Posts filed under ‘security’

Medeco M3 High Security Locks Vulnerable?

The supposed gold standard for door locks has been shown to be pretty easily defeated. Hackers at DefCon, the convention for the general hacking of all things, showed that it is not only possible but actually fairly easy to defeat these locks, which protect some pretty important places. The White House, anyone?

Using a combination of a paperclip and a cut-up credit card, these locks can be defeated. In this first video there is a detailed presentation of the vulnerabilities of this lock.

In the next video we see a 12-year-old girl bumping the lock (courtesy of Wired).

Most concerning about this problem is that these locks can apparently be compromised with only the barest of essential tools: a shim and a modified cheap screwdriver. Again from Wired:

In addition to bumping and picking Medeco’s M3 cylinder locks, the researchers also succeeded in the last few weeks to crack a Medeco M3 deadbolt lock — considered to be one of the highest security locks in the world. They showed Wired News how to open the deadbolt in less than a minute using nothing more than a modified $2 screwdriver and a wire shim. They asked, however, that we not publish the details.

“Medeco invented the pin tumbler lock that lifts and twists the pins,” says Marc Weber Tobias, one of the researchers and an investigative lawyer and author. “It’s a brilliant idea and basically these are unpickable locks. But we can pick them. Everybody in my profession has been trying to break these for 30-35 years. And frankly, I can’t believe that we’ve come up with this and nobody else has.”

I have only one building with any Medeco locks on it, and I don’t just count on them for security, as this site also has cameras and security, but I know of buildings that do, and it is those sites that need to reevaluate their security plans in light of this new information.

As always I thank you for your time and interest. Please take the time to Digg, Stumble Upon or add to the other social network of your choice to help me spread the word about these issues. Please forward any questions or suggestions to: askthefm@gmail.com


August 10, 2008 at 10:41 pm

Access Control Cards – Are they really secure?

The news broke today that over in London, England, hackers succeeded in cloning or duplicating the cards that most Londoners use to ride on mass transit. These so-called Oyster Cards are a version of smart card that is used in a great many other places for access control to secured areas. The Dutch government has issued a countrywide security alert because they use the same, or at least very similar, technology at most of their government buildings!

Both Wired Magazine (http://blog.wired.com/cars/2008/06/hackers-crack-l.html) and the Evening Standard in London have articles on this story (http://www.thisislondon.co.uk/standard/article-23454596-details/Oyster+card+cloning+fears/article.do).

This is just the latest problem with this technology to come to the surface. The main problems with these systems are that they are often specified incorrectly and sometimes just installed poorly. Also, they are only as good as the people who have administrative access. I took over the management of a fairly simple system at a large corporate site and was amazed that the functionality of the software wasn’t even fully enabled, and the previous administrator had made no real effort to audit the system. I spent a very hectic 3 weeks auditing the system, inventorying the access rights of several hundred employees and getting the reporting module actually working!

There is a very good white paper on some best practices for these systems here: (http://www.smart-id.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf).

The news is full of successful attempts to bypass these systems. Another story from Wired magazine: (http://blog.wired.com/27bstroke6/2007/08/open-sesame-acc.html)

Now, I am not saying that I am dead set against using these devices, just that you need to realize that they are far from perfect or foolproof. Just like any other similar system, such as a burglar alarm, they need to be designed carefully, used with their limitations firmly in mind and monitored constantly.


June 25, 2008 at 9:39 pm

