The ethics of lock picking and telling
Hackers are turning their attention from software to locks and publicizing the vulnerabilities, angering the industry. But security experts say publicity is necessary.
In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?
Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and compensate people whose bicycles were stolen as a result of the lock being picked.
"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.
There's been plenty written about breaking into the virtual locks that safeguard sensitive data on the Web. But the picking of real-world physical locks is becoming an increasingly popular pastime for some. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be broken into and show how it's done on blogs and videos and at security conferences.
Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.
But, just like third-party disclosure of vulnerabilities in software forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the scrutiny and will have to be held accountable for their products, experts say.
"The concept of responsible disclosure is well and good for new locks that haven't hit the market yet. But that doesn't help you when the lock is already embedded in millions of facilities. They're not going to fix them," said Marc Weber Tobias, a lawyer who has written a book about breaking into high-security Medeco locks called Open in Thirty Seconds and issued the original security alert on all tubular locks that included the Kryptonite locks.
Tobias will be presenting a session at the Defcon hacker conference in Las Vegas next week on how to break the key control of Medeco M3 locks by making fake keys.
"How does it help the consumer not to tell them that there is a vulnerability?" he said. "Medeco customers have a right to know whether their locks can be compromised."
The issue highlights the conflicting world views of two very different groups: hackers who like a good challenge and enjoy taking things apart, and traditional hardware manufacturers who don't want anyone but certified locksmiths testing their systems.
As the lock manufacturers' and locksmith trade groups see it, most non-locksmiths picking locks are trying to reduce security, not improve it.
Web sites selling lock picking tools are breaking U.S. federal law, said Tim McMullen, legislative manager for the Associated Locksmiths of America.
Ralph Vasami, executive director of the Builders Hardware Manufacturers Association, said: "We believe that lock picking, obviously, is an illicit activity, even if it's a sport. We frown on all of that, even if it's for fun."
The industry doesn't need outsiders pointing out flaws with products because there is an established system in place for creating new standards for manufacturers to follow, he said.
"As new technologies have become available that is what spurred product innovation and that spurs development of new standards," Vasami said. "I think we're a pretty nimble and flexible organization."
However, the standards are voluntary, and new security vulnerabilities may not fit in with established procedures. For instance, Tobias said that when he informed the standards group last year that a deadbolt could be broken into with a screwdriver, he was told that the method he was using was not defined in any standard. "The standards aren't protecting people," he said.
Unlike with software, where patches and fixes can be downloaded quickly, locks have to be physically replaced when they are found to be vulnerable to picking. This infrastructure issue puts more of a responsibility on vulnerability researchers to not publicize the problems to the public, said Clyde Roberson, technical director of Medeco Security Locks.
"Our responsibility is to make changes when we see a change in the state of the art," he said. "Everybody has some responsibility to not disclose things that can hurt people and that people don't have power over changing."
Asked how a company would know when its locks are vulnerable if it weren't for independent researchers announcing problems, Roberson said companies should rely on independent testing agencies like Underwriters Laboratories.
"Is it a known vulnerability if people don't know about it?" he then asked, rhetorically. "I'm not sure you need to worry about it unless people are out there demonstrating it and showing how to do it."
Keeping a security problem secret
But that notion of "security through obscurity" wrongly assumes that keeping a security problem secret will protect the people relying on the security system.
"The assumption is that the criminals don't know about it," BT's Schneier said. "Criminals know how to pick locks...The secrecy just hides the truth from the consumer."
"The goal is to make security better. As soon as it's not responsible to do research, the bad guys win," Schneier said.
"(The) lock picking (industry) doesn't get this because they're basically still a guild--a secret knowledge kind of field, whereas computer security is always built on open knowledge," he added. "There have been insecurities discovered by computer people-turned-locksmiths that have existed for hundreds of years."
Lock manufacturers aren't the only hardware makers confronting this issue. Voting machine manufacturer Sequoia threatened a security researcher who was planning to analyze a machine.
And more recently, Philips Semiconductor spinoff NXP sued to prevent a Dutch university from publishing information on security flaws in its Mifare Classic wireless smart card chip used in transit and building access systems around the world. A judge ruled earlier this month that blocking publication would violate the researchers' rights to freedom of expression and hinder vital research.
"The bottom line is the public needs to know," Tobias said. "Let them make their security assessments based on how secure they are told the locks are."
Misrepresenting hardware as more secure than it actually is poses a liability problem for the manufacturer and for companies using the security system to protect their customers' assets.
Siemens is having to change 300,000 cards that use the Mifare Classic chip as a result of the discovered security shortfalls, Schneier said.