Good afternoon, everyone. Glad you could come. This is a two-hour presentation. And let me introduce, first of all, my cohorts. On my left is Matt Fiddler. He's a security researcher and security professional. And on my right is Tobias Bluzmanis, my co-author on the new book we came out with on Medeco high-security locks. Matt and I will be generally doing the presentation this afternoon, although I think Tobias will make some comments as we go.

This afternoon our lecture is really split into three components, and we'd urge you to stay for the full two hours, or hour and 50 minutes. In the first part, we're going to talk about the methodology that we used and what we learned about cracking Medeco high-security locks. In the second part, we're going to talk about what we perceive as a real threat that's resulted from the design of the third generation of Medeco high-security locks, and what kind of trouble you can get into by toying with patents and current designs. The third part of our presentation will deal with ethical disclosure responsibility and what we call irresponsible non-disclosure, which is the flip side of responsible disclosure. So we think you'll find the material interesting, and perhaps the second part a bit shocking.

We did invite representatives of Medeco to participate with us in this panel, as we've done for the last three years at DEF CON. And we actually heard from the senior management that we deal with at Medeco this morning, apologizing that they could not be here. It's really a shame, because it would have made a terrific point-counterpoint presentation. We also heard from the Executive Director of BHMA, which is the Builders Hardware Manufacturers Association, a group of lock manufacturers that derives standards, security standards, and Ralph Vasami, who's their Executive Director, a very good guy, very knowledgeable.
He also could not arrange his schedule to be here, but said otherwise he would have been pleased to be here. So basically what we're talking about today are real-world threats, real-world issues. If you're involved in security, risk assessment, risk management, or facility protection, you really need to understand the risks involved, the potential vulnerabilities that you can encounter in high-security locking hardware. This lecture is the result of 18 months of research that the three of us conducted into Medeco high-security locks, which culminated in the release of a book. So we're going to go through a rather lengthy slide presentation and a number of video segments, and then hopefully at the end we'll be able to entertain some questions if we have time. Matt?

Great. So we'll start at the beginning. So why is this case study important? For us it's continued insight into high-security locks. We'll discuss some of the issues associated with patentability and the fact that there aren't assurances associated with patents. Appearances versus reality. And ultimately the manufacturers and their claims, and their reliance on standards organizations like Underwriters Laboratories or ANSI/BHMA. We'll get into, as Mark said, responsible disclosure, or as we call it, irresponsible non-disclosure, and manufacturers' representations thereof. We'll go into detail on the 18-month research exercise and our attacks, and offer up suggestions for secure lock designs.

So we're talking about, first of all, conventional versus high-security locks. For those of you who may not be totally conversant on this subject, essentially conventional locks are easy to open by bumping and picking and by the compromise of their key control, and there's limited forced-entry resistance. Most of your residences, and lots of businesses, use conventional locks. They really have very limited security.
In contrast, high-security cylinders are UL and/or BHMA listed, which means they go through, or are supposed to go through, rigorous testing to ensure that they're secure against different types of entry. And so they're higher quality, higher tolerance, and they have multiple security layers. You typically pay two to four times more for high-security locks than for conventional locks, and they're not supposed to be able to be opened easily.

So high-security locks, where do we find them? Basically, critical infrastructure, high-value targets. And this is why you put them in. We use these locks where the threat level is higher, where you anticipate more knowledgeable or sophisticated attackers. Everything from banks, jewelry stores, public infrastructure, government facilities, nuclear. And obviously locks aren't supposed to be the only layer of security, but in many instances they may be. And so the locks, in any event, are usually the first line of defense. So that's why we buy high-security locks, and that's why we're talking about this subject today, because of the many vulnerabilities that we've derived.

So for high-security locks, there are three critical design factors. And we really detailed this last year and the year before at DEF CON, all the standards and the associated requirements. But they need to provide resistance against forced entry, against covert and surreptitious entry, and, what's key to our presentation and demonstrations here today, key control, or what we call key security. But unfortunately there are vulnerabilities associated with each requirement. So high-security locks offer multiple security layers. There's more than one point of failure. Often they're integrated and react at the same time. Some operate in parallel. And often it's difficult to derive intelligence or information from one or more of the security layers. So in our research project, we developed an attack methodology that's really applicable to all high-security locks.
And the first rule is assume and believe nothing. The high-security lock manufacturers, some of whom we do consulting work for, will represent their products as absolutely secure, virtually pick-proof, virtually bump-proof, virtually immune to attack. Some of them will tell you what the real world is. Some of them won't tell you, and some of them frankly don't know. And so we developed a methodology when we began our project to ignore all of our associates and experts in the field and to really think out of the box. And this is really important because, for example, my co-author, Toby, has been a locksmith for more than 25 years and has been a Medeco locksmith, that is, works on Medeco locks, for more than 10 years. And if you had told Toby when we first started this that these locks could be picked in as little as 30 seconds, or opened by forced-entry means in as little as 30 seconds, or that you could completely compromise their key control in seconds, he would have said you're crazy. And that is the problem. And a lot of locksmiths in the United States really believe this, because they don't have the ability to do their own research. Very few are embarking on the kind of research project that we engaged in.

So the bottom line is, look with skepticism when somebody tells you a lock can't be picked, or it's very difficult to pick, or it's very difficult to bump, or it's impossible to bump. So you also always have to believe there's a vulnerability. As many in this room who specialize in opening locks can attest, if you don't think you can open the lock, you're probably not going to do it. If you have the mindset that you can open it, you'll more than likely get it open. And what we really did was work the problem. For almost 40 years, everybody said Medecos are invulnerable, they're such a good design, so innovative, they cannot be opened, or only with very, very limited success with complicated and sophisticated tools. And so we just kept working the problem.
So there are really two primary rules in attacks. The first is: the key never unlocks the lock. Now this may seem odd, or a statement that nobody understands, but at the end of the day, many locks can be opened by a variety of techniques that do not rely on the key. It's mainly mechanical bypass. And so that's the first rule. The key really doesn't unlock the lock. The key controls the mechanism that unlocks the lock, the bolt, the latch, whatever. So if you can get directly to that mechanism, as we did, for example, in the deadbolt attack that we disclosed last DEF CON, then the key and all of its security means nothing. The second rule was expressed by Alfred C. Hobbs, and it basically says that if you can feel resistance or contact between internal locking components, you can likely open that lock. And so those are really the two fundamental principles that guide us in attacking and attempting to discover vulnerabilities in locks. And second, you'll see we implement opposing forces and interactive components within the Medeco system to ultimately bypass the locks. And you'll see that in the video demonstrations.

So, methods of attack on high-security locks. There are a lot of methods to attack locks. Picking, impressioning, decoding, vibration, shim wires, magnetics, rapping, air pressure, audio. There are many, many ways to attack high-security locks, or normal locks for that matter. Many of these have been disclosed in Europe, and specifically by TOOOL. There are some really neat new attacks on electronic locks. And so nothing is sacrosanct. And again, the rule that you all have to understand and remember is to take all the claims with skepticism. And additional methods of attack: simulating sidebar codes, use of a key to probe the depths, rights amplification of keys. There are many, many, many different approaches to attacking a lock. And this is why we've supported the locksport community over the years. It's much better than chess.
And because it involves mechanics, it involves mental imagery, and it involves a lot of understanding. And so what you need to really realize is there are a lot of different ways of attacking the problem.

So, exploiting features. And this really dives into our methodology of attacks. Critical to the Medeco design were their codes, their code book, their design, their progression. You need to understand the key bitting design and what tolerances exist in the lock. Jon King and Schuyler Towne, in the previous session talking about the Medecoder, really got into the tolerances and the associated vulnerabilities that those tolerances bring into play. Keying rules. There's been a lot of talk over the last couple of years about top-level master key extrapolation. As we said before, the interaction of those components and how to leverage one against the other. And as we'll get into in part two on key security, the keyway and the key design.

