High-Security Locks For Government and Banks Hacked By Researcher

pgmrdlm shares a report from Reuters: Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets, according to research to be presented Friday at the annual Def Con hacking conference in Las Vegas. Mike Davis, a researcher with security firm IOActive, discovered the vulnerability last year and alerted government officials and Swiss company DormaKaba Holding, the distributor of multiple brands of locks at issue. In an interview with Reuters, Davis said he used an oscilloscope worth about $5,000 to detect small changes in the power consumption, through what is known as a side-channel attack. The method worked best in older models.

The locks include their own power supply so they function even when an external source of electricity is cut off. Most versions do not consume extra or randomized power to hide what they are doing. That leaves them open to attack if a thief can get physically close enough and has the right tools, Davis said. "I can download that analog signal and parse through the power trace to get ones and zeroes," Davis said. "I know what the lock is doing internally." Inside ATMs, the company's locks typically protect the cash in the more secure, lower compartment. An upper compartment includes the interface with customers and directs the lower compartment to send up money. The upper compartment often has less physical security, and breaking into it might provide access to the lower vault's vulnerable lock. A bigger concern is that another series of DormaKaba locks are used on military bases, U.S. presidential jet Air Force One and elsewhere in the government.

But for now, we like our things

[Empiric]

"We will bankrupt ourselves in the vain search for absolute security."

--Dwight D. Eisenhower

Re:

[Empiric]

That's when they'll disappear, that's when we'll be feared [youtube.com]

Re:

[iggymanz]

On the other hand, it's often the case a slightly better design at minimal extra cost can greatly increase security. This exploit is one of those cases

Re:

[Dunbal]

"We will bankrupt ourselves in the vain search for absolute security."

Yeah but calling something high security is just asking for it to be broken into, just like calling a ship "unsinkable".

Re:

[Z00L00K]

Lock Picking Lawyer just sees "unpickable" as a challenge and then defeats those locks one way or another.

Just look at some of his YouTube videos.

Re:

[Pascoea]

Yeah, the guys delivery is as dry as week old toast, but he's definitely talented. Biggest thing I've learned from his channel is how many unique lock designs there are out there.

Re:

[major12311]

This is an excellent post

Re:

[ctilsie242]

High security means a lot. For example, the average padlock and door lock in the US is easily bumped or raked open. It doesn't take a Bosnian bill type to do it... just someone with a wave rake and a Z tension tool. The problem is that most security in the US is designed around drug addicts... something beefy to mitigate a physical force attack. The EU doesn't have the addiction problem the US has, so the thieves are smarter, and thus locks are far more pick resistant, and lock brands more secure. (Com

Laboratory conditions = Mass hysteria

[Anonymous Coward]

This reads like those articles that claim researchers found vulnerabilities in airplanes or cars.... they just require you to rip open the ceiling mid-flight and splice into the wire looms without anyone noticing.

Re:Laboratory conditions = Mass hysteria

[DarkOx]

I don't know what attacks you are referencing specifically as to the airplanes but you are still on point here. Very few security measures are supposed to stand on their own.

So these locks are used on military bases, okay. Doing these side channel attacks requires 1) time and 2) specialized difficult to conceal equipment. There are other security mechanisms present that hopefully prevent you from walking onto a military base, entering the vicinity of secure area and busting out your O-scope.

There are probably things like entry gates that prevent you from taking a vehicle on base
Large distances to cross from said gates to any structure so that anyone who does jump a fence can be observed / intercepted
Military Police + policy to stop and question people, and require they show ID and other documents
Security Cameras + monitoring
Locks on exterior doors

Can an insider threat bypass these (maybe) could an outside pose as a maintenance contractor or something (possibly). Can they successful do all those things AND exploit these locks (I suspect this attack takes quite a lot time and isn't reliable) increasingly unlikely.

Re:

[drinkypoo]

This attack probably takes very little time, but it will require ACTIVITY. You've got to bypass physical security, install a tap, wait for someone to use the lock n times (if the locks are sufficiently insecure, n might be 1) and then generate your own key. So very little actual time is likely involved, but the attack can only reasonably executed from inside. From the outside you have men with guns, barriers, etc. From inside you also have men with guns, and hopefully you have security watching the areas yo

Real-world examples

[timeOday]

This is no disrespect to this research, it is good to be always improving.

