Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic

Anyone in the know about IoT security is likely to steer clear of a physical security product that’s got some sort of wireless control. The list of exploits for such devices is a long, sad statement on security as an afterthought, if at all. So it’s understandable if you think a Bluetooth-enabled lock is best attacked via its wireless stack.

As it turns out, the Master 5440D Bluetooth Key Safe can be defeated in a few minutes with just a screwdriver. The key safe is the type a realtor or AirBnB host would use to allow access to a property’s keys. [Bosnianbill] embarked on an inspection of the $120 unit, looking for weaknesses. When physical attacks with a hammer and spoofing the solenoids with a magnet didn’t pay off, he decided to strip off the resilient skin that Master so thoughtfully provided to prevent the box from marring the finish of a door or gate. The denuded device thus revealed its awful secret: two Phillips screws, each securing a locking shackle to the cover. Once those are loose, a little prying with a screwdriver is all that’s need to get the keys to the kingdom.

In a follow-up video posted later, [Bill] took a closer look at another key safe and found that Master had made an anemic effort to fix this vulnerability with a squirt of epoxy in each screw head. It’s weak, at best, since a tap with a hammer compresses the gunk enough to get a grip on the screw.

We really thought [Bosnianbill]’s attack would be electronic, like that time [Dave Jones] cracked a safe with an oscilloscope. Who’d have thought a screwdriver would be the best way past the wireless stack?

Continue reading “Fail Of The Week: Padlock Purports To Provide Protection, Proves Pathetic”

Sneakers: A Love-Fest

“A TURNIP CURES ELVIS” begins the opening credits, an intriguing beginning to a smart and still timely film that was released around 25 years ago. If you’ve never seen the movie, I’m about to spoil the hell out of it.

Sneakers features the title characters, hackers who work the 1992 gig economy as freelance penetration testers. They work for Martin Bishop, a hippie hacker Obi Wan who works San Francisco’s gray market, doing good deeds and helping banks improve their security.

While there is a fair amount of cheese in Sneakers, a lot of the problems the characters face — physical security and cryptography come to mind — remain the problems of today. Securing our digital business? Check. Surveillance? Check? Gray operators? Absolutely. At the same time, the movie does a good job of exploring different categories of hacker. The various characters seem to offer glimpses of people I see all the time at the hackerspace. Bigger than life, certainly, but they are in a Hollywood movie, after all.

Finally, the movie is just smart. Those opening credits offer a preview: the anagrams that begin the movie (“A TURNIP KILLS ELVIS” translates to Universal Pictures) are not just some art director’s conceit for the opening credits. The anagrams end up being important later on in the film, where there is a key clue hidden but if you think about it, shuffling letters on your Scrabble tray could be taken as a metaphor for hacker thinking — taking the same information as everyone else but looking at it in a different way.

Continue reading “Sneakers: A Love-Fest”

The First Evil Maid-Proof Computer

It doesn’t matter how many bits your password has, how proven your encryption is, or how many TrueCrypt volumes are on your computer. If someone wants data off your device, they can get it if they have physical access to your device. This is the ‘evil maid’ security scenario, named after hotel maids on the payroll of a three-letter agency. If someone has physical access to a laptop – even for an hour or two – the data on that laptop can be considered compromised. Until now, there has been no counter to this Evil Maid scenario, and for good reason. Preventing access to data even when it is in the possession of an Evil Maid is a very, very hard problem.

Today, Design Shift has released ORWL (as in George Orwell), the first computer designed with physical security in mind. This tiny disc of a computer is designed to defeat an Evil Maid through some very clever engineering on top of encryption tools we already use.
Continue reading “The First Evil Maid-Proof Computer”

MBTA Drops Lawsuit Against MIT Subway Hackers

The Massachusetts Bay Transit Authority (MBTA) has dropped its federal case against three MIT researchers, “the subway hackers”. This happened in October and now the EFF brings news that the students will be working with the MBTA to improve their system. The overall goal is to raise security while keeping expenses minimal.

This whole mess started in August when a gag order was issued against the students’ presentation at Defcon. It’s a shame no one ever saw it because it covers a lot of interesting ground. A PDF of the banned slides is still online. They performed several attacks against both the subway’s fare system and physical security. Our favorites by far were using GNU Radio to sniff the RFID card’s transaction and bruteforcing Mifare Classic with an FPGA.

Ring Of The Devil Electric Lock Exploit


[Barry] got his hands on an interesting electronic lock pick. The ‘Ring of the Devil’ is made of aluminum and has four magnets inside. By rotating it against an electric lock, (like the one in our RGB keypad lock How-To) the magnetic force can cause the electric motor inside the lock to turn and unlock. More details and commentary are on [Barry]’s site.