Slashdot Mirror
Shrinky Dinks As a Threat To National Security
InflammatoryHeadlineGuy writes "What do Shrinky Dinks, credit cards and paperclips have in common? They can all be used to duplicate the keys to Medeco 'high-security' locks that protect the White House, the Pentagon, embassies, and many other sensitive locations. The attack was demonstrated at Defcon by Marc Weber Tobias and involves getting a picture of the key, then printing it out and cutting plastic to match — both credit cards and Shrinky Dinks plastic are recommended. The paperclip then pushes aside a slider deep in the keyway, while the plastic cut-out lifts the pins. They were able to open an example lock in about six seconds. The only solution seems to be to ensure that your security systems are layered, so that attackers are stopped by other means even if they manage to duplicate your keys."
So now they'll not just confiscate my laptop when I arrive in the US, they'll also pinch my paperclips and credit cards ?
While using credit cards and shrinky dink plastic is clever, is this story particularly surprising? The article states that a photo of the key in question is required. If I asked the average man on the street if it was possible to replicate a key from a photo of it if you were sufficiently determined, I'd imagine they would say yes.
OMFG!
Modding me -1 troll doesn't make me wrong.
Now what is the actual threath? Shrinky dink or easily duplicated keys?
I bet those new 3-D type printers could perform the same thing without using razor blades and such. In fact, you could probably make a computer program to transfer from images to the final "printout."
I suppose if I had a picture of someone's login and password, I might be able to deftly hack into their computer.
If you have a picture of a key, you can generally duplicate it well enough to work in metal (easier if you have a blank, but not necessary). It's not the shrinky-dink that matters. Cutting a key by sight based on a key sitting on the seat of an car is apparently a useful skill for locksmiths.
Screw your cheap microfludics! ... There goes my etsy store!
Layered security indeed!
Maybe these locks aren't all that, but it's the Secret Service agents capping you in the head that you really have to worry about.
Silly me, I thought that men with guns protect the White House.
My granddad was a blacksmith who taught his trade to young crims at a borstal in the 1950s. One of them showed how he could open a Yale lock in about 30 seconds. He needed whatever plastic was equivalent to a credit card way back then, and a cigarette. He could feel the piston movement and burn the height into the plastic. No photos needed. The young crims summary: "Locks is to keep honest people out, boss."
In a sense, a moderately good lock that is all that is needed. I'd agree with the article that the objective is to remove a defense of accidentally straying. The next layer of entrapment is the real one.
Brad Blog has this story from when Diebold had a picture of their key on their corporate website back in January 2007. Diebold's since replaced the picture. There's a video of the key in action @ the link I just posted.
That which does not kill me only postpones the inevitable.
They also had Kari wander around in a giant fluffy bird suit to get past those ultrasonic sensors, IIRC. It's not exactly practical, but it makes for great TV. I'm sure the trial of whoever tries that in DC will be equally amusing.
How are sites slashdotted when nobody reads TFAs?
20 years ago, my house used to have a 3D-key - in other words, it had teeth all-around its central axis. Why? Because it is much harder to manipulate the tumblers that way. Not to mention that just photocopying the key won't work - or won't work as easily.
I'm surprised a high-security key has its teeth still on a line.
Those who can, do. Those who can't, sue.
Shrinky dinks? Paper clips? Gimme a break. I can duplicate a Medeco key blank with a piece of brass stock and a dremel tool, then cut a perfect key from a photocopy using my HPC Blitz. There's nothing amazing about what this guy's done. Given the appropriate information (cut depths and angles) any medeco key can be duplicated without serious difficulty. Heck, that's the case with all mechanical key locks. I once showed the Medeco rep who came to my lock shop how I could duplicate a standard G3 Biaxial key using a slightly modified commonly available Rolls Royce key blank. He was understandably dismayed, but not surprised. There are two kinds of locksmiths in this world: 1) the kind like the guy quoted in the article who said "Your locksmith will tell you this is impossible", and 2) guys like me who will tell you "yeah, someone could make a key to that--- I've done it myself". Point is, you want to use a locksmith more like 2) than 1). The first guy will feed you the standard Medeco marketing bullshit about how "only we can make your keys" and convince you that equals security. The second guy will tell you key control is useful, but it's not relevant beyond its obvious purpose. There are really only two kinds of common break-ins: inside jobs and random burglaries. In the case of inside jobs, all the key control in the world won't matter because the perp has a key already. This key could have been given to them, taken out of a desk drawer, or otherwise acquired via lax internal key management. This makes up 99% of all break ins. The other 1% is burglaries by random opportunist perps taking advantage of a weakness, usually on the spur of the moment. Back doors propped open by people out for a smoke, simply walking in during business hours wearing a suit, etc. All this spy crap people have in their heads about about burglars picking locks and James Bonding into their houses is fantasy bullshit. Real burglars wait till you're not home and throw a brick through the window, or let themselves in with the key you gave the cleaning service. All this hoo-hah over making a medeco key with a credit card is total yawnsville, and if anyone thinks they can get into the white house with a shrinky dink key, they're totally on crack. The whit House has things like SECRET SERVICE AGENTS, and ALARM SYSTEMS because they know keys alone are not enough.