So, standards. We spent a lot of time on this at past DEF CONs, talking about Underwriters Laboratories, BHMA, the high-security lock standards. But at the end of the day, many of the lock manufacturers rely on these standards, and ultimately rely on the time factor associated with bypass of high-security locks. And I think it's really interesting to insert at this point: there was an article, if you haven't seen it, on CNET at news.com, the latest one that was published about a week ago. And a senior Medeco representative was quoted as saying that companies should rely on independent testing agencies like UL to discover vulnerabilities. Well, that really raises interesting issues that we're going to talk about later. And that is, we think these companies ought to have in-house people or consultants who are really capable of looking at their locks outside of the box and making these determinations. The problem with UL and BHMA, in our assessment, is that they test for very specific issues that are defined in the standards. It's like a catch-22.
And if it's not in the standard, they don't test for it. When we broke the deadbolt last year on Medeco, which forced them to institute two fixes to deal with the issue, UL refused to look at a complaint with regard to that problem because it wasn't in the standards. And so the bottom line is the standards really are lagging way behind in providing the protection in these locks that they should. And I think the key word there is "contemplate." So they don't even contemplate future attacks or vulnerabilities. And another quote within that article talked about how we, and you, should not be responsible for finding those, but that the standards organizations should be. Keep in mind, again, in our previous presentation we talked about the types of tools, the size of tools, not to exceed an X-inch screwdriver, hammer, et cetera. They're very specific requirements.

So the standards address, for the high-security locks under the Builders Hardware Manufacturers Association, three real criteria for high-security locks: covert and forced entry resistance and key control. Now UL does not address key control. They do address forced and covert entry. And so there are pictures here of cylinders that have been drilled out, which is contemplated in the standards. And then conventional picking attacks, which are covert entry, are also defined in the standards. And essentially in America, the standards require resistance of 10 minutes or 15 minutes, depending on the security level, against picking attacks. Then there are sophisticated decoders. This one was released a long time ago by John Falle in Europe. It was very sophisticated at the time. It's about a six-thousandths-of-an-inch wire that's used to decode the internal components of the lock. And so this was state of the art 15 years ago, and in a couple of minutes we're going to ask Jon King to come up for a three-minute summary of his Medecoder.
But this tool prompted the introduction by Medeco of ARX pins, which are being re-implemented 15 years or more later to stop the use of the Jon King Medecoder. And so it's not exactly new technology, and actually all of this goes back 30 years to the Lock Technology case, which was really the first decoder for Medeco. Medeco sued the company. Medeco actually lost the lawsuit, but the company was put out of business. And so there are all kinds of decoders out there, and the next one will tell a little story. This is my favorite story. No. No? No. This is Toby's decoder that he first came up with to decode Medeco locks. And he contacted me a couple of years ago as a lawyer. This is a very neat piece of work. He was unaware of certain decoders that had been available to the government years before, so he conceived all this in his head. And when he asked me to take it to Medeco to see if they might be interested in this decoder, their answer was, "You mean that crackpot from Miami?" So if you need to reach Toby, it's crackpot at security.org. Yeah, you can make a note of that. And this other alternative email address also. Don't use that one, please. So that's how actually this all started in our research project, a little bit of history for everybody's enjoyment.

So there are also ways to decode these locks. These are shots that are in the book on decoding pin angles by sticking a 0.9-millimeter borescope right through the keyway to read the pins. And so this is all documented, but this is another method of bypassing locks through covert entry.

So, forced entry resistance. Matt, why don't you talk about this photograph? So this photograph is showing a Medeco cylinder, and where my mouse is, I don't know if you can see that, these are anti-drill pins that are inserted into the lock to protect against the drilling attacks shown in the previous slide's forced-entry pictures. These are the top three pins at the front of the plug by the key.
Additionally, Medeco cylinders employ crescents, hardened steel crescents, to prevent drilling. And as Jon King talked about, many of the ARX pins incorporate hardened steel inserts to prevent drilling of the individual pins and pin stacks themselves. And forced-entry attacks in the standards, we won't dwell on this, but there are many types of attacks that are defined, and there are just as many that aren't defined or not contemplated. And our problem is that once we started looking at forced entry with Medeco, we were able to develop four different types of forced-entry attack that are really not contemplated in the standards, that are serious, and that are exceedingly simple to execute. Our problem is, and what we're pushing for is, a change in the way standards are written and defined so that they will protect all your facilities. That really is the end goal here.

So, sidebars. Modern high-security locks, most of them, employ what's called a sidebar, and so we looked at different methods to bypass sidebars, because in the case of Medeco, it is their patent, and as we'll show in one of the slides, the sidebar is Medeco security. It's all about the sidebar. If you can get around the sidebar, a Medeco is just like any other conventional pin tumbler lock, and so that's really a critical issue. The sidebar gave us all the trouble in breaking the Medeco locks. So we had to figure out how to go after that sidebar. Matt.

So, for the Medeco cylinders and other high-security cylinders, there's direct access to compromise of critical components. The Medeco deadbolt: there have been one and two specific attacks against that. There's our latest release that we'll get into on the forced-entry attacks later in the presentation, manipulating the tailpiece. The first attack of this generation was released last year at DEF CON. That was a 30-second attack to open a lock that's essentially guaranteed by the standards to resist forced entry for five minutes.
30 seconds or less. And so the hybrid attack, there are a couple of different methods that we'll demonstrate here: a reverse picking attack, picking, bumping, and others, as well as a significant flaw in mortise, rim, and IC cores defeating the shear line of these locks. Go ahead.

So, Medeco case history. Obviously, we exploited the vulnerabilities, looking to attack this. We were able to reverse engineer their sidebar codes, and this is critical. The sidebar is Medeco security, and so are those codes. We analyzed the tolerances, all the control issues, and the design enhancements that were made to extend the patentability of the M3 and the Medeco line, and the ability to exploit those extensions to the technology, new features, new functionality that was added, and used those against the lock.

And I'd just like to make a comment, and we'll talk about it again. This issue of patents to protect these locks is really what you're paying for in key control and proprietary security technology. So the problem is, in Medeco's case, and this is one of the real lessons that everybody needs to understand, and we hope that the high-security lock manufacturers pay attention, the problem is you start monkeying with designs because patents are good for 20 years. If your lock isn't patent protected, companies won't buy it, or the government won't buy it. There are legal protections to stop people from opening them, for key control, and so patents are really prized so nobody can knock off your products. So the original Medeco lock came out in about 1970. It was a brilliant design. It was actually a take-off on a 1935 design of the General Motors automobile lock, which employed a sidebar. But two guys in a garage in Salem, Virginia, in 1968 started a little company called the Mechanical Development Company, which they then synthesized into Medeco. They figured out how to rotate tumblers and integrate a sidebar into a pin tumbler lock.
So, the relevant issue here is the original patent, and we think that's probably their most secure lock. Amazingly, they ought to go back to it. Seriously, and we've suggested that in the book. There is security in the original lock that doesn't exist in the Biaxial, which is the second generation, and the M3, which is the third generation. And so they came out in about 1985 with what's called the Biaxial, which we refer to as generation two. And it was a radical departure, and it was very, very clever for increasing the number of key differs, or the number of key combinations, that were available in the lock. But it also brought in security vulnerabilities and caused all kinds of keying rules to be implemented. Then in 2003, their third generation, the M3, which is the lock with the slider that met the famous paper clip that we introduced last year. Well, the problem is that when they redid the patents or modified the locks the second time to get another 20 years, so when the life cycle runs out, it'll be a 60-year-old product. Right now, it's 40. It's a 40-year-old lock with no real security enhancements. The problem is that they've really decreased the security twice. And this, in part, allowed us to compromise these locks. Go ahead.

So, Medeco mistakes, and certainly there were quite a few. They failed to listen. Throughout this 18-month research exercise, they've been apprised of information and provided samples. Everything for the entire project was provided to them. As Mark just described, there are embedded problems from the beginning, and critical to the design failures of the M3 was extending that patent, introducing that slider, introducing new problems to the system.

