Slashdot Mirror
Shrinky Dinks As a Threat To National Security
InflammatoryHeadlineGuy writes "What do Shrinky Dinks, credit cards and paperclips have in common? They can all be used to duplicate the keys to Medeco 'high-security' locks that protect the White House, the Pentagon, embassies, and many other sensitive locations. The attack was demonstrated at Defcon by Marc Weber Tobias and involves getting a picture of the key, then printing it out and cutting plastic to match — both credit cards and Shrinky Dinks plastic are recommended. The paperclip then pushes aside a slider deep in the keyway, while the plastic cut-out lifts the pins. They were able to open an example lock in about six seconds. The only solution seems to be to ensure that your security systems are layered, so that attackers are stopped by other means even if they manage to duplicate your keys."
Awesome.
So now they'll not just confiscate my laptop when I arrive in the US, they'll also pinch my paperclips and credit cards ?
While using credit cards and shrinky dink plastic is clever, is this story particularly surprising? The article states that a photo of the key in question is required. If I asked the average man on the street if it was possible to replicate a key from a photo of it if you were sufficiently determined, I'd imagine they would say yes.
OMFG!
Modding me -1 troll doesn't make me wrong.
Are they going to use this as a case to make everyone get implanted microchips??
Now what is the actual threath? Shrinky dink or easily duplicated keys?
I bet those new 3-D type printers could perform the same thing without using razor blades and such. In fact, you could probably make a computer program to transfer from images to the final "printout."
Or are there others seeing the humor in finding out the Whitehouse and Pentagon are protected by such easily defeated locks?
Layered security indeed! I bet that had to put shivers down the spine of some security people. I wonder what the budget is for locks at the Whitehouse?
There is nothing like a good idea that is too trusted. Ex: Where I work, the IT guys thought it smart to map a couple of drives for everyone (against my better judgment) and guess what found it's way across those drive mappings? Yep, a virus. What saved me was using the Engineering VPN instead of the normal server.
Does anyone know if MWT has been declared a terrorist yet?
Support NYCountryLawyer RIAA vs People
The only thing worse than duplicating keys is not duplicating keys.
I suppose if I had a picture of someone's login and password, I might be able to deftly hack into their computer.
The only solution seems to be to ensure that your security systems are layered, so that attackers are stopped by other means
Maybe the White House and Pentagon need to have a look at the opening theme sequence to "Get Smart".
.. is also clear evidence against certain racial stereotypes ..
my cheap microfluidics project...
This just like how the mythbusters got past other high tech locks.
If you have a picture of a key, you can generally duplicate it well enough to work in metal (easier if you have a blank, but not necessary). It's not the shrinky-dink that matters. Cutting a key by sight based on a key sitting on the seat of an car is apparently a useful skill for locksmiths.
MacGuyver would be able to get past every layer of security with the same items.
Silly me, I thought that men with guns protect the White House.
My granddad was a blacksmith who taught his trade to young crims at a borstal in the 1950s. One of them showed how he could open a Yale lock in about 30 seconds. He needed whatever plastic was equivalent to a credit card way back then, and a cigarette. He could feel the piston movement and burn the height into the plastic. No photos needed. The young crims summary: "Locks is to keep honest people out, boss."
In a sense, a moderately good lock that is all that is needed. I'd agree with the article that the objective is to remove a defense of accidentally straying. The next layer of entrapment is the real one.
Do not put all your eggs in one basket. Sometimes, those old ideas are the most modern of all.
I was a teacher at a secondary school in West Africa. For the most part my students were amazing kids with more motivation than I've ever seen in a stateside school. But like everywhere else there were a few kids not on the right track.
One of them, it turns out, was a thief. He'd come over my place and sweep around my little bungalow, clean, cook, etc (culturally pretty standard stuff for a student to do for his teachers there). Then I started noticing things missing -- books, paper, pens, money.. Eventually I caught him red handed but couldn't figure out how he got in my place when I was away -- I never gave him my keys or anything so there's no way he could have time to go the 30 min into town, wait an hour to get it copied and return the key to me, and I always was around when he was inside.
