Slashdot Mirror

← Back to Stories (view on slashdot.org)

Shrinky Dinks As a Threat To National Security

Posted by timothy on from the silly-putty-now-public-enemy-No.-2 dept.

InflammatoryHeadlineGuy writes "What do Shrinky Dinks, credit cards and paperclips have in common? They can all be used to duplicate the keys to Medeco 'high-security' locks that protect the White House, the Pentagon, embassies, and many other sensitive locations. The attack was demonstrated at Defcon by Marc Weber Tobias and involves getting a picture of the key, then printing it out and cutting plastic to match — both credit cards and Shrinky Dinks plastic are recommended. The paperclip then pushes aside a slider deep in the keyway, while the plastic cut-out lifts the pins. They were able to open an example lock in about six seconds. The only solution seems to be to ensure that your security systems are layered, so that attackers are stopped by other means even if they manage to duplicate your keys."

10 of 257 comments (clear)

  1. Is this surprising? by MagdJTK · · Score: 5, Insightful

    While using credit cards and shrinky dink plastic is clever, is this story particularly surprising? The article states that a photo of the key in question is required. If I asked the average man on the street if it was possible to replicate a key from a photo of it if you were sufficiently determined, I'd imagine they would say yes.

    1. Re:Is this surprising? by postbigbang · · Score: 5, Insightful

      Fool.

      Look at the keypad. The numbers will be worn down. Look to see if it's an even wear, that means there are more than a few combos that work, but usually it's only one or two that are commonly shared.

      Then look for the most worn, with the most dirt-- it's the first number. Elminate the clean bright keys from the pool. Eliminate zero and one; the remaining pool has the combination. It's probably just four numbers, could be five.

      Now take your Timex/Sinclair and do the math.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Is this surprising? by antirelic · · Score: 3, Insightful

      Any single defensive measure on its own is irrelevant. This was proven very clearly during the early days of WWII when the Volkesgrenadiers over ran the impressive, but unmanned defensive positions in Belgium. The same principles of security hold true today as they did 50 years ago. Any defensive mechanism that is not reinforced via a secondary defensive measure is easily defeated.

      The real story is this is story worth discussing.

      --
      20th century Marxism is not progress...
    3. Re:Is this surprising? by CityZen · · Score: 3, Insightful

      You are missing the point a little bit. The locks in question are not ordinary locks. They are very expensive, high-security locks, like you might find in a secure government installation. The keys are not cut in an ordinary way; the ridges have different angles on them in order to turn the pins to the left or right as they are raised to the correct height. The company in question is saying that this kind of bypass is not possible. And guess what? It is.

      It just goes to show: you should never completely trust a security system that has only been "designed" to be secure. You should only trust it after lots of intelligent hackers have failed to crack it over time.

  2. the actual threath by fractic · · Score: 3, Insightful

    Now what is the actual threath? Shrinky dink or easily duplicated keys?

  3. Re:Is it just me by Dachannien · · Score: 5, Insightful

    Layered security indeed!

    Maybe these locks aren't all that, but it's the Secret Service agents capping you in the head that you really have to worry about.

  4. Re:This just like how the mythbusters got past oth by Firehed · · Score: 3, Insightful

    They also had Kari wander around in a giant fluffy bird suit to get past those ultrasonic sensors, IIRC. It's not exactly practical, but it makes for great TV. I'm sure the trial of whoever tries that in DC will be equally amusing.

    --
    How are sites slashdotted when nobody reads TFAs?
  5. Re:Not news... by russotto · · Score: 4, Insightful

    Of course you can duplicate a Medeco key in metal; Medeco keys are made of metal in the first place. Key control means you can't get the proper blanks from any legitimate source, but it's still a fairly simple hunk of metal.

    Medeco locks were never considered "uncrackable". Medeco has claimed they're unpickable, but I think only the Biaxial remains unpicked. But picking is an attack that doesn't require knowledge of the key.

  6. Re:BFD by Jeffrey+Baker · · Score: 5, Insightful

    Yeah I found it funny that the lamers in the write-up think the Pentagon is protected by Medeco locks. Sorry, no. The Pentagon is protected by men with rifles and grenades.

  7. Re:I wish Abloy PROTEC locks made it to the US soo by Dun+Malg · · Score: 4, Insightful

    I don't know about Medeco 3, but one lock mechanism that was out in other countries for almost four years before making it to the US which is quite pick resistant is Abloy's PROTEC cylinder.

    Trouble with those is that they're ONLY pick resistant. I can drill the face of an Abloy disc-tumbler lock, remove the sidebar, and fill the drilled hole such that no one will notice--- all in a matter of minutes. After that, the old key will still work... and so will a screwdriver. The laundry machines at the apartment I lived in years ago had Abloy PROTEC locks. I never paid for laundry, and no one ever knew the difference.

    Of course, if you want the best in anti pick protection, purchase either an Abloy or Mul-T-Lock Cliq lock. It has a pick resistant mechanical key, as well as a small chip and solenoid with a challenge/response system. If someone does make a key impression, it won't help much. However, for $500 a cylinder, its pricy.

    That's just electronic access control shrunk down to fit the size of standard key access components and hybridized with mechanical keys. Great if you want to retrofit existing mortise and rim lock installations, but then you're just trading labor cost for material cost. I'd personally go for a keyless prox card system before I'd field a system powered by batteries in the key. It's bad enough dealing with your average dodo trying to use normal locks. Can you imagine the service calls from those dodos who break their keys off because the battery in the key head is dead? Locksmith's dream (service call = money in your pocket), businessman's nightmare (service call = money down the rathole).

    I don't understand why people fixate on "pickability". Criminals just don't pick locks. I've been a locksmith since 1995 (minus a couple years when the Army decided I should be in Afghanistan), and I have never seen a case of intrusion that wasn't either a) forced entry, or b) an inside job.

    --
    If a job's not worth doing, it's not worth doing right.