Yeah, and I'd just like to comment, and they were really my friends at Medeco and we hope someday they'll be again. We really briefed them and provided them with everything that we had for 18 months. We told them what we thought the vulnerabilities were.
We told them what our assumptions were. We asked them repeatedly, tell us why we're wrong. Tell us why we can open your locks and we shouldn't be able to do it. Is it a random occurrence? What's the deal? And they wouldn't tell us. And so we just kept developing more technology and kept opening their locks. And it was really, in the end analysis, a failure of imagination and of understanding certain bypass techniques, especially if they really adhere to the theory of letting UL find the problems. It's not the way to do it, and not by the leader in North America in the high-security lock industry. They own at least 70% of the market. The real problem is they can't open their own locks. That's really the problem. And so they really didn't connect the dots. And we've tried not to be really critical, but they should have listened. Go ahead.

So back to design equaling vulnerability. We'll get into the internal components of the Medeco design, how the sidebar and sliders work, the tolerances that we were able to exploit, the Biaxial design, fore and aft positioning that was, I'm sure, gone through in detail in Jon King's slides, as well as the deadbolt design. But again, as Mark stated, it's not only their failure to understand the problem and to understand the bypass issues. They said they were not able to duplicate what we provided them, tools, techniques, and instructions, and they couldn't reproduce the same attack.

Yeah, they just said this is all nonsense and it's not true and there's nothing in these locks. And this is really a critical reason for locksport. This is critical for independent research and analysis of locks. At the end of the day, if a lock is designed properly, the manufacturer should not be concerned about who is trying to break it. If there's a problem, fix it. If there's no problem, you're not going to open it, or you're not going to open it in a timely fashion, which means there's no security vulnerability.
So, exploiting design vulnerabilities. Basically, to sum up this slide, we took the best design features of the Medeco lock, which have been embedded since the original patent, and we figured out how to use those design features against the lock to open it. And so we used the way the sidebar leg is designed and the way it integrates or interfaces with the pin tumblers. We looked at their code books, because the first-generation lock and the second and third generations had entirely different codes because of the way the pins were designed. That difference in codes, and whoever the mathematicians and cryptographers were that derived those codes, allowed us to break those same codes. And so we looked at all the designs, and we also looked at their slider design in their 2003 third generation, and we figured out how to methodically break each layer of security.

So the Medeco timeline, as I said: 1970, the original lock; about 1985, the Biaxial; 2003, the M3, which is the current generation. And that's really important for y'all to remember, because the M3, as we're going to show you in the next hour, is really, really vulnerable to a very simple method of attack.

So we're going to talk about why they're secure, and I think the three of us sitting up here truly believe that these Medeco locks are great locks. It's a great company, they're great locks, but there are flaws and vulnerabilities associated with them that you need to be aware of, and you need to assess your own security and your own requirements for protection. So they incorporate two shear lines and a sidebar in the Biaxial model, and in the M3 they introduce this notion of a slider. There are three rotating angles with six permutations, false gates, and, as Jon talked about in depth, ARX anti-pick pins that close off the channel where the sidebar mates and interacts with the pins, and they're extremely high-tolerance locks. Yeah, they're very good locks for most applications.
So this is a normal pin tumbler, this is a conventional pin tumbler. All the bottom pins are aligned at the shear line, so the plug, with the key in it right now, is free to turn. This is a Medeco Biaxial cutaway that we did, and the plug is turned about 10 degrees. You can see all the bottom pins have a channel, the lavender arrow, number four, and number three is the sidebar leg that actually integrates; it enters that gate, and when all the legs enter all the gates, the sidebar retracts and the plug can turn. So there are three independent security layers in a Medeco M3 cylinder: the shear line, the sidebar, and the slider. And each of them has its own parameters, and each of them really operates in parallel, which means independently, which means that if one fails or two fail, the third one should still keep the lock from being opened. Unfortunately, this is not exactly the case.

So, Medeco twisting pins, which is what their patent is all about. This is a Biaxial key with lines drawn so it shows that, unlike a normal key where all the cuts are parallel, these are all at different angles, and the combination of angles is what we call the sidebar code, a term that we coined so everybody would understand, a common language for what we're talking about. So the collection of angles is different for each system. All the angle combinations within a system are generally the same. And the bottom cylinder here shows a key; the bottom of the key has been marked in red. This is a milled-out cylinder, so you can see, why don't you zoom in on that, so you can see what the pins look like if the key were stuck in the lock. And you can see that the angles are different on the pins, and they match the red lines on the key on the left side of the plug. So basically what happens when you stick the key into this lock is the pins are rotated as well as being lifted. That is the security of a Medeco cylinder.
So again, we won't dwell on this, but sidebar technology: it blocks rotation of the plug unless all the pins are rotated to the correct individual angles so the sidebar can retract into the plug and it can turn. That is what the sidebar does in almost all locks, in one form or another. So in certain locks like the ASSA and the Schlage Primus and the EVVA Magnetic Code System, the sidebars are really independent locking systems that are controlled by independent bitting on the key. If you look at a Schlage Primus, for example, there are two sets of cuts: one that's in the side of the key and one that's the conventional vertical bitting on the key that raises the pins up and down. This is really critical to the discussion that's coming up in a few minutes about how we violate their key control and obliterate it, because with a lot of these high-security locks you cannot do that because of the way they designed the keys.

So sidebar locking, it's very simple. Most locks have one sidebar. A lot of them have two sidebars. And again, there's a second set of pins or rotations that control that sidebar and how it retracts into the plug. Unless the sidebar retracts, that lock isn't being opened. And this last bullet is really key to some of our findings: setting that sidebar code and being able to manipulate the lock through picking or bumping, and a new method of attack that we'll demonstrate in a video here, which is a reverse picking attack, where we're actually able to pull the plug forward without turning. The typical technique when picking a lock is to apply tension to a cylinder to bind the pins; we're applying that tension laterally and pulling the plug forward.

So, information from the lock. A.C. Hobbs talked about deriving intelligence or information from interactive components. Feel in picking, the ability to sense what's going on. The ability to leverage magnets. A whole host of interactions that can be decoded or interpreted from feedback from the lock.
Okay, so again, in a Medeco cylinder, the sidebar is Medeco security. And unless you can manipulate that sidebar so it retracts into the plug, you will not open the lock covertly. Okay, so this is a photograph of the plug and sidebar. All of the pins are aligned. Zoom in on that. So this is what the plug looks like when the key raises all the pins to the shear line and all of the pins are rotated so that the sidebar legs can go into the gates of each individual pin. Next. So this is the same picture with one of us putting our thumb on the sidebar, pushing it into the plug. So the sidebar can be pushed all the way in, so there's nothing to stop this plug from turning when it's inside the lock. And this, in contrast, would be a locked plug. The sidebar could not retract. The key is actually pulled out here a little bit. The pins are in the shell and in the plug, and the angles are different. So this lock could never be opened. Go ahead.

So also at the heart of Medeco security is their code book. And the code book derives or specifies all of the usable codes for the vertical bitting and the rotation angles. So all the locksmiths in the world have to use this code book for all non-master-keyed systems. And the new codes, the new code book, came out in about 1983 to 1985, when the Biaxial was introduced. It's the same code book for the M3. And these are only codes for non-master-keyed systems. The factory usually does the coding for master-keyed systems. So the relevance here is we broke that code book. We computerized it. And we figured out the codes so that we could figure out how to simulate the codes for the sidebar and open the locks. So, go ahead.

So the results of the project, and this is really what we've been leading up to: covert, surreptitious entry in as little as 30 seconds. Forced entry, many techniques, more than four, in 30 seconds or less. And a total, complete compromise of key control. Total. Okay, so this is the M3 slider.
This was their third generation, and their patent claims another layer of security. Well, evidently, they didn't know about Mr. Paperclip. So Matt, I'll let you address the slide, because this is outside my realm. Mark didn't know who MacGyver was, so we had to educate him. So we're going to show a quick demonstration of bypassing a slider on a Medeco M3 with the paperclip. Actually, a piece of wire. And it just turns out that the slider is offset by 40 thousandths of an inch, which happens to be the normal diameter of a normal paperclip.