One thing he did for me was my laundry. He brought his own soap. It turns out he made impressions of my keys in the soap and used them to make a working key. Pretty clever...
Brad Blog has this story from when Diebold had a picture of their key on their corporate website back in January 2007. Diebold's since replaced the picture. There's a video of the key in action @ the link I just posted.
That which does not kill me only postpones the inevitable.
if they are so easy to break, then the threat is the security people that choose it for so critical places.
So does this mean we'll see greater restrictions on photography around sensitive buildings? (As if security guards weren't paranoid enough about people with cameras.)
It seems to me that you could get a few hi-res snaps of a security guard's keyring, head back to the lair, and come back at night with a usable key. Of course, nobody is likely to actually do that, but now that the concept has been proven, I'd expect even greater rent-a-cop harassment of photographers around government buildings.
They also had Kari wander around in a giant fluffy bird suit to get past those ultrasonic sensors, IIRC. It's not exactly practical, but it makes for great TV. I'm sure the trial of whoever tries that in DC will be equally amusing.
How are sites slashdotted when nobody reads TFAs?
20 years ago, my house used to have a 3D-key - in other words, it had teeth all-around its central axis. Why? Because it is much harder to manipulate the tumblers that way. Not to mention that just photocopying the key won't work - or won't work as easily.
I'm surprised a high-security key has its teeth still on a line.
Those who can, do. Those who can't, sue.
Shrinky dinks? Paper clips? Gimme a break. I can duplicate a Medeco key blank with a piece of brass stock and a dremel tool, then cut a perfect key from a photocopy using my HPC Blitz. There's nothing amazing about what this guy's done. Given the appropriate information (cut depths and angles) any medeco key can be duplicated without serious difficulty. Heck, that's the case with all mechanical key locks. I once showed the Medeco rep who came to my lock shop how I could duplicate a standard G3 Biaxial key using a slightly modified commonly available Rolls Royce key blank. He was understandably dismayed, but not surprised. There are two kinds of locksmiths in this world: 1) the kind like the guy quoted in the article who said "Your locksmith will tell you this is impossible", and 2) guys like me who will tell you "yeah, someone could make a key to that--- I've done it myself". Point is, you want to use a locksmith more like 2) than 1). The first guy will feed you the standard Medeco marketing bullshit about how "only we can make your keys" and convince you that equals security. The second guy will tell you key control is useful, but it's not relevant beyond its obvious purpose. There are really only two kinds of common break-ins: inside jobs and random burglaries. In the case of inside jobs, all the key control in the world won't matter because the perp has a key already. This key could have been given to them, taken out of a desk drawer, or otherwise acquired via lax internal key management. This makes up 99% of all break ins. The other 1% is burglaries by random opportunist perps taking advantage of a weakness, usually on the spur of the moment. Back doors propped open by people out for a smoke, simply walking in during business hours wearing a suit, etc. All this spy crap people have in their heads about about burglars picking locks and James Bonding into their houses is fantasy bullshit. Real burglars wait till you're not home and throw a brick through the window, or let themselves in with the key you gave the cleaning service. All this hoo-hah over making a medeco key with a credit card is total yawnsville, and if anyone thinks they can get into the white house with a shrinky dink key, they're totally on crack. The whit House has things like SECRET SERVICE AGENTS, and ALARM SYSTEMS because they know keys alone are not enough.
If a job's not worth doing, it's not worth doing right.
I don't know about Medeco 3, but one lock mechanism that was out in other countries for almost four years before making it to the US which is quite pick resistant is Abloy's PROTEC cylinder.
It uses no pins or springs, so bumping is useless. Vibrating the key isn't going to magically move the detainer disks into position. Picking it requires a different technique altogether than pin tumbler locks.
So far, if I recall right, the best picking record for PROTEC cylinders took over 10-11 hours.
Of course, if you want the best in anti pick protection, purchase either an Abloy or Mul-T-Lock Cliq lock. It has a pick resistant mechanical key, as well as a small chip and solenoid with a challenge/response system. If someone does make a key impression, it won't help much. However, for $500 a cylinder, its pricy.
