SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997 |
#1 |
Navy Seal
Join Date: Sep 2009
Location: Valhalla
Posts: 5,295
Downloads: 141
Uploads: 17
To open a door fitted with the latest U.S. government-certified lock from high-end Swiss lock manufacturer Kaba, an employee must both enter a code up to eight digits long, then swipe a unique identity card coded to comply with a new standard that requires an extra layer of security, one designed to track individual staffers and make covert intrusion harder than ever. Or, as lockpicking expert Marc Weber Tobias will show a crowd of hackers Friday, you can stick a wire in the tiny display light above the keypad and instantly render all of that 'security' irrelevant.
At the Defcon security conference in Las Vegas, Tobias and his partner Toby Bluzmanis plan to demonstrate a series of simple hardware hacks that expose critical security problems in Kaba’s E-plex 5800 and its older 5000. Zurich-based Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access.
In demonstrations for me and in videos they plan to show the Defcon audience, the lockpicking duo use one method called “rapping” to open the lock by simply hitting its top surface or lever handle with a mallet, compressing an internal spring that then decompresses and pushes open a latch that releases the lock. In another bypass, they insert a wire into a silicon cover for an LED light that blinks red when the user enters an invalid code. That wire can ground a contact on the circuit board behind the light that triggers a function intended to allow the door to be opened with a remote button, bypassing all its security measures.
A third attack allows an insider to open the back side of the lock and insert a wire that flips a microswitch intended as an override for power failures. That trick resets the lock’s software, tampering with its audit trail and allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in a video that the more elaborate microswitch attack could be performed in under a minute.
“The issue is simply insecurity engineering,” says Tobias, who works as a consultant to several major lock firms and contributes blog posts to Forbes.com. “They simply don’t get it.”
Here are a few videos created by Tobias and Bluzmanis that demonstrate those security exploits:
SOURCE
#2 |
In the Brig
Nobody advertises security locks as fail-safe; security ratings of locks and vaults are measured by how long it takes someone to get past them. The longer it takes to bypass the security system, the higher the probability of the thief getting caught before they can defeat it.
Makes ya wonder about this though. This is waaay too easy, as if somehow maybe the design plans were intentional and specific buyers sought. This way others could have easy access to sensitive areas without a background check. Knowing this, one could easily make a fake issue ID and say they used it to get in. Be interesting to find out where these locks are being used. Scary.
#3 |
The Old Man
Join Date: Aug 2009
Location: Sin City
Posts: 1,364
Downloads: 55
Uploads: 0
How bout this:
A very well trained security employee sits at a desk monitoring these doors they need to access. The person who needs to get in can either swipe a card and input at least a 12-digit code, or he can do a fingerprint scan and enter at least a 12-digit code. His profile comes up on a screen, the security guy opens the door, and it's auto-logged in the computer records. That would be what I would do if I really needed to guard something.
__________________
A popular Government without popular information nor the means of acquiring it, is but a Prologue to a Farce or a Tragedy or perhaps both. Knowledge will forever govern ignorance, and a people who mean to be their own Governors must arm themselves with the power knowledge gives - James Madison
#4 |
A long way from the sea
Join Date: May 2005
Location: Iowa
Posts: 1,913
Downloads: 21
Uploads: 0
Simply put, security of any stripe will always be reactive - you build a better lock, the other guy builds a better lockpick. It's an arms race with no ceiling, limited more by the amount of inconvenience you want to put legitimate users through than by what you can do to keep the other fellow out.
__________________
At Fiddler’s Green, where seamen true When here they’ve done their duty The bowl of grog shall still renew And pledge to love and beauty. |
#5 |
Soaring
Bumpkeys, anyone?
That Kaba locks like in the above videos, or doorlocks still vulnerable to bumpkeys (Schlagschlüssel), still get sold in the shops, is hilarious. And that producers of these locks, especially normal so-called security-doorlocks that nevertheless are vulnerable to bumpkeys, still do not tell their customers about it, imo is criminal, because it is an intentional deception of the paying customer who is intentionally left in the belief to have bought a secure lock. Some months ago, when being in the do-it-yourself-market, I checked some locks due to curiosity - and the printed descriptions did not mention the vulnerability at all, although the manufacturers know about it. Bumpkeys can be legally advertised and bought in Germany for small money (20-30 Euros), and open most doors with so-called "security locks" within seconds. Check YouTube, if you don't believe it. Yes, locks are meant to delay an intruder, not to eternally prevent him from entering, and yes, no lock ever will be totally secure. But what the videos demonstrate, or the speed and easiness by which even a novice can use bumpkeys to open locked doors within seconds, leads the whole concept nevertheless ad absurdum. Especially when the tools are legally available to everybody.
__________________
If you feel nuts, consult an expert. |
#6 |
Navy Seal
Occam's Razor: The simplest solution is often the best. Time and time again articles appear regarding complex, sophisticated, and usually expensive security systems undone by someone using a simple, direct, and unsophisticated methodology. There have been many times I have helped out someone who has gotten themselves into some kind of fix with their computer or software and I just used some simple trick to clear up the problem. The whole security situation is somewhat akin to the famous scene in the original "Indiana Jones" movie where an Arab assailant is making grand threatening gestures with his swords and Indiana simply pulls out his pistol and blows the assailant away.