And so, when I saw this in 2003 at the factory, pre-production, my friend at the factory said, here's what we've come out with, what do you think? I said, oh, I think it's really neat, but I think there might be a problem. "I've been doing this for many years. Why don't you leave us alone? Go pick on somebody else." I said, well, Clyde, because you're the big target. And he said, well, there are 26 different sliders in these locks. So what the hell is the problem? And I said, well, the problem is that all of the sliders are the same length. There are little steps on the slider, but all of the sliders are the same geometry, so if you offset the whole slider, you do what the key does. I can do it with a paperclip. So go ahead, roll the video.

We're going to form the paperclip that locks into place to position the slider properly. And this is just a standard, approximately 40-thousandths-of-an-inch-diameter paperclip that you can buy at any office supply store. Okay. To form that special tool, what we're going to do is defeat the third element that blocks the Medeco M3. Well, it's actually not a special tool. We're going to bend the wire 90 degrees. Okay. With that portion up, we're going to bend it again. The paperclip is a high-security tool. And it's going to look more or less like this. Now, if you notice, this portion is too big, so we're going to cut it in a way that's going to help us. This is just a standard pair of these. Yeah, you can do it with that.
So it can wedge into the, between the slider. Not necessarily, but it helps. So once we have that shape, we can look. I love this picture. Right there we have the slider completely bypassed. So we have one element bypassed by the wire or the Paperclip. I'm going to just pause this here because basically, so what Toby's done is he's introduced this Paperclip right before the slide bar, bypassing any of the possible 26 steps. What we're going to show you now is a simulated key created on a key blank that has the correct vertical bidding and the correct angles. But because the slider is bypassed, this key that's been simulated doesn't have a slider step on it. So just watch. On the other two elements in the key when we put all those elements together just like a factory original, the lock. So that tool, that MacGyver multi-tool effectively made this Medeco M3 a biaxial. So it eliminated the third security layer. So the results of the project in picking, as we said, picking in as little as 30 seconds. The leveraging standard picks, no special tools. We can use another key in the system, a change key or some other key with the correct sidebar code. One of the code setting keys all that's required is to pick the pins to the shear line and neutralize the sidebar. And let me just make one other comment. A 18-year-old kid in Colorado that works for a Medeco lock shop bought our book when it first came out a couple weeks ago. He sent me an email on Wednesday when he got it. He says, I can't stop reading this. I can't go to sleep. It's great. Friday, two days later, he sends me an email. We're sitting at dinner. And I am in Miami. He says, I think I cracked your codes. He says, could you verify these codes for your code for code setting keys that will open all the Medeco locks? Well, they weren't exactly correct, but they were close enough, but then he went on, so he called me. 
And he told me that after he figured out how to make the code setting keys, he picked the lock on the front door of the lock shop in 55 seconds as an 18-year-old kid. And he said, I told my boss and my boss really didn't believe it because he's been a Medeco dealer forever. This is a real problem. And so this is really what we did in our code setting key concept. Four keys for all pre-December 2007, Medeco cylinders, and some much later if they haven't been pinned to the new codes. Four keys will allow you to pick or bump all of the, virtually all of these locks that are non-master keyed. Okay, so we're going to show a quick video. And just as an introduction, this video was created with a cutaway lock that's mounted in a vice and Toby's going to be picking this lock. He's actually, rather than leveraging a tension wrench or tensioner tool in the lock, he's using the cam on the back of the lock to provide tension. Yeah, so he's twisting the lock, but it's exactly the same thing and we cut the channel on the bottom of the lock. So this is the underside of the keyway so that you can see, this is the same photograph as we did earlier, so that you can see the actual angles as the pins are set in the lock. So this is just the way they'd look when the key is inserted to the right angle. So now, and Toby's best picking time is 27 seconds on a six-pin Medeco cylinder. Mine is a couple minutes because I don't pick locks as often now as Toby does because he's a working locksmith every day and so what you're seeing is the pick tool at the bottom of the keyway, manipulating each one of these pins. And you're seeing this after the sidebar has been set, so that's an we've neutralized the sidebar as he's picking this lock. We have set the sidebar called and we've neutralized the slider also. So there's the pick. One. One. Two. Three. Four. And these are mushroom pins now. And it's open. That is a standard off-the-shelf, six-pin Medeco cylinder. 
That is not under the standards allowable. Period. So when my friend at Medeco says we should allow UL and other standards organizations to test for vulnerabilities, that's why we really respectfully disagree with the statement. They don't even have a clue about the ways we've developed in opening these locks. And they're used in 70% of the facilities in the country.

So this is a new hybrid attack. As we mentioned previously, it's reverse picking. So by leveraging design vulnerabilities associated with the lock, we're able to introduce, set the slider with the paperclip, wrap that around a screwdriver and apply lateral or outward tension rather than rotational tension that would typically be applied in picking a lock, and pick this lock and pull the plug forward.

Yeah, so let me just make a couple comments, because this is really a novel technique that we actually call pulling the plug on Medeco, just to maintain our sense of humor. Everybody thinks that when you pick a lock you have to apply torque to the plug, either left or right. That's the conventional way of picking a lock. And when you do that, you bind the pins so that as you push each pin up, they get trapped at shear line, and when all the pins are trapped, the lock opens. Okay, so we looked at this problem once we figured out some other forced entry issues and vulnerabilities, and we figured out, well, why can't we pull the plug forward and apply torque as the plug is being pulled out of the lock, so that the pins bind at the back end of the pin rather than at the side of the pin? There is no difference. So the video we're going to show you is we're applying reverse pressure on that plug to pick it. And that's why, obviously, we call it the reverse picking attack. So again, a couple pieces of information from this video have been edited. We've removed the ability to set the sidebar code, and then we just basically cut to the end after it's been successfully picked and removed, and you'll see.

You have to understand that on this forced entry we're a little bit sensitive about it, and so we have withheld publication for the last year. It's not in the book; it's on the CD version, with regard to certain forced entry techniques that are required. They're very simple, but they're required in order to accomplish the rest of the steps. So Toby is picking the lock. He's using a screwdriver wrapped around a paperclip or a piece of wire that's grabbing where the slider is to put reverse torque on the plug, so he's actually leveraging that plug forward and picking the lock so he can pull it. The plug has moved forward, okay, on his trap. So we're going to remove this tool, very sophisticated tool, and now I'm going to pull that plug. This is a standard pair of Vise-Grips. Hold the components, hold the pins, and then you can stick a screwdriver in and directly access the tailpiece, and the lock is open. So that was another forced entry vulnerability that honestly none of the standards organizations have contemplated. And this is precisely the problem. We've been advocating, why don't we write standards for three security levels, low, medium and high, and it really doesn't matter how you open the locks within a specified time frame.

So bumping. We demonstrated this here at DEF CON as well. We can reliably bump Biaxial and M3. We can produce bump keys on actual blanks, simulated blanks, and leverage this attack with a known sidebar code or no intelligence at all. Yes, and so this is our bump key. This is a special bump key that we designed. We have actually four of them to bump open, again, all of the pre-December 2007 and some later locks. Now, this is cut on a specific blank for a keyway, but we can also do this on a simulated blank. This is a very different looking bump key than you'll find for normal locks that we introduced two years ago. But this is the bump key that Medeco says cannot work, that their locks are bump proof or virtually bump proof, as we'll talk about, or virtually resistant.

So we have some video demos. If I could just get a quick show of hands, who hasn't seen the Jennalynn video? Quite everybody, okay. This is the little 11-year-old and 12-year-old that we made a star at DEF CON two years ago and last year, who we walked into the lock picking village and she's bumping open locks. Two years ago, Kwiksets, and then last year we handed her a bump key that we had prepared for a Medeco security bump proof cylinder, and as you'll see, she opened it in about a minute and 20 seconds. And the company said this is impossible.

So we suggested... So what did you do? So what I did was I bumped this lock by putting the key inside, and you then put just a little tension and then you hit it with the hammer, and then it took me a few times before the key actually turned and it opened. And how many times did you do it? I wasn't counting. Are you willing to give another try on camera? She was very nervous. She probably won't be able to do it because she's nervous. She can try it. You can try it, go ahead and try it. Oh, you're a bump man. Okay, so she figured out how to do this, so she takes the key out and puts it back in again, and I was a little bit surprised. There you have more video proof of it. So we said that lock, now there's a number 2. When you turn it, you locked it. There's a number 2 on this that we've identified the cylinder. This is going to be sent for analysis tomorrow to another expert, but you saw it right on video. So first of all, she had done this several times, but she was really nervous.

