cylinder, its worth having a centrally monitored alarm system (with a duress code [2] option.)

[1]: Biaxial isn't that much more secure than the original Medeco, but it allows for (IIRC) 10 times as many key combinations, allowing for more flexible keying options.

[2]: Yes, home invasions are on the rise, so make sure an alarm system has a duress feature (where it disarms, but silently calls the central station)... and USE the alarm. If at home, use the alarm's "at home" feature which monitors the doors and windows, but doesn't arm the IR detectors. A high security lock is no good when it is opened by the owner at gunpoint.
Re:How to pick Medeco locks by eggoeater · 2007-08-05 07:07 · Score: 4, Interesting

From what the original poster's article said, this appears to be a valid method against the original Medeco and the Medeco Biaxial line...
Sorry, but I'm not buying the article the GP pointed to...it's simply saying "modify a diamond shaped lock pick...etc etc". I don't see how ANY lock picking solution can get around correctly rotating the pins so the holes line up with the sidebar. Added to that, there are many things to help defeat the constant tension during a pick, mushroom pins being one.

You seem to know a thing or two about Medeco locks (like the fact that there's a diff. between the original and Biaxial). If you know/see something about the article I don't, please let me know. My father worked for Medeco (and I briefly worked in their factory one summer) and I'm sure he'd love to know.

Also, last I heard, there was still a reward offered by Medeco for picking a lock at their headquarters in Salem VA.

--
$7.95/mo, 200 GB disk, 2TBxfer, MySQL, PHP, RoR.
anecdotal by zogger · 2007-08-05 07:14 · Score: 5, Interesting

One summer I was forced to park right in the same neighborhood as crack houses, etc, because of where I had to work. As did my co workers. They all locked their doors and trunks, result, all of them got busted glass and popped trunks. I warned them too, I really did, I said "look at reality, these cars are targets now". Nope, none of them listened. I left my doors unlocked and the trunk slightly open, just eased down. The ride was so old and ratty I wasn't afraid of it getting stolen, albeit that was a chance. There was nothing left in the car to steal, a very cheap in dash radio not even worth a dollar at a pawn shop, but I made it easy for the crooks to ascertain that, because I knew they would look.

Ya, it sucked doing that,the principle rankled me, but my practical nature took over, because it was better than having to replace a door window.

Most modern stick frame construction houses are vulnerable to a razor knife. Just pick a section of wall and slice a hole. You got plastic siding, a thin tyvek sheet, some cheap ass pressboard stuff,(glorified cardboard really), some spun fiberglass insulation, then drywall. That's all you need, a couple minutes with a razor knife and any thief can get in easy, let alone if they use something like a cordless sawzall thing.
1. Re:anecdotal by iminplaya · 2007-08-05 07:51 · Score: 4, Interesting
  
  Most modern stick frame construction houses are vulnerable to a razor knife.
  
  There were thieves in Chicago(and I'm sure elsewhere) that would steal whole garages, bricks and all. Turns out they could sell the bricks. And watch out for stolen manhole covers. That could really hurt. Well, you have the right idea. Don't go through those neighborhoods wearing your nice shoes.
  
  --
  What?
Re:How to pick Medeco locks by mlts · 2007-08-05 07:34 · Score: 4, Insightful

The OP's article really didn't have much detail, but there are other sites that one can check out that have more details on attacks on Medeco locks.

The Medeco reward I've heard about in a number of different forms, so I'm not sure the exact details. Last I heard, if someone can pick 3 Medeco cylinders (the six pin type found in deadbolts, not the four or five that are used as replacement for disk tumbler cylinder replacements.), they get a prize. However I have no clue what the real status of that is.

Nothing is unpickable by someone who knows their stuff and has the manual dexterity. Its slowing people down, to where even a skilled lock manipulator will take hours to open the lock, which will most likely mean detection. Its also forcing someone to leave a signature (scratches), so if stuff does get taken, one can prove to an insurance company that a lock was defeated or something was broken.

Mushroom pins help, but are just one security mechanism, forcing locksmiths to jam the pins up, then let them float downward to the shear line, rather than pushing pins up from their resting place. I'm pretty sure the sidebar is pickable by some tool that rotates the pins, as its talked about on various lockpicking sites.

This is one reason I recommend high security locks. If someone kicks down a door or breaks a window, that leaves a noticable signature where a claim with insurance has more ground. If someone's house is robbed by a bumped lock, there is no trace, and it goes to a word against word thing to prove that stuff was there, and is now not.

It may be the security has nothing to do with the tumbler mechanism. In some locks are weaknesses that have nothing to do with the cylinder used. For example, one lock I have has a very pick resistant cylinder, but one can use a shim and the lock pops right open.

Lastly, some people may state security through obscurity, but I'm glad that the methods of opening Medeco deadbolts are not made public. Physical locks can't be updated like most programs can. Every cylinder in a building would need replacing, and that would amount to hundreds of thousands, if not millions of dollars, factoring in parts, labor, the time it takes to deploy a new keying system, getting the new keys to all the employees, etc.
Locks are easy by reboot246 · 2007-08-05 08:45 · Score: 4, Funny

Locks are easy compared to trying to unhook her bra with your left hand in the dark.
Re:If guns stop crime then why crime in the USA? by Rakishi · 2007-08-05 09:51 · Score: 4, Insightful

Parent's point I'd guess would be that it's an arms war. Not really, there are legal limits on what guns can be owned and who can own them. As a result law abiding citizens have easier access to weapons and training in how to use them. As a result the criminals are at a perpetual disadvantage.
If you're saying that the way to stop being knifed is to carry a knife yourself, then the criminals carry guns. No you carry around a gun, knife fights aren't something I wish to engage in.
If weapons stop crime, how come the USA, one of the most tooled up countries in the world, has so much crime and so many people die from gun injuries? The US crime rate is mostly due to gang violence between gang members as well as certain unfortunate people who are forced to live in gang territories. This in turn is due to the lovely war on drugs that should have never started. Also only half of murders are committed with guns and many of those are in areas with heavy gun restrictions for civilians. Amazing how the murder rate in Washington, DC is absurdly high (I do mean absurdly) and yet it is basically illegal for a civilian to own a gun.

Also if guns are the cause of all evil how come after they were mostly banned in the UK the crime rate hasn't budged, knife murders are way up, burglaries are 3 times that in the US and rapes are also close to 3 times that in the US (rate wise of course).
Re:If guns stop crime then why crime in the USA? by ichigo+2.0 · 2007-08-05 10:08 · Score: 4, Insightful

If weapons stop crime, how come the USA, one of the most tooled up countries in the world, has so much crime and so many people die from gun injuries?

This argument always pops up when the topic is guns. And I always counter by asking why Finland, which is in the top five when it comes to guns per capita, has one of the lowest crime rates in the world.

The roots of the American crime problem lies somewhere else than guns. Try income inequality and poverty if you really want some kind of beginnings of an real answer, instead of reinforcement to preexisting memes.