If a job's not worth doing, it's not worth doing right.
I don't know about Medeco 3, but one lock mechanism that was out in other countries for almost four years before making it to the US which is quite pick resistant is Abloy's PROTEC cylinder.
It uses no pins or springs, so bumping is useless. Vibrating the key isn't going to magically move the detainer disks into position. Picking it requires a different technique altogether than pin tumbler locks.
So far, if I recall right, the best picking record for PROTEC cylinders took over 10-11 hours.
Of course, if you want the best in anti pick protection, purchase either an Abloy or Mul-T-Lock Cliq lock. It has a pick resistant mechanical key, as well as a small chip and solenoid with a challenge/response system. If someone does make a key impression, it won't help much. However, for $500 a cylinder, its pricy.
Errrm...
The places guys insert their shrinky dinks... crazy stuff.
Camping on quad since 1996.
Most All door security keys cards drive a solenoid door strike .
The pro crooks or intruders don't bother with magnetic stripe cards , electronics, , encryption etc,they buy the system and drill a hole in the right place and operate the door strike Directly with a narrow screwdriver or fashioned shorting stripe or wad of tin foil , bypassing all of the electronics and all of the security.
Ironically , The better electronics is more precise making the drill and popping of the door solenoid that much faster and easier .
Normal or hacked card time to door open about 2 seconds
Drill and screwdriver about 10 seconds.
A similar thing was done in casinos to electronics in slot machines the crooks purchased a machine and screwed it over.
A single metal piece of wire up into the machine at the right place and instant winner.
Casinos have since changed the way the machines work and one can no longer buy the new machines as easily,and security looks out for anyone putting things up into the machines
This isn't the huge threat to national security that the article would have you believe. The government does not use key based lock systems to secure anything of real high priority. They use digital combination (X-09) locks to secure any information that is classified at secret level or higher. These keys are used in the white house and pentagon, but they are office keys not keys to places where someone could do dire harm to our nation.
IIRC, the fluffy bird suit didn't work.
A simple sheet held up in front of her did.
I would hate to be the Secret Service guy that has to tell the President he can't have his Shrinky Dinks anymore.
The only change I can believe in is what I find in my couch cushions.
The real news I got out of this is: they still make shrinkydinks!?!
Who knew?
I woulda thought they woulda been classified as toxic by now...
I used to be a blacksmith myself, and I never needed a credit card. My tool of choice was a ground-down .02-inch feeler-gauge (you can get one from any DIY car maintenance shop) and a screwdriver (to do the work of turning the barrel).
I don't know about Medeco 3, but one lock mechanism that was out in other countries for almost four years before making it to the US which is quite pick resistant is Abloy's PROTEC cylinder.
Trouble with those is that they're ONLY pick resistant. I can drill the face of an Abloy disc-tumbler lock, remove the sidebar, and fill the drilled hole such that no one will notice--- all in a matter of minutes. After that, the old key will still work... and so will a screwdriver. The laundry machines at the apartment I lived in years ago had Abloy PROTEC locks. I never paid for laundry, and no one ever knew the difference.
Of course, if you want the best in anti pick protection, purchase either an Abloy or Mul-T-Lock Cliq lock. It has a pick resistant mechanical key, as well as a small chip and solenoid with a challenge/response system. If someone does make a key impression, it won't help much. However, for $500 a cylinder, its pricy.
That's just electronic access control shrunk down to fit the size of standard key access components and hybridized with mechanical keys. Great if you want to retrofit existing mortise and rim lock installations, but then you're just trading labor cost for material cost. I'd personally go for a keyless prox card system before I'd field a system powered by batteries in the key. It's bad enough dealing with your average dodo trying to use normal locks. Can you imagine the service calls from those dodos who break their keys off because the battery in the key head is dead? Locksmith's dream (service call = money in your pocket), businessman's nightmare (service call = money down the rathole).
I don't understand why people fixate on "pickability". Criminals just don't pick locks. I've been a locksmith since 1995 (minus a couple years when the Army decided I should be in Afghanistan), and I have never seen a case of intrusion that wasn't either a) forced entry, or b) an inside job.
If a job's not worth doing, it's not worth doing right.
The reason why pickability (or lack therof) is important is because insurance companies will, in general, cover theft if windows are broken, doors are crowbared, or there is obvious signs of forced entry. Of course, if the person breaking in is caught, its easy to tag them with breaking and entering charges.
If a lock is picked, other than maybe some scratches, there is no evidence, so its harder to get insurance companies to cover losses if someone picks a door or padlock. Its also a lot harder to charge someone with burglary or breaking an entering if they bumped or picked a door open, then hid the tools.
That's the code on my luggage!
