How To Make Friends & Influence Lock Manufacturers
Schuyler Towne & Jon King
DEFCON 16, 2008
Reviewing this on the DEFCON 16 DVD? Be sure to check ndemag.com/DC16 for updates. Much of the material covered in this talk is on-going. This document has been prepared more than a month prior to publication. Any omissions or inaccuracies in this version will have to be forgiven. Please consult the current version for accurate information. Thank you.
07/06/08 2
LOCK-AND-KEY: n. The distinguishing device of civilization and enlightenment.
– Ambrose Bierce
Let's Talk
RoboKey System: Developed with the locksport community
Kwikset / Weiser's Smartkey: Responded to bumping with complete redesign
ABUS Plus: Fixed flaw found by lockpicker & issued new challenge
Medeco: Worked with Jon King to mutually release exploit
Q&A / Super-secret announcement
The RoboKey System
John Laughlin with Barry Wels of TOOOL
“It's easy to love your own baby, but we wanted to get this out to the community. We figured they wouldn't be shy about telling us what was wrong with it.”
–John Laughlin, Stanton Concepts
Background
John & Bob Laughlin
  John was a communications engineer
  Bob was a retired lock engineer
  When telecom went bust, John started working with his father
Inspiration
  Both have a healthy interest in security
  World more interested in security than ever before
  Opportunity to address a lot of areas that hadn't received the scrutiny they were due
  How can we secure containers that have to change hands multiple times / survive tough environments
Basic Operation
Disc-Detainer type mechanism
  Looks like an Abloy style cylinder
  Has flies like a combo lock
  Extremely rugged for environmental conditions
Automatic dialer
  Operator does not need to know combo, just has to be a valid user
  Various potential forms of authentication – password, RFID, embedded dialer in cell phone, matched pair, etc.
Manual dialer
  Physical lock can still be operated manually
Community Scrutiny
First Introductions
  Bob Laughlin met Han Fey via eBay/both avid collectors
  Met in Holland in early 2006 to see RKS
  Han invited John to the Dutch Open
Dutch Open
  “The people were very generous with their knowledge”
  Panel on viable attacks & applications
ALOA
  Attended ALOA with Han & Barry
  Showcased RKS & other products
  Article in Locksmith Ledger as a result
Open Source Future
Open source developer kits
  Looking to license their product
  Wanted to get the ball rolling while seeking a deal
  Open source software and microcontroller
  Add whatever functionality you want
  Aiming to get total package, lock & dialer kit for ~$300
Would love to hear from you
  John has always kept in touch with folks in the locksport community
  Answering questions and fielding commentary about the NDE article at lockpickology.com
Smartkey
Photo courtesy Mike Brewerton
“At least one lock maker says the hobbyists can help companies...”
–Wall Street Journal
Bump In The Night
How blind were we?
  Walt Strader told the WSJ he heard of bumping via locksport groups
  Told them this in 2006
Smartkey is launched
  Lock is 100% bump proof
  Rekeyable (NOT U-Change)
  Subdued marketing campaign – no initial mention of bumping
  Rigorous testing process
How Does It Work?
Breakdowns courtesy Zeke
Testing
2006 Dutch Open
  Prototype from an unnamed company
  Arthurmeister!
  Definite challenge
Japan
  Different culture of entry
  Interesting methods of testing
  Passed the 15 minute attacks with flying colors
Smartkey 2
The new generation
  Updated materials for destructive entry (DE) concerns
  Similarly subdued roll-out to first generation
  Out now!
What does the future hold?
  Black and Decker employees now keep an active eye on the locksport community
  Led to current advances & additional free feedback
  Excited for future collaboration
ABUS Plus System
Photo & Quote by Jaakko Fagerlund
“I suppose that nobody thought you could actually “look” behind the discs...”
The Exploit
Background
  Zeke's Contest
  Everyone missed the flaw – forest for the trees
  Created proof of concept
How it works:
Photos Courtesy Jaakko Fagerlund
Simplification
The goal
  Build the simplest version of Jaakko's tool possible
  Build the least expensive version possible
The tool
  At the advice of a fellow lockpicker we used the filed down head of a nail
  Many impressioning mediums were tried before we settled on white glue
Alerting ABUS
First Contact
  Arranged by an LP101 member “mh”
  Initial response was polite, but noncommittal
  Proof is in the pudding - Jaakko's PDF got attention
The Response
  A brief silence
  Updated all current production
  Challenged Jaakko to defeat the new mixed cylinder
  Jaakko could only get the keys to the lock if he uncovered the bitting
Current Events
Jaakko's ABUS Plus Pick
  A brief silence
  Community funded
  Successfully picked the challenge lock!
Medecoder
“Who is Jon King and what is he doing with our locks?”
–Peter Field, Medeco
Who is this guy?
Jon King
  JK_the_CJer, JK, etc.
  Navy
  Locksport Hobbyist
  Security Geek
I am NOT
  Speaking on behalf of the Navy
  Speaking on behalf of Medeco
My Obsession
Why Medeco?
  Holy Grail of pin tumblers
  Pins must lift and rotate
  Lots of attempts by the community
OK – Show me...in one picture
The Problems
Open Grooves
OMG Wire!
Even Spacing
Humble Beginnings
Early tool designs aimed at rotating all of the pins at once
Let's Simplify
Maybe I'll try hooking into one pin first
The Early Tools
Purdy
The Community
Lockpicking101.com
  Schuyler Towne
  Doug Farre
  Mitch Capper
  Everyone else...
Public release & NDE
  Wanted to publicly release via NDE Magazine
  “Let's get a manufacturer reaction”
Quite A Reaction
Peter Field
  Head of R&D at Medeco drove to my house
  Lock talk, history, other exploits, etc.
Closed Grooves
  Medeco reimplements the ARX closed groove pins
The Future
Keep going! Nothing is impossible!
Think before disclosure!
Don't get wrapped up, have fun!
Final Thoughts
Please help
  We're getting our feet in the door
  Our communities are merging
  Physical security disclosure is DIFFERENT than digital security disclosure
  Want to help?
And finally, that super-secret announcement...
The NDE Grant
Mission: Our goal is to help get tools and supplies into the hands of hobbyists who are doing legitimate lock research.
Once an exploit is discovered and verified we work with the researcher(s) to communicate with the manufacturer.
I have privately funded a few research projects, but this is not sustainable for me financially, so I'm opening the funding up to public donations.
For more details, please visit: ndemag.com/grant
Thank You!
And thanks to:
  Zeke79
  Raimundo & DB
  Mike Brewerton
  Lockpickology.com & LP101
  Jon King
  Peter Fields
  Walt Strader
  John Laughlin
  Jaakko Fagerlund
  ABUS
FOR LOCKSPORT!