There seems to be one consistency in all these kinds of stories. The moral, it seems, is: if you want to have security, do not buy what your government does.
This applies to everything. When you need something, look at what people who actually need it are buying, not what people who just want to cover their ass are doing.
"For the Minuteman ICBM force, the US Air Force's Strategic Air Command worried that in times of need the codes would not be available, so they quietly decided to set them to 00000000; checking this combination was even present on the launch checklists. This was not changed until 1977.[7]"
Not so true. When the government REALLY wants to secure something, like, say, nukes, no matter what the technical security measures, there are always guys with guns.
I like how they say they haven't even disclosed the worst of the flaws, because they want the company to have a chance to fix this stuff.
And how the company is trying to tell us that these flaws can only be exploited in the lab. I can just imagine the security bulletins banning rubber mallets from the facility.
A company I worked for once installed a super secure magnetic locking system on a server room door. One day I tripped and fell, knocked into the door and it popped right open. Must have been a pretty weak magnet.
The article says that certain other techniques weren't demonstrated because they were "too sensitive to show to the Defcon audience before giving Kaba a chance to fix the problems." What is worse than a whack on the top opening it?
I'd assume ways to fake the access logs. It's bad to allow unauthorized access, but it's really bad to allow unauthorized access that appears to be authorized (a great vector for framing people).
Ways to bypass the lock and leave no evidence that the lock was bypassed are much worse.
When an amateur picks a lock it is very easy to inspect the pins and see if they have been manipulated by something other than the key. I imagine that the rubber mallet technique leaves evidence of malicious manipulation behind.
If I were going to bootstrap a lock company, I'd start by presenting my designs at hacker conferences and offering bounties for exploits, just like an open-source project.
Manufacturers really should embrace this kind of testing.
It's just possible this is a title which deserves to be editorialized to "Defcon Lockpickers Open Card-And-Code Government Locks In Seconds With a Hammer." Edit: Make that "With a Rubber Mallet."
There were three different security exploits. The first was rapping with a mallet to compress the springs and release the pins (similar concept to bumping).
But don't forget:
"In another bypass, they insert a wire into a silicon cover for an LED light that blinks red when the user enters an invalid code. That wire can ground a contact on the circuit board behind the light that triggers a function intended to allow the door to be opened with a remote button, bypassing all its security measures."
and
"A third attack allows an insider to open the back side of the lock and insert a wire that flips a microswitch intended as an override for power failures. That trick resets the lock’s software, tampering with its audit trail and allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in a video that the more elaborate microswitch attack could be performed in under a minute."
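The two worries raised above, that a bypass could leave an audit trail which looks like authorized use, and that the microswitch reset wipes the log and lets the lock be reprogrammed, both come down to the same design question: can anyone outside the lock tell that its history changed? The following is an added illustration, not Kaba's firmware or the researchers' code; the hash-chained log, the event names and the checkpoint mechanism are all assumed. It shows that a lock whose log is only checked for internal consistency cannot detect a reset at all, while a server that retained a checkpoint of the last entry it pulled can.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain anchor for an empty log


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class LockAuditLog:
    """Hash-chained audit trail as a lock's firmware might keep it (assumed design)."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def append(self, event: str, code_id: str) -> dict:
        body = {
            "seq": len(self.entries),  # monotonic counter, starts at 0
            "event": event,            # e.g. "open", "bad_code", "reprogram"
            "code_id": code_id,
            "prev": self.head,         # links this record to the previous one
        }
        rec = dict(body, hash=_digest(body))
        self.entries.append(rec)
        self.head = rec["hash"]
        return rec

    def checkpoint(self) -> tuple:
        """(seq, hash) of the newest entry; an off-device system stores this."""
        return (len(self.entries) - 1, self.head)

    def reset(self):
        """What a software reset does to the device-side log: everything is gone."""
        self.entries = []
        self.head = GENESIS


def verify_chain(entries: list) -> bool:
    """Internal consistency only: every record hashes correctly and links to its predecessor."""
    prev = GENESIS
    for i, rec in enumerate(entries):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def audit(entries: list, checkpoint: tuple) -> str:
    """Consistency against a checkpoint held off the device (assumed monitoring server)."""
    if not verify_chain(entries):
        return "chain broken"
    seq, head = checkpoint
    if len(entries) <= seq:
        return "log truncated or reset"
    if entries[seq]["hash"] != head:
        return "history rewritten"
    return "ok"


def demo() -> dict:
    # Constructed scenario: three legitimate events, then the server pulls a checkpoint.
    lock = LockAuditLog()
    lock.append("open", "code-17")
    lock.append("bad_code", "-")
    lock.append("open", "code-42")
    saved = lock.checkpoint()

    # Insider resets the lock's software: the log is wiped, a new code is programmed and used.
    lock.reset()
    lock.append("reprogram", "code-99")
    lock.append("open", "code-99")
    looks_valid = verify_chain(lock.entries)   # the fresh chain is perfectly self-consistent
    reset_result = audit(lock.entries, saved)  # but it is shorter than the checkpoint

    # Attacker pads the log with a forged "authorized" entry so the length matches again.
    lock.append("open", "code-17")
    padded_result = audit(lock.entries, saved)

    return {
        "looks_valid_locally": looks_valid,
        "audit_result": reset_result,
        "padded_result": padded_result,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the first result: after the reset the log passes every check the lock itself can run, because whoever controls the firmware can rebuild a clean chain from scratch. Only the externally held `(seq, hash)` pair reveals that the history was cut off or rewritten, so an audit trail that lives solely on a resettable device is not evidence of anything.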
The sample is on a small demo cutout of a door, thus has a lot of give/spring. I would like to see the rapping flaw demo'd on a lock on a full-size, mounted door which does not have the same resonant spring which would drop the lock.
>"He argues that Kaba’s locks claim only to be “access control devices, not high security locks,” and says less than 500 have been sold to government customers."
Haha, he justified the vulnerabilities by stating that few have been sold.
It would be interesting to know where the ~500 locks have been deployed, or, rather, what has supposedly been protected with them.
I think these guys are taking the best possible method of working with Kaba on these vulns, but typical security PR from Kaba is as laughable as HBGary.
Cool, but I don't understand $1,300 locks. If somebody can breach a perimeter and actually physically get to the door I think maybe you should allocate resources elsewhere.
http://en.wikipedia.org/wiki/Permissive_Action_Link
Which, hey, that's convenient.
Getting into a locked room with no drop ceiling and no faked credentials is pretty damn hard (unless, of course, they're using this lock, heh).