Defcon Hacks Defeat Card-And-Code Locks In Seconds

timothy posted more than 3 years ago | from the hey-tsa-locks-are-awesome dept.

Security 144

Sparrowvsrevolution writes "At the Defcon security conference in Las Vegas, Marc Weber Tobias and Toby Bluzmanis plan to demonstrate simple hardware hacks that expose critical security problems in Swiss lock firm Kaba's E-plex 5800 and its older 5000. Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access. One attack uses a mallet to 'rap' open the lock, another opens the lock by putting a pin through the LED display light to ground a contact on the circuit board, and a third uses a wire inserted in the lock's back panel to hit a switch that resets its software."

144 comments

Attractive Nuisance (5, Insightful)

retroworks (652802) | more than 3 years ago | (#37003104)

Legally speaking, an "unhackable" security system is starting to resemble an attractive nuisance. Design utmost security, you are inviting hackers, thereby defeating your trespass claims...

Re:Attractive Nuisance (2)

sribe (304414) | more than 3 years ago | (#37003174)

I'd like to see the hacker that could defeat my home security system [remingtonle.com] !

Re:Attractive Nuisance (2, Funny)

Anonymous Coward | more than 3 years ago | (#37003198)

Well, since you're probably American, the hacker can have a gun as well; if he shoots first, no one gives a shit about YOUR gun.

Re:Attractive Nuisance (2)

chill (34294) | more than 3 years ago | (#37003610)

Han? Is that you?

Re:Attractive Nuisance (2)

kvezach (1199717) | more than 3 years ago | (#37004650)

No, he's Greedo. Don't you know? We've always been at war with, err... Greedo always shot first.

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37005344)

Plenty of other countries have even more guns per capita than the US, and they have lower crime rates as well. Canada, for instance.

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37005708)

[citation needed]

Pediwikia puts US at #1, followed by such bastions of law and order like Serbia and Yemen. And US is a real leader - there are almost 90 firearms per 100 persons there, while in Serbia there are a bit fewer than 60. That's, like, 1/3 less firearms per 100 people.

Canada is far, far behind.

Re:Attractive Nuisance (1)

slackbheep (1420367) | more than 3 years ago | (#37005964)

This listing [wikipedia.org] shows roughly the same values, with the US leading at 88.8/100 and Canada taking up the rear with 30.8/100. I'd always assumed we canucks would rank far higher given the uproar here over the gun registry.

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37006306)

Yeah, bad guys can only have guns in the US... oh wait...

Re:Attractive Nuisance (1)

Carnildo (712617) | more than 3 years ago | (#37003242)

Easy [wikipedia.org] .

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37004074)

+1 for LMFAO. Yep that would just about do it.

Re:Attractive Nuisance (2)

siddesu (698447) | more than 3 years ago | (#37005756)

Even easier and not so exotic, I'll always bet on a thug who is used to violence against a regular guy with a gun. The thug wins because he has advantage in ruthlessness. I have a reasonably good command of a martial art, yet I got surprised this year in the street by a guy roughly twice my size who tried to mug me. I took one in the teeth just because I just refused to believe what was happening. In the end he wasn't really successful and is probably still productively employed in a brick prison factory, but my mouth hurt for a week after our meeting.

Re:Attractive Nuisance (1)

camperdave (969942) | more than 3 years ago | (#37003270)

Won't work if you're not home.

Re:Attractive Nuisance (1)

Sulphur (1548251) | more than 3 years ago | (#37004420)

Won't work if you're not home.

Sounds like a job for Turret Monkey.

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37003562)

That's easy, put some mud down the barrel, if you try to fire your shotgun, it'll be more painful for you.

Or you know, the hypothetical hacker/burglar waits for you to not be home and takes your stuff anyway.

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37003626)

Best home security: 2~3 of these...http://www.akc.org/breeds/doberman_pinscher/

Re:Attractive Nuisance (-1)

Anonymous Coward | more than 3 years ago | (#37003988)

Cue the gun-hating faggots in 3..........2.........1................

Re:Attractive Nuisance (1)

Ja'Achan (827610) | more than 3 years ago | (#37004930)

This might be true. But for every smart hacker out there, there's a thousand script kiddies. You might not be able to keep everyone out, but if you have low end security, everyone will take a crack at it.

Re:Attractive Nuisance (1)

Arancaytar (966377) | more than 3 years ago | (#37005062)

So the solution is to design things that are so obviously insecure no hacker will even bother to play with it? That's not the security I'd feel comfortable with.

Re:Attractive Nuisance (0)

Anonymous Coward | more than 3 years ago | (#37005448)

Use ssh with PKI only and deny root access
Limit the number of connections per second
Use port knocking
Use IPtables to secure ssh (limit)
Tunnel everything over ssh
Add an IPS for packet inspection

Use pwgen -sy 128 or higher for decent and complex passwords.
Use luks or other available crypto tools to secure storage.
Use steganography as a part of the authentication process (multiple factors for authentication)
Use keys as a part of the authentication process
And most of all, keep your mouth shut about your settings, location and other info that may give you away.

As I please! (-1, Flamebait)

Copyrightest (2430638) | more than 3 years ago | (#37003140)

I'll cum inside of you as I please like corn on peas! When I'm through with that hot, tight ass of you ares, it'll be a cum fiesta inside of it!

made to government spec (5, Interesting)

magarity (164372) | more than 3 years ago | (#37003146)

a new Department of Homeland Security standard that goes into effect next year
 
How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

Re:made to government spec (1, Interesting)

camperdave (969942) | more than 3 years ago | (#37003314)

Seems odd to me that DHS standards specify a Swiss lock. Are there no American lock manufacturers?

Re:made to government spec (2)

Capt. Skinny (969540) | more than 3 years ago | (#37003426)

DHS doesn't specify any lock. They define standards that manufacturers can choose to implement if they want to market a standards-compliant lock. FTFA:

Zurich-based Kaba markets the 5800 lock... as the first to integrate code-based access controls with a new [DHS] standard

Re:made to government spec (0)

Anonymous Coward | more than 3 years ago | (#37003852)

The American government itself, whether by design or through "good intentions", has been dumbing down Americans for decades through their byzantine public education system. Things from Europe are just different - even regular paper isn't the same size, and everything else is in metric. They probably figured that would be enough to confuse American criminals.

Re:made to government spec (1)

Jorl17 (1716772) | more than 3 years ago | (#37004028)

I agree. Knowing bright minds who lived in America, they do say that our education system is a thousand times better. Plus the whole American-like thing of "limo dating", "dances", "trips" are incredible! I thought they were parodied in movies but it seems that it *is* done! No matter what, bright minds come from the US as much as from Europe, so don't get offended by my silly words.

Re:made to government spec (1)

Anonymous Coward | more than 3 years ago | (#37003428)

a new Department of Homeland Security standard that goes into effect next year

How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

I couldn't find a link to this standard (though I didn't try that hard), so I'm not sure it's fair to criticize the standard without reading and understanding it.

The "attacks" mentioned in the summary don't seem to be against the standard itself, but are physical attacks against one particular implementation.

And if it's a new standard being implemented, it shouldn't be too unusual for one company to be first to bring it to market.

Re:made to government spec (0)

Anonymous Coward | more than 3 years ago | (#37003468)

DHS approved, N.I.S.T, CIA, NSA recommendations avoided!

Re:made to government spec (1)

AHuxley (892839) | more than 3 years ago | (#37003560)

With residential key box programs spreading all over the US, good standards are going to get interesting.
Sneak and peek :)

Let me write the spec... (1)

NotQuiteReal (608241) | more than 3 years ago | (#37003824)

Lock specification:

1) Submit production samples of your candidate locks to several Defcon conferees, particularly those who have defeated lock mechanisms in the past.
2) A decision on whether your locks meet the specification will be rendered after next year's Defcon.

Re:made to government spec (0)

Anonymous Coward | more than 3 years ago | (#37003970)

a new Department of Homeland Security standard that goes into effect next year How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

That's sorta the point. Spend taxpayer dollars fattening up your largest campaign contributors, or perhaps, a company of your own. So, who at Kaba is related to a senator?

Re:made to government spec (1)

hey! (33014) | more than 3 years ago | (#37004128)

What I don't understand is, why spend $1300 on an untested design?

What I'd do is put an RFID tag on the user's key, then take a high quality conventional lock and add an RFID reader to it and a pawl which prevents the lock cylinder from turning unless an RFID on the allow list is present.

The point would be the lock would fail to a safe, or relatively safe condition. If the electronic system were defeated you'd still have a functioning lock.

Re:made to government spec (0)

Anonymous Coward | more than 3 years ago | (#37004340)

Like something like this?
http://www.abloy.com/en/abloy/abloycom/Products-MPC/?groupId=1369

Re:made to government spec (0)

Anonymous Coward | more than 3 years ago | (#37004392)

I'm assuming that the whole point of this lock is that it doesn't require a key. High-security locks require expensive keys, making it prohibitively expensive to rekey the lock or distribute many keys. Your idea just makes keys even more expensive. The other disadvantage of a key is that it's something you have rather than something you know -- if it's stolen (or borrowed), your security is compromised.

Furthermore, there's no reason your lock wouldn't be vulnerable to a mallet attack or other non-standard physical attacks (like the one where they opened up the back and stuck something inside).

dom

Re:made to government spec (2)

arglebargle_xiv (2212710) | more than 3 years ago | (#37004180)

How many places will buy them because they meet this government spec without regard to these problems? Government planning at its finest!

That's pretty common with (non-classified) government security standards. A bunch of guys, often ones whose last industry experience occurred twenty years ago, get together and, after 2-3 years of often acrimonious committee meetings, throw together enough random features to call it a standard. Far too frequently what gets certified for govt.standards is whatever's possible to itemise in a checkbox rather than what would actually add security (I've seen stuff that's little removed from EU banana-bentness requirements in USG security standards). It's not surprising then that you can have products that are fully compliant with (non-classified) USG standards while also being completely insecure.

Standards for classified security systems, now they're another matter, they're often written by the people who have the most experience in breaking them so they tend to be much better. They also work with a completely different development cycle, taking 5-10 years to get to market and costing an arm and a leg when they arrive.

Re:made to government spec (0)

Anonymous Coward | more than 3 years ago | (#37004974)

NOT to give DHS a pass on this, but these locks ( cipher locks ) are designed for restricted access ( airport doors, office doors and the like ) they are not protecting top-secret documents from bad guys. These locks are to replace the 5 button mechanical cipher locks ( should you ever encounter one of these used by technical types, the code 3-1-4 is used much too often )

Combination locks are better for these types of installation because you can not lose the keys to them, and if a change is needed - the combination can be changed in about 10 minutes.

This 'new' lock uses the popular security procedure of 'something you have ( your ID card ) and something you know ( the combination )' which eliminates 'borrowing' an ID to gain access or someone getting the combination from overhearing it, finding it on a post-it note or other such methods.

Re:made to government spec (1)

sander (7831) | more than 3 years ago | (#37005812)

All of them that need some kind of certification from DHS on meeting their standards. It does not matter if it works or is useful - DHS mandates it, so they must have one.

good security (2)

kermidge (2221646) | more than 3 years ago | (#37003160)

It's nice to know that those in charge of building the United States' very own Gestapo are also security experts. Too bad they're so good at the first task and so lousy at the second.

Also... (1)

naturaverl (628952) | more than 3 years ago | (#37003300)

Look, I can defeat the lock by kicking the door in! It must be an insecure design.

Re:Also... (1)

micheas (231635) | more than 3 years ago | (#37003328)

If you have a few hundred pounds of gold behind the door that would be a safe conclusion.

Security in depth... (1)

Firethorn (177587) | more than 3 years ago | (#37005022)

Your post reminded me of something I haven't seen mentioned here -
In pretty much any system you're going to have numerous vulnerabilities, which you will mitigate with controls (being generic here).

Take a house or building. Incomplete list, of course:
Depending on attack, all of these are vulnerabilities:

  • Doors - Lock, Door Body, Frame
  • Windows - Glass, Lock, Frame
  • Walls & Roof

Now, there's also covert and non-covert entry. Picking a lock is covert, busting a window isn't. It's a sliding scale really; busting a hidden window may be more covert than picking the front door.

The trick to security is to determine your budget, list up all your vulnerabilities, then figure out a plan to 'even up' your worst vulnerabilities while staying in budget.

As such, in a home buying premium 'unpickable' locks is typically not necessary. You'll quickly make it so picking the lock isn't worth it - but you may fail to address the other vulnerabilities. Instead, you might as well pick one for features such as being able to rekey it yourself, electronic entry, durability/reliability, even appearance.

One quick fix may be to buy some long, heavy duty screws and put them into your door frame, and replace the screws that came with your locks and hinge hardware. Longer screws = more strength against break attacks. They're generally cheap; even $20 will go a long ways towards making your door harder to kick in. After that, you're probably better off looking at your windows - bars on the windows, if you're that paranoid.

An automatic alarm system gives you some depth, but be careful of monitoring companies - some don't take their own alarms seriously.

I guess all those cheesy movies/TV shows are right (2)

bfwebster (90513) | more than 3 years ago | (#37003320)

You know, the ones where the character (usually a young, bright geek) rips the cover off the card swipe/keypad unit, shorts a few wires, and opens the door? ..bruce..

Re:I guess all those cheesy movies/TV shows are ri (5, Interesting)

mea_culpa (145339) | more than 3 years ago | (#37003580)

I got locked in my self-storage lot after staying past closing time (11 PM). There were no staff to let me out and I was trapped inside with only a keypad to open the gate which happily told me the lot was closed. After inspecting the gate I saw what amounted to a key switch on a pole high enough for someone on a fire truck to access from the outside. I followed the conduit from that key switch to an electrical box near the gate motor. This small box was secured with one flat head screw. Armed with a paperclip I removed the screw and shorted the two wires coming from the key switch and the gate opened.

I don't know if I would have thought to do that if I wasn't inspired by the movies. It sure beat camping there for the night.

Re:I guess all those cheesy movies/TV shows are ri (2)

thygate (1590197) | more than 3 years ago | (#37003588)

Normally these cheap devices directly control an actuator (coil or motor etc..) that is physically embedded in the door lock. If you can open the device, only little logic is needed to directly drive the actuator using the power supply, or gate the responsible transistor with a wire. It would be more secure if the scanning device had a digital link to a control system located somewhere else, that would verify the code and drive the actuator directly.

Truth in television (1)

DragonHawk (21256) | more than 3 years ago | (#37004094)

"You know, the ones where the character (usually a young, bright geek) rips the cover off the card swipe/keypad unit, shorts a few wires, and opens the door?"

I swear to FSM I've done this.

I was meeting a friend of mine at a place. Door is protected by a keypad lock. When we get there he then realizes they just issued all new codes for the year, he can't remember his yet, and the paper with the new code is back at his place. I look at the box the keypad is mounted in, and notice it has two exposed screws.

I whip out my Leatherman and take the keypad off. There are four wires running to the keypad. I try randomly shorting two of the pins on the connector.

*click*

I couldn't believe it actually worked. I know the keypads we have at work are much better than that. The exposed keypads and scanners only transmit codes back to the control unit. The relays for the door releases are in the control unit, and the door releases are wired separately. Ripping open the keypad gets you very little.

Re:Truth in television (1)

bfwebster (90513) | more than 3 years ago | (#37004718)

OK, I'm at my laptop, laughing out loud. Well done. ..bruce..

Attacks too easy? (4, Interesting)

QuasiSteve (2042606) | more than 3 years ago | (#37003332)

One attack uses a mallet to 'rap' open the lock

Isn't this pretty much an old trick, similar to 'bumping'?

another opens the lock by putting a pin through the LED display light to ground a contact on the circuit board

This one's a lot more fun as you have to know where, approximately, that contact is - but then again, why is that contact accessible?

and a third uses a wire inserted in the lock's back panel to hit a switch that resets its software."

oh for pity's sake.

The first has already been solved by lockmakers, the second is solved by making the PCB reasonably inaccessible (an individual cover plate will do) which would also deal with the third, but then the third shouldn't be a switch anyway - it should be two distinct female header points on the PCB that can be bridged only with a length of wire; this is not a crappy home wireless router that actually needs a user-accessible reset button.

Whoever designed these $1k locks, electronically and mechanically, really needs to go back to the drawing board... or school.

Re:Attacks too easy? (0)

Anonymous Coward | more than 3 years ago | (#37003600)

Now why did I put that self destruct button on the front panel? -Doof

Re:Attacks too easy? (1)

93 Escort Wagon (326346) | more than 3 years ago | (#37003844)

Coin-operated self-destruct - not one of my better ideas...

Re:Attacks too easy? (0)

Anonymous Coward | more than 3 years ago | (#37004248)

+1 reference that no mod but me will get.

Re:Attacks too easy? (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#37003644)

A few CCs of potting compound would really have saved them some embarrassment...

Re:Attacks too easy? (1)

maxwells_deamon (221474) | more than 3 years ago | (#37003810)

I thought of this when I saw the summary:

http://www.youtube.com/watch?v=yp4LFuFCon0 [youtube.com]

Come on guys, don't you watch any movies?
From the movie Sneakers

Sun Microsystems knows this well (1)

DragonHawk (21256) | more than 3 years ago | (#37004112)

"It is important to realize that any lock can be picked with a big enough hammer." -- Sun System & Network Admin Manual

Re:Attacks too easy? (1)

sjames (1099) | more than 3 years ago | (#37003910)

Isn't this pretty much an old trick, similar to 'bumping'?

Sadly, this is like bumping only with less finesse and no need to make a special bump key. For a $1300 lock, it's a damned sad showing. A $20 lock is actually a bit harder to crack.

No kidding for that price (1)

Sycraft-fu (314770) | more than 3 years ago | (#37004076)

I mean when you deal with physical security, you accept that there is no 100%. There is no unbreakable lock, no invincible door, and so on. However that doesn't mean everything is shit and money should get quality.

Compare that shit to a high security Medeco or Assa lock or the like. They can't be bumped, are hard to get keys copied for, can take a hell of a lot of physical abuse and so on, yet only cost about $200-300.

You are going to roll out a $1000 lock, it needs to at least give you the same kind of security you'd get from one of those. They may not be perfect, but you can't stick a wire in them to get by them at least.

Uber locks (5, Informative)

DragonHawk (21256) | more than 3 years ago | (#37004178)

You are going to roll out a $1000 lock, it needs to at least give you the same kind of security you'd get from one of those. They may not be perfect, but you can't stick a wire in them to get by them at least.

What's interesting is that Kaba Mas also makes the X-09, which is the current DoD uber-lock used for classified stuff. It is, by all reports, extremely hard to subvert.

  • Self-powered. No battery or external power supply needed.
  • The exposed side has an LCD and a dial. Everything else is inside the security boundary. If you break the dial off you just make entry harder.
  • The LCD is designed to only be viewable by someone standing right at the lock. Someone standing next to you can't snoop the numbers.
  • The rate at which the dial causes numbers to change varies randomly with each step of the combination. Someone standing next to you can't derive the numbers from the rate at which you turn the dial.
  • If the dial is turned at too regular a pace, the lock assumes you're an auto-dialer and shuts down.
  • Repeated wrong combinations result in progressively longer lockout delays.
  • You can view how many unsuccessful attempts have been made (allows you to audit to see if someone's tried to get in).

Neat stuff.
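
An added example, not part of the post above and not Kaba's firmware: a toy Python model of three behaviours from that list (progressive lockout, the unsuccessful-attempt audit counter, and shutting down on a too-regular dial pace). The class name, every threshold, the doubling schedule, the combination and the timing samples are all assumptions made for illustration.

```python
import hmac
import statistics


class DialLockModel:
    """Toy model only. Every constant below is an assumed value."""

    FREE_FAILURES = 2         # wrong tries tolerated before any lockout
    BASE_LOCKOUT_S = 30.0     # first lockout delay, doubled on each further failure
    MAX_LOCKOUT_S = 3600.0    # cap on the delay
    MIN_STEPS_FOR_PACE = 8    # dial steps needed before pace is judged
    MIN_JITTER_RATIO = 0.05   # stdev/mean of step intervals below this looks motor-driven

    def __init__(self, combination):
        self._combination = combination.encode()
        self.failed_attempts = 0        # audit counter; a later success does not clear it
        self._consecutive_failures = 0
        self._locked_until = 0.0
        self.shut_down = False

    def looks_like_autodialer(self, step_times):
        """True if dial-step timestamps are too evenly spaced for a human hand."""
        if len(step_times) < self.MIN_STEPS_FOR_PACE:
            return False
        intervals = [b - a for a, b in zip(step_times, step_times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            return True
        return statistics.pstdev(intervals) / mean < self.MIN_JITTER_RATIO

    def try_open(self, entered, step_times, now):
        """Return 'open', 'denied', 'locked_out' or 'shutdown' for one attempt."""
        if self.shut_down:
            return "shutdown"
        if now < self._locked_until:
            return "locked_out"          # the entry is not even evaluated
        if self.looks_like_autodialer(step_times):
            self.shut_down = True        # stays down until serviced
            return "shutdown"
        # Constant-time comparison, so timing does not reveal a partial match.
        if hmac.compare_digest(entered.encode(), self._combination):
            self._consecutive_failures = 0
            return "open"
        self.failed_attempts += 1
        self._consecutive_failures += 1
        over = self._consecutive_failures - self.FREE_FAILURES
        if over > 0:
            delay = min(self.BASE_LOCKOUT_S * 2 ** (over - 1), self.MAX_LOCKOUT_S)
            self._locked_until = now + delay
        return "denied"


# Constructed sample input: timestamps (seconds) of individual dial steps.
HUMAN_STEPS = [0.00, 0.21, 0.37, 0.66, 0.80, 1.12, 1.25, 1.61, 1.78]
MOTOR_STEPS = [i * 0.1 for i in range(12)]


def run_demo():
    """Replay a constructed sequence of attempts; return (results, audit count)."""
    lock = DialLockModel("502575")       # constructed combination
    attempts = [
        ("111111", HUMAN_STEPS, 0),      # wrong, tolerated
        ("222222", HUMAN_STEPS, 10),     # wrong, tolerated
        ("333333", HUMAN_STEPS, 20),     # wrong, starts a 30 s lockout
        ("502575", HUMAN_STEPS, 30),     # right code, but still locked out
        ("444444", HUMAN_STEPS, 50),     # wrong again, lockout doubles to 60 s
        ("502575", HUMAN_STEPS, 110),    # right code after the delay
        ("502575", MOTOR_STEPS, 200),    # right code at a machine-regular pace
        ("502575", HUMAN_STEPS, 300),    # lock stays shut down
    ]
    results = [lock.try_open(*a) for a in attempts]
    return results, lock.failed_attempts


if __name__ == "__main__":
    print(run_demo())
```

The audit counter survives the successful opening, which is what lets an owner see that someone has been trying combinations.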

Re:Uber locks (1)

Anonymous Coward | more than 3 years ago | (#37004852)

The X-09 is just amazing - a bit of a pain in the ass, because the turning of the dial and the rate of numbers changing is never quite the same.

The self-powered thing is cool too - you spin the knob hard 3 or 4 times - the LCD display will appear - and it is good to go.

You are allowed to go past the number you want to n+3 where you can turn the dial 'backwards' and still pick-up the right number, at n+4 you have to start again.

The earlier model X-08 is largely the same - LED display and not quite as fancy

I am always looking for a cheap one on ebay - just to 'protect' a cookie jar if nothing else

FWIW - the numbers for the combination are almost always remembered using a dictionary word - next to almost all locks you will see a drawing of a 12 button phone number / letter pad. You pick a 6 letter word ( another popular option is a 4 letter word with an object or adjective) or something reasonably easy to remember and each letter crosses to one of the digits of the combination.

Typically you select the word and that sets the digits for the combination. Sometimes it needs to be done the other way. Most often, in my experience, when the team gets its first female member. If the word used would be widely considered NSFW, and the combination can not be reset before hand, there is a bit of a scramble to find a word/words that can be used in place of the original combination word

Re:Uber locks (1)

subreality (157447) | more than 3 years ago | (#37005724)

FWIW - the numbers for the combination are almost always remembered using a dictionary word - next to almost all locks you will see a drawing of a 12 button phone number / letter pad.

How sad that this piece of well-engineered technology can be subverted by something so simple... This drastically reduces the keyspace. It's not quite as bad as leaving the combination on a post-it, but it's still considerably degraded from what it should be.
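
An added example, not part of either post above: a Python audit helper that quantifies the keyspace loss described here and flags combinations derivable from a word. It assumes a 6-digit combination and the standard phone keypad letter layout; the word list is a small constructed sample, and all function names are hypothetical.

```python
import math

# Standard phone keypad layout: letters sit only on keys 2-9.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def word_to_digits(word):
    """Translate a word to the digits a user would read off the keypad drawing."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower())


def build_word_index(words, length=6):
    """Map each word-derived combination to the words that produce it."""
    index = {}
    for raw in words:
        w = raw.strip().lower()
        if len(w) == length and all(c in LETTER_TO_DIGIT for c in w):
            index.setdefault(word_to_digits(w), []).append(w)
    return index


def keyspace_report(words, length=6):
    """Compare the full digit keyspace with what word-based selection leaves."""
    index = build_word_index(words, length)
    full = 10 ** length
    letters_only = 8 ** length          # digits 0 and 1 carry no letters
    derived = len(index)                # distinct combinations, after collisions
    return {
        "full": full,
        "letters_only_bound": letters_only,
        "word_derived": derived,
        "full_bits": round(math.log2(full), 1),
        "letters_only_bits": round(math.log2(letters_only), 1),
        "word_derived_bits": round(math.log2(derived), 1) if derived else 0.0,
    }


def words_for_combination(combo, index):
    """Return the words that yield this combination (empty list if none)."""
    if "0" in combo or "1" in combo:
        return []                       # cannot come from letters at all
    return sorted(index.get(combo, []))


# Constructed sample word list; "key" is ignored because it is not 6 letters,
# and "tested"/"vested" collide on the same digits.
SAMPLE_WORDS = ["secure", "locked", "castle", "dragon", "monkey",
                "winter", "tested", "vested", "key"]

if __name__ == "__main__":
    idx = build_word_index(SAMPLE_WORDS)
    print(keyspace_report(SAMPLE_WORDS))
    print(words_for_combination("837833", idx))
    print(words_for_combination("502575", idx))
```

Run against a real dictionary file, `word_derived` gives the number of combinations a word-based policy actually leaves, and `words_for_combination` can reject a proposed combination before it is set.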

Re:No kidding for that price (1)

Jimbookis (517778) | more than 3 years ago | (#37004972)

They can't be bumped, are hard to get keys copied for, can take a hell of a lot of physical abuse and so on, yet only cost about $200-300.

You are going to roll out a $1000 lock, it needs to at least give you the same kind of security you'd get from one of those. They may not be perfect, but you can't stick a wire in them to get by them at least.

Oh come on, do you know just how EXPENSIVE the cost of living is in Switzerland compared to the USA? The Swiss get in trouble if they pop over the border to Germany and buy cheaper petrol and groceries!

Re:Attacks too easy? (1)

martin-boundary (547041) | more than 3 years ago | (#37004702)

Isn't this pretty much an old trick, similar to 'bumping'?

What's bumping? Is that like on NCIS when DiNozzo says something stupid while standing with his back to Gibbs?

Re:Attacks too easy? (0)

Anonymous Coward | more than 3 years ago | (#37005916)

It is remarkably similar to a back-of-the-head/neck-smack,-Gibbs-style ;)

http://en.wikipedia.org/wiki/Lock_bumping [wikipedia.org]

Re:Attacks too easy? (0)

Anonymous Coward | more than 3 years ago | (#37005944)

What if this lock was 'secure' by design, "Department of Homeland Security standard". I'm pretty sure they got standardized backdoors.

Still a major defect (2)

MobileTatsu-NJG (946591) | more than 3 years ago | (#37003336)

Unfortunately these locks still happily open the door when fired on by a blaster.

Re:Still a major defect (1)

arglebargle_xiv (2212710) | more than 3 years ago | (#37004212)

Unfortunately these locks still happily open the door when fired on by a blaster.

Gimme a light saber any day. This is the weapon of a Jedi Knight. Not as clumsy or random as a blaster; an elegant weapon for a more civilized age.

(In addition you can use it to cut through the door directly, even if the lock is blaster-proof).

Re:Still a major defect (0)

Anonymous Coward | more than 3 years ago | (#37004372)

But then you'd be stuck with no way to extend the bridge...

Nice videos (1)

Anonymous Coward | more than 3 years ago | (#37003400)

In other news, people who attend Defcon are too cheap to use a Mac, upload bizarrely interlaced videos to YouTube because mencoder's command line cannot be understood by humans.

don't forget (0)

Anonymous Coward | more than 3 years ago | (#37003406)

Don't forget about the Wile E. Coyote method of sneaking a cannon to the door and blowing it up.

Disklocks are awesome... (1)

Duncan J Murray (1678632) | more than 3 years ago | (#37003460)

If you could just implement identifying credentials into these locks...
toool.nl/images/f/f3/Abloypart2.pdf (PDF)

Re:Disklocks are awesome... (1)

Keruo (771880) | more than 3 years ago | (#37004172)

It exists; the Abloy-specific product is called Protec. The key operating the disks is special shaped, quad toothed, double grooved with head pin. The metal in the key works as i-wire or similar digital contact which controls the magnetic part of the door (has string encrypted on it, which the server uses to validate access times for that specific key).

Re:Disklocks are awesome... (0)

Anonymous Coward | more than 3 years ago | (#37004842)

Easy Peasy 3 Pounds of C4 plastic and leggit.

The Swiss can make good rolexes but high priced lo (1)

Joe_Dragon (2206452) | more than 3 years ago | (#37003572)

The Swiss can make good Rolexes but high priced locks where you can get to bypass wire real easy.

Anyways, slot machines used to be easy to short out by doing something like this and they fixed them.

Exposed grounds/resets? (3)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#37003578)

The fact that somebody managed to get a "secure" lock out the door with electrical contacts trivially accessible from the hostile side of the door is pretty damn pathetic... Couldn't they have potted the thing? Worse, it isn't as though designing systems that are supposed to be resistant to physical/electrical attacks isn't exactly an unknown field. The Nevada Gaming Commission, for example, would laugh a slot machine out of their office if it had externally accessible PCBs. The standards specifically mention that, among numerous other considerations. Heck, these super-advanced locks would seem to be rather more vulnerable than contemporary consumer hardware DRM, of the sort that protects a few bucks worth of pop-culture drivel. FFS...

Re:Exposed grounds/resets? (0)

Anonymous Coward | more than 3 years ago | (#37003826)

Oh but when software ships with hundreds of gaping flaws and bugs, programmers are "craftspeople". But how dare hardware engineers working under management make a mistake! The wrath of the bearded unwashed software retards shall be heard!!! Fuck you, software turd. Build something real and get back to me. Now go back to pounding your keyboard like a retard on pudding day.

Re:Exposed grounds/resets? (0)

Anonymous Coward | more than 3 years ago | (#37006060)

On the other hand you could try "engineering" something useful. No one but your mother is going to be proud of the birdhouse you built that's more along the lines of an iron maiden.

how about hardwired so there less need battery (1)

Joe_Dragon (2206452) | more than 3 years ago | (#37003850)

How about hardwired, so there's less need for a somewhat easy to get to battery door / panel. Still can use a backup battery that is more sealed up.

But make it so the lock can be in a place where someone will see messing with it to bypass it, and make it take a little bit of time to bypass it as well.

It's tough to get security *right*s (1)

mcrbids (148650) | more than 3 years ago | (#37004284)

It's pretty easy to put together a basic security system. Require an identity token of some sort, and require proof of knowledge of a secret, and you have the makings of a security system!

Security is not a boolean. Security is a variable, ranging from none at all to mild, moderate, to extremely secure.

Little things can add greatly to real security (such as free permits for concealed weapons and password strength requirements), and big, obvious, "secure" things can easily be nothing more than theater. (EG: the TSA goons at the airports)

To be truly secure at the high end is surprisingly difficult. As the value of the prize increases in value, the number of potentially useful attacks increases exponentially. A dollar-store lock will reasonably protect a $50 used bike in most areas, but at $500, the lock has to be able to reasonably defend itself from something like a grinder. At $5,000, blow torches become reasonable, and at $50,000, plastic explosives are a fair bet.

See how much more difficult it gets to defend concentrated wealth? It's *hard* to do it right!

I was hoping for something more sophisticated (0)

Anonymous Coward | more than 3 years ago | (#37003714)

Web sites need cookie poisoning, SQL injection, clickjacking, clearjacking, buffer overflows, cookie forgery, cross site scripting, cross site request forgery, dictionary ribbon table attacks, border gateway protocol packet insertion man in the middle attacks....... and they hit the reset button in the back? Shove a pin through the LED display and ground a wire? Rap on the lock with a mallet? Really?!?!? If a kid had a beach bucket and immersed the lock, would that 'cook it' and unlock it too? This all reminds me of an attack a few years ago where kids in a junior high school computer lab with 'fingerprint readers' attached were able to log in as each other using gummy bears to copy each other's fingerprints. Want to test your system for security? Let a bunch of junior high kids at it!

um... (0)

Charliemopps (1157495) | more than 3 years ago | (#37003874)

I'd think that these guys are missing the point. Getting through a door is easy. Getting through a door without making it obvious that someone got through the door, is an entirely different matter. When I was a kid my parents had all the whiskey in a locked cabinet. The doors were glass, and the lock was the flimsiest padlock you'd ever seen. I sure as hell could have gotten into it with a mallet... would that achieve my goals? No.

My guess is that no matter how hack-proof they make this lock, with a 6lb maul and a pry-bar I could get through that door in under 30 seconds. Which would leave just as glaring evidence as all of the methods suggested here would. A real hack would allow the attacker to pass through the door and leave the door and lock unharmed and no evidence (or at least hard to find evidence) of the attackers passage.

Re:um... (1)

johnwerneken (74428) | more than 3 years ago | (#37003944)

NOPE. The point of "terror" is to be known, not to remain undetected. Breaching the damn lock is almost as good as getting to, busting, etc. whatever the lock is supposed to keep safe, inaccessible to the unauthorized, etc....

Re:um... (1)

johnwerneken (74428) | more than 3 years ago | (#37003952)

If what's being "protected" is a part of the Dept of Homeland Security I'd say my few nickels worth of pop culture is far more valuable. Of course I have a more tamper-resistant lock, from Ace hardware....

Re:um... (1)

Bing Tsher E (943915) | more than 3 years ago | (#37003958)

My father locked certain power tools in a steel 'sea chest' because he didn't want me using them. I quickly sanded down one end of the hinge pins on the two hinges on the chest. Thus I could easily slip the hinges and get access to the tools when needed. I didn't tamper with the lock in any obvious way, and from then on always had access to those tools.

These don't leave any visible damage (1)

bigtrike (904535) | more than 3 years ago | (#37004024)

Did you watch the videos? The first two don't leave any visible damage and the third one is hard to detect.

Re:um... (1)

Osgeld (1900440) | more than 3 years ago | (#37004070)

um yea if your liquor lock issue had a big squishy silicone window to an "oops reset to unlock mode" that you could trip with a key-chain swiss army knife, cost a grand doing it, while being marketed to our dumb government, then you would have a point.

Re:um... (2)

tibit (1762298) | more than 3 years ago | (#37004310)

A 6lb maul? You joking? I have an 8lb demolition hammer, and I wished I had something bigger when doing a rather "simple" remodel of a room and demolition of a deck. 8lb was barely enough to get a slightly curvy 6.5' 2x10 header in place...

I've seen plenty of doors where even a 24lb demolition hammer would perhaps dent them and scratch the paint, and not much else. Since I had to replace the front doors on my house, I did try the 8lb hammer on them. By my estimate, it'd take me half a day of pounding and sweating to get through. I would probably demolish the block wall those doors were mounted in before ripping the doors open. And those seem to be standard commercial steel entry doors. Not the cheap residential stuff, but nothing specifically designed for highly secure areas either.

Re:um... (0)

Anonymous Coward | more than 3 years ago | (#37005510)

Clearly you have the larger penis.

Beware of assumptions (0)

Anonymous Coward | more than 3 years ago | (#37003890)

All but a couple of comments seem to assume that the lock-maker had security as a goal. But it sounds instead like it's trying to win government contracts, and has been doing well at that. I seriously doubt that "be secure" was any more of the design specification than "leap tall buildings in a single bound". Why the criticism for failing something it's almost surely not trying to do, nor been asked to do?

Re:Beware of assumptions (1)

johnwerneken (74428) | more than 3 years ago | (#37003934)

Exactly. No such thing as security, although there are such things as making "violations" more difficult or maybe even trying to do something to reduce, punish, or otherwise affect the number doing "violations" ("violations" = whatever the F a "breach of Security" is for the matter at hand, if any).

Abolish Dept Home Security - while still can! (0)

Anonymous Coward | more than 3 years ago | (#37003914)

Shows again the Total Stupidity of the whole CONCEPT of Homeland Security and the even more thorough-going stupidity of the Department of that name and everything/everybody associated with it. ABOLISH DHS!!! While we still can!

Re:Abolish Dept Home Security - while still can! (1)

johnwerneken (74428) | more than 3 years ago | (#37003928)

Above comment MINE get so PO'd about the whole war on terrorism - perhaps not as bad as the war on drugs at least there is a problem in there somewhere and maybe an enemy somewhere as well...that I FORGOT I was not logged in, thought I had that on auto, guess not lol

Hammer method might not work? (3, Insightful)

superdave80 (1226592) | more than 3 years ago | (#37003924)

In their demo video, the locking mechanism isn't attached to anything, so the whole mechanism bounces around when they whack it. I'd be interested to see if this method still works when it is attached to a solid door.

Pretty Sneaky Sis (1)

RubberDogBone (851604) | more than 3 years ago | (#37004184)

Still prefer the "Sneakers" solution to a locked, secured room sporting a very hard to crack keypad combination lock on the door.

It was not only one of the best scenes in the movie but should cause anyone faced with an impossible problem to stop for a moment and think outside the box. If your problem is in the box, then move the box. You will eventually find a way to crush it.

For those who have not seen the film or won't bother, the secret solution to the ultra secure keypad lock is to.... kick the door in.

A lock is only as good as the door it locks. And the door only as good as the door frame. And the frame only as good as the wall. When faced with a very good lock tumbler mounted in a very good lock on a very good door in a very good frame, the solution is not to spend time picking the lock when you could just make a big, quick hole in the cheap low bidder drywall next to the door and instantly make a whole new door with no lock. You get in. You get out.

Subtle, not really. But if you want to get in, expand your horizons. Put your problem in the box and then move the whole box.

Almost nobody thinks like this in my experience. They are all too busy contemplating how to pick the super good lock tumbler. Meanwhile I am out choosing which boot to use on the door, or which fire axe to use on that drywall.

Re:Pretty Sneaky Sis (1)

ShakaUVM (157947) | more than 3 years ago | (#37004288)

One of my old BJJ instructors always carries a knife to make emergency exits through drywall. Kept his ads from being jumped by a gang of guys in Brazil, once.

Re:Pretty Sneaky Sis (1)

tibit (1762298) | more than 3 years ago | (#37004362)

Even if the wall is made of cement blocks, it should only take a good chisel and a 4lb hammer to get through. Perhaps if you're in shape a 6lb hammer will make the job quicker, but I don't recommend it if you don't use it regularly. Once you get two blocks out, the rest will be like eating cheesecake: smooth and easy goin'. Brick walls are easier once you start, but may be harder to break through the first brick or two. If there's two of you -- to start let one hold the chisel, while the other one uses an 8lb long demolition hammer. The bricks will pop right out. Yes, I've done some deconstruction...

Going through drywall can be pretty much noiseless. All you need is a good cast metal Stanley knife handle for W-shape blades, and a few spare blades. Score, cut through, remove. For cast prefab plaster walls (saw them in Europe in many places), the knife still works. Only when you face lath it's harder to keep it quiet.

Re:Pretty Sneaky Sis (0)

Anonymous Coward | more than 3 years ago | (#37004556)

You'd like Burn Notice.

"Once somebody sends a guy with a gun after you, things are only going to get worse. But like it or not, you've got work to do. For a job like getting rid of a drug dealer next door, I'll take a hardware store over a gun any day. Guns make you stupid. Better to fight your wars with duct tape. Duct tape makes you smart. Every decent punk has a bullet proof door, but people forget walls are just plaster. Hopefully you get him with the first shot, or the second. Now he's down and waiting for you to come through the front door; so you don't come through the front door."

Re:Pretty Sneaky Sis (1)

putaro (235078) | more than 3 years ago | (#37005172)

Our front door is steel, in a concrete wall and opens out. Before you break your leg or get the jack hammer out, though, I'd recommend jumping onto our balcony and breaking the glass in the sliding doors.

I would have liked to see the demo done properly (2)

517714 (762276) | more than 3 years ago | (#37004424)

I am not convinced that the locks in the YouTube videos were actually locked. The plunger on the deadlatch was not depressed, and many locks respond differently in this mode since there is no purpose served in making the lock secure while the door is open. Last week I performed a modification to the front door lock of my parents' home to allow opening the door by either raising or depressing the handle that was similar to the third attack and the plunger function is critical to the locking function on that lock. The techniques may work with the deadlatch engaged to the striker plate, but without seeing the demonstrations repeated in that arrangement I remain a little dubious.

1300$ (2)

Chuby007 (1961870) | more than 3 years ago | (#37005138)

1300$ lock ... I would need to buy a lock to protect the lock but that lock would be 1300$ so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more so I would need to buy another lock to protect the lock but that lock would be 1300$, more I'm looping... But thankfully /. has an answer for everything ! : http://developers.slashdot.org/story/11/08/02/2031215/Escaping-Infinite-Loops [slashdot.org]

The IT Crowd (1)

pinkushun (1467193) | more than 3 years ago | (#37005252)

Turning it off and on again, usually helps :)

Obvious Countermeasure (0)

Anonymous Coward | more than 3 years ago | (#37006098)

Make physical access to the lock itself as hard as breaking through the door itself..oh wait..

I can't decide if this is a joke or not.
