Monday, March 24, 2008
Why high-sec locks are pickable
Ross Kinard put out this paper on high-sec locks earlier this month (found via Blackbag today).
It outlines why several high-security locks are still vulnerable to manipulation and picking. Although it's often a more complex task to pick a Medeco or a Mul-T-Lock, the same flaws in manufacturing and normal wear end up creating many of the same vulnerabilities. It's just more difficult to pick these locks because there are more hoops to jump through, if you will.
Ross discusses the Two-Stage method of unlocking -- something that few lock manufacturers employ -- and why it's crucial to making a lock more difficult to pick. Ross uses Abloy's Disc Blocking System as an example of a very strong system that is highly resistant to straightforward manipulation attacks.
If you like physical security, lockpicking, high-res photos of locky goodness and technical diagrams, this is a great read. It's not terribly verbose, either. I think it also goes without saying that Blackbag belongs in your RSS reader. Right now.
Labels: blogs, lockpicking, physicalsecurity
Thursday, February 28, 2008
Locksport International guide to lock picking
The so-called "LSI Guide to Lock Picking" has been around for a few years, but it's a great primer for people who are interested in learning the art, science, and sport of picking locks. It covers basic lock-part terminology, a quick guide to making some basic lock picking tools, and some tips for picking your very first lock.
A few things to note:
- Picking your own locks or locks you have permission to pick is not a crime.
- It's very much like solving an interesting puzzle by feel alone.
- Certain locations (states, cities) have laws regarding transportation or carrying of lock picking tools, so it's best to keep them at home.
Labels: lockpicking, locks, physicalsecurity
Monday, February 18, 2008
Tinkering with the ComboGard 2
This article is a derivative of an article I wrote a while back, which was published in 2600: The Hacker Quarterly 21:4 (Winter 2004-2005). If it looks familiar, that's why.
The LaGard ComboGard series of digital combination locks (Model 33E) is a mainstay of the vault lock industry. It was designed to be a drop-in, high-tech replacement for the old dial-type combination locks for safes and vaults. The actual lock mechanism has the same dimensions as most run-of-the-mill group 1 or group 2 combination locks. The spindle that connects the keypad to the lock mechanism (to retract the bolt of the lock) is in the same location as the spindle that connects the dial to the lock mechanism on old combination locks, and the keypad will mount using similar mounting hardware and at the same location as an old combination lock. Quite literally, you can use a ComboGard lock to replace an aging mechanical lock on an otherwise good vault.
Safe and vault manufacturers can also buy these locks and install them at the factory. You can find one in use at many restaurants, stores, and businesses. They're not all that expensive, so their widespread popularity is no mystery. Are they more secure? Arguably, yes. A typical mechanical lock has about 27 million possibilities, whereas a 6-digit combination lock such as the ComboGard has a mere 1,000,000. Mechanical locks have other weaknesses, though: many of them can be manipulated and listened to. Digital locks cannot be easily manipulated. Digital locks can also enforce a lock-out policy much like networked systems do, where no further combinations can be tried until a penalty time has expired. This limits attacks to 3 tries per penalty period; with a 5-minute penalty, only 36 combinations can be tried per hour. At this pace, it would take years to go through every possible combination.
Lock Parts:
The lock's main electronics board is housed inside the lock assembly, which is secured within the vault itself. A single 9-volt battery powers the whole thing and can last for years even if the lock is opened daily. The battery sits in a small plastic box, connected to the lock assembly through a proprietary connector. The keypad uses an identical connector; the two are easy to confuse, and each will plug into the wrong port. The keypad is a circuit board with a membrane touch pad, an LED and a speaker, covered with rubber keys and housed in a metal case with a plastic bezel. In the event that the owner fails to act on the lock's low-battery warnings, there are terminals on the keypad so that an emergency battery can be attached to operate the lock temporarily. The lock case and keypad are connected via a square brass spindle, which can be cut to the proper length to accommodate different thicknesses of vault door. The keypad electronics connect back to the lock case with standard two-pair phone cable, with the same proprietary connector on the end.
Operating:
When you enter the correct combination, the keypad is allowed to rotate counter-clockwise, retracting the lock bolt. There are numerous other features that are programmable, either with a special tool that service personnel have, or via the keypad for owners. The online manual at LaGard's website has all this information. What if you forget the combination? As far as I know, there is no master combination. You're left to do what a locksmith would do to a mechanical lock that can't be opened: drill it. Unless drilled in a very precise location, the lock will never open. On some revisions of the case, there is a raised circular area that designates the optimal spot to drill.
Dumpster Diving for Locks!
For some reason, a local place has been discarding these locks, and I've managed to find a few in a dumpster. Some have been opened up and no longer have the factory warranty. Some of them have had their spindles cut and have been installed and uninstalled. One thing holds true though, none of them have the default combination (1-2-3-4-5-6) and none of them have been reset by a technician (in which case the combo would be 5-5-5-5-5-5). Lately, I've been seeing several of them turn up on eBay and other auction sites, some selling for $50 or less. This is definitely a bargain. I called LaGard and asked them if they knew how to reset a lock, and they informed me that I needed to call the people I bought the lock from. Well, since I found it by dumpster diving, that was out of the question. I called the place whose dumpster I've been finding them in, and they informed me that I needed to call some company in Kansas, as they service all of their ComboGard locks. They were of little assistance. After a bit of social engineering and a call back to LaGard, I had a fax in my grubby little hands that outlined in great detail exactly how to reset these gems.
Resetting (without any fancy tools)
I've since lost the actual fax, but the process remains ingrained in my head. Whether it's exactly the same as the fax I received, I can't remember, but I do know that it works! It also voids the warranty, since it involves breaking the tamper-resistant seal tape (hint: a razor blade and a hair dryer do wonders). On with resetting the lock. I've included some photos to help with the process.
1) Remove the keypad and battery from the lock case.
2) Cut or otherwise remove the tamper seal tape. This is the only thing that holds the back plate onto the lock case.
3) Remove the back plate of the lock.
4) Locate the reset jumper holes. There's a central DIP IC. If you hold the lock with the bolt facing away from you, the jumper holes are directly to the left of that IC. They're larger than the rest of the holes, have exposed tinning around them, and are about 1/4 inch apart.
5) Place a jumper wire into the two reset jumper holes.
6) Attach the keypad. It goes into the port closest to the corner of the case.
7) With the jumper wire still attached, connect the battery.
8) Within 5 seconds, press the "5" key on the keypad.
9) Wait 60 seconds, then disconnect the battery and remove the jumper wire. Test the lock with the combination "5-5-5-5-5-5". If it doesn't work, start over again. Timing is critical, and the jumper wire must be secure and connected for the duration of the procedure.
Changing the combination: enter 0-0-0-0-0-0, then the old combination, then the new combination.
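As an added illustration (not LaGard's firmware, documentation, or code from this post), here is a small Python model of the lock-out policy described above, with the 5-5-5-5-5-5 reset combination and the 0-0-0-0-0-0 / old / new change sequence from the procedure. It also generalizes the 36-tries-per-hour figure to any keyspace and penalty setting and checks that figure against a brute-force walk of a smaller keyspace. The class layout, the audit log, the attacker loop and the idea that a change attempt counts against the same penalty counter are my assumptions, not the lock's documented behaviour.

```python
"""Keypad lock-out model: the rate limit, not the keyspace, is the control.

Added illustration, not LaGard firmware or documentation. The figures come
from the post: 3 tries per penalty period, a 5-minute penalty, a 6-digit
combination, the reset combination 5-5-5-5-5-5 and the change sequence
0-0-0-0-0-0 / old / new. Everything else here is an assumption.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class LockoutLock:
    combination: str = "555555"   # reset combination from the post
    tries_per_window: int = 3     # from the post
    penalty_seconds: int = 300    # 5-minute penalty from the post
    failed: int = 0               # wrong tries since the last penalty/open
    locked_until: float = 0.0     # no entries accepted before this time
    audit: list = field(default_factory=list)  # assumed (time, event) log

    def _record_failure(self, now: float) -> None:
        self.failed += 1
        if self.failed >= self.tries_per_window:
            self.failed = 0
            self.locked_until = now + self.penalty_seconds
            self.audit.append((now, "penalty started"))

    def try_open(self, entered: str, now: float) -> bool:
        """True if the bolt would retract for `entered` at time `now` (seconds)."""
        if now < self.locked_until:
            self.audit.append((now, "rejected during penalty"))
            return False
        if entered == self.combination:
            self.failed = 0
            self.audit.append((now, "opened"))
            return True
        self.audit.append((now, "wrong combination"))
        self._record_failure(now)
        return False

    def change_combination(self, old: str, new: str, now: float) -> bool:
        """Old must match; assumed to share the penalty counter with try_open."""
        if now < self.locked_until:
            return False
        if old != self.combination or len(new) != 6 or not new.isdigit():
            self._record_failure(now)
            return False
        self.combination = new
        self.audit.append((now, "combination changed"))
        return True

    def enter(self, keys: str, now: float) -> bool:
        """Six digits attempt to open; 000000 + old + new changes the combination."""
        if len(keys) == 6:
            return self.try_open(keys, now)
        if len(keys) == 18 and keys.startswith("000000"):
            return self.change_combination(keys[6:12], keys[12:], now)
        self.audit.append((now, "malformed entry"))
        return False


def tries_per_hour(tries_per_window: int = 3, penalty_seconds: int = 300) -> float:
    """Attempts per hour when every window of tries ends in a penalty."""
    return tries_per_window * 3600 / penalty_seconds


def years_to_exhaust(keyspace: int, tries_per_window: int = 3,
                     penalty_seconds: int = 300) -> float:
    """Wall-clock years to try every combination at the throttled rate."""
    hours = keyspace / tries_per_hour(tries_per_window, penalty_seconds)
    return hours / (24 * 365)


def simulate_exhaustive_search(digits: int = 4) -> float:
    """Walk a whole (small) keyspace against the model with the correct
    combination placed last; returns elapsed seconds, which should agree
    with the closed-form rate above."""
    candidates = ["".join(p) for p in product("0123456789", repeat=digits)]
    lock = LockoutLock(combination=candidates[-1])
    now = 0.0
    for combo in candidates:
        if now < lock.locked_until:
            now = lock.locked_until       # attacker waits out the penalty
        if lock.try_open(combo, now):
            return now
    raise AssertionError("unreachable: the correct combination is in the list")


if __name__ == "__main__":
    print(f"{tries_per_hour():.0f} tries/hour")
    print(f"6 digits: {years_to_exhaust(10**6):.2f} years to exhaust")
    print(f"4-digit walk: {simulate_exhaustive_search(4) / 3600:.1f} hours")
```

The point the numbers make: a million combinations would fall in minutes without the penalty timer, so the audit log and the lock-out, not the digit count, are what an owner should care about; the same reasoning applies to any PIN-protected device.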
Labels: lockpicking, locks, physicalsecurity
Saturday, February 16, 2008
Bypassing merchandise display locks
A great many of the popular merchandise security locks and tags operate simply on magnets. Those big plastic sticks you see hanging off of clothing? Usually unlocked at the register with a powerful magnet. The plastic locks that Blockbuster slides into the DVD cases on the display floor to keep people from opening them up until they've paid? Also opened with powerful magnets. The plastic things that keep you from removing cheap-ass MP3 players from the display hooks at Wal-Mart or the pharmacy? Guess what? Yep. Magnetic. Some use other means, like a set of plastic pins that unhook the latching mechanism. These days, RFID or inductor-loop systems physically sealed inside the packaging (or even inside the device!) are becoming more common, so this trick is fast becoming less relevant.
Shown above is a popular security device that simply clamps around a display hook, locking all of the products onto that hook until it's deactivated. Another common one you'll see is a big grey brick stuck on the end of the display hook. They both work the same way, though.
When opened, you can see that a spring-loaded metal pin sticks out. This pin locks the other half shut, clasping this device firmly around the display hook. The display hook will either have a bend in it, or a thicker, rounded ball on the end -- usually both. This is sufficient to keep this plastic lock from being pulled off the end of the display hook. Now, a would-be shoplifter could probably pull the display hook out of the display board pretty easily, but then they would need to sneak out of the pharmacy with a whole batch of $9.99 Coby MP3 players. That's a lot more difficult to hide than just one.
Your run-of-the-mill fridge magnet won't work, but the rare-earth magnets found in hard drives work wonders. A strong magnet will grab the spring-loaded pin and pull it out of the way, allowing the clasp to open.
Other security devices, for example Blockbuster DVD locks, use two or more spring-loaded metal actuators. Behind the counter, the unlocking device has magnets already spaced apart just right to open them up. These systems are a little more secure.
So next time you see some kid messing around with rare earth magnets in the electronics aisle, know that it's probably not so he can corrupt hard drives or make pretty gauss patterns on CRT displays.
Labels: hack, lockpicking, locks, physicalsecurity
Wednesday, October 17, 2007
Shimming a cable lock
Some of you may know that in my spare time, I like to ride bicycles. I ride for fun, and for basic transportation when I feel up to it. When I park my bicycle at work, I use a heavy-duty chain and padlock to hold it to the rack in the security-patrolled private parking garage. My bike isn't going anywhere. When I'm just out and about running errands, I usually lock my bike up with an inexpensive cable lock. In this case, it's a "Python" by Master.
The Python is a pretty resilient lock. It has a steel braided cable that's covered in a hard plastic material. The cable itself is 6' long and can easily be wrapped around a large light post or pillar. The lock cylinder itself is only four tumblers, but the keyway is small and obstructed. To further complicate the task of picking the cylinder, the lock requires a very impressive amount of tension in order to turn. In an attempt to figure out a good method of bypass, I turned to the ancient art of shimming the lock.
Shimming is when you place a sheath or other material around the shackle of a lock, and force the shim into the locking mechanism, thus unlatching the grip on the hasp and allowing the attacker to open the lock. This usually only works on lower-quality padlocks. The Python works by providing a pair of ribbed surfaces that allow the cable to easily slide into the lock, but resist any attempts to pull the cable outward. By its very nature, this lock design is meant to have some slack between the lock itself and the thickness of the cable. With that, I went to work fabricating my shim.
I used only a utility knife and a soda can for this attack. I cut a long strip out of the soda can that would be wide enough to wrap almost completely around the cable body. Both the utility knife and the resulting metal edges on the can and shim will be very sharp. Use good work gloves or at least a lot of caution if you choose to replicate what you see here.
Next, I wrapped the shim around the body of the cable, and inserted the end into the entrance to the lock body just enough to hold the shim into shape.
I then pushed the cable and shim further into the lock body. This squeezes the shim between the jaws and the cable, allowing the cable to slide out of the lock without being held into place by the one-way jaws.
I held one end of the shim (not shown, my other hand was taking the picture) while gently and easily twisting and pulling the cable back out of the lock. This takes patience, and remember what I said about sharp edges!
Eventually, the cable will come all the way out. Note, you can still see the shim inside the lock body.
Then, you simply remove the shim, coil the lock back up, and away you go. Of course, I'd never advocate theft in any way. If you do attempt to steal my bike while it's locked up this way, you can expect to find yourself trying to shim this lock to get it off from around your neck! This is a very quick way to bypass many inexpensive locking systems, however. It's often easier to shim a cheap lock than to pick it. You can apply this same method to some combination locks, keyed padlocks, and certain "U" shaped bicycle locks as well. Next time someone needs their cheap lock opened without the hassle and carnage of bolt cutters, just reach for a soda can.
It's worth mentioning that this attack relies on the attacker's ability to move the shim into place. Had the cable been pulled tight so as to remove all of the slack, an attack such as this one would be nearly impossible.
Labels: lockpicking, locks, physicalsecurity