We're going to be up in the lock picking village for the weekend. We do have special Medeco Biaxial profile cylinders that we've set up for researchers to understand how this works, and some of them you can open in 5 seconds, 10 seconds. They're 5-pin, brand new Biaxials, but these locks are definitely not bump proof, and as we'll talk later, even with ARX pins we can bump them open. So go ahead.

So I had to explain the top level master key. But unfortunately we weren't nominated for the Pwnie Awards, but if we were, I think it would be pretty interesting. But the top level master key extrapolation, again, we don't have demonstrations of this. A lot of this is restricted information, but a total compromise of the top level master key system within the Medeco locks.

So forced entry attacks. Again, there's been 3 revisions of the deadbolt design after last year's release. We mentioned the hybrid technique of reverse picking, forced entry, and the mortise and rim cylinder and IC specific locks for forced entry. So this was the deadbolt attack, and again, this is a sanitized version, but at the end of the day a modified $2 screwdriver is capable of opening all the deadbolts with the specific design that Medeco came out with for the M3, some Biaxials, prior to the fall of 2007. And again, this was not contemplated in the standards, and in fact UL and BHMA wouldn't even look at this issue because it was not defined in the standards, this method of attack. So this is the high tech tool that was designed to bypass. As we said, there was the original attack. Medeco released an interim fix immediately after DEF CON last year, and they subsequently introduced the third generation fix, and this video demonstration is against that
the latest release or incarnation of their deadbolt design. Well, actually it's the interim. It's the interim version. The reverse picking attack is the final version. It's a great picture. To apply end pressure to this bolt normally... however, if we insert our screwdriver and apply torque, we can then easily push the bolt to the unlocked position. This procedure can be employed on an outward opening door where access to the deadbolt is available. An ice pick or sharp pointed knife can be used to push back the bolt and compromise the cylinder. So that was their interim fix, and then they came out with their final fix late fall of 2007, which rectified that but allowed us to develop our reverse picking attack.

So, and we should make a couple comments. The Medeco Bilevel is their latest clone. It's a low security Medeco lock that does not have a real sidebar in it, and if your facility is using these or you're contemplating using them, you really ought to understand the security vulnerabilities that we lay out, because the entire system can be compromised by looking at Bilevel cylinders. They really are not secure. They're for internal doors. They're easy to open. So go ahead, Matt.

So just in summary, we're able to reverse engineer the master key system. We have four keys that are able to simulate sidebar codes for the second generation code book, able to set sidebar codes. The wider keyway, as we'll explain in the key security, opens up a whole host of vulnerabilities, which is coming in a few minutes, and the paperclip offset.

Okay, so these are the four keys to the kingdom that we developed that will open all the non-master-keyed cylinders. Now these happen to be for a specific keyway, but as I said, we can simulate these blanks to accomplish the same thing. Patents have actually been filed with technology for setting the sidebar code using code setting keys for picking and bumping.

So now we're going to come to the fun part: key control and key security. Go ahead. So as we said in the standards, the standards mandate certain restrictions on key control, that they can't be duplicated, replicated or simulated, and introduce a whole host of technologies: regional sidebar milling, restricted keyways to prevent duplication, simulation of keys. And this is what key control is supposed to be all about. You can't get the blanks. If you're a government facility or a bank or a major medical facility, you do not want employees or anybody else to be able to go get copies of your keys if they're restricted or proprietary. Just like the White House, for example, they have their own keyway, and so nobody else can get it. And that's the idea of key control. So if you can compromise key control, you really own the system. So we're talking here about real world threats. As you'll see in a few minutes, this affects every Medeco M3 cylinder that they've made because of the way they changed the patents, and it also affects a number of Biaxial cylinders. Go.

So obviously keys. While the key never unlocks the lock, it is the easiest way to open the lock via change key, master key, bump keys. But keys are protected via the standards we talked about: side bit millings that are existing in Primus and Assa cylinders, interactive elements like the Mul-T-Lock Interactive that has a floating pin to it, use of magnets, and a whole host of additional components that are added to protect keys.

So owning the system, obtaining the critical data. So how do you get key data? And I must say that my friend Barry Wels, who's here today from the Netherlands, and Han Fey gave a great lecture a few weeks ago in New York about this same topic and really introduced the topic, and so we're taking it a little bit farther today. How do we get information? We can do impressioning, decoding visually and key gauges and borescopes and photographs and scanning keys and copy machines. Go ahead.

So the critical element of keys: there's the length, the number of pins, sliders, disks, the variables associated with that, what is the height of the blade or thickness, whether or not there's paracentric keyways. The wards in those keys cross the imaginary center line and prevent or obstruct some foreign entity from entering that keyway, like a lock pick, so it's difficult to move anything vertically in that keyway, which is the idea, which is why the standards require certain keyway designs and the introduction of additional modifications like finger pins in the Schlage Primus or sliders.

So this is about key control. This is an M3 key on top, the latest key, and you see the little step on the bottom that controls the slider. The bottom key is one of our metal keys that we made to simulate this key. Both of these keys are working the lock, as you saw in the earlier video. But we went much, much further. We actually embarked on replicating keys because we had to come up, we had to be able to do all the different keyways to make bump keys and code setting keys to open these locks, because otherwise you'd never accomplish this, because a lot of these keyways are proprietary, restricted. One of the reporters asked us last night, why didn't you guys figure this out a couple years ago? What's the matter with you? What's the matter with us is we had a different perspective, because we were looking at solving different problems.

So we're going to talk in detail about duplication, replication and simulation of key control and specifically key security. So key control is the physical protection of keys. Again, I'm trying not to be redundant here, but it's important that you understand the standards, the requirements that are introduced upon manufacturers to protect those keys, protect you as a consumer and the infrastructure. They control the generation of keys. There's patent protection, and we'll go into this in detail. So this is the Medeco key control, and it's appearance versus reality, and you're all going to have to judge. And by the way, there's a Wired magazine article that just hit the net about two hours ago that covers this in depth. What is it supposed to mean? Are the standards sufficient, and real world vulnerabilities. Now this, if you can't read it, says do not duplicate. So is this the key control? You guys draw your own conclusion as we proceed here. Can't duplicate it. Read it: high security starts with key control, a process that ensures that keys cannot be duplicated without proper permission. Clearly, if anyone can have a lock's key copied, then it truly doesn't matter how tough the lock itself is built. Medeco patented key control makes it virtually impossible for someone to duplicate a commercial or residential key without permission. Now this is taken from a brochure that Medeco issued in 2005, which we can only assume is still active and relevant. So this is statement number one. Go ahead. It goes on to read: a standard key can be copied at a million stores without restriction or proof of ownership. Unauthorized duplicate keys often result in burglaries, theft, vandalism and even violent crimes. So that's what we're talking about in the real world, and here's what's coming. I'll show you a quick demo that reinforces this fact.

Could you, like, copy this for me?
Sure. I've been babysitting these kids for a couple weeks now. Their parents totally think we're running errands, but in a few minutes I'm going to have a copy of your front door key, and in a couple weeks I'm just going to walk right in and help myself to whatever. Wait a minute, this is a Medeco key. Only a Medeco locksmith can make a copy of this, and only with the key owner's permission.

Now you've got to remember this video, so you're all anticipating what's coming. So Medeco key control, the problem. The problem is that we can circumvent each of their security layers. Their keyways can be bypassed, their blanks can be simulated, their sidebar codes can be simulated, and the sidebars and the sliders can be bypassed. So there's no real protection except for the M3 step, which can be bypassed by a paperclip. And so as we go through each security layer, all of a sudden the lock has no protection.

So key control: duplication, replication, simulation of keys. This is a keyway diagram that we did for the book, showing the center line of the keyway. Now under the standards, the wards are supposed to cross that red line so that you can't do this. This red line is the same thing as a blank key or a cut key being inserted into that keyway. So go ahead.

