High insecurity at LockCon
Medeco high security locks opened in 23 seconds at Netherlands event replete with lock picking contests, safe cracking demos, and briefings on new security tech.
More importantly, the conference provides a forum for serious discussions and presentations about design flaws in security hardware, and new circumvention techniques. Barry Wels is actually a crypto expert for GSM phones, but is perhaps most well known in Europe for focusing attention on lock bumping in the Netherlands, through Toool (The Open Organization of Lock Pickers).
Two significant events occurred at LockConthis year.
On Friday, the director of research and development at Medeco High Security Locks gave a five-hour presentation on lock design. This is important because Medeco has finally recognized the value and contribution of the lock sport and professional bypass community and their ability to develop methods of compromise that manufacturers often seem incapable of determining in their own products. It is a real departure from the traditional approach of most lock makers, and one that I have supported and advocated for quite some time
The following day, a detailed four-hour presentation and workshop was given by my co-author (Tobias Bluzmanis) and I regarding the bypass of Medeco m3 and Biaxial cylinders. For those who may be unfamiliar with the name, Medeco has been the predominant high security lock manufacturer in North America for the past 40 years. It's responsible for protecting residences, commercial locations, and the most secure government facilities in the U.S. and overseas. Its lock design was revolutionary and very secure, until we figured out the embedded design issue.
In our presentation, we examined the theory and practical aspects of compromising these highly respected locks by various methods, including bumping, picking, and bypass of its key control. On Sunday, a contest provided a real-world confirmation of the theories and techniques that were presented in our new book on the subject.
UL 437 and BHMA/ANSI 156.30 require a minimum of 10 minutes to bypass these mechanisms by picking and other forms of attack. This is precisely why we have challenged these standards as not being representative of real world attacks, with potentially catastrophic results for facilities or critical infrastructure. Security professionals rely upon these same standards by Underwriters Laboratories and the Builders Hardware Manufacturers Association to establish benchmarks for high security locks. In my view, 23 seconds of protection does not quite make it! That was the documented official time. Actually, a participant opened one of the same locks in five seconds, but we did not record it on video.
More in a later post on the concept of standards, and why many security professionals do not feel they are adequate.
A new book, "Open In Thirty Seconds," was recently released by Marc Weber Tobias and Tobias Bluzmanis regarding high security locks and the techniques and theory to bypass all levels of security in Medeco m3 and some Biaxial cylinders. See stories on CNET earlier this summer from and regarding these issues. Marc has lectured and written extensively with regard to Medeco and other lock manufacturers.