AT&T Identifies Widespread Security Hole - In Locks
__roo writes "The New York Times has an article [free registration required] about a researcher at AT&T Labs Research who has discovered a little-known vulnerability in many locks that lets a person create a copy of the master key for an entire building by starting with any key from that building, and it requires little more than a file and a few key blanks."
Locks and Registration (Score:2, Insightful)
Re:i suppose that (Score:1, Insightful)
Overstating the risk? (Score:5, Insightful)
I see several problems with the article.
He said the technique could open doors worldwide for criminals and terrorists.
All in all, the article sounds more like fearmongering than a real concern.
Proverb (Score:4, Insightful)
Locks are against wildlife. Humans will have no problems with them.
If this were bits rather than molecules... (Score:5, Insightful)
-S
Re:Overstating the risk? (Score:1, Insightful)
Less detectable....and unless you're one hell of a lockpicker much quicker too. This attack is much easier for a novice to carry out than trying to pick a lock with picks...
-Psy
Re:Overstating the risk? (Score:5, Insightful)
Re:Overstating the risk? (Score:4, Insightful)
Now imagine you work there, in a different suite, in some counter-terrorism capacity. Do you start looking under your car for plastic explosive, or not?
Or imagine you work elsewhere, but a colleague has an office there and keeps your name and address handy
So it finally happened, eh? Damn I'm curious now (Score:5, Insightful)
Foo: Why should we disclose computer security vulnerabilities when we don't disclose, say, lock vulnerabilities?
Bar: Because if a way to break a common lock would be disclosed 1. it would be very difficult to "issue a patch," or upgrade the locks 2. it would be very expensive to "issue a patch," or upgrade the locks 3. locating and telling all people who use the lock that the security of that lock has been compromised would be nearly impossible, or at least much more difficult than in the equivalent computerized situation. Therefore it seems it is not worthwhile going public with a lock vulnerability, but from this it does not follow that one shouldn't disclose computer security vulnerabilities.
If this line of reasoning is one that computer security full disclosure advocates find compelling, and I think it is, one would expect them to condemn the disclosure of this vulnerability. Note the "would" in that sentence.
I'm not sayin', I'm just sayin'...
Re:Overstating the risk? (Score:5, Insightful)
You might think so, but consider this example. There are no litter bins in British railway stations, and very few in the centre of London, like the Square Mile. This is because IRA terrorists would leave explosive in them, in order to kill or maim as many noncombatants as possible. I think that clearly illustrates that a terrorist can turn the most ordinary, everyday objects into weapons. Maybe there's nothing important in the janitor's closet, but the lock is still there for a reason.
If the technique has been known to locksmiths, what makes the author think lockpickers haven't known about it, too?
True, but there's a difference between gaining a skill yourself and having step by step instructions. For example, any Chemistry graduate could make explosives from scratch, working from basic principles. However, anyone with step by step instructions could make it from everyday items, and those are the ones to worry about.
Cant wait for bluetoof (Score:4, Insightful)
Among all the other cool data sync things I think bluetooth enables, the death of keys is the other cool thing I really want bluetooth for.
Re:Cant wait for bluetoof (Score:5, Insightful)
Re:Overstating the risk? (Score:2, Insightful)
Which part of "it can be used without resorting to removing the lock and taking it apart" did you not understand?
this plainly shows the hypocrisy of the DMCA!! (Score:2, Insightful)
this is absolutely hilarious because of the fact that this so plainly illustrates the hypocrisy inherent in the DMCA.
if this guy were publishing a similar article about virtual locks in operating systems, he would be in JAIL already, awaiting trial and facing billions of dollars of charges against him.
gotta love it
Re:Is this a joke? (Score:3, Insightful)
Indeed. I knew it when I was ten, and I'd never even met an actual
locksmith.
The solution is equally simple: if security actually matters, you
sacrifice the convenience of having a single master key and install
locks that use a completely different key in the places that matter.
Your "master key" is then a whole ring of keys, but hey.
Next they'll start talking about how the social engineering technique
used by computer crackers can be used in the real world too...
just phone up the front desk and ask 'em to unlock the side door
and let in the plumber...
Re:Overstating the risk? (Score:3, Insightful)
For instance, let's say someone robs a house. It's obvious right away if the door is kicked in and the jamb is busted. However, if the thief is selective about what is taken (which, they never are) and also has the skills to not cause a lot of damage on the way in, then those "selective" stolen items may go unnoticed for some time, which gives the thief more time to fade into the noise.
Re:Is this a joke? (Score:3, Insightful)
OT: Railway stations (Score:1, Insightful)
Re:Is this a joke? (Score:5, Insightful)
Sure, locksmiths knew this. A good sysadmin also knows the weaknesses in their systems. But as a user of both locks and ecommerce, I blindly put my trust in those systems in part because I *don't* know their weaknesses!
How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?
It's like with PGP: what can you trust? Regular people know now that you cannot trust master-key systems.
Re:HOW TO DO IT (Score:3, Insightful)
The master key does not necessarily suffer the same limits. Consider a lock where your key has a (trivial) code of 11111 (minimal cuts) and the master key has a code of 99999 (all cut to the maximum depth; I'm using Schlage codes here, just because the only key I have handy with a code stamped on it happens to be a Schlage.) In that case, none of your test keys will open the door because they will all have a 9 next to a 1 and wouldn't fit into the lock (or worse, would stick in the lock and not come back out) but neither the individual key nor the master key will have any large transitions (in fact, they won't have any transitions at all.)
I would guess that ensuring a condition like this exists is one of the suggested workarounds in the original paper.
Re:Too little concern for physical security.... (Score:0, Insightful)
A lifelong friend of mine is a locksmith. He taught me how to pick a lock in under three minutes.
