Slashdot Mirror


Defcon Hacks Defeat Card-And-Code Locks In Seconds

Sparrowvsrevolution writes "At the Defcon security conference in Las Vegas, Marc Weber Tobias and Toby Bluzmanis plan to demonstrate simple hardware hacks that expose critical security problems in Swiss lock firm Kaba's E-plex 5800 and its older 5000. Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access. One attack uses a mallet to 'rap' open the lock, another opens the lock by putting a pin through the LED display light to ground a contact on the circuit board, and a third uses a wire inserted in the lock's back panel to hit a switch that resets its software."

21 of 144 comments

  1. Attractive Nuisance by retroworks · · Score: 5, Insightful

    Legally speaking, an "unhackable" security system is starting to resemble an attractive nuisance. Design utmost security, you are inviting hackers, thereby defeating your trespass claims...

    --
    Gently reply
    1. Re:Attractive Nuisance by sribe · · Score: 2

      I'd like to see the hacker that could defeat my home security system!

    2. Re:Attractive Nuisance by Anonymous Coward · · Score: 2, Funny

      Well, since you're probably American, the hacker can have a gun as well; if he shoots first, no one gives a shit about YOUR gun.

    3. Re:Attractive Nuisance by chill · · Score: 2

      Han? Is that you?

      --
      Learning HOW to think is more important than learning WHAT to think.
    4. Re:Attractive Nuisance by kvezach · · Score: 2

      No, he's Greedo. Don't you know? We've always been at war with, err... Greedo always shot first.

    5. Re:Attractive Nuisance by siddesu · · Score: 2

      Even easier and not so exotic, I'll always bet on a thug who is used to violence against a regular guy with a gun. The thug wins because he has the advantage in ruthlessness. I have a reasonably good command of a martial art, yet I got surprised this year in the street by a guy roughly twice my size who tried to mug me. I took one in the teeth just because I just refused to believe what was happening. In the end he wasn't really successful and is probably still productively employed in a brick prison factory, but my mouth hurt for a week after our meeting.

  2. made to government spec by magarity · · Score: 5, Interesting

    a new Department of Homeland Security standard that goes into effect next year
     
    How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

    1. Re:made to government spec by Capt. Skinny · · Score: 2

      DHS doesn't specify any lock. They define standards that manufacturers can choose to implement if they want to market a standards-compliant lock. FTFA:

      Zurich-based Kaba markets the 5800 lock... as the first to integrate code-based access controls with a new [DHS] standard

    2. Re:made to government spec by arglebargle_xiv · · Score: 2

      How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

      That's pretty common with (non-classified) government security standards. A bunch of guys, often ones whose last industry experience occurred twenty years ago, get together and, after 2-3 years of often acrimonious committee meetings, throw together enough random features to call it a standard. Far too frequently what gets certified for govt. standards is whatever's possible to itemise in a checkbox rather than what would actually add security (I've seen stuff that's little removed from EU banana-bentness requirements in USG security standards). It's not surprising then that you can have products that are fully compliant with (non-classified) USG standards while also being completely insecure.

      Standards for classified security systems, now they're another matter, they're often written by the people who have the most experience in breaking them so they tend to be much better. They also work with a completely different development cycle, taking 5-10 years to get to market and costing an arm and a leg when they arrive.

  3. good security by kermidge · · Score: 2

    It's nice to know that those in charge of building the United States' very own Gestapo are also security experts. Too bad they're so good at the first task and so lousy at the second.

  4. I guess all those cheesy movies/TV shows are right by bfwebster · · Score: 2

    You know, the ones where the character (usually a young, bright geek) rips the cover off the card swipe/keypad unit, shorts a few wires, and opens the door? ..bruce..

    --
    Bruce F. Webster (brucefwebster.com)
  5. Attacks too easy? by QuasiSteve · · Score: 4, Interesting

    One attack uses a mallet to 'rap' open the lock

    Isn't this pretty much an old trick, similar to 'bumping'?

    another opens the lock by putting a pin through the LED display light to ground a contact on the circuit board

    This one's a lot more fun as you have to know where, approximately, that contact is - but then again, why is that contact accessible?

    and a third uses a wire inserted in the lock's back panel to hit a switch that resets its software."

    oh for pity's sake.

    The first has already been solved by lockmakers, the second is solved by making the PCB reasonably inaccessible (an individual cover plate will do) which would also deal with the third, but then the third shouldn't be a switch anyway - it should be two distinct female header points on the PCB that can be bridged only with a length of wire; this is not a crappy home wireless router that actually needs a user-accessible reset button.

    Whoever designed these $1k locks, electronically and mechanically, really needs to go back to the drawing board... or school.

