Ironworks Gaming Forum


Bungleau 08-05-2011 02:34 PM

Odd news: August 2011
 
Quote:

Defcon Lockpickers Open Card-And-Code Government Locks In Seconds
By Andy Greenberg | Forbes

To open a door fitted with the latest U.S. government-certified lock from high-end Swiss lock manufacturer Kaba, an employee must both enter a code up to eight digits long, then swipe a unique identity card coded to comply with a new standard that requires an extra layer of security, one designed to track individual staffers and make covert intrusion harder than ever.

Or, as lockpicking expert Marc Weber Tobias will show a crowd of hackers Friday, you can stick a wire in the tiny display light above the keypad and instantly render all of that "security" irrelevant.

At the Defcon security conference in Las Vegas, Tobias and his partner Toby Bluzmanis plan to demonstrate a series of simple hardware hacks that expose critical security problems in Kaba's E-plex 5800 and its older 5000. Zurich-based Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access.

In demonstrations for me and in videos they plan to show the Defcon audience, the lockpicking duo use one method called "rapping" to open the lock by simply hitting its top surface or lever handle with a mallet, compressing an internal spring that then decompresses and pushes open a latch that releases the lock. In another bypass, they insert a wire into a silicon cover for an LED light that blinks red when the user enters an invalid code. That wire can ground a contact on the circuit board behind the light that triggers a function intended to allow the door to be opened with a remote button, bypassing all its security measures.

A third attack allows an insider to open the back side of the lock and insert a wire that flips a microswitch intended as an override for power failures. That trick resets the lock's software, tampering with its audit trail and allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in a video that the more elaborate microswitch attack could be performed in under a minute.

"The issue is simply insecurity engineering," says Tobias, who works as a consultant to several major lock firms and contributes blog posts to Forbes.com. "They simply don't get it."

Here are a few videos created by Tobias and Bluzmanis that demonstrate those security exploits:

In other techniques that Tobias plans to share privately with Kaba engineers in Zurich next week and demonstrated for me, additional vulnerabilities allowed him to open the lock silently and without a trace in seconds. Tobias asked me not to describe those methods, and argued that they're too sensitive to show to the Defcon audience before giving Kaba a chance to fix the problems.

Frank Belflower, the chief operating officer of Kaba's U.S. subsidiary Kaba Ilco responds to Tobias's claims by pointing out that he and Bluzmanis were using a lock on a wooden mount rather than on a door. "In a lab and on a mount is different than in the real world," says Belflower.

He argues that Kaba's locks claim only to be "access control devices, not high security locks," and says less than 500 have been sold to government customers. He adds that the company "reviews all data and input from the market to constantly enhance our product, and we'll take to look at these findings to enhance the locks and make them better."

Tobias says that in private conversations with Belflower, he learned that 1,500 of the locks have been sold. But that relatively small number encouraged Tobias and Bluzmanis to come forward with their findings before the hardware was more widely installed.

The holes in Kaba's security carry a larger lesson, says Tobias: that lock firms spend their resources trying to comply with standards like FIPS 201 without considering more imaginative attacks intruders might attempt. "The problem is that the engineers don't know security," he says. "They know about meeting the standards. But the criminals aren't keeping a copy of the standards in their back pockets."

For Kaba, the presentation comes as the second potential blow to its security reputation this year: In November 2010, customers filed a class action lawsuit against Kaba after they found that its Simplex lock, a simpler punch-code product, could be opened with a large magnet. The hack was originally discovered in Orthodox Jewish communities, where many religious residents don't carry keys on the Sabbath.

Kaba's E-Plex 5800 has far fewer users, but given its government target market, potentially far more secure ones. But better to expose the lock's insecurities now, Tobias argues, than after it's installed in applications like the Pentagon and in airports. "Will they fix these issues? Yeah," says Tobias. "But the issue isn't whether they'll fix it. The issue is what sort of vulnerabilities would have been created for the government if we hadn't found them first."

Ummm... yeah. Well, they didn't put the lock on a real door, so they didn't really break in.

What?

No, I'm not going to let them try to break into our offices.

Bungleau 08-21-2011 08:52 AM

Re: Odd news: August 2011
 
Quote:

Ferry runs aground after captain stuck in toilet
Reuters

HELSINKI (Reuters) - A Finnish ferry has run aground while its captain was stuck in the bathroom.

One member of staff managed to slow the island-hopping tourist ferry down, but the vessel, carrying 54 passengers, slammed onto a rock near the shore of Helsinki, the Finnish coastguard said Friday.

The captain got stuck in the bathroom because of a jammed lock and yelled for help, the coastguard said.

Some passengers were bruised and tableware was broken in the incident. The coastguard is investigating whether the captain's actions amounted to criminal endangerment.

"He was stuck in the toilet. As soon as the staff member got the door open, it was too late," said Jan Sundell, head of investigation.

(Reporting by Jussi Rosendahl)

Gives a whole new meaning to "hit the head"...

Timber Loftis 08-27-2011 07:54 PM

Re: Odd news: August 2011
 
http://asianbankingandfinance.net/fi...-gets-head-job

Timber Loftis 08-28-2011 02:15 AM

Re: Odd news: August 2011
 
What what?
http://www.youtube.com/watch?v=-cuSi...layer_embedded

VulcanRider 08-28-2011 09:16 AM

Re: Odd news: August 2011
 
But the other guy matched him move for move. It's either edited or they planned it for the cameras...

Raistlin Majere 09-01-2011 08:10 AM

Re: Odd news: August 2011
 
Quote:

Originally Posted by Bungleau (Post 1247091)
Gives a whole new meaning to "hit the head"...

Haha, didn't expect to see news from my neck of the woods here :)

