A World Without Locks

When I was a kid, leaving your house or car doors unlocked was a commonplace. That’s one of the many things that have changed, forever and not for better, over the years. Imagine a world in which there are, in effect, no locks because they just don’t function any more. This article explains why mechanical locks may soon be rendered ineffective:

“If we show that mechanical locks are vulnerable to key duplication just by having a handful of numbers you can download off the internet, hopefully they’ll be phased out more quickly… Either that or make 3D printers illegal,” warns Eric Van Albert, a 21-year-old engineering student at the Massachusetts Institute of Technology (MIT) in an interview with Forbes, following his keynote at Def Con 21.

Along with fellow student and researcher David Lawrence, Mr. Van Albert showed off a software tool that used scans from a flatbed scanner of a highly advanced “secure” key design to create a 3D model of the key and then duplicate it via online printing services Shapeways (nylon; $5 USD) and i.Materialise (titanium: $150 USD).

Meanwhile, electronic high-security locks have long been known to be easily defeatable:

Toby Bluzmanis and Matt Fiddler are at it again.

The three, who have made numerous headlines for bumping and picking Medeco high-security locks and other brands, have now succeeded to crack state-of-the-art, CLIQ technology electro-mechanical high-security locks.

They showed Threat Level how they could easily bypass the electronic portion of the locks and thwart audit logs that track who opens a lock and when. They provided the demonstration in advance of a presentation they’re giving at the DefCon hacker conference here on Sunday, with the caveat that Threat Level not disclose certain details about how they defeated the locks. (View edited video on Tobias’ web site.)

The hacks are low-tech and don’t involve attacking the actual electronic component of the lock. Instead, they use standard techniques for opening mechanical locks, similar to bumping — where an attacker places a specially-designed key in the keyway and “bumps” it repeatedly with a device until the lock releases.

“These [locks] are used in some high-security facilities,” Tobias said. “And the makers tout the fact that this is the ultimate in security. And they shouldn’t be saying that.”

The locks cost between $600 and $800 apiece, with keys costing about $95 each.

They’re used in government buildings, banks, and critical infrastructures, such as power and water plants and transportation facilities. The Swiss Federal Railway System uses them as does the Ottawa International Airport in Canada.

Ah, brave new world! When the technology of lock-breaking proceeds faster than the technology of new locks, locks have become ineffective.

1 comment
  • Eric Rall

    It’s been a truism since classical times that a wall is only as good as the men defending it: if someone who knows what they’re doing wants in badly enough, the only reliable way to keep them out is with actual guards. There’s an arms race between locks and walls and gates on one side, and the tools and techniques for overcoming them on the other, but it’s always been true that a determined attacker could break in somehow if given the chance. The locks and walls and gates are just there to slow the attackers down enough that casual attackers (especially ones without the tools and skills to attack properly) don’t bother and to give your guards a better opportunity to stop serious attackers.

    For most people’s houses and cars, you’re only stopping casual attackers anyway. Bump keys have been around for ages, and standard lock picking techniques good enough for standard residential locks have been around for even longer, not to mention the time-honored technique of throwing a brick through a window.