You have no idea just how vulnerable these locks really are to someone who even remotely knows what he's doing. The locks you see in schools, offices and places like car dealerships are the easiest to pick, believe it or not.
"Good Guys" vs "Bad Guys" (Score:5, Insightful)
The writer speaks of the familiar dilemma of whether to publish to the "Good Guys," which notifies the "Bad Guys" simultaneously, or keep the information secret, knowing the "Bad Guys" could be sharing it already. Same old story we know from cyber security.
Then there's the "Locksmith" angle, "We've been teaching our students this for years, nothing new here." One wonders how the teachers sorted the trustworthy students from the evil students.
Good guys, bad guys, locksmiths, students, trustworthy, evil.
The enormous elephant here is whether people and their motives can be categorized this way. The truth is, these categories aren't cut and dried distinctions.
Take your government agent, for instance. When we're thinking about wiretapping mad bombers, they look more like good guys. When we're thinking about wiretapping political dissidents, they're bad guys. Same people, same behaviors, different categories.
Even discussing the distinction brings up more fuzzy categories: "bombers," "dissidents," "we."
As long as security is addressed from a good-guys vs bad-guys distinction, the argument will go in circles, because you can't really sort out the good guys from the bad guys without a clear value context. If you're diligent, you'll get mired in the values debate, and if you're not, you'll end up drawing biased conclusions.
The best strategy in the good guys vs. bad guys debate is not to play the game.
When making powerful tools like locks, master keys, and cryptography, you have to bite the bullet that you can't really manage the motives of the tool users.
Oh, one more thing... (Score:5, Insightful)
Oh, one more thing. If you do decide to make yourself a grand master key, and are tempted to carry it around on your key ring, cut the hilt off so that the key will go in too far to work. Then only you will know that you have to put it in only part way. So if you get stopped and someone thinks you might have a master key and tries the keys on your ring, their natural human thing of "go all the way" will prevent them from detecting that your key works the lock.
Re:Nice article... (Score:3, Insightful)
The goal of security technology is to make something as secure as possible with the least cost possible.
All security systems rely on a secret of some sort. However, where they differ is in what has to be kept secret.
In a well-designed lock I would assert that the only thing that would have to be secret were the key itself, which I'd keep on a string around my neck at all times. If to keep things secret the workings of the lock mechanism itself have to be protected you have created a vulnerability. If your neighbor wants to break in they can just buy another lock of the same brand and take it apart to figure out how it works.
Secrets are very hard to protect. A password is either short and easy to guess or long and hard to remember. If you write it down then it is easier for an opponent to obtain. A good security system of any kind should avoid relying on secrets any more than necessary.
Does the bank do other stuff? YES, they have alarms, and a vault. The vault has a combination.. does that make it security through obscurity, and hence, designed by idiots?
The workings of the alarms and the vault are not secret. However, the exact alarm code and combination used by the bank are. If the alarm and vault are well-designed the knowledge of how they work should provide little benefit to a burglar. The only thing that has to be kept secret are the codes.
In the case of the master key vulnerability, simply keeping the master key well-protected affords little to no protection as long as ordinary keys are issued. The burglar needs only to know how the lock mechanism works to break it - and this is common knowledge now.
That isn't to say that new vulnerabilities won't be found in existing systems, but a well-designed security system should not rely on keeping the operation of the system secret.
Re:Is this a joke? (Score:2, Insightful)
Mine can't. Not only is the lock not mastered; the master key for the building has different keyways than the server room, therefore you can't even stick the master in the lock.
Their Fix, Having RTFA: (Score:3, Insightful)
What they don't say, but is easily calculated, is that you can raise the security of each individual lock by increasing the number of pins.
Specifically: if you have a single master key, then you have to go up from double-cut up to triple-cut. That means that I'll work with log-base-3 below (for triple cut).
In that case, the number P of additional pins you must add, having formerly had N pins, and having x (let us suppose 9) possible cut heights, then
P = N/[Log3(x)-1]
So if you have 9 possible heights for each pin, single master key, and 5 tumblers, then you can prevent privilege escalation with no further loss in security by going to 5+[5/(2-1)]=10 pins. Not common today, but not impossible. Currently most locks run from 5 pins to 8 pins. Add two pins to an 8 pin lock, and you get your 10 pin security, privilege-protected.
Or you can go open source.
Re:Is this a joke? (Score:3, Insightful)
How many sysadmins know that the door to their server closet can be opened by an employee with a regular key?
How many sysadmins keep trying to convince their bosses that security is important, only to discover that the custodial staff routinely pops in the server room to empty the trash?
Sadly, not everyone understands that security is an issue.
Read the "MIT Guide To Lock Picking" (Score:3, Insightful)
And specifically read section 9.10 about Master Keys. This stuff is pretty old and well circulated. The entire guide makes for a great read if you're bored. If you're interested in mind teasers, puzzles, and such, you'll appreciate what the guide talks about, even if you never attempt to pick a lock.
Old news resurfaces - but what about control keys? (Score:1, Insightful)
A tougher problem was creating what's called a control key. This key is used to remove the guts of the lock (called the core) from the cylinder. The way this works is that the pins line up at a different level inside the lock, causing a separate sheath to turn and disengage the core from the cylinder.
Of course we had to have a control key. But it is nearly impossible to pick the lock at the control level since there is no way to put pressure on the inner sheath. (Some systems have grooved sheaths you can torque on with a special tool, but not this one.) And of course there's no such thing as an individual control key.
Since the control key level shared some (but not all) pin breaks with the master key it is theoretically possible to use the master to reduce the number of possible control keys. But we were never able to work it out. Eventually we found an abandoned door with a lock still on it and drilled it. That gave us our control key.