Despite, Hack a Day seeming to be fairly lock heavy lately, we’ve yet to cover a major story from The Last HOPE. At the conference, [Jon King] talked about vulnerabilities in Medeco locks and presented his Medecoder tool. Medeco is really what makes this story interesting; unlike the EU, the US has very few high security lock manufacturers. You pretty much have to use Medeco and it’s found in many government agencies.
The Medeco locks have a vertical row of six pins arranged like most pin tumbler locks. Unlike your average lock, the rotation of the pins is important. When the key is placed in the lock, it not only moves the pins to the correct height, it also rotates them to the correct orientation. A sidebar blocks the cylinder unless the pins are rotated properly. Each pin has three possible orientations. They’re biaxial as well, which means the pin’s offset point allows for three more possible positions.
[Jon King]’s Medecoder tool helps deal with the sidebar issue. Each pin in the lock has a groove running up the side. When the pins are in the correct orientation, these grooves are all perpendicular to the lock body and the sidebar can slide into place. [Jon]’s Medecoder tool is a thin piece of wire with a sliding scale to help you position these grooves correctly.
To pick the lock, you first set all the pins to the correct height. Then, using the Medecoder you find each pin’s individual groove. All Medeco locks have the pins at the same distance from the lock face. The scale on Medecoder indicates where the pin currently is and where the pin should be. You can see [Jon] using this technique to open a lock onstage at The Last HOPE in under three minutes.
This pin vulnerability has been known in Medeco locks since 1974. With the recent release of the Medecoder, Medeco has started manufacturing ARX pins again. ARX pins don’t have the groove cut all the way to the keyway, so they can’t be manipulated by the tool. As we mentioned earlier, unlike software companies, physical security companies have no perceived obligation to patch their install base… even if they’ve known it was broken in some form for 30 years.
The latest issue of NDE has just been released and features a full write up on the Medecoder. It also details the different kinds of ARX pins that have been developed.