Errrm...
The places guys insert their shrinky dinks... crazy stuff.
Camping on quad since 1996.
...but can they also repair shoes?
Most All door security keys cards drive a solenoid door strike .
The pro crooks or intruders don't bother with magnetic stripe cards , electronics, , encryption etc,they buy the system and drill a hole in the right place and operate the door strike Directly with a narrow screwdriver or fashioned shorting stripe or wad of tin foil , bypassing all of the electronics and all of the security.
Ironically , The better electronics is more precise making the drill and popping of the door solenoid that much faster and easier .
Normal or hacked card time to door open about 2 seconds
Drill and screwdriver about 10 seconds.
A similar thing was done in casinos to electronics in slot machines the crooks purchased a machine and screwed it over.
A single metal piece of wire up into the machine at the right place and instant winner.
Casinos have since changed the way the machines work and one can no longer buy the new machines as easily,and security looks out for anyone putting things up into the machines
Just the paperclip would be enough.
Actually it was a fluffy rug that was converted in to a bird suit. ;)
Another alternative is the Bilock. It's basically 2 cut keys in parallel. Supposedly bump proof as well. Not terribly expensive, about $150 for a double deadbolt. Duplication would not be easy at all, IMO. And the keys are proprietary, so your average joe wouldn't have access to blanks.
http://www.bilock.com/
I counted the word "anus" 3 times. Does that make me gay?
I've been doing this for a while now with Aluminum from soda cans, but credit card plastic is a nice idea too
This isn't the huge threat to national security that the article would have you believe. The government does not use key based lock systems to secure anything of real high priority. They use digital combination (X-09) locks to secure any information that is classified at secret level or higher. These keys are used in the white house and pentagon, but they are office keys not keys to places where someone could do dire harm to our nation.
Lameness filter encountered. Post aborted!
IIRC, the fluffy bird suit didn't work.
A simple sheet held up in front of her did.
I would hate to be the Secret Service guy that has to tell the President he can't have his Shrinky Dinks anymore.
The only change I can believe in is what I find in my couch cushions.
Technology is rarely the true threat to security. Likewise, security is rarely the key way to keep things secure.
The real threat is people using the toys, guns, or other tools. Yes, this is basically the "People kill people!" argument but it's true. If other nasty humans didn't want to hurt other humans security wouldn't exist.
How to Download YouTube Videos
The real news I got out of this is: they still make shrinkydinks!?!
Who knew?
I woulda thought they woulda been classified as toxic by now...
Physical locks are basically advisory; it doesn't take a lot of determination or skill to circumvent them. If you really need to protect something, you need to back the locks up with other security mechanisms.
Something like Medeco is probably already overkill and beyond cost/benefit.
1) First, get a million dollars, then...
Obviously this vulnerability is an embarrassment to Medco, and many facilities will be vulnerable, mostly from crooked employees. Still, you do need a copy of the key, or at least a scan.
But truly secure sites like the White House have a bit more security than a mere door lock. Try getting to a WH locked door without proper credentials. Even if you could, you'd have less time than Magnum PI picking a lock while "the lads" descend upon him.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
I used to be a blacksmith myself, and I never needed a credit card. My tool of choice was a ground-down .02-inch feeler-gauge (you can get one from any DIY car maintenance shop) and a screwdriver (to do the work of turning the barrel).
And saved it for someone who could do this country a favor. Especially if it works at all government branches.
I want to know when there's going to be a clearance sale on Medeco locks? I need new locks, and since I don't live near Sioux Falls, South Dakota, these sound perfect.
Nothing for 6-digit uids?
I don't know about Medeco 3, but one lock mechanism that was out in other countries for almost four years before making it to the US which is quite pick resistant is Abloy's PROTEC cylinder.
Trouble with those is that they're ONLY pick resistant. I can drill the face of an Abloy disc-tumbler lock, remove the sidebar, and fill the drilled hole such that no one will notice--- all in a matter of minutes. After that, the old key will still work... and so will a screwdriver. The laundry machines at the apartment I lived in years ago had Abloy PROTEC locks. I never paid for laundry, and no one ever knew the difference.