So we're going to go through duplication, replication and simulation. So improper acquisition or use of keys by employees and criminals, and what we're going to really talk about is the insider threat. So someone who has unauthorized access to facilities, they can create bump keys, they can use those keys for rights amplification, top level master key extrapolation, and totally compromise the master key system. They can replicate. Again, Barry Wels did an amazing presentation at HOPE that talked about silicone casting, using a bismuth alloy for metal casting of keys, plastics, epoxy, totally duplicating and re-fabricating real facsimiles of keys. Everybody knew that conventional keys could be easily replicated. It's not a problem. Go ahead, and you can answer that. So everybody for many, many, many years understands what makes a key and that pin tumbler locks can be easily circumvented, given specific keyways, with everything from metal to epoxy. What they didn't really contemplate is bypassing certain high security locks. So go ahead.

So this just goes on to say the additional design features and functionality inherent with the M3, to extend that patent, allowed us to simulate those keys. So basically we have a total failure of key control, or of what we prefer to call key security. So we can go through, as we'll show you in a couple minutes, we can totally bypass restricted and proprietary keyways in the M3 and some Biaxials. We can get around the M3 slider with a paperclip. There's a serious sabotage potential with that same paperclip to lock you out of your own system. This is what wasn't contemplated when they developed the patented technology in the M3. Availability of blanks is not an issue, as you'll see. We can duplicate keys from pictures or codes. We can extrapolate the top level master key. Go ahead.

So from our perspective there is no key control or key security. Again, we can do this on all M3s and some Biaxials, restricted and proprietary keyways that are restricted to certain locksmiths. The M3 step that we showed with the MacGyver multi-tool is absolutely no security. We can copy and produce any blank, generate that top level master key and cut any key by code. Go ahead.

This is skipping over this. We'll post all these slides online, but this is the hybrid attack that is detailed in the government version against mortise, rim and interchangeable core cylinders. These locks are at risk. There's millions of them, and there's really a design problem that we perceive allows us to really rapidly open these with certain inside information.

So this is the new threat that we perceive: key mail. This is e-mailing of your key from inside a restricted facility to somebody outside to make the key, and this is what the Wired magazine article is about. It's a dangerous threat. It can affect millions of cylinders. It is a total failure of key control, and as I said, all of the M3s, virtually, and some Biaxial keyways, and it's use of the new multifunction copier that scans, copies, prints and allows the production of Medeco keys. Key mail. Go ahead.

So we can easily capture an image of your key. We can then replicate that key in plastic, and there's a couple different methods that we can leverage to open that lock. And you're probably saying to yourself, okay, I can do this already with my Kwikset or some other standard. This should not be capable in a high security app, and it's a very, very simple technique, and it's not contemplated by the standard. So we'd like to announce that Medeco accepts plastic. So again, it works by, you need access. This is an insider attack. You need access to that key. You need it for two seconds. You capture an image, you print the image, you produce a key, you open the lock.

And some of our key catchphrases from our vendors. We always try to maintain our sense of humor here. We're not sure that Medeco has. We have really attempted to. So which one do you like the best? Don't leave them without one. What's behind the lock door? Priceless. Go anywhere you want to be. The card that can get you cash. Or the card is key, and that's actually Diners Club's, you know, claim to fame: the card is key. So we agree. We absolutely agree.

So you need to cut effectively the key. In this specific hybrid attack against mortise, rim and interchangeable cores, the two dimensional photograph, copy, picture of the key, we don't need sidebar data. All we're doing is raising the pins to shear line. Now this picture, by the way, can you zoom in on that, Matt? This picture I shot of a Medeco key, and the little cut marks are with an X-Acto knife. This is actually a two dimensional image. This was done on an HP scanner copier, $150 copier. This was printed on a piece of address label and then imprinted on plastic. Go ahead. And it's a simple matter to cut out the key. This is Medeco key control. This is a Medeco key card that's issued to protect their keys from improper replication or duplication. So we took the Medeco key card and we cut it out and made a key and opened the lock. Sweet.

So the procedure again: obtaining image, scan, copy, photograph, use that little etching with the crayon and the piece of paper like you did with leaves in school. Email and print that image remotely. Again, this is an insider attack, and I want to stress that. You need to then ensure that you have a one to one image. You can print it on paper, on labels, or my favorite, Shrinky Dinks. Shrinky Dink, I don't know if anybody remembers those. When you're a kid, you basically color an image, cut it out, bake it in the oven. We're not baking these in the oven now. And I want to make a comment about Shrinky Dinks, because we talked to them. It just so happens that this company in Wisconsin has been around for about 35 years. Great company. They make this special plastic that you can print on, and then it'll expand when you put it in the oven. Well, we don't need to put it in the oven. We just wanted to print on a portion. So we take the plastic, if we want to use Shrinky Dinks, and we cut out the
plastic and we make a key that'll replicate the vertical bitting on the lock. Now the plastic, credit card plastic, we can actually replicate the angles also. So then all we have to do is use the paperclip to bypass the slider. The folks at Shrinky Dinks were rather upset at this prospect and said, look, you can't talk about this. Well, why not? We're using your plastic. No, no, no, our company is built on magic, imagination and creativity. And so are we. And I said, ma'am, it sounds to me like those are all the key ingredients that are lacking at Medeco. I said, maybe you guys ought to get together. She says, oh my god, don't talk about us. Everybody's going to think we're condoning breaking into buildings. Ma'am, we're not. That's the farthest thing from the truth. I'll tell everybody you guys are not condoning your plastic to be used for unlawful purposes, but this is a valid research project, and it just so happens that you make the plastic that really works. Neat. Shrinky Dinks.

So again, there is one critical skill, high tech. It goes back to kindergarten. It's your ability to stay in the lines and cut that image out. It's really, really difficult. So then ultimately you insert that key that you've created, duplicated, simulated, insert it into the plug, and for mortise, rim and interchangeable cores, it's a hybrid attack. This is all that's needed to open the lock in several seconds. So again, insider attack. You need access to that key just for a second. Whole host of ways that you could get it. Produce an image of that key, email it out of your facility, capture it on a copier, scanner, fax, cell phone. You know, here's one technique, here's another. This is the HP scanner copier that I used to make that key, and this is a piece of Shrinky Dink material. Okay, this is my BlackBerry Curve that I used to capture an image of the key that I made a copy of, that I used to open a lock. Now this is actually the image, and nobody believes you can do that with a 2 megapixel camera on a BlackBerry. Well, you can do that because this is shot through a magnifying glass, and as you can see, that's an excellent image. And not only is this image representative of a two dimensional picture of this Medeco key, but if you look closely you can see the shading on the bitting that will actually yield information to the rotational angle of those cuts, as we demonstrated last evening. So should I talk about that right now?

The reporter that wrote this story spent a lot of time on it. She went and bought a Medeco cylinder in San Francisco. She then went to a Kinko's store and emailed me a picture of the key. It was not a one to one picture because evidently the scanner wasn't working properly. We got the images, Toby and I compared the images, decoded the key, and we actually, Toby produced the plastic. Last night we met with the reporter, inserted the key in her lock and opened it. It had the angles, it had the vertical bitting, and that was the end of the story. It was literally uneventful. She's like, wait, wait, stop, stop, we have to document this. No, your lock is open. Now we thought we were going to use a forced entry technique to do this with that key, but we got the angles. And so this is real world threats. This was done remotely. Anybody could do it. It's not that difficult. Now decoding the angles, it's a little more difficult, but replicating the vertical bitting on the key, no problem, it's trivial. And then use your own imagination, but we're able to do it on paper, credit cards, plastic, favorite Shrinky Dinks. Toby just did one also for this reporter's keys on a piece of copper wire. We thought that was appropriate for Wired. So we took a, Toby actually took a piece of wire, flattened it out, made the key, opened the lock. Yeah, we have some pictures though. And a simulated metal key, as we showed before. So here's another picture of printing it on plastic or paper. Again, this will open M3s and some Biaxials. A standard key machine could be leveraged, a Medeco cutter, a hand cutting X-Acto knife, a whole host of techniques. The real issue is it's not difficult. It's not complicated, so everybody can understand this threat, as opposed maybe to bumping and picking, which takes arguably a little bit more skill, and you have to have the right keyway for the lock. This doesn't require any knowledge of the keyway. It's just the vertical bitting. But again, you gotta stay in those lines. Gotta stay in the lines, it's critical.

