
Hacking Medeco locks

A presentation at the Last HOPE hacker conference focuses on the undoing of high-security electronic locks.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


The Last HOPE conference, now being held in New York City, is as much for people interested in hacking the real world as it is for computer techies.

One such real-world presentation on Friday was called "Undoing Complexity--From Paper Clips to Ball Point Pens." Despite the title, it was about hacking high-security electronic locks from Medeco. (The paper clip in the title is a reference to using one as a way of bypassing one type of security in Medeco locks.) The presentation was very well attended, SRO in a large room.

The presenters, Matt Fiddler and Marc Tobias, didn't seem to hold a grudge. They said nice things about Medeco and its locks, which they claimed are used to protect the White House and England's royal family, among many other high-value targets, such as server farms. But after 18 months of research, they claim to be able to hack into almost any Medeco high-security lock with ease. They also claimed to have had a good relationship with Medeco, until recently. Still, they must be Medeco's worst nightmare.

Many of the technical hacking details went over my head, but one thing came through loud and clear: don't trust the claims of vendors when it comes to the security of their locks. It was fascinating to hear how Medeco initially made a strong claim about its locks' ability to resist one particular type of attack, then how it had to re-word that claim when that was proven untrue, and eventually, how it had to re-word the claim yet again to the point where it sounds good but has no real meaning at all.

Tobias was a guest on the 2600 radio show Off The Hook on WBAI back on May 21. That show is available for download here. He also spoke on "Lockpicking: Exploits for Mechanical Locks" at the prior HOPE conference. Audio of that talk is also available.

See a summary of all my Defensive Computing postings.