  6. Still a major defect by MobileTatsu-NJG · · Score: 2

    Unfortunately these locks still happily open the door when fired on by a blaster.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  7. Exposed grounds/resets? by fuzzyfuzzyfungus · · Score: 3

    The fact that somebody managed to get a "secure" lock out the door with electrical contacts trivially accessible from the hostile side of the door is pretty damn pathetic... Couldn't they have potted the thing? Worse, it isn't as though designing systems that are supposed to be resistant to physical/electrical attacks isn't exactly an unknown field. The Nevada Gaming Commission, for example, would laugh a slot machine out of their office if it had externally accessible PCBs. The standards specifically mention that, among numerous other considerations. Heck, these super-advanced locks would seem to be rather more vulnerable than contemporary consumer hardware DRM, of the sort that protects a few bucks worth of pop-culture drivel. FFS...

  8. Re:I guess all those cheesy movies/TV shows are ri by mea_culpa · · Score: 5, Interesting

    I got locked in my self-storage lot after staying past closing time (11 PM). There were no staff to let me out and I was trapped inside with only a keypad to open the gate which happily told me the lot was closed. After inspecting the gate I saw what amounted to a key switch on a pole high enough for someone on a fire truck to access from the outside. I followed the conduit from that key switch to an electrical box near the gate motor. This small box was secured with one flat head screw. Armed with a paperclip I removed the screw and shorted the two wires coming from the key switch and the gate opened.

    I don't know if I would have thought to do that if I wasn't inspired by the movies. It sure beat camping there for the night.

  9. Re:I guess all those cheesy movies/TV shows are ri by thygate · · Score: 2

    Normally these cheap devices directly control an actuator (coil or motor etc.) that is physically embedded in the door lock. If you can open the device, only little logic is needed to directly drive the actuator using the power supply, or gate the responsible transistor with a wire. It would be more secure if the scanning device had a digital link to a control system located somewhere else, that would verify the code and drive the actuator directly.

  10. Hammer method might not work? by superdave80 · · Score: 3, Insightful

    In their demo video, the locking mechanism isn't attached to anything, so the whole mechanism bounces around when they whack it. I'd be interested to see if this method still works when it is attached to a solid door.

  11. Uber locks by DragonHawk · · Score: 5, Informative

    You are going to roll out a $1000 lock it needs to at least give you the same kind of security you'd get from one of those. They may not be perfect, but you can't stick a wire in them to get by them at least.

    What's interesting is that Kaba Mas also makes the X-09, which is the current DoD uber-lock used for classified stuff. It is, by all reports, extremely hard to subvert.

    • Self-powered. No battery or external power supply needed.
    • The exposed side has an LCD and a dial. Everything else is inside the security boundary. If you break the dial off you just make entry harder.
    • The LCD is designed to only be viewable by someone standing right at the lock. Someone standing next to you can't snoop the numbers.
    • The rate at which the dial causes numbers to change varies randomly with each step of the combination. Someone standing next to you can't derive the numbers from the rate at which you turn the dial.
    • If the dial is turned at too regular a pace, the lock assumes you're an auto-dialer and shuts down.
    • Repeated wrong combinations result in progressively longer lockout delays.
    • You can view how many unsuccessful attempts have been made (allows you to audit to see if someone's tried to get in).

    Neat stuff.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  12. Re:um... by tibit · · Score: 2

    A 6lb maul? You joking? I have an 8lb demolition hammer, and I wished I had something bigger when doing a rather "simple" remodel of a room and demolition of a deck. 8lb was barely enough to get a slightly curvy 6.5' 2x10 header in place...

    I've seen plenty of doors where even a 24lb demolition hammer would perhaps dent them and scratch the paint, and not much else. Since I had to replace the front doors on my house, I did try the 8lb hammer on them. By my estimate, it'd take me half a day of pounding and sweating to get through. I would probably demolish the block wall those doors were mounted in before ripping the doors open. And those seem to be standard commercial steel entry doors. Not the cheap residential stuff, but nothing specifically designed for highly secure areas either.

    --
    A successful API design takes a mixture of software design and pedagogy.
  13. I would have liked to seen the demo done properly by 517714 · · Score: 2

    I am not convinced that the locks in the YouTube videos were actually locked. The plunger on the deadlatch was not depressed, and many locks respond differently in this mode since there is no purpose served in making the lock secure while the door is open. Last week I performed a modification to the front door lock of my parents' home to allow opening the door by either raising or depressing the handle that was similar to the third attack and the plunger function is critical to the locking function on that lock. The techniques may work with the deadlatch engaged to the striker plate, but without seeing the demonstrations repeated in that arrangement I remain a little dubious.

    --
    The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
  14. 1300$ by Chuby007 · · Score: 2

    1300$ lock ... I would need to buy a lock to protect the lock but that lock would be 1300$ so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more I'm looping... But thankfully /. has an answer for everything ! : http://developers.slashdot.org/story/11/08/02/2031215/Escaping-Infinite-Loops