Of course, if you want the best in anti pick protection, purchase either an Abloy or Mul-T-Lock Cliq lock. It has a pick resistant mechanical key, as well as a small chip and solenoid with a challenge/response system. If someone does make a key impression, it won't help much. However, for $500 a cylinder, its pricy.
That's just electronic access control shrunk down to fit the size of standard key access components and hybridized with mechanical keys. Great if you want to retrofit existing mortise and rim lock installations, but then you're just trading labor cost for material cost. I'd personally go for a keyless prox card system before I'd field a system powered by batteries in the key. It's bad enough dealing with your average dodo trying to use normal locks. Can you imagine the service calls from those dodos who break their keys off because the battery in the key head is dead? Locksmith's dream (service call = money in your pocket), businessman's nightmare (service call = money down the rathole).
I don't understand why people fixate on "pickability". Criminals just don't pick locks. I've been a locksmith since 1995 (minus a couple years when the Army decided I should be in Afghanistan), and I have never seen a case of intrusion that wasn't either a) forced entry, or b) an inside job.
If a job's not worth doing, it's not worth doing right.
The reason why pickability (or lack therof) is important is because insurance companies will, in general, cover theft if windows are broken, doors are crowbared, or there is obvious signs of forced entry. Of course, if the person breaking in is caught, its easy to tag them with breaking and entering charges.
If a lock is picked, other than maybe some scratches, there is no evidence, so its harder to get insurance companies to cover losses if someone picks a door or padlock. Its also a lot harder to charge someone with burglary or breaking an entering if they bumped or picked a door open, then hid the tools.
That's the code on my luggage!
Kids didn't have credit cards when I was in high school but every lock in our school except the outside doors (which we could sometimes tape or the like) and the principal's office were simple spring locks. Take seconds to open any of them with a piece of plastic. We got so fluid at it we were observed once from a distance and just lied, "Hey, what do you mean? It was unlocked. We were just snooping around." and he didn't push it. Did stupid stuff like swapping teachers' home room desks on different floors or laying out chairs in the auditorium to spell out expletives. A separate group we taught unfortunately got into more hardcore vandalism.
My car keys aren't vulnerable to this attack - you not only have to duplicate the shape of the key, you have to have a programmed ID chip to match its internal code number as well. If one OR the other is off, the lock doesn't work.
(Possible hack I've not tried: disconnect/kill the battery. Of course, in normal events you have to get into the car to pop the hood lock as well).
In reality - hey, people used to take clay or wax impressions of keys, and use that to make a replica. I don't see how this is necessarily so different.
Fortunately the US is still enough of a free country where we like to treat the aristocracy the traditional manner of our founding principles. So, even though we have mickey mouse copyright laws to insure that the heirs are rich even though they contribute nothing to society, laptop rules to insure that the productivity of those that do contribute to society is limited, and other civil list type concessions, we at least have the freedom to call a spade a spade, and remember that this country was founded on the principles of taking things from aristocrats, not coddling them.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Actaully, vibration has shown to be a way to get the disks into position by disabling the mechanism that keeps singular disks from moving(very easy with a bit of fiddling around).
Also with the Cliq locks the keys are cloneable and are not a secure system any longer.
Medeco locks have never been unpickable, unbreakable or un-anythingable and as far as I know have never claimed to be. They are just much harder than your average lock. A normal pin tumbler lock is vulnerable to a number of attacks that a Medeco, or other high security lock, resists. For example most regular locks can be bumped. You make a bump key from the appropriate blank, which is available at any hardware store, and then you can bump the lock. Well not high security locks. The blanks aren't easy to get, and the lock has internal mechanisms to resist bumping.
So that's why secure places use them. Not because they are invincible, but because they are better. They are also extremely useful in thwarting casual key copying. With a normal lock you take it most places and they have a machine that'll make a copy. Sometimes the stores will look at the key and refuse if it has a "do not duplicate" stamped on it but often not. However they don't work on high security locks since they don't have the blanks.