So this is a key that I made. This is a 20 thousandths of an inch thick piece of report plastic folder. All of us were down in Miami preparing, doing the final research for the book in May, so we're rummaging through the Office Max store looking for things, and we took this piece of report folder, cut it out exactly, and this will open the lock. What it is is overlaying on the bitting, so it's an exact overlay. And again, these are different examples of plastic keys. This was traced. All of these keys will open the lock, but we actually like the credit card plastic the best.

So this is a picture of the hybrid attack with a mortise cylinder with a piece of plastic. This will work with a mortise IC cylinder, and on the left it's inserted, on the right it's turned. So this is a conventional lock. This is a Kwikset, my favorite, one layer of security. So we had a key, we produced a key for this to open this lock, and this, we took a Chase card, and this is the key up above. This is the Chase card that opens that lock. This is a piece of cake. This you expect in a conventional lock. When we opened up part two about key control, that's why I said you expect this. This is the Chase key, that's it. But we do not expect to be able to do this with a high security cylinder. Kwiksets, no problem.

So in contrast, we have a Schlage Primus on the left and an Assa on the right. They both have what we call side bit millings. Why don't you zoom in on that? These keys you cannot replicate in plastic the way we're doing with Medeco, because they're totally separate parallel systems, and so there's really no way to do what we're doing with a Medeco cylinder with these kind of locks. So whether they thought of this when they designed the locks, Bo Widen is actually the inventor. I never asked him about this, but these locks are secure against this form of attack. They have real key control.

So we're going to show a couple of video demos: a Medeco key being cut on an actual Medeco key machine, as well as plastic being leveraged on a door. So this is a MasterCard key. Priceless. Remember to wear eye protection. And this is the little wire that we'll use to bypass the slider. So now Toby's going to trim the plastic residue off the side of the key. There's a comparison, and the lock is open. It takes MasterCard. Okay, no problem. It's trivial. This is not supposed to happen. This is an M3. That's the key that opens this lock. It's provided by Medeco. There's our favorite paperclip. There's a Medeco. Yes, we're using a small little Vise-Grip to actually turn the plug. You could use a tension wrench, use a tension wrench, screwdriver, whatever. But no problem.

Okay, so here's what we advocate to protect your facility. I'm sorry, go ahead. You know, you obviously can read as well as I can. No paperclips. No First Amendment. You can't talk about security vulnerabilities, that's the first rule. Don't tell anybody and they won't know about it. No Shrinky Dinks, no X-Acto knives, printers, copiers, faxes, scanners, cell phone, email, fax connections. No links to the outside world. You might post that.

