Biometric Locks Turned Trojan


In the same vein as our recent Defcon article on biometric cloning, White Wolf Security has released this article about turning a biometric door lock into a trojan. They note that there are many common ways to break into one, from harvesting fingerprints to using gummy bears to fake a finger. This hack involves having full access to the unit so you can disassemble it.

The unit has a system built-in where you can touch a 9-volt battery to some connectors on the bottom to power it in case of a building power failure. The researchers simply routed some wires from the motorized lock to the plates used for the 9-volt and then reassembled the lock. The door can then be opened at any time without verification, even if the software on the unit is reset.

[Thanks, dwight]

Medeco High Security Lock Picking


Despite Hack a Day seeming to be fairly lock heavy lately, we’ve yet to cover a major story from The Last HOPE. At the conference, [Jon King] talked about vulnerabilities in Medeco locks and presented his Medecoder tool. Medeco is really what makes this story interesting; unlike the EU, the US has very few high security lock manufacturers. You pretty much have to use Medeco, and it’s found in many government agencies.

The Medeco locks have a vertical row of six pins arranged like most pin tumbler locks. Unlike your average lock, the rotation of the pins is important. When the key is placed in the lock, it not only moves the pins to the correct height, it also rotates them to the correct orientation. A sidebar blocks the cylinder unless the pins are rotated properly. Each pin has three possible orientations. They’re biaxial as well, which means the pin’s offset point allows for three more possible positions.


Lock Picking And Security Disclosure


Slate is running an interesting article about taking new security approaches to lock vulnerabilities. In the past, lock makers such as Medeco have been able to quietly update their product lines to strengthen their security, but as movements such as Locksport International gain popularity and lock picking videos on YouTube become a dime a dozen, lock makers can no longer rely on security through obscurity. There’s no question that an increased interest in this field helps lock manufacturers create more secure products, but because patching these flaws often means changing critical features of the lock, it becomes a very expensive game of cat-and-mouse.

Traditional lock picking has employed the use of picksets, like the credit card sized set sold at The Last HOPE, but more recent methods of lock hacking have used bump keys or even magnets. However, as manufacturers make their locks less susceptible to picking and bumping, not even high-security locks will ward off someone determined enough to create a copy of the key, either by observing the original or by using impressioning, as [Barry Wels] covered in a recent talk at HOPE 2008.

HOPE 2008: Methods Of Copying High Security Keys


[Barry Wels] is well known for his lockpicking talks, but this year he wanted to talk about how he copies high security keys. If a key blank is available, you could make a copy just by viewing the original. High security keys generally have profiles with more side cuts, which means you can guess at how deep a specific pin is by observing how many cuts it crosses. He also showed that you could imprint your arm with the key and use that as a guide. If a blank isn’t available, you could fill a similar key with solder and file that down.

[Barry] showed two different kits for casting keys. The first used soft clay in a clam shell to make an imprint of the original key. The form is then filled with a low melting point alloy (probably Wood’s metal) to create the new key. A second style uses a metal form and two part silicone to create the mold. This method works for most high security keys, but will not work on keys with active elements like sliders or magnets.

Finally, [Barry] talked about his favorite method: impressioning. Unlike picking a lock, when you’re done impressioning you have a functional key. You start with a key blank and file off the top layer. Place the blank in the lock and turn it until it jams. Then, you rock the key up and down. Observing the key under light, you’ll see a small mark where each pin is. File a bit where the marks appear and repeat the process. You can’t use too much force or you might break the blank. This also works on dimple keys and, as this video shows, laser cut keys. [Barry] highly recommends the impressioning book by [Oliver Diederichsen].

[photo: Rija 2.0]

Toool Picksets At The Last HOPE

Speaking of laser engraving, the blackbag blog announced that Toool has designed two unique picksets for The Last HOPE this year. First is the credit card sized snap-off set seen above. They have named this one The Last HOPE emergency pickset. The other pickset is a new version of the ‘double sided pick’ series. This set consists of picks with the same tool on either end, but sized differently. This set will contain 8 picks with promised improvements. If you are interested in more complex picks, check out the centipede.

Bump Key Experiments


[Barry] took one of his blog readers’ comments to heart and started wondering just what happens when you bump a lock. As suggested, he made a cutaway lock core and started experimenting. [Barry] doesn’t have a high speed camera, so he tried some alternatives, like filling the chambers with grease to indicate pin movement. Master Lock put together a nice video demo of lock bumping (in order to sell their new bump stop gear).

Open An AXA Bike Lock With A Blank Key (Doh)


[Barry] sent in his writeup and video about a serious vulnerability in the AXA bike lock (one of the most popular locks in the Netherlands). It turns out that quite a few of them can be opened with a blank key. [Barry] demos the hack and has some comments about the lame efforts of the manufacturer. If you enjoy interesting reading, check out his blog covering lock picking and physical security.