They aren't a magic, unbreakable layer of security, just a better than normal one that helps in the scheme of a good layered system.
exactly, if really dishonest people want in they'll just break a window and then unlock the door! The key is to make it noisy and noticeable when something is wrong. With digital tech, you just have to get them to stand still long enough for a picture, then catch them later.
You see it with virtual security all the time: People around here (and other sites) seem to think that perfect security is achievable. They believe you can make a system that is perfectly unbreakable, no matter what. Now maybe in the virtual world that is a theoretical possibility, though a practical impossibility, but those of us who deal with physical security know it is impossible, even in theory. I mean I've never seen a lock, no matter what kind, that will stand up to a sufficiently large shaped charge.
The White House doesn't buy invincible locks because they aren't invincible locks to be bought. Turns out if you do research, it is hard to get much better than Medeco for mechanical locks. However the White House also doesn't rely on just locked doors to keep people out. As you noted, highly trained men with guns would be one of their main security systems, but by far not the only one.
Silent Bob would do it so much cooler. He's use his mum's vibrator and some chicken wire and shit.
I drink to make other people interesting!
Sounds like you *really* need to do some more research... Look up lock forensics and you will see that clear distinctions can be made if a lock has been picked or bumped.
Lockpicking isn't in reality a high priority criminal skills. If you wan't in somewhere, its a lot quicker and easier simply to force the door rather than fiddling with the lock mechanism.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
They can be bumped like any one with a side pin, its just harder to make and use a bump key with them.
These keys have been around for a long time now:
http://www.assaabloy.com/Global/News/Image bank/Products/High res/Abloy_Key2_2649x841.jpg
.
If you are serious about scaring away would-be baddies, buy some big freaking dogs. Dobermans, German Shepherds, Akitas -- these are all very good watchdogs. Let them patrol the Pentagon. Also, I would certainly hope that most entrances to the Pentagon, White House, etc. would have, oh I don't know, armed guards? It doesn't matter if you are good lockpick if the guy at the door has a gun that can beat you to the corner.
Now if we're really talking defense, obviously you need to go with a moat filled with sharks... with lasers on their heads.
The reason why pickability (or lack therof) is important is because insurance companies will, in general, cover theft if windows are broken, doors are crowbared, or there is obvious signs of forced entry. Of course, if the person breaking in is caught, its easy to tag them with breaking and entering charges
You could have at least read the post you were replying to.
Locks do not get picked.
Inside jobs involve a real key - and in those cases, it's very unlikely that the insurance will pay out because, as you say, there would be no sign of forced entry.
Burglars without inside access to keys don't spend time messing around with picking locks. They generally walk in through an open door or smash their way in and 9 times out of 10 they'll be in and out in under 10 minutes.
OK, so the locks have a weakness. What was the point of the statement that they're used in the White House, Pentagon, etc.? You would need access to the lock and Joe Blow ain't gettin' there. Ergo, the statement attempts to create importance where there is none.
Try just walking up to any of the places mentioned in the OP. Can't be done. Layered security? T'ain't kiddin.!
to steal into the White House when all he needed was a shrinky dink? I bet he has lots of shrinky dinks. Damn shame.
There were frats at UT that had plastic keys like this for controled keys in the early 80's. They used these keys to steal tests before they were given. You can also translate these to ground down blank keys for the cheapest locks for more long term reliability. Locksmiths who are unaware of these possibilities are either ignorant of how locks actually work or don't want to admit that they long ago saw through the marketing materials of these locks. For most I'm betting on the latter.
Yes, setting up manufacturing to make helical keys and the locks would be expensive. But copying helical keys, or picking helical locks, is orders of magnitude more difficult than straight keys. It's a really significant barrier.
They may be somewhat longer with more pins and have a couple of minor "security" features, but the main reason Medeco keys are "high security" as opposed to any regular key/lock you'd pick up at Home Depot is that Medeco has patents on their keys and they enforce those to make it illegal for standard key copiers at the local hardware store to carry blanks. To buy legal copies of Medeco keys, you have to go to Medeco, and they supposedly check to make sure they're selling the keys to authorized people. So "borrowing" the key for half an hour doesn't allow you to get copies made commercially. But that's the primary thing that's "high security" about them- otherwise they're about as copyable and pickable as most standard locks- and those are pretty low security.
