High insecurity at LockCon

Once again I made the annual trek to a little town in the northern Netherlands, Sneek, to meet with about 75 colleagues to discuss the latest security issues and bypass techniques for locks, safes, and access control systems. LockCon, the new name for "The Dutch Open" is organized by Barry Wels and Han Fey. For the past six years, they have put together a three-day event, replete with lock picking contests, safe cracking demonstrations, and briefings on new security technologies.

More importantly, the conference provides a forum for serious discussions and presentations about design flaws in security hardware, and new circumvention techniques. Barry Wels is actually a crypto expert for GSM phones, but is perhaps most well known in Europe for focusing attention on lock bumping in the Netherlands, through Toool (The Open Organization of Lock Pickers).

Two significant events occurred at LockConthis year.

On Friday, the director of research and development at Medeco High Security Locks gave a five-hour presentation on lock design. This is important because Medeco has finally recognized the value and contribution of the lock sport and professional bypass community and their ability to develop methods of compromise that manufacturers often seem incapable of determining in their own products. It is a real departure from the traditional approach of most lock makers, and one that I have supported and advocated for quite some time

The following day, a detailed four-hour presentation and workshop was given by my co-author (Tobias Bluzmanis) and I regarding the bypass of Medeco m3 and Biaxial cylinders. For those who may be unfamiliar with the name, Medeco has been the predominant high security lock manufacturer in North America for the past 40 years. It's responsible for protecting residences, commercial locations, and the most secure government facilities in the U.S. and overseas. Its lock design was revolutionary and very secure, until we figured out the embedded design issue.

In our presentation, we examined the theory and practical aspects of compromising these highly respected locks by various methods, including bumping, picking, and bypass of its key control. On Sunday, a contest provided a real-world confirmation of the theories and techniques that were presented in our new book on the subject.

If you thought your locks were secure, check out the details and video links at In.security.org. The best official time to open a five-pin Medeco high security cylinder was 23 seconds. This flies in the face of the requirements of the two primary testing protocols that apply to these locks in the U.S. These standards set the minimum performance criteria for locks, safes, and other security hardware, and define resistance to covert and forced entry techniques.

UL 437 and BHMA/ANSI 156.30 require a minimum of 10 minutes to bypass these mechanisms by picking and other forms of attack. This is precisely why we have challenged these standards as not being representative of real world attacks, with potentially catastrophic results for facilities or critical infrastructure. Security professionals rely upon these same standards by Underwriters Laboratories and the Builders Hardware Manufacturers Association to establish benchmarks for high security locks. In my view, 23 seconds of protection does not quite make it! That was the documented official time. Actually, a participant opened one of the same locks in five seconds, but we did not record it on video.

More in a later post on the concept of standards, and why many security professionals do not feel they are adequate.

A new book, "Open In Thirty Seconds," was recently released by Marc Weber Tobias and Tobias Bluzmanis regarding high security locks and the techniques and theory to bypass all levels of security in Medeco m3 and some Biaxial cylinders. See stories on CNET earlier this summer from Defcon 16 and HOPE regarding these issues. Marc has lectured and written extensively with regard to Medeco and other lock manufacturers.