But historically, how often is something like this pulled off in the wild? What are some case studies? How often compared to, say, chaining up an ATM to a stolen car to drag it away or rip it apart? [nypost.com]

Re:Real-world examples

[Major_Disorder]

My girlfriend works doing crime stats for a local PD. (Not saying which.) I recently became interested in lock picking. So I watch a few hundred videos on the subject. (The LockPickingLawyer is awesome.) But after watching theses videos and a little experimenting, I discovered that most of the readily available locks are very easy to open with little of no skill. So I asked her if she commonly saw police reports where the method of entry was lock picking. Her answer: Never.
In most cases they break-in through an unlocked door or window. Occasionally a door or window will be kicked in, but as that makes noise it happens less often than you would expect.
Most criminals are stupid and lazy. A lot have drug problems that limit mental acuity.
Lock your doors and windows, then upgrade the door strike plates. You should be good against over 95% of break-ins. Unless you are a special case, where YOU are a target. Eg: You have a lot of drugs in your home and people know it.

Citation needed

[Anonymous Coward]

No one on Slashdot has a girlfriend. I'm calling bullshit on this comment.

Re:

[Anonymous Coward]

Look up lock bumping.
The difference between an unlocked door and a bumped door is about $5 equipment and 5 seconds. Police can't tell the difference.

Re: Real-world examples

[Anonymous Coward]

Bump gun is about 65 dollars and will open pretty much any normal tumbler with 3 clicks. Buy one and keep it in your car in case you ever lose your house keys. It's all the locksmith is going to use anyway unless they want to make a spectacle out of drilling and bill you an extra 3 hours

Re:

[AmiMoJo]

Criminals do make extra effort with things like ATMs. In the UK they have been known to pump in gas to expand the casing until it breaks, or to simply rip the entire ATM out of the wall. They contain enough money to make it worthwhile.

Re:

[gtall]

Here in the U.S. a favorite method is to run into a convenience store with your pickup truck, lasso the ATM, and haul it off. In Texas, they use a long horn steer rather than the pickup truck.

Re:

[Pascoea]

Here in the U.S. a favorite method is to run into a convenience store with your pickup truck, lasso the ATM, and haul it off. In Texas, they use a long horn steer rather than the pickup truck.

You'd think they'd be smart enough to at least use someone else's pickup truck. (Or steer)

Re:

[gweihir]

I have noticed recently that most ATMs here now have a sticker saying that they are protected against being blown up with gas and that trying to do so may result in severe injury.

Re:

[AmiMoJo]

I wonder if they are actually inflation-proof or if they just put a sticker on them.

Re:

[gweihir]

Good question. Nobody has tried in ages here though, so I have no idea.

Re:

[drinkypoo]

This article is about high security commercial locks. There's probably a lot more lock picking in industrial espionage, which is generally handled by the FBI, than in the cases handled by the Podunk PD.

Re:Real-world examples

[Anonymous Coward]

So I asked her if she commonly saw police reports where the method of entry was lock picking. Her answer: Never.

beware of confirmation bias. think about how the police most often catch the dumb criminals and the easy collars. The other thing is that picking a lock is non destructive which means that some of those crimes can go unnoticed until much later and even then are more likely not to be reported.

Most criminals that get caught are stupid and lazy

FTFY

Re:

[gweihir]

That does not surprise me. Anybody able to pick a lock has some skill, patience and insight and hence will not need to resort to breaking and entering to make a living.

Re:

[AHuxley]

How often is something like this pulled off in the wild?
Penetration testers do this every decades all over the USA.
In the wild the gov/mil/brand builds a sally port. No looking in further.
Then adds layer of human guards to look at photo ID and talk to the person.
Does the complex set of photo ID and biometrics in front of the guards.
Both entering and then on exit.
Good for seeing who is working long hours and who is at work too :)
People might get past the elevators, doors, locks, talk their way pas

Side channel attacks are pretty interesting

[cliffjumper222]

I'm in tech security and these are some of my favorite types of attacks because they are often innovative exploits. Reading the internal operations of an MCU via the power supply is a known issue and indeed many secure IC's will run from purposely noisy internal power supplies to mitigate this attack (see Microchip secure MCU's and HSM's like the ATECC608A for example). Although side channel attacks can be considered contrived, especially when they are first detected, you'd be surprised how they can become

Re:

[Pascoea]

That was one of my first thoughts. Yes, this type of attack would be INCREDIBLY hard to pull off, exactly as described. But I'm sure some enterprising engineer could come up with a relatively small, automated device to do this sort of snooping in a concealed manner.

Why Didn't He Report It To The Government?

[WindowsStar]

In the story they ask why didn't he report it to the government? Why because they a) don't believe you, or b) they don't respond to you, or c) more than likely, they send the FBI and arrest you. That is why he reported it to DefCon so the lock company and the government would actually do something about it!!!!

Re:Why Didn't He Report It To The Government?

[Anonymous Coward]

well, since this is my work. i get to point out that not only did we report it to the government, we had the government come to our offices to talk about it so that they could develop a mitigation, which i will point out the article does note the government confirming.. its going to be a rough defcon...