Kids didn't have credit cards when I was in high school but every lock in our school except the outside doors (which we could sometimes tape or the like) and the principal's office were simple spring locks. Take seconds to open any of them with a piece of plastic. We got so fluid at it we were observed once from a distance and just lied, "Hey, what do you mean? It was unlocked. We were just snooping around." and he didn't push it. Did stupid stuff like swapping teachers' home room desks on different floors or laying out chairs in the auditorium to spell out expletives. A separate group we taught unfortunately got into more hardcore vandalism.
You see it with virtual security all the time: People around here (and other sites) seem to think that perfect security is achievable. They believe you can make a system that is perfectly unbreakable, no matter what. Now maybe in the virtual world that is a theoretical possibility, though a practical impossibility, but those of us who deal with physical security know it is impossible, even in theory. I mean I've never seen a lock, no matter what kind, that will stand up to a sufficiently large shaped charge.
The White House doesn't buy invincible locks because they aren't invincible locks to be bought. Turns out if you do research, it is hard to get much better than Medeco for mechanical locks. However the White House also doesn't rely on just locked doors to keep people out. As you noted, highly trained men with guns would be one of their main security systems, but by far not the only one.
it's simpler than that. Each KEY has a unique (not repeated on blanks) number used once (like iButton, etc) and they're paired to the car at the dealership. The tooth pattern opens the mechanical door locks, the car doesn't start without the matching number code whether the key turns or not. Disabling the battery won't work as it happens all the time, so it's written to flash somewhere in the car computer. The various manufacture alarms all trigger off various mismatches of key versus code chip.
OK, so the locks have a weakness. What was the point of the statement that they're used in the White House, Pentagon, etc.? You would need access to the lock and Joe Blow ain't gettin' there. Ergo, the statement attempts to create importance where there is none.
Try just walking up to any of the places mentioned in the OP. Can't be done. Layered security? T'ain't kiddin.!
And to complete the circle, in most cases you have to replace not just the PCM (powertrain control module, which runs the engine and controls things like fuel injection and timing adjustment, or on distributor-free systems, initiates the sparks themselves) but also the sensor-reader. Sometimes this is built into the ignition switch itself, and sometimes it's just wrapped around it - but you have to get into the column to mess with it. This does NOT stop people from stealing these high-dollar cars, it only raises the bar. It more or less means you need a car to practice on before you can steal them, but dealers have to employ someone to service cars... And anyone can go to the dealer service schools, masquerading as a service mechanic.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
On my car, an identical-toothed key with the wrong code (I was having a dealership make a spare, and they screwed up on it) won't even open the door.
What make of car is it? I'm not aware of any car that uses transponder interrogation to secure the doors. It seems more likely that the key is simply mis-cut, just not obviously so. The only way a dealership can actually "screw up" a key is to make the physical cuts in the metal wrong--- they don't do ANYTHING to the transponder module. The transponder is just an RFID chip that responds with a unique serial number, and this number is burned in at the factory, long before the dealer gets the key blank. The car's computer simply has a list of valid serial numbers and wont start if it doesn't see one of them.
If a job's not worth doing, it's not worth doing right.
These keys have been around for a long time now:
http://www.assaabloy.com/Global/News/Image bank/Products/High res/Abloy_Key2_2649x841.jpg
.
Abloy disc tumbler locks? The trouble with those is that the discs are not spring loaded and occasionally require repeated twisting of the key to get it to seat all the way before opening. Not a good feature when dealing with large numbers of dodos, which most large installations do.
If a job's not worth doing, it's not worth doing right.
My wife grew up in the suburbs and I grew up in the city. One of her pet peeves is that I tend to leave the doors of our car unlocked when I park. The difference is that I grew up in a neighborhood where some people would smash your windows if they saw anything in it they might want.
Nobody in my neighborhood had fancy car stereos; they either had plain old AM/FM radios, or they had a hole in their dashboard with wires hanging out.
Some of the kids had almost a hacker's attitude towards breaking into cars. Things you left out in your car, in plain view (like a car stereo I guess) were pretty much looked on as abandoned property. But it was the drug addicts to smashed windows. The classier kids didn't do more damage than necessary, unless they decided to take your car for a ride.
I was visiting the old neighborhood once and locked my keys in my car. One of the local kids who was sitting on his front porch asked if I needed help, and I said yes. He disappeared into his apartment and came out with a few tools. He had my car open almost as fast as I could do it with a key, literally in about ten seconds. Didn't leave a scratch on the car, either.
Nice kid. Practically a Boy Scout.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
My elderly mom was once stuck in her apartment by a jammed deadbolt. She couldn't get the super, and there was no exit, not even a fire escape, only a third floor balcony.
Rather than call the Fire Department, she called me. I came over, and she buzzed me in, then I kicked her front door in (let's say I'm a little bigger than average). It took me two or three tries to break the hinges.
Not a single soul peeked out to see what was going on, or called the cops.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
"My granddad was a blacksmith who taught his trade to young crims at a borstal in the 1950s. One of them showed how he could open a Yale lock in about 30 seconds."
It shouldn't take that long for a *blacksmith* ... one hammer blow should do it.
-fb Everything not expressly forbidden is now mandatory.