So, let's now start with the talk. To my right, it's a pleasure to introduce Walter Belgers. He's an ethical hacker, he does technical hacking and social engineering, but he's also the president of TOOOL, The Open Organisation Of Lockpickers, and he will show us the similarities between these two worlds. Enjoy it and give him a warm welcome.

Thank you. Thanks. Am I on? Yeah, good. Great. It's awesome to see all of you here. It's really awesome. Maybe you're here just to get out of the rain and be warm inside, but anyway, it's great to have so many people still here when this is the last actual technical talk before the closing.

So this is about lockpicking and IT security. And I am indeed a lockpicker. I have done lockpicking for a lot of years now. I'm the president of TOOOL, but I also, as a day job, work in IT security. And the reason for this talk is that I thought about flaws in locks that you will also find in IT security. So in IT security, we have zero-days. We have all kinds of design flaws, implementation flaws. And I thought, do we have these kinds of problems in locks as well? And yes, we do. So I can already give you the conclusion of the talk, which is that in locks, we see the same problems that we see in IT systems. And I think it's fun to just go through all these kinds of problems, because in the end, lock security is not that different from IT security. In IT security, you get a really complicated system and you have to think like a hacker to figure out flaws in the system. And if you have the right tools and the right knowledge, then maybe, yes, you can open the system. It's the same for locks as it is with IT security. And then you have owned the system. Right.

So if we build a security system, whether it is a lock or an IT system, you have this... for software, you have the software development lifecycle: you design something, you develop it, you build it, you test it.
And you change your requirements again to fix the design. And this is an ongoing cycle that we go through. And in all these stages, we can introduce security problems. So let's start at the beginning, the design.

So first, let's look at IT systems and design. In IT, we see a lot of design problems, actually, because security is often just a small component. In my daily work, I see a lot of systems being developed where, during the design phase, there is not much eye for security. It's mainly about functionality. And also the customers