Showing posts with label physicalsecurity. Show all posts

Monday, March 24, 2008

Why high-sec locks are pickable

Ross Kinard put out this paper on high sec locks earlier this month (found via [blackbag] today).

It outlines why several high-security locks are still vulnerable to manipulation and picking. Although it's often a more complex task to pick a Medeco or a Mul-T-Lock, the same flaws in manufacturing and normal wear end up creating many of the same vulnerabilities. It's just more difficult to pick these locks because there are more hoops to jump through, if you will.

Ross discusses the Two-Stage method of unlocking -- something that few lock manufacturers employ -- and why it's crucial to making a lock more difficult to pick. Ross uses Abloy's Disc Blocking System as an example of a very strong system that is highly resistant to straightforward manipulation attacks.

If you like physical security, lockpicking, high-res photos of locky goodness and technical diagrams, this is a great read. It's not terribly verbose, either. I think it also goes without saying that Blackbag belongs in your RSS reader. Right now.

Thursday, February 28, 2008

Locksport International guide to lock picking

The so-called "LSI Guide to Lock Picking" has been around for a few years, but it's a great primer for people who are interested in learning the art, science, and sport of picking locks. It covers basic lock parts terminology, a quick guide on making some basic lock picking tools, and some tips for picking your very first lock.

A few things to note:

  • Picking your own locks or locks you have permission to pick is not a crime.
  • It's very much like solving an interesting puzzle by feel alone.
  • Certain locations (states, cities) have laws regarding transportation or carrying of lock picking tools, so it's best to keep them at home.

Read: The LSI Guide To Lock Picking (pdf link)

Friday, February 22, 2008

Fire: Improvised fire starter and tripwire

It's no secret that HiR absolutely loves fire and explosives, as evidenced by almost a decade's worth of traditional pilgrimage out to the fringe of society every Independence Day to partake in massive amounts of blowing stuff up.
In my more mischievous and adventurous youth, I made these fire starters in batches. The one drawback is that when these are fully assembled, they may be set off unintentionally if they're crushed or subjected to significant shock. I'll cover storage and transportation tips later on.

Disclaimer: Arson is illegal. Fire isn't a toy. Making improvised incendiaries is an act of "terror" in the US. Don't be a moron. HiR won't be held responsible for random acts of stupidity.

Why Bother?
  • If waxed, these igniters are immune to temporary exposure to water splashes and rain.
  • They start things on fire quickly.
  • The intense flame is resistant to high winds while the igniter material is burning.
  • In many situations, they burn for more than 10 seconds after the match heads finish.
  • They're inexpensive to make.
Backpacking/Survival Uses:
  • Start kindling quickly to build a fire for warmth, light, or cooking.
  • Use as a bright, temporary flare signal in the dark.
Defense Uses:
  • A trip-wire igniter with a fuse and road flare can alert you to and illuminate intruders.
  • A remote pull trigger can be used to activate a fire (pile of leaves, flammable substances) as a distraction for egress or ambush.
Other uses:
  • Use as an improvised remote trigger where distance from the fuse or fire is desirable.
  • I'm sure plenty others come to mind.
Materials:
You will need the following materials to make a basic backpacking fire starter:
  • Scissors or knife
  • Some kind of tape
  • A book of matches
Optionally:
  • Paraffin wax or candles you can melt
  • Small tin can
  • Cooking pot
  • a heat source (stove top)
  • Yarn, thread, twine, string or fishing line (for a remote igniter)
Making a basic pull igniter

Take apart a book of matches and throw away the staple. Pardon the generic matches. I don't smoke nor do I make a habit of picking up match books from various places.


Take one of the sets of matches and roll it tightly, then tape the bottom to hold it tight.


Carefully wrap the match book cover around the igniter tightly with the striker touching the igniter, but don't let the igniter rub on the striker or it will go off in your hand! Keep a bowl of water handy just in case.


Wrap tape around the cover, and you have a pull igniter. Just yank the igniter out through the tube and you'll get a hot, brilliant flame. You can make a second igniter out of the other set of matches as well. The striker tube is re-usable.

Making a tripwire
Make a slip knot in fishing line or string and use it to bind the rolled matches. You really don't need to use tape for the rolled matches if you go about it this way. Leave a few feet of fishing line attached to the igniter, so that you can tie it around a sapling or another anchored object.


Take the striker tube and tie fishing line around it and tie it off. You will want a lot of fishing line to spare, because you will want to be able to string it across a fairly wide path if need be. I usually give it about 12 feet.


Assemble much like you put the last one together (that is, very carefully!). To set the trip wire, tie the igniter to a stationary object, then string the longer wire across a path. Jam a fuse deep into the striker tube with the igniter to activate a flare or other payload.

Waterproofing
Carefully melt some wax in an old tin can set in a pot of boiling water. Dip the igniter in wax a few times to coat it.

Transporting and storage
Wrap paper around the igniter before storing it in the striker tube to keep the igniter from going off in transit.


I recommend keeping these in a 35mm film canister or orange pharmacy pill bottle. Both of these are relatively water-tight. Add some old dryer lint for padding. Lint also ignites easily and makes good kindling for starting a larger fire when you're camping or backpacking.

Monday, February 18, 2008

Tinkering with the ComboGard 2

This article is a derivative of an article I wrote a while back, which was published in 2600: The Hacker Quarterly 21:4 (Winter 2004-2005). If it looks familiar, that's why.

The LaGard ComboGard series of digital combination locks (Model 33E) is a mainstay of the vault lock industry. It was designed to be a drop-in, high-tech replacement for the old dial-type combination locks for safes and vaults. The actual lock mechanism has the same dimensions as most run-of-the-mill group 1 or group 2 combination locks. The spindle that connects the keypad to the lock mechanism (to retract the bolt of the lock) is in the same location as the spindle that connects the dial to the lock mechanism on old combination locks, and the keypad will mount using similar mounting hardware and at the same location as an old combination lock. Quite literally, you can use a ComboGard lock to replace an aging mechanical lock on an otherwise good vault.

Safe and vault manufacturers can also buy these locks and install them from the factory. You can find one of these in use at many restaurants, stores, and businesses. They're not all that expensive, so their widespread popularity is no mystery. Are they more secure? Arguably, yes. A typical mechanical lock has about 27 million possibilities, whereas a 6-digit combination lock such as the ComboGard has a mere 1,000,000 possibilities. Mechanical locks have other weaknesses, though. Many of them can be manipulated and listened to. Digital locks cannot be easily manipulated. Digital locks can also enforce a lock-out policy much like networked systems, where no further combinations can be tried until a penalty time has expired. This limits attacks to 3 tries per penalty period; with a 5 minute penalty, only 36 combinations can be tried per hour. At this pace, it would take years to go through every possible combination.
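To put the lock-out arithmetic above into code, here is an added example (not from the original post and not LaGard's own documentation) that models attempts-per-hour under a penalty policy and the resulting worst-case and average exhaustive-search time. The 1,000,000-combination keyspace and the 3-tries-per-5-minute-penalty figures come from the text; the 2-seconds-per-try unthrottled entry speed used for comparison is an assumption.

```python
"""Exhaustive-search time for a keypad lock under a lock-out policy.

Added example for the ComboGard discussion; the only figures taken from
the post are the 6-digit keyspace and the 3-tries / 5-minute policy.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365


@dataclass(frozen=True)
class LockoutPolicy:
    attempts_per_window: int   # tries allowed before the penalty starts
    window_minutes: float      # penalty time before the next batch of tries

    def attempts_per_hour(self) -> float:
        # Each window yields attempts_per_window tries, then a forced wait.
        return self.attempts_per_window * (60.0 / self.window_minutes)


def keyspace(digits: int, symbols: int = 10) -> int:
    """Number of distinct codes for a fixed-length combination."""
    return symbols ** digits


def hours_to_exhaust(space: int, policy: LockoutPolicy) -> float:
    """Worst case: every combination is tried once under the lock-out."""
    return space / policy.attempts_per_hour()


def years_to_exhaust(space: int, policy: LockoutPolicy) -> float:
    return hours_to_exhaust(space, policy) / HOURS_PER_YEAR


def hours_expected(space: int, policy: LockoutPolicy) -> float:
    """Average case for a uniformly chosen code: half the keyspace."""
    return hours_to_exhaust(space, policy) / 2


def hours_unthrottled(space: int, seconds_per_try: float) -> float:
    """Assumed comparison: no lock-out, limited only by key-entry speed."""
    return space * seconds_per_try / 3600.0


def compare_policies(space: int, policies: dict) -> dict:
    """Worst-case years to exhaust the keyspace for each named policy."""
    return {name: years_to_exhaust(space, p) for name, p in policies.items()}


if __name__ == "__main__":
    space = keyspace(6)                       # 1,000,000 codes
    combogard = LockoutPolicy(3, 5)           # 3 tries, then a 5-minute penalty
    print(f"attempts/hour: {combogard.attempts_per_hour():.0f}")
    print(f"worst case: {years_to_exhaust(space, combogard):.2f} years")
    print(f"average:    {hours_expected(space, combogard) / HOURS_PER_YEAR:.2f} years")
    print(f"no lock-out at 2 s/try (assumed): {hours_unthrottled(space, 2.0) / 24:.1f} days")
    for name, yrs in compare_policies(space, {
        "3 tries / 1 min": LockoutPolicy(3, 1),
        "3 tries / 5 min": combogard,
        "3 tries / 15 min": LockoutPolicy(3, 15),
    }).items():
        print(f"{name:>18}: {yrs:.2f} years")
```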

Lock Parts:
The lock's main electronics board is housed inside the lock assembly, which is secured within the vault itself. There's a single 9-volt battery that powers the whole thing, which can last for years if it's opened daily. It's contained within a small plastic box, connected to the lock assembly through a proprietary connector. The keypad has an identical connector; they're easy to confuse, and they will plug into the wrong ports. The keypad is a circuit board with a membrane touch pad, an LED and a speaker, covered with rubber keys and housed in a metal case with a plastic bezel. In the event that the owner fails to act on the lock's low-battery warnings, there are terminals located on the keypad so that an emergency battery can be attached to operate the lock temporarily. The lock case and keypad are connected via a square-shaped brass spindle which can be cut to the proper length to accommodate different thicknesses of vault doors. The keypad electronics connect back to the lock case with standard-issue two-pair phone cable, with the same proprietary connector on the end.

Operating:
When you enter the correct combination, the keypad is allowed to rotate counter-clockwise, retracting the lock bolt. There are numerous other features that are programmable, either with a special tool that service personnel have, or via the keypad for owners. The online manual at LaGard's website has all this information. What if you forget the combination? As far as I know, there is no master combination. You're left to do what a locksmith would do to a mechanical lock that can't be opened: drill it. Unless drilled in a very precise location, the lock will never open. On some revisions of the case, there is a raised circular area that designates the optimal spot to drill.

Dumpster Diving for Locks!
For some reason, a local place has been discarding these locks, and I've managed to find a few in a dumpster. Some have been opened up and no longer have the factory warranty. Some of them have had their spindles cut and have been installed and uninstalled. One thing holds true, though: none of them have the default combination (1-2-3-4-5-6) and none of them have been reset by a technician (in which case the combo would be 5-5-5-5-5-5). Lately, I've been seeing several of them turn up on eBay and other auction sites, some selling for $50 or less. This is definitely a bargain. I called LaGard and asked them if they knew how to reset a lock, and they informed me that I needed to call the people I bought the lock from. Well, since I found it by dumpster diving, that was out of the question. I called the place whose dumpster I've been finding them in, and they informed me that I needed to call some company in Kansas, as they service all of their ComboGard locks. They were of little assistance. After a bit of social engineering and a call back to LaGard, I had a fax in my grubby little hands that outlined in great detail exactly how to reset these gems.

Resetting (without any fancy tools)
I've since lost the actual fax, but the process remains ingrained in my head. Whether it's exactly the same as the fax I received, I can't remember, but I do know that it works! It also voids the warranty, since it involves breaking the tamper-resistant seal tape (hint: a razor blade and a hair dryer do wonders). On with resetting the lock. I've included some photos to help with the process.

1) Remove the keypad and battery from the lock case.

2) Cut or otherwise remove the tamper seal tape. This is the only thing that holds the back plate onto the lock case.

3) Remove the back plate of the lock.

4) Locate the reset jumper holes. There's a central DIP IC. If you hold the lock with the bolt facing away from you, the jumper holes are directly to the left of that IC. They're larger holes than the rest, and they have exposed tinning around them. They're about 1/4 inch apart.

5) Place a jumper wire into the two reset jumper holes.

6) Attach the keypad. It goes into the port closest to the corner of the case.

7) With the jumper wire still attached, connect the battery.

8) Within 5 seconds, press the "5" key on the keypad.

9) Wait 60 seconds, then disconnect the battery and remove the jumper wire. Test the lock with the combination "5-5-5-5-5-5". If it doesn't work, start over again. Timing is critical, and the jumper wire must be secure and connected for the duration of the procedure.

Changing the combination: 0-0-0-0-0-0, old combination, new combination.


Saturday, February 16, 2008

Bypassing merchandise display locks

A great many of the popular merchandise security locks and tags operate simply on magnets. Those big plastic sticks you see hanging off of clothing? Usually unlocked at the register with a powerful magnet. The plastic locks that Blockbuster slides into the DVD cases on the display floor to keep people from opening them up until they've paid? Also opened with powerful magnets. The plastic things that keep you from removing cheap-ass MP3 players from the display hooks at Wal-Mart or the pharmacy? Guess what? Yep. Magnetic. Some use other means, like a set of plastic pins that unhook the latching mechanism. These days, RFID or inductor-loop systems physically sealed inside the packaging (or even inside the device!) are becoming more common, so this trick is fast becoming less relevant.

Shown above is a popular security device that simply clamps around a display hook, locking all of the products onto that hook until it's deactivated. Another common one you'll see is a big grey brick stuck on the end of the display hook. They both work the same way, though.

When opened, you can see that a spring-loaded metal pin sticks out. This pin locks the other half shut, clasping this device firmly around the display hook. The display hook will either have a bend in it, or a thicker, rounded ball on the end -- usually both. This is sufficient to keep this plastic lock from being pulled off the end of the display hook. Now, a would-be shoplifter could probably pull the display hook out of the display board pretty easily, but then they would need to sneak out of the pharmacy with a whole batch of $9.99 Coby MP3 players. That's a lot more difficult to hide than just one.

Your run-of-the-mill fridge magnet won't work, but the rare-earth magnets found in hard drives work wonders. A strong magnet will grab the spring-loaded pin and pull it out of the way, allowing the clasp to open.

Other security devices, for example Blockbuster DVD locks, use two or more spring-loaded metal actuators. Behind the counter, the unlocking device has magnets already spaced apart just right to open them up. These systems are a little more secure.

So next time you see some kid messing around with rare earth magnets in the electronics aisle, know that it's probably not so he can corrupt hard drives or make pretty gauss patterns on CRT displays.

Friday, February 8, 2008

Surveillance with old CCTV Cameras

It seems that most of the time I go dumpster diving, I find a CCTV (Closed-Circuit Television) camera or two. Or three. I've picked up quite a few, and left many, many more to rot in the landfill. Some have worked well. Others haven't. We're going to have some fun with them. As more and more companies go high-tech with snazzy digital recording systems, you can often find older CCTV cameras on eBay and Craigslist for cheap. Or in dumpsters for free.

The Broken Ones

There are always broken ones. You can get them for cheap or free as mentioned above. Surf eBay for "Parts only" when looking at CCTV cameras and you'll find a suitable one. The easiest thing to do is to make it look like a real CCTV to give would-be bad-guys the impression that they're being recorded. While this is much akin to security through obscurity, making a fake camera out of one that used to work is a lot more convincing than this:



Compare that piece of crap to my finished product at the end of this section.

First, take the old, broken CCTV apart and gut it to make room for a battery and LED. See the following photos.

Then, drill a hole in the front plate for the LED.



For the next part, I taped a low-brightness 1.7 V red LED to a AA battery. Let's face it, this whole fake camera idea is pretty shifty. There's no point in putting a whole lot of finesse into it. LEDs like this one usually draw between 10 and 20 mA, so a plain old AA battery without a resistor should keep this LED lit up for more than a week.



Then, tape the battery/LED down inside the chasm left in the camera and re-assemble it so that the LED sticks out.


It looks real because it IS REAL (well, it used to be!)


Hang it up somewhere and hook all the cables up. They don't have to be actually hooked up to anything on the other end, just tuck them into the ceiling or run them to a wall plate. No one could tell this isn't real by just looking.


The working ones
Although these cameras all have BNC connectors on the back, the signal they put out is typical composite NTSC -- the same thing most VCRs put out. You need a BNC-to-RCA adapter (shown left) and then an RCA video cable and a monitor to view it on. This can be an RFU adapter hooked up to a TV, or in my case a portable DVD player with A/V inputs. You could just as easily get a video capture card or USB adapter to record the video straight to your hard drive if you felt so inclined.

First, hook up the RCA adapter, RCA cable, and power cables to the camera and mount it somewhere.

Then, hook the other end of the RCA cable up, and enjoy your working CCTV system!

Wednesday, October 17, 2007

Shimming a cable lock

Some of you may know that in my spare time, I like to ride bicycles. I ride for fun, and for basic transportation when I feel up to it. When I park my bicycle at work, I use a heavy-duty chain and padlock to hold it to the rack in the security-patrolled private parking garage. My bike isn't going anywhere. When I'm just out and about running errands, I usually lock my bike up with an inexpensive cable lock. In this case, it's a "Python" by Master.



The Python is a pretty resilient lock. It has a steel braided cable that's covered in a hard plastic material. The cable itself is 6' long and can easily be wrapped around a large light post or pillar. The lock cylinder itself is only four tumblers, but the keyway is small and obstructed. To further complicate the task of picking the cylinder, the lock requires a very impressive amount of tension in order to turn. In an attempt to figure out a good method of bypass, I turned to the ancient art of shimming the lock.

Shimming is when you place a sheath or other material around the shackle of a lock, and force the shim into the locking mechanism, thus unlatching the grip on the hasp and allowing the attacker to open the lock. This usually only works on lower-quality padlocks. The Python works by providing a pair of ribbed surfaces that allow the cable to easily slide into the lock, but resist any attempts to pull the cable outward. By its very nature, this lock design is meant to have some slack between the lock itself and the thickness of the cable. With that, I went to work fabricating my shim.

I used only a utility knife and a soda can for this attack. I cut a long strip out of the soda can that would be wide enough to wrap almost completely around the cable body. Both the utility knife and the resulting metal edges on the can and shim will be very sharp. Use good work gloves or at least a lot of caution if you choose to replicate what you see here.



Next, I wrapped the shim around the body of the cable, and inserted the end into the entrance to the lock body just enough to hold the shim into shape.


I then pushed the cable and shim further into the lock body. This squeezes the shim between the jaws and the cable, allowing the cable to slide out of the lock without being held into place by the one-way jaws.


I held one end of the shim (not shown, my other hand was taking the picture) while gently and easily twisting and pulling the cable back out of the lock. This takes patience, and remember what I said about sharp edges!


Eventually, the cable will come all the way out. Note, you can still see the shim inside the lock body.


Then, you simply remove the shim, coil the lock back up, and away you go. Of course, I'd never advocate theft in any way. If you do attempt to steal my bike while it's locked up this way, you can expect to find yourself trying to shim this lock to get it off from around your neck! This is a very quick way to bypass many inexpensive locking systems, however. It's often easier to shim a cheap lock than to pick it. You can apply this same method to some combination locks, keyed padlocks, and certain "U" shaped bicycle locks as well. Next time someone needs their cheap lock opened without the hassle and carnage of bolt cutters, just reach for a soda can.

It's worth mentioning that this attack relies on the attacker's ability to move the shim into place. Had the cable lock been pulled tightly so as to remove all of the cable slack, an attack such as this one would be nearly impossible.