
AT&T Identifies Widespread Security Hole - In Locks

timothy posted more than 11 years ago | from the analogies-reversed dept.

Security 498

__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."


498 comments


I'm locked out of the article.. (-1, Offtopic)

Meleneth (104287) | more than 11 years ago | (#5142300)

something about registration required. I would NEVER sign up for an account on any kind of web based system. Evil.

3. Profit!

Re:I'm locked out of the article.. (2, Funny)

fistynuts (457323) | more than 11 years ago | (#5142308)

How did you post that message then?

Re:I'm locked out of the article.. (0, Offtopic)

Meleneth (104287) | more than 11 years ago | (#5142311)

I would never post a message either.

What are you implying, sir?

Re:I'm locked out of the article.. (1)

REBloomfield (550182) | more than 11 years ago | (#5142312)

Then scroll down. Aren't I nice :) Saved you the hassle good sir...

Re:I'm locked out of the article.. (1)

Meleneth (104287) | more than 11 years ago | (#5142319)

thanks, just waiting for it to appear :)

(waits for time to go by so he can post)

(waits for more time to go by so he can post)

Re:I'm locked out of the article.. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5142325)

Step 1: Collect underpants!

Re:I'm locked out of the article.. (1)

HellKrisp (536404) | more than 11 years ago | (#5142388)

Interestingly enough, I didn't get any of the registration stuff - just the article. Perhaps they've changed their policy? Although that wouldn't explain why some people are still getting the registration message. Odd.

Re:I'm locked out of the article.. (1)

Rip!ey (599235) | more than 11 years ago | (#5142417)

Interestingly enough, I didn't get any of the registration stuff - just the article.

Same here. No sign of the usual registration page, just the article (and a pop-up).

Re:I'm locked out of the article.. (0)

Anonymous Coward | more than 11 years ago | (#5142441)

That's the LA Times, numbnuts.

i suppose that (5, Funny)

mrpuffypants (444598) | more than 11 years ago | (#5142301)

so now Master is going to have to release patches and hotfixes?

"Hey steve, check out my new lock!"

"pffft, is it v.3.21.7?"

"no"

"that's like an invite for key kiddies and 1337 crackers"

Re:i suppose that (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5142346)

Looks like there is a way to hack without worrying about the DMCA!

Re:i suppose that (4, Funny)

HermDog (24570) | more than 11 years ago | (#5142397)

I must have missed the CERT advisory. Which Linux distros are affected? OpenBSD, of course, is not vulnerable as long as you use the default installation inside the welded safe.

la la la (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5142303)


here... (4, Informative)

REBloomfield (550182) | more than 11 years ago | (#5142304)

For those that don't want to register, here's the full text:

Master Key Copying Revealed
By JOHN SCHWARTZ

A security researcher has revealed a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building.

The researcher, Matt Blaze of AT&T Labs-Research, found the vulnerability by applying his area of expertise -- the security flaws that allow hackers to break into computer networks -- to the real-world locks and keys that have been used for more than a century in office buildings, college campuses and some residential complexes.


The attack described by Mr. Blaze, which is known by some locksmiths, leaves no evidence of tampering. It can be used without resorting to removing the lock and taking it apart or other suspicious behavior that can give away ordinary lock pickers.

All that is needed, Mr. Blaze wrote, is access to a key and to the lock that it opens, as well as a small number of uncut key blanks and a tool to cut them to the proper shape. No special skills or tools are required; key-cutting machines costing hundreds of dollars apiece make the task easier, but the same results can be achieved with a simple metal file.

After testing the technique repeatedly against the hardware from major lock companies, Mr. Blaze wrote, "it required only a few minutes to carry out, even when using a file to cut the keys."

AT&T decided that the risk of abuse of the information was great, so it has taken the unusual step of posting an alert to law enforcement agencies nationwide. The alert describes the technique and the possible defenses against it, though the company warns that no simple solution exists.

The paper, which Mr. Blaze has submitted for publication in a computer security journal, has troubled security experts who have seen it. Marc Weber Tobias, a locks expert who works as a security consultant to law enforcement agencies, said he was rewriting his police guide to locks and lock-picking because of the paper. He said the technique could open doors worldwide for criminals and terrorists. "I view the problem as pretty serious," he said, adding that the technique was so simple, "an idiot could do it."

The technique is not news to locksmiths, said Lloyd Seliber, the head instructor of master-key classes for Schlage, a lock company that is part of Ingersoll-Rand. He said he even taught the technique, which he calls decoding, in his training program for locksmiths.

"This has been true for 150 years," Mr. Seliber said.

Variations on the decoding technique have also been mentioned in passing in locksmith trade journals, but usually as a way for locksmiths to replace a lost master key and not as a security risk.

When told that Mr. Seliber taught the technique to his students, Mr. Tobias said: "He may teach it, but it's new in the security industry. Security managers don't know about it."

In the paper, Mr. Blaze applies the principles of cryptanalysis, ordinarily used to break secret codes, to the analysis of mechanical lock designs. He describes a logical, deductive approach to learning the shape of a master key by building on clues provided by the key in hand -- an approach that cryptanalysts call an oracle attack. The technique narrows the number of tries that would be necessary to discover a master-key configuration to only dozens of attempts, not the thousands of blind tries that would otherwise be necessary.

The research paper might seem an odd choice of topics for a computer scientist, but Mr. Blaze noted that in his role as a security researcher for AT&T Labs, he examined issues that went to the heart of business security wherever they arose, whether in the digital world or the world of steel and brass.

Since publishing Mr. Blaze's technique could lead to an increase in thefts and other crimes, it presented an ethical quandary for him and for AT&T Labs -- the kind of quandary that must also be confronted whenever new security holes are discovered in computing.

"There's no way to warn the good guys without also alerting the bad guys," Mr. Blaze said. "If there were, then it would be much simpler -- we would just tell the good guys."

Publishing a paper about vulnerable locks, however, presented greater challenges than a paper on computer flaws.
The Internet makes getting the word out to those who manage computer networks easy, and fixing a computer vulnerability is often as simple as downloading a software patch. Getting word out to the larger, more amorphous world of security officers and locksmiths is a more daunting task, and for the most part, locks must be changed mechanically, one by one.


But Mr. Blaze said the issue of whether to release information about a serious vulnerability almost inevitably came down to a decision in favor of publication.

"The real problem is there's no way of knowing whether the bad guys know about an attack," he said, so publication "puts the good guys and the bad guys on equal footing."

In this case, the information appears to have made its way already to the computer underground. The AT&T alert to law enforcement officials said that a prepublication version of the paper distributed privately by Mr. Blaze for review last fall had been leaked onto the Internet, though it has not been widely circulated.

"At this point we believe that it is no longer possible to keep the vulnerability secret and that more good than harm would now be done by warning the wider community," the company wrote.

There is evidence that others have chanced upon other versions of the technique over the years. Though it does not appear in resources like "The M.I.T. Guide to Lockpicking," a popular text available on the Internet, Mr. Blaze said, "several of the people I've described this to over the past few months brightened up and said they had come on part of this to make a master key to their college dorm."

Mr. Blaze acknowledged that he was only the first to publish a detailed look at the security flaw and the technique for exploiting it.

"I don't think I'm the first person to discover this attack, but I do think I'm the first person to work out all the details and write it down," he said. "Burglars are interested in committing burglary, not in publishing results or warning people."

Mr. Tobias, the author of "Locks, Safes and Security: An International Police Reference," said that the technique was most likely to be used by an insider -- someone with ready access to a key and a lock. But it could also be used, he said, by an outsider who simply went into a building and borrowed the key to a restroom.

He said he had tested Mr. Blaze's technique the way that he tests many of the techniques described in his book: he gave instructions and materials to a 15-year-old in his South Dakota town to try out. The teenager successfully made a master key.

In the alert, AT&T warned, "Unfortunately, at this time there is no simple or completely effective countermeasure that prevents exploitation of this vulnerability, short of replacing a master-keyed system with a nonmastered one."

The letter added, "Residential facilities and safety-critical or high-value environments are strongly urged to consider whether the risks of master keying outweigh the convenience benefits in light of this new vulnerability."

Other defenses could make it harder to create master keys.

Mr. Blaze said that owners of master-key systems could move to the less popular master-ring system, which allows a master key to operate the tumblers in a way that is not related to the individual keys. But that system has problems of its own, security experts say.

Mr. Blaze suggested that creating a fake master key could also be made more difficult by using locks for which key blanks are difficult to get, though even those blanks can be bought in many hardware stores and through the Internet.

But few institutions want to spend the money for robust security, said Mr. Seliber of Schlage. His company recommends to architects and builders that they take steps like those recommended by Mr. Blaze, measures that make it more difficult to cut extra keys -- like using systems that are protected by patents because their key blanks are somewhat harder to buy, Mr. Seliber said. Even though such measures would add only 1 to 2 percent to the cost of each door, builders were often told to take a cheaper route. He said that they were told, "'We're not worried about ninjas rappelling in from the roof stuff -- take it easy.'"

That is not news to Mr. Blaze, who said it was also a familiar refrain in the world of computer security. "As any computer security person knows," he said, "in a battle between convenience and security, convenience has a way of winning."

Oh, come on (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5142306)

Like most people have the skills to exploit this! It's not a case of downloading a new rootkit you know...

Here it is without registering for NYT (5, Informative)

elodan (601886) | more than 11 years ago | (#5142309)

SOME EVEN BETTER LINKS to the method itself (4, Informative)

goombah99 (560566) | more than 11 years ago | (#5142534)

Cryptographer Matt Blaze [crypto.com] (of AT&T), previously known for cracking the backdoor of the vaunted 'clipper chip' has submitted a publication [crypto.com] to the IEEE journal "Security and Privacy" which demonstrates that given an ordinary building key (like your office key or one borrowed for the rest room) you can get 'root' access to the entire building (i.e. a master key) with no more than about 30 guesses and $2.00 at the hardware store, and typically much less than that.

The crack works on virtually all locks and was inspired by parallels to cryptographic analysis, reducing the search from exponential to linear, and exploiting 'key' generation weaknesses. Virtually all master-key locks are vulnerable.

There is also a story [nytimes.com] on the front page of the nytimes covering police verification of the threat including giving the instructions to a 15 year old.

of course (0, Flamebait)

Joe the Lesser (533425) | more than 11 years ago | (#5142313)

Every programmer puts backdoors in his code so he can wreak havoc when he's laid off.
Why should the lock business be any different?

In other news, guard dog sales are up...

Re:of course (0, Redundant)

hatchet (528688) | more than 11 years ago | (#5142382)

Actually this 'flaw' is because it's much cheaper to make such locks. And masterkeys have been in use for decades by our postmen.
Anyway.. if someone wants to break a lock he will do it no matter what lock it is. But of course this article will not help with safety of our homes and offices. I doubt it will help thieves as well.

Of course.. (0, Funny)

tomknight (190939) | more than 11 years ago | (#5142318)

..it's all Microsoft's fault.

Tom.

d00d I have your brass k0d3z (0, Funny)

Anonymous Coward | more than 11 years ago | (#5142321)

And eye will own your barbies!#()!)(% PHEYUR!!! this is a sig line this is a sig line this is a sig line

Upgrade quickly (4, Funny)

angelsdescent (627539) | more than 11 years ago | (#5142327)


In the cert advisory, The Microsoft Corporation are quoted "Those who upgrade to Windows XP Service Pack One should be unaffected by this exploit"

:-)

Re:Upgrade quickly (5, Funny)

squiggleslash (241428) | more than 11 years ago | (#5142538)

I think everyone should be made aware that this vulnerability largely affects doors rather than windows...

better get your copy of the paper while you can (1, Funny)

Anonymous Coward | more than 11 years ago | (#5142328)

http://www.crypto.com/papers/

IN SOVIET RUSSIA... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5142331)

Lock exploits YOU!!!

PDF Download (5, Informative)

Anonymous Coward | more than 11 years ago | (#5142337)

You can get the paper here [crypto.com]
Paper's homepage is here [crypto.com]

Re:PDF Download (5, Funny)

icantblvitsnotbutter (472010) | more than 11 years ago | (#5142363)

In this case, the information appears to have made its way already to the computer underground. The AT&T alert to law enforcement officials said that a prepublication version of the paper distributed privately by Mr. Blaze for review last fall had been leaked onto the Internet,
though it has not been widely circulated.


Well, I think we've fixed that little problem...

Re:PDF Download (4, Informative)

Richard W.M. Jones (591125) | more than 11 years ago | (#5142395)

Mirror here [annexia.org]

Locks and Registration (2, Insightful)

jeepliberty (624159) | more than 11 years ago | (#5142339)

Locks keep the honest person honest... Registration, on the other hand, keeps the pareniod parenoid.

Re:Locks and Registration (1, Funny)

Anonymous Coward | more than 11 years ago | (#5142350)

Slashdot keeps the bad speller...err...bad-spellerified.

Good job AT&T, (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5142340)

But I too have found a gaping widespread security hole [goatse.cx] .

The paper itself (4, Informative)

elodan (601886) | more than 11 years ago | (#5142341)

Not linked in the NYT article, but it's here [crypto.com] anyway.

Looks like we should (1)

datadictator (122615) | more than 11 years ago | (#5142364)

reconsider this guy's idea [slashdot.org]

After all, 'computer security starts by securing physical access to the machine'

Where's the DMCA when you really need it? (0, Flamebait)

icantblvitsnotbutter (472010) | more than 11 years ago | (#5142343)

Because, boy, then we wouldn't have to worry about this.

It's good to see that some people think outside the box and are still doing research in less-glamorous-than-IT security.

Re:Where's the DMCA when you really need it? (1)

giel (554962) | more than 11 years ago | (#5142349)

Hey, they would even sue you if you just made a few copies for personal use! Eg. to give your girlfriend access to your home.

Re:Where's the DMCA when you really need it? (1)

icantblvitsnotbutter (472010) | more than 11 years ago | (#5142371)

Sarcasm. Sometimes people don't get it.

Nothing New Hew (0)

Anonymous Coward | more than 11 years ago | (#5142344)

There is nothing new in Matt's article. I learned that method of creating a master key back in 1978.

I am not a crook.

WOW (0)

Anonymous Coward | more than 11 years ago | (#5142353)

So all i need is a working key, a blank key, and a key copier!?

In other news, you can h4x every computer in the world, all you need is a working login & password. More news at 11.

Re:WOW (0)

Anonymous Coward | more than 11 years ago | (#5142411)

Yah, all you need is one room of a motel, and ta-da, you have access to all rooms of a motel.

That certainly doesn't make me feel good about staying in motels.

Overstating the risk? (5, Insightful)

hcdejong (561314) | more than 11 years ago | (#5142356)

I see several problems with the article.

He said the technique could open doors worldwide for criminals and terrorists.

  • Surely, any place that's a likely target for terrorists has more security in place than cylinder locks? Like keycard access systems, or Marine guards with machine guns? This is more a criminal than a terrorist problem.
  • Most types of terrorist attack don't require access to keys. Just park a truck full of explosives in the general vicinity.
  • If the technique has been known to locksmiths, what makes the author think lockpickers haven't known about it, too?
  • This technique is only marginally safer (less detectable) than an attack with lockpicking tools.

All in all, the article sounds more like fearmongering than a real concern.

Re:Overstating the risk? (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5142439)

"This technique is only marginally safer (less detectable) than an attack with lockpicking tools."

Less detectable....and unless you're one hell of a lockpicker much quicker too. This attack is much easier for a novice to carry out than trying to pick a lock with picks...

-Psy

Re:Overstating the risk? (5, Insightful)

GigsVT (208848) | more than 11 years ago | (#5142474)

It's not even a criminal problem in reality. I'd be willing to bet that 99.9% of criminals don't know how to pick locks, and don't care. There is usually little point in picking a lock when a door can be kicked in, a window broken, a lock drilled, or a padlock cut.

Re:Overstating the risk? (4, Insightful)

Peter Greenwood (211400) | more than 11 years ago | (#5142482)

Don't forget, terrorists do research. Imagine an office building where someone can get taken on as a cleaner in one of the less sensitive office suites, without security checks. Obviously they get a key to that suite.

Now imagine you work there, in a different suite, in some counter-terrorism capacity. Do you start looking under your car for plastic explosive, or not?

Or imagine you work elsewhere, but a colleague has an office there and keeps your name and address handy ...

Re:Overstating the risk? (4, Insightful)

sql*kitten (1359) | more than 11 years ago | (#5142502)

Surely, any place that's a likely target for terrorists has more security in place than cylinder locks? Like keycard access systems, or Marine guards with machine guns? This is more a criminal than a terrorist problem.

You might think so, but consider this example. There are no litter bins in British railway stations, and very few in the centre of London, like the Square Mile. This is because IRA terrorists would leave explosive in them, in order to kill or maim as many noncombatants as possible. I think that clearly illustrates that a terrorist can turn the most ordinary, everyday objects into weapons. Maybe there's nothing important in the janitor's closet, but the lock is still there for a reason.

If the technique has been known to locksmiths, what makes the author think lockpickers haven't known about it, too?

True, but there's a difference between gaining a skill yourself and having step by step instructions. For example, any Chemistry graduate could make explosives from scratch, working from basic principles. However, anyone with step by step instructions could make it from everyday items, and those are the ones to worry about.

Cylinder locks (0)

Anonymous Coward | more than 11 years ago | (#5142531)

I'm surprised that the old-style cylinder locks with a single row of tumblers are still in use. I've met enough people that can open them in seconds without keys and without good tools that I've come to regard this type of lock as largely symbolic.

That's probably common knowledge for most people that live in unsavory neighborhoods in large cities: Come home and semi-randomly throw 3 or 4 of the deadbolts on the apartment door at night. The next morning they're in a different configuration.

The method described in the article sounds like the slower of two methods to make master keys a friend stumbled across. He figured these out as a side effect of hand cutting a copy of his girlfriend's. She gave him a key to make a copy but rather than going to the store he wanted to see if he could do it himself with some blanks.

Re:Overstating the risk? (0)

Anonymous Coward | more than 11 years ago | (#5142549)

All in all, the article sounds more like fearmongering than a real concern.

Which article?

news? (4, Interesting)

electrick (579755) | more than 11 years ago | (#5142357)

Lock picking kits and exploits have been available for a very long time, out of the back of magazines (soldier of fortune, most notably) and there have even been text files about it. Why does it take a computer security expert to make us nerds consider "real life" attacks a possibility?

Proverb (4, Insightful)

frn123 (242374) | more than 11 years ago | (#5142359)

There is an old proverb in *.ee

Locks are against wildlife. Humans will have no problems with them.

Re:Proverb (0)

Anonymous Coward | more than 11 years ago | (#5142476)

> Locks are against wildlife. Humans will have no > problems with them.

Or the racoons in Toronto...

Another case for DMCA? (1)

IgD (232964) | more than 11 years ago | (#5142366)

Hmmm... Seems to me this guy has come up with a technique to circumvent a technologically advanced security device. Would the DMCA apply in this situation? :)

Re:Another case for DMCA? (1)

barryfandango (627554) | more than 11 years ago | (#5142503)

Agreed - how is this publication any different from going public with De-CSS?

Patching ? (0)

Anonymous Coward | more than 11 years ago | (#5142368)

OK, so where can I get the security patch ?

Why does this not sound easy to me? (1, Interesting)

Inda (580031) | more than 11 years ago | (#5142375)

Every time I go to the cobblers to have a key cut I normally end up taking it back. The fresh key is cut on a professional key cutting machine by someone who has probably cut thousands of them - I still end up taking it back because it doesn't work in the lock. I've also worked on the bench in an engineering company and am trained to use a file - detailed filing is not like filing your nails or removing huge burrs from machined metal.

Load of bollocks I say.

Re:Why does this not sound easy to me? (1)

Queuetue (156269) | more than 11 years ago | (#5142469)

I guess everyone's experience is different. I had a friend named Randy in college who could see a key for a few minutes, go home and fashion one out of a set of blanks and files that he had.

Maybe hard to believe, but I watched him do it on 2 occasions.

This is dumb (0, Redundant)

zanderredux (564003) | more than 11 years ago | (#5142376)

All that is needed, Mr. Blaze wrote, is access to a key and to the lock that it opens, as well as a small number of uncut key blanks and a tool to cut them to the proper shape.

How different is this from making an ordinary copy of a key, like people all around the world do everyday? It's like I borrowed the keys to someone's house, made a copy, gave the original back, and used the copy to open the door.

Seems way too much noise for such an everyday thing.

Re:This is dumb (1)

phil reed (626) | more than 11 years ago | (#5142418)

Because you're using the key, and a little deductive reasoning, to come up with the master key. Once you do that, all locks on the same master are toast.

Re:This is dumb (0)

Anonymous Coward | more than 11 years ago | (#5142424)

Have a bit of imagination:

You go to motel on highway 666, you rent room 12, and ta-da, you have access to all 80 rooms in the motel.

enter crazy sadistic murderer bent on killing young virgin on set...

Re:This is dumb (0)

Anonymous Coward | more than 11 years ago | (#5142434)

If you actually read it it will tell you that you don't need the key for the lock you are opening, you just need the key for another lock with the same master key. Example would be an apartment building: you can use the key to your apartment to make a master key that will open everyone else's apartment.

Re:This is dumb (2, Informative)

Rip!ey (599235) | more than 11 years ago | (#5142481)

How different is this from making an ordinary copy of a key

It is different because the method can be used to create a Master Key to an entire building (like every single door in a block of flats for instance) from a key that only opens one single door in the same building.

If you make a copy of the single key, you only get to open the single door.

Re:This is dumb (1)

battjt (9342) | more than 11 years ago | (#5142483)

Read it again.

Mr. Blaze has formalized a procedure for creating the master key (that will open the CEO's office, or the front door) from the bathroom key for sets of locks that have master keys (like office buildings or universities).

Joe

little known? (4, Funny)

Talisman (39902) | more than 11 years ago | (#5142378)

"...a little-known vulnerability in many locks..."

Yeah, until now.

Talisman

Re:little known? (1)

yatest5 (455123) | more than 11 years ago | (#5142479)

Yeah, until now.


Uh, yeah. It isn't described in the article. So, like, what are you on about?

Re:little known? (4, Funny)

stud9920 (236753) | more than 11 years ago | (#5142487)

"...a little-known vulnerability in many locks..."
Yeah, until now.

You do not actually believe ./ folks read the article, do you?

Idiots! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5142380)

In August, a suit filed by the parents of two girls claimed that McDonald's and two of its restaurants in the Bronx failed to disclose clearly and conspicuously the ingredients and effects of its food, much of which is high in fat, salt, sugar and cholesterol. The plaintiffs argued that McDonald's should therefore be held accountable for the girls' obesity, heart disease, diabetes, high blood pressure, and elevated cholesterol. The girls are Jazlyn Bradley and Ashley Pelman. Bradley, 19, is 5 feet, 6 inches tall, and weighs 270 pounds. Pelman, 14, is 4-foot-10 and 170 pounds. Bradley said that an McMuffin for breakfast and a Big Mac meal for dinner was her regular diet. Pelman preferred the Happy Meals and used to eat at McDonald's three or four times a week. Bradley's father, Israel, said he never saw anything in the Bronx restaurants that informed him of the food's ingredients. "I always believed McDonald's was healthy for my children," he said in an affidavit.

Nice article... (4, Interesting)

pVoid (607584) | more than 11 years ago | (#5142384)

His company recommends to architects and builders that they take steps like those recommended by Mr. Blaze, measures that make it more difficult to cut extra keys -- like using systems that are protected by patents because their key blanks are somewhat harder to buy [...]

I find it interesting seeing that security by obfuscation is a prevalent concept throughout mankind's realm. I guess it is nurtured by the ostrich-sticking-head-in-sand effect of thinking something doesn't exist if we're not aware of it.

It also makes me laugh how newspapers always skew stuff for sensationalism: now terrorists are one step closer to the US. They are pounding on the gates! WATCH OUT!!!. I think this security hole is mostly going to be used by 16 year old K-Mart workers.

Anyways, very nice article in the end, and hats off to AT&T for having 'brass hats'.

Re:Nice article... (1)

BVD (1495) | more than 11 years ago | (#5142466)

Ah. Security through obscurity w/ regards to key blanks. Now that brings back memories of the quest for the Ruswin (sp?) 17N key blank. In the area where I had a Ruswin 17N key, none of the locksmiths would touch it b/c it was a law enforcement only blank. So, we broadened the search to locksmiths out of state. So yes, it makes it harder when you don't know a locksmith who can get you the blank, but if you just hunt around, you can get any blank you want.

I'm sure this is nothing new (1)

Emperor Shaddam IV (199709) | more than 11 years ago | (#5142390)

I'm sure this is nothing new. Professional criminals ( the smart ones, not the ones you see on Cops! ) have probably known about this for years. I mean, come on, unless a lock is custom made it came from a factory where there is a set number of templates.

Cars are the worst. I once opened a friend's car ( same make, model as mine ) with my keys. I think the car manufacturers must only have 50 or so lock variations. More reason to go to retinal scans.

Shouldn't be a problem in homes (1)

bubblegoose (473320) | more than 11 years ago | (#5142391)

From reading the article it shouldn't be a problem for homeowners. It requires masterkeying and getting a copy of any key in that system.

Since I only have one key for my whole house, they would need to get ahold of that, and if that happened I'd be screwed anyway.

Re:Shouldn't be a problem in homes (1)

nycsubway (79012) | more than 11 years ago | (#5142455)

If they had a key to your house, then that would be just the same as breaking a latch on a window and prying it open. If they have a key, or if they break the window, they will still need a security code to turn off the alarm. If there is no alarm, then having a key or breaking a window will make no difference.

Oh, yes it will (1)

CowboyMeal (614487) | more than 11 years ago | (#5142509)

When my house was built, I'm pretty sure the builder had a master key at some point.

Re:Shouldn't be a problem in homes (0)

Anonymous Coward | more than 11 years ago | (#5142521)

Wow, what an obscure way to say that u're single and can't get laid :)

Re:Shouldn't be a problem in homes (1)

slide-rule (153968) | more than 11 years ago | (#5142544)

Except don't some locks you buy in DIY/home stores come in systems? They'd probably have a master key in the series for the lot of them. Now then, assuming something like that is the case, people who live in cookie-cutter neighborhoods (and/or apartment buildings) where the contractors all probably installed locks from the same supplier might (?) be at similar risk. Just a random thought.

If this were bits rather than molecules... (5, Insightful)

sdo1 (213835) | more than 11 years ago | (#5142398)

... we'd be hearing about building owners calling for new laws outlawing the tools involved, i.e. files and blank keys. After all, their assets could be compromised by the use of these tools and therefore those tools should be banned! It should not matter that there are legitimate uses for these tools and everyone knows that anyone who owns and/or uses a metal file is a criminal and should be prosecuted!

-S

moron whoreabull deception being spaketh.. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5142400)

buy Godless ?pr? woredoggIEs, onto the huddling masses, over at the nyt.

billwg - 07:31am Jan 23, 2003 EST (#6089 of 6090)

1/23/03 3:13am

If you look at Microsoft's filings for the appeal you will see that Motz actually dismissed the charges against Microsoft on the very same issue that he based the injunction on. When Microsoft moved to then dismiss the injunction as well, Motz then re-activated the charges, i.e. reversed himself, without any stated reason to do so. Motz is apparently another clown like Jackson who finds himself suddenly in the limelight and trips himself up trying for a photo opportunity.

http://www.google.com/search?hl=en&ie=UTF-8&oe=U TF-8&q=microsoft+%22bill+weisgerber%22&btnG=Google +Search

Makes you think (1)

Chanc_Gorkon (94133) | more than 11 years ago | (#5142402)

If all you have between your floor network racks is a cylinder lock in a hallway, then yes you should worry about this. Think about it. How easy would it be to take out network access to a whole floor or steal access from a hall wiring closet? Not every employee who has a key is honest. I have also seen some server rooms that had a lock such as this. Server rooms and now even wiring closets should have controlled card key access at a minimum. Maybe biometric access should be looked into more closely.

Little-known? (0)

Anonymous Coward | more than 11 years ago | (#5142405)

...who has discovered a little-known vulnerability...

Little-known? Not any more, it isn't!

Luckily... (1)

dknj (441802) | more than 11 years ago | (#5142406)

...we've still got our 10 year old electronic lock system that is no longer supported

-dk

What to do now ? Patent it a better system... (1)

SpaceKow (24359) | more than 11 years ago | (#5142407)

What to do now ?

1. Create a New Locking System
2. Patent it
3. Charge 1 Cent on each lock that's created.
4. Invest your profits

Yeah, but have they figured out bathroom locks? (1)

bubblegoose (473320) | more than 11 years ago | (#5142413)

Thankfully they haven't published details on how to break into those locks on the bathroom and bedroom doors.

The builder gave me a bunch of those flat keys, so I have spares. Looks like I'll be picking up a bunch of those locks for my front and rear doors.

Fundamental problem with any master key system (5, Interesting)

wowbagger (69688) | more than 11 years ago | (#5142419)

Any system that has a "master key" to allow access - be it a physical lock on a door, a backdoor to a program, a key-escrow system, whatever, allows this kind of attack - get the master key, game over.

I had to design an encryption system to manage software options in a piece of gear I designed. I thought about having a "back-door" to enable options on any unit, the better to test software. I quickly abandoned that idea - let the master key get out, and it's game over. Sure, it may make my life slightly more difficult as a developer, but it also means that no one, not even me, can cheat the system.

When I had to write the system up for export permission, I described it in detail - algorithm, file formats, I even had to include the source code for the relevant sections. I suppose you could get that information with a FOIA request. Knock yourself out - if you don't have the private key of the keypair, you won't be able to create the options file.

Say it with me, kids - "master keys and back doors are BAD - JUST SAY NO!"

we would just tell the good guys (1)

DrSkwid (118965) | more than 11 years ago | (#5142423)

"There's no way to warn the good guys without also alerting the bad guys," Mr. Blaze said. "If there were, then it would be much simpler -- we would just tell the good guys."

But as ever, one person's good guy is another person's bad guy.

security (5, Funny)

v(*_*)vvvv (233078) | more than 11 years ago | (#5142428)

This is hilarious.

I mean, anyone can break a window and jump right in!!

We can call that a "backdoor", and the plywood to cover them "patches".

my master key to the entire university campus (4, Interesting)

dmoen (88623) | more than 11 years ago | (#5142444)

This technique was discovered by a grad student at a certain Canadian university back in the late seventies. As a result, when I was a student in the eighties, I and several of my friends had a master key that opened pretty near every door on campus. We had a lot of fun exploring the steam tunnels and dodging security guards.

The funny thing is, the lock system was not designed to have a single master key. Instead, there was supposed to be a different master key for each building. The campus wide master key was an "emergent property" of the similarities between the various building master keys. Only students possessed this master key :-)

I still have the key, but it's not so useful any more, as they've changed many of the locks.

Doug Moen

In other news... (4, Funny)

grahamlee (522375) | more than 11 years ago | (#5142450)

Xerox PARC have issued an advisory stating that any combination lock can be "cracked" by a malicious terrorist with a finger. Due to the digital [sigh...] nature of this crime, it is now illegal to own a finger under the terms of the DMCA and patriotic Americans are being asked to remove all their fingers in a show of solidarity. U.S. President, George W. Bush, is said to be having some difficulty removing his finger from his arse. £:-)

BTW did the original story remind anyone else of the safe-cracking chapter in "Surely you're joking, Mr. Feynman"?

Great Satire! (1)

ka9dgx (72702) | more than 11 years ago | (#5142460)

I read it... it's great satire. I mean, come on, who doesn't know about "master keys", and the delta algorithm for finding them? I've known about it for at least 10 years, if not more, does that make me a terrorist?

Or, do I now fit in the same category with persons who possess a PhD in Nuclear Weapons?

--Mike--

I have been doing it all wrong!!! (1)

EvlOvrLrd (559820) | more than 11 years ago | (#5142462)

So much for the Bolt Cutters, lock picks, drill & bits or a good hammer. All I need is a set of blanks, file and a bunch of time to 'decrypt' the master pattern through a dozen or so attempts.

I am guessing Occam's Razor doesn't apply here...

security through obscurity? (1)

JeanBaptiste (537955) | more than 11 years ago | (#5142463)

Thanks /., now every little 14 year old is going to run out and do this just to be a little more 1337... by releasing flaws to the public you're only making things worse...
I wonder if this will make bugtraq....

umm (0)

Anonymous Coward | more than 11 years ago | (#5142465)

this was known for a LONG LONG time. what's new?

MIT Guide to Lockpicking (3, Interesting)

Malc (1751) | more than 11 years ago | (#5142470)

Does anybody remember the MIT Guide to Lockpicking (PostScript file??) that was readily available on the internet in the past? We downloaded it back in '94 and a friend used it to make some lock picks by filing down some nails. Let me tell you, some fun was had on campus with the practical jokes that followed ;)

I don't understand (1)

nmg196 (184961) | more than 11 years ago | (#5142480)

I don't understand... Why do locks have/need master keys? I thought you could only have one lock tied to a specific key. Are we talking about "Yale" type cylinder locks here?

Why would someone produce a lock for which a master key could be made anyway? Surely criminals would just steal or make a master key and they'd be laughing...

Is a master key an accidental side effect of the way a lock works, or are most locks intended to have a master key?

Nick...

Method might be somewhat obvious (2, Informative)

linefeed0 (550967) | more than 11 years ago | (#5142488)

I haven't seen the (amazingly quickly slashdotted) research paper on crypto.com yet, but it's pretty clear what the technique could be since the Times article mentioned it's an oracle attack. [Update: the PDF finally loaded while just about to post this comment and it pretty much works like this.]

The obvious problem that allows a lock to be an oracle is that the pins are independent of one another, so a "mixed" key that is partly master key and partly a normal key for that lock will open it. There presumably could exist a technical solution that needs only changes to the locks, and doesn't involve whacked-out Medeco[tm] patented key blanks with slanted cuts (although medeco may very well own related patents that would cover some aspects of the improved lock design). However, that solution would be mechanically somewhat difficult (there's a reason master keys are designed the way they are). Maybe there's a good business opportunity for "medium security" locks, but unless this attack becomes very widespread installations with a high theft risk may just start using electronic locks more. Not that many of those are that great except by significant degrees of obscurity -- I'm wondering how many independent parameters there actually are to this resonant-circuit proximity badge I got issued for access to a machine room...
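The oracle property described in the comment above, as an added example that is not part of the original post or of the research paper: a Python model of a master-keyed lock with independent pins beside a hypothetical all-or-nothing design, measuring how much each one reveals to the holder of a single issued key. The class names, pin count, depth count and both bittings are constructed for illustration.

```python
from itertools import product

# Constructed sizes and bittings for illustration; not from any real product.
PINS, DEPTHS = 5, 6
CHANGE = (3, 1, 4, 0, 2)   # key issued to one door
MASTER = (3, 5, 2, 0, 4)   # shares the cut at positions 0 and 3

class IndependentPinLock:
    """Master-keyed model: every pin stack has two shear heights (change cut
    and master cut) and each stack is checked on its own."""
    def __init__(self, change, master):
        self.allowed = [{c, m} for c, m in zip(change, master)]

    def opens(self, key):
        return all(cut in ok for cut, ok in zip(key, self.allowed))

class WholeKeyLock:
    """Hypothetical hardened model: only the complete change key or the
    complete master key operates the lock, never a mixture of the two."""
    def __init__(self, change, master):
        self.keys = {tuple(change), tuple(master)}

    def opens(self, key):
        return tuple(key) in self.keys

def accepted_keys(lock):
    """Exhaustively count the bittings that operate the lock."""
    return sum(lock.opens(k) for k in product(range(DEPTHS), repeat=PINS))

def single_cut_leak(lock, change):
    """Per position, the other depths that still open the lock when only that
    one cut of the issued key is altered. A non-empty entry means the lock
    answers questions about one pin at a time, i.e. it acts as an oracle."""
    leak = []
    for pos in range(PINS):
        hits = []
        for depth in range(DEPTHS):
            if depth == change[pos]:
                continue
            trial = list(change)
            trial[pos] = depth
            if lock.opens(trial):
                hits.append(depth)
        leak.append(hits)
    return leak

def worst_case_trials(independent):
    """Upper bound on trial keys needed to learn the master from one issued
    key: linear when pins can be tested separately, exponential otherwise."""
    return PINS * (DEPTHS - 1) if independent else DEPTHS ** PINS - 1
```

With these constructed values the independent-pin model accepts 8 bittings and reveals the master cut at every position where it differs from the issued key, while the all-or-nothing model accepts 2 and reveals nothing.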

This is clearly illegal! (5, Funny)

Lethyos (408045) | more than 11 years ago | (#5142491)

I think that the manufacturer of the locks should sue AT&T under the DMCA for exposing weaknesses in an access control device. Furthermore, AT&T are terrorists for releasing this sensitive security information to the Net before other sites using the same locks are able to correct the vulnerability. I demand that the perpetrators that discovered the weakness with these locks be sentenced to life in prison. We can't have these hackers running free, finding security holes and disrupting national security!

I heard about this about 6 months ago... (1)

gmplague (412185) | more than 11 years ago | (#5142493)

I heard about this about 6 months ago. I was visiting the Computer Science department at the University of Pennsylvania, and a professor had just been shown a paper on this vulnerability, written by another professor. Is this coincidence? We'll see.

reminds me of an old apartment I lived in (2, Interesting)

AssFace (118098) | more than 11 years ago | (#5142495)

I can recall discussions of this sort of thing where you put a blank into a lock, try turning it, see where the distress marks are, and filing them down one notch, then trying again, etc etc until you have a key that opens that door.

but this is interesting in that it is a master key.

the master key thing reminds me of an apartment that I lived in a few years back. the super of my building was an alcoholic and was a mess pretty much all the time - when he wasn't a mess, he was angry and mean.
the day I moved in, I happened to catch him on a "good" (meaning drunken?) part of the day and I told him that I was trying to move into my apartment but the key to my apartment door didn't work.
He said he would make me a copy and give it to me...
and I guess he made me a copy of the master - not only would my key work on any door in my building, it would work in the one across the street as well (they were part of the same complex, but normally the keys didn't work for both - I had a friend over there that couldn't get into my building).

The reason I thought to test that I had a master key was that if I turned my key the "wrong" way in my door, it wouldn't open the door, but it would disengage the lock and allow me to remove the entire locking mechanism.
If turned the "right" way, then it would open the door.
I - with much hesitation - but morbid curiosity tried it out on my neighbor's door when I figured she wasn't home (she was VERY loud, so if it was quiet, she was likely not home - or asleep).
It worked. I later tried it on my friend's door, the laundry door, the storage room, the outer doors - worked on all of them.
I never did anything with it other than swear a lot when I wasn't paying attention and would pull the lock out of a door when I only wanted to open it.

that building later switched to a code key system that wasn't mechanical in that you slid in a metal key and turned, but instead you waved a code key over a detector and it would then open the door for you - this was only on the outside doors.

So it finally happened, eh? Damn I'm curious now (4, Insightful)

Theodore Logan (139352) | more than 11 years ago | (#5142496)

The most common arguments computer security full disclosure advocates face are based on real world analogies. Usually the so called debunking of these proceeds as in this hypothetical dialogue:

Foo: Why should we disclose computer security vulnerabilities when we don't disclose, say, lock vulnerabilities?

Bar: Because if a way to break a common lock would be disclosed 1. it would be very difficult to "issue a patch," or upgrade the locks 2. it would be very expensive to "issue a patch," or upgrade the locks 3. locating and telling all people who use the lock that the security of that lock has been compromised would be nearly impossible, or at least much more difficult than in the equivalent computerized situation. Therefore it seems it is not worthwhile going public with a lock vulnerability, but from this it does not follow that one shouldn't disclose computer security vulnerabilities.

If this line of reasoning is one that computer security full disclosure advocates find compelling, and I think it is, one would expect them to condemn the disclosure of this vulnerability. Note the "would" in that sentence.

I'm not sayin', I'm just sayin'...

Cant wait for bluetoof (3, Insightful)

rosewood (99925) | more than 11 years ago | (#5142506)

Am I the only one that wants bluetooth everywhere, including on my door locks, so that I can unlock my door either auto (when my cell phone + my key get close) or by entering a password (user preference)?

Among all the other cool data sync things I think bluetooth enables, the death of keys is the other cool thing I really want bluetooth for.

if I owned crypto.com.... (0)

Anonymous Coward | more than 11 years ago | (#5142514)

I would have expected a site like crypto.com to be able to take a couple hits before it went down.

anyone know of another place to get the pdf?

So where is HIS published paper? (1)

nurb432 (527695) | more than 11 years ago | (#5142527)

I assume it's available.

Oh, and this isn't really news, this has existed for years, for good reasons.

It just wasn't public knowledge... until now.

AAAHHHHH!!!! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5142553)

Shut this man up! Use the DMCA! Use something!! AAAAHHHH!!!! Security through obscurity! SECURITY THROUGH OBSCURITY!! Throw him in jail!! Burn him!! BURN HIM!!!