Defcon talk: Invisible Access Electronic Access Control, Audit Trails and “High Security” by Marc Weber Tobias and Tobias Bluzmanis

Unfortunately, Matt Fiddler could not make it to the talk because of acute appendicitis. These three guys are from http://in.security.org. They presented the results of their attempts to break high security electromechanical locks. Unfortunately they are not able to disclose the details of how they attacked the locks in the USA, but more information will be disclosed at Hacking at Random in Vierhouten in the Netherlands from 13 to 16 August.

When we talk about high security locks, what are we talking about? There are US standards for high security locks, but do they offer any value?

To know that, we have to look at what makes a lock secure. Three factors determine this: its resistance against forced entry, its resistance against covert entry, and its key security. In.security.org has developed a rating based on the three T’s: the Time, Tools and Training needed to compromise a lock.

When you look at the standards, they cover a very limited set of attacks, e.g. the US standards do not cover dumping attacks.

In.security.org was able to successfully attack electromechanical locks because in the end they “are still mechanical locks”.

The attacks focused on the Cliq system, made by ASSA Abloy, which is the most widely used implementation of electromechanical locks. It is used, for example, in the ASSA Cliq Solo system, which was just released in Europe and will not be released in the USA because they were compromised.

Contrary to their advertisements (1, 2), there are real issues with the Cliq system:
•    Simulation of keys
•    Lost or stolen keys cannot be deleted, but instead put the entire system of a site at risk
•    Certain cylinders cannot be rekeyed
•    It is possible to simulate credentials
•    Or to totally bypass the electronic system
•    These attacks do not leave the promised audit trail

Toool, The Open Organisation Of Lockpickers, has offered key vendors like ASSA Abloy their full research in exchange for locks and a promise that the faults found would be fixed, but this offer has been turned down. Vendors will not provide locks for research, will not provide fixes and have “no interest” in the data.

They then showed a video in which these locks were all compromised. One of the ways to prevent the creation of an audit trail is to block the interface of the electronics of the lock with the use of an “advanced attack”: putting a piece of paper between the lock and the key.

The most smashing demonstration was the manual picking of one of these locks, something these locks are supposed to prevent.

As these locks contain fundamental security engineering flaws, it is the belief of the speakers that the vendors should fix these issues and offer a full free replacement of all vulnerable locks installed. Unfortunately the vendors have a different opinion.