Can anyone tell me how to set my sig on Slashdot?
My wife grew up in the suburbs and I grew up in the city. One of her pet peeves is that I tend to leave the doors of our car unlocked when I park. The difference is that I grew up in a neighborhood where some people would smash your windows if they saw anything in it they might want.
Nobody in my neighborhood had fancy car stereos; they either had plain old AM/FM radios, or they had a hole in their dashboard with wires hanging out.
Some of the kids had almost a hacker's attitude towards breaking into cars. Things you left out in your car, in plain view (like a car stereo I guess) were pretty much looked on as abandoned property. But it was the drug addicts to smashed windows. The classier kids didn't do more damage than necessary, unless they decided to take your car for a ride.
I was visiting the old neighborhood once and locked my keys in my car. One of the local kids who was sitting on his front porch asked if I needed help, and I said yes. He disappeared into his apartment and came out with a few tools. He had my car open almost as fast as I could do it with a key, literally in about ten seconds. Didn't leave a scratch on the car, either.
Nice kid. Practically a Boy Scout.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
My elderly mom was once stuck in her apartment by a jammed deadbolt. She couldn't get the super, and there was no exit, not even a fire escape, only a third floor balcony.
Rather than call the Fire Department, she called me. I came over, and she buzzed me in, then I kicked her front door in (let's say I'm a little bigger than average). It took me two or three tries to break the hinges.
Not a single soul peeked out to see what was going on, or called the cops.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Bystander apathy. Nobody called the cops because they assumed someone else had already done so. Also, do you really think your average person wants to physically confront a housebreaker who isn't a direct threat to them, but could well be armed and/or a deranged crackhead.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Many apartment buildings as their "main line" of security use Medco locks as its assumed that they provide a good-high level of security. The next layer, the door to a unit, uses a cheapo deadbolt that can probably be bumped in a second.
So if you live in an apartment, any suggestions on improving security? I don't think the building management will take kindly, to changing the lock on the door. I guess unless you provide them with a copy.
"My granddad was a blacksmith who taught his trade to young crims at a borstal in the 1950s. One of them showed how he could open a Yale lock in about 30 seconds."
It shouldn't take that long for a *blacksmith* ... one hammer blow should do it.
-fb Everything not expressly forbidden is now mandatory.
Which is kind of my point. The basic skill for any criminal is recognizing situations where he wont' get caught.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Shrinky dinks? Credit cards?? No need to try even that hard. True story: my uncle works for DHS, and right after he got hired there were a couple days before he got his ID card that unlocked the doors. He quickly realized, however, that the doors -- which unlock automatically as someone approaches from within -- could be opened by slipping a piece of paper between the door and the jamb, tripping the motion sensor. Try not to tell the terrorists.
I can mention at least one case where the supposed inability of key duplication might be a big problem. Several hotels that I know of have safes in the room, which lock with a Medeco key. Hotel guests are urged to stash their wallets, cameras, whatever in the safe, and take the key. However, if every person who's ever stayed in that room might have a duplicate key, (or if the housekeeping staff could have duplicated several of the keys), then there's a bit of a hole in the security. Granted, the thief would still have to get into the room. But the reason the safe is there in the first place is to protect valuables that the room itself isn't enough security for.
I am admittedly still in love with the "Hollywood" image of the lockpicking idea and spent a couple of happy weekends learning the most basic of tricks on the kitchen cupboards in my university halls, on one occassion had a flatmate walk in and find me bent over an unscrewed door, learning how the tumblers worked and the door clearly missing from their kitchen cupboard and seeing what I could move in the "security" doors we had on our rooms, so this kind of little niceness warms my heart to know that it's possible to beat these locks with next to nothing
Thanks.
My boyfriend and I have this disagreement too -- we both grew up in the suburbs, but I've taken to keeping the car unlocked since some awful kid put a $1700 hole in my ragtop. He understands why I keep my car unlocked, but it bugs him if I leave his open.