So here we go to part 3: lock, slides and videotape. Now Medeco announced, after Jennalynn opened the Kwikset by bumping in 2006, our locks are bump proof, virtually bump proof, and virtually resistant. It gets a lot better. So about the same time that Matt and I gave our presentation in 2006 here at DEF CON, and right after Barry Wels and I were in New York at HOPE, Medeco came out with their press release that said our locks are bump proof, August 4th or 5th. There you go, August 4th or 5th, 2006. So go ahead. If we want to bring up Jon briefly, then we'd like
a 3 minute summary if John will come up to just give us a summary of what transpired with his medicoater and then because we're going to talk about responsible disclosure for a couple moments and then show you why medico hasn't exactly leveled with everybody about being bump proof go ahead my name is John King how many people here saw my talk right before Mark, Matt and Toby's I'm going to give a brief summary basically back in November I developed a tool that turned out the technique it leveraged was quite old but the tool was able to defeat the sidebar on medico locks original by Axial and M3 we decided myself in some of the locksport community that we wanted to release it but first we thought we might get a reaction from medico and we were kind of expecting something like a lawsuit or a payoff but we were pleasantly surprised that they were really friendly they sent the director of research out there Peter Field out through my apartment he saw the tool and said this looks like a problem so as a result what they're doing right now is fixing all the locks coming off the assembly line by re-implementing a system called ARX to defeat this tool pretty much they've been very friendly with us myself in a NDE magazine is the publisher I released through but they have not responded whatsoever to Mark, Matt and Toby's stuff and you guys have seen a lot here it's pretty impressive in my opinion what do you guys think? Medico? 
So responsible disclosure about the medicoder John went to them, we couldn't agree more there's two editorials that are posted on our blog in.security.org that address the issues of why we think medico embraced the locksport community at this particular time so what's the responsibility known vulnerabilities in medico locks responsible disclosure versus what we call irresponsible non-disclosure if there's serious vulnerabilities that are disclosed to medico we did that for 18 months and they as well as we know have failed to disclose these issues to their customers we really believe they should and that they should tell everybody okay there's issues and you need to know about them instead there's been what we would perceive as misrepresentations half-truth and misleading advertising and the use of language that means nothing so we think responsible disclosure is a two-way street we think if you discover a defect in a new lock in a security system that hasn't been released we think you absolutely have a duty to tell the manufacturer so they can fix it in a timely manner the problem is locks are a little different if a lock has been in service and there's an embedded base then there's a real problem because generally the manufacturer is not going to pay to fix the problem it's upon the consumers a matter of fact medico made a statement a few weeks ago in a cnet article that said locks aren't like a subscription to a magazine or similar language meaning go buy new locks if there's a problem I don't really subscribe to that theory as a lawyer or a security professional and I really believe and Matt and Toby believe that there's a responsibility on the part of manufacturers to tell you what's going on and disclose potential issues go ahead so the responsibilities of the manufacturers you know for us from a high security perspective the responsibilities are very different they do protect critical high value targets and infrastructure these aren't like toasters and as 
Mark said the responsibility lies upon the manufacturer to disclose these vulnerabilities to the consumers we think they just ought to tell all of these manufacturers if they have a known problem they have a duty to tell their customer if they have a vulnerability if they don't both for the manufacturer and the locksmiths that sell them so the real question is what to disclose and to whom and there are two components the public right and the need to know and so it's security by obscurity and it does not work and that's because of the internet in order for you to assume the risk and understand you need to understand go ahead so again the perspective or retroactive effect Mark talked about this if this is a newly discovered vulnerability in a not yet released piece of hardware then absolutely you need to work with the manufacturer to introduce these details of the vulnerabilities and give them time at the end of the day though it's a question of liability and cost in a retroactive implementation who's going to pay for that is that you the consumer or ultimately the vendor and our problem is when John went to medical and they told him we're going to implement a fix in a couple of months that's all well and good the problem was they knew about that issue at least 15 years before because they developed the pins to combat it so the real question is why didn't they implement those pins 15 years ago rather than implementing them now and who's going to pay for them now because you don't just stick them in the locks you don't mail them out so we want to talk briefly about our perspective of the truth again after we spoke at DEF CON medical introduced a press release where they claimed their locks were bump proof they retroactively edited that same press release to say they're virtually bump proof I don't think medical is aware of archive.org they probably will be after today so here's archive.org's representation of the August 4th press release I'm going to try and zoom in 
here you can read the third paragraph down medical is commonly known as a virtually actually I have the wrong one here this is the 2007 you have the wrong one medical is known as a bump proof lock bear with me here this is a Mac this is working really good Matt stop stop telling me what to do don't get nervous not at all so there you go I went too fast this is the 2006 press release I'm not going to zoom because I'll screw it up third paragraph down medical is commonly known as the bump proof lock we go to archive.org from February 2007 medical is commonly known as a virtually bump proof lock now they went back on their website and evidently changed the press release so that when all the search engines pointed to this they'd come up with the new verbiage which they again changed and ultimately in 2008 this was a response so now the claim is we never said our locks were bump proof August 15th 2006 this is called the smoking gun they now claim we never said our locks weren't bump proof everybody else said they were bump proof but we never never never claim that August 15th 2006 for those of you that like to do research the US patent and trademark office filing by medical security locks ink lawyer Mr. 
Rothwell the application is on the power point the word mark bump proof and it was abandoned in February of 2007 sometime after we showed them conclusively that we could bump open their locks so here's the actual filing with the patent by medico for the word bump proof so the question is why would we want to protect the word bump proof to use by medico if they didn't claim their locks were bump proof if you can answer that that would really be we'd like to hear from you so the claims extend into picking bumping nobody's proven in 40 years that they can pick our locks these are false demonstrations here today in these videos are smoke and mirrors we're lying to and they can't replicate the problem except for the 18 year old kid in Colorado now that opened the lock in 55 seconds after reading the book that would be a problem so responsible disclosure by lock manufacturers we just think that they have a duty to disclose if they know or suspect there's a vulnerability that they should make responsible notifications and let the users and others assess the risk they really have a duty to tell the truth and this is the problem again high security lock manufacturers have a special place because of what they protect everybody relies on their engineering expertise and their integrity they have to tell the truth so I hope you'll agree after this demonstration that medical locks are vulnerable again you need to assess your own risk your own exposure what you're trying to protect whether or not you should use these locks they are good locks medical knows we provided them all the information all the research all the excerpts from the code design progression top level master key the book everything they are vulnerable to bumping picking forced entry we believe they should be more candid with their dealers their distributors unlike how candid they were with the release of the deadbolt fixes we believe there is a failure to tell the truth and you consumers customers people 
responsible for protecting critical infrastructure have a right to know so again there is no security by obscurity it doesn't work with the internet it's the user security it's not medical or your locks miss security they have a right to assess their own risks criminals already have the information disclosure benefits we believe far outweigh the risks involved medical says our job isn't educating criminals no that's true they need to educate everybody so they can assess what their risks are what other people already know and there is a liability for a failure to disclose so the lessons learned nothing is impossible corporate arrogance which this is a classic example it doesn't work high security lock makers engineering security and integrity that's what it's all about so we would solicit we have some time left with this work really well if does anybody have any questions or comments about the concept of responsible disclosure or anything we've talked about today and actually if you want to come up if anyone has a question does anybody have any questions why don't you come up we'd really be glad to entertain questions we think this should be a really good debate we're really sorry that medical could not be here today to engage in this to present their side of the story so the question was who funds our research that's a good question I work for several I have several legal clients that really are good about letting me do and retain anybody I want to do security research and vulnerability testing and I also have some clients that specifically hire me and my associates to look at locks to protect themselves from liability other than that my wife helps to fund my research yeah right there's a book signing at 315 so the book is available it's in your program it's at 315 we're in the vendor area there's some book we've got to find it other questions back there is there any evidence that people are attacking what these locks no we haven't heard any but then we may not 
either usually in high security facilities this isn't talked about other than in the news a few weeks ago when the lady was sentenced for stealing $700,000 a controller I believe at medico who was working inside that stole $700,000 we hope that she didn't have medical locks on her office I don't know but honestly you wouldn't hear go ahead that's the question we always get what is the most secure lock out there why have several answers it depends when you say secure for what purpose if it's really a high security facility the last 5 or 10% where you really really have to make sure they don't get in we like slag primus we like abloy we love eva mcs the magnetic code system if you look on eva's website evva.com they're in Austria or we've showcased them in the book as the lock to compare to basically for the eva if you don't have the key you're not going to open the lock now nobody says it's impossible if you don't have the key you're not going to open the lock slag primus, abloy, kaba medico are good locks it's just not good for all installations but those would be my answer abloy primus eva go ahead yep any other questions more questions go ahead so the question was have any other lock manufacturers bought into our proposed methodology for disclosure for disclosure and testing well actually some of the folks that I work with are beginning to embrace this and they figured out that the best business policy is full disclosure and I've had extensive meetings with Ralph Wasami who's the executive director of BHMA in New York the builders hardware manufacturers association who have the real high security standard they really are looking at this they really want to do the right thing and they're not bound by bureaucracy like we believe UL is and they're seriously looking at this issue now and they're talking to their members about disclosure so I think there ought to be disclosure on packaging to tell people these locks can be open in seconds to let everybody know and 
everybody says well yeah but then we wouldn't sell any locks well that's the point tell the consumer what the vulnerabilities are and let them make the decision or tell them to buy better locks go by higher security rated locks any other questions so similar to iDefense and other organizations the question was are there any incentives to exposing or disclosing vulnerabilities associated with hardware to lock manufacturers it depends on the vulnerability what the penetration of in the marketplace is how serious it is how easy it is to open the lock it's a complicated formula I've represented a number of clients in this area my suggestion first and foremost well first of all if you can file for a patent you file for a patent and you can file for a provisional patent for $100 to protect the invention for a year then you go to the manufacturer and ask them to sign a non-disclosure agreement if they won't do that then it's a real interesting issue then it depends on the exploit maybe you can make tools maybe they're not interested it is a complicated formula I've represented several clients you know sometimes the manufacturers will want to work with you sometimes they won't question over here who do I contact at medico to get my money back hmm let's see 5403805 thousand that's a good question and it may be raised subsequently well they said you're not buying a subscription so I guess you have to buy new locks well that's also that's a legal term and whether it is or not is subject to discussion and probably later analysis it's a very complicated area and what happens from here I'm not quite sure question over there are they in the book is that the question yeah so the question was is the archive.org screenshots and associated details of the disclosure of the bump proof virtually bump proof in the book it's essentially all documented in the book there's also a multimedia addition for locksmiths and government or security people right here so medico has a lot of locks 
this is a serious vulnerability exposure is there sufficient capacity by other manufacturers to replace these locks I think they'd meet the challenge yeah I think if you contact Schlage or Osso or Kava they'll meet the challenge yeah or Abloy that's a good question I don't think that would be a problem and again it depends on your risk we felt that it was relevant to disclose this and frankly I think a lot of the security community or locksmiths would say we knew about this a long time ago nobody really put it together for medico as a high security lock because of the result of our research and so we think it needed to be disclosed so the question was Barry asked do we think we'll break the ARX pins well the problem is there's a lot of different ARX pins there's not just one as John King well knows we've already broken some of them we have repeatedly demonstrated picking and bumping their cylinders with up to four ARX pins in a biaxial lock and so it depends on a lot of different parameters and I wouldn't be so foolish to sit up here and say we'll break all of them we've broken some of them so time for two more questions one right here so the question is when you're looking at a lock that's mounted on a door and you'd like to attack that lock what are the resources available to that lock? 
we're talking about an M3 or a biaxial lock M3 actually stamps M3 on it so if I'm looking at you're talking about a medical lock no no any lock that's a pretty wide open question there's a lot of different ways you can impression it Barry Wells has become a real expert in impressioning he'll be here all weekend to answer your questions but there's probes look at the lock, look at the internals of the lock a lot of times through visual inspection the naked eye is pretty powerful a lot of the techniques that we've described here don't require borescopes and other technology so there's a lot of tools available there's a lot of different ways frankly impressioning is one of the slickest alright last question lots of problems so the question is is Mark having trouble with Aloha? well Aloha threatened to pull well Aloha is the associated locksmiths of America 4 years 5 years ago when I first lectured at one of these conferences they said if you do it again we're going to throw you out of the organization because our code of ethics prohibits you from talking about security vulnerabilities other than other locksmiths or security professionals now they didn't I don't think they understand the character of who attends these meetings and I told them I sent them a long letter and said look I'd be glad to discuss this with you but I'm not everybody needs to know this information and I'm not sitting up here picking locks and frankly you'd be making a big mistake so they let it set for 4 years I think they're going to take it up again this fall you know if they throw me out of Aloha they throw me out of Aloha but I really believe I'm right and everybody needs to know I'm not disclosing information that could be inimical to the national security I'm pretty careful about what I talk about and they really need and I don't know how they now say that you guys are all criminals when medical has embraced the lock sport community which Aloha attacked several years ago as being all people 
of questionable character so there's a lot of issues you know I've told them I'd be glad to discuss it with them so I have no idea what they're going to do so we're at a time we're going to go over to wherever the book signing is at 3.15 we'll be there we can answer additional questions and we'll have copies of the books available thank you so much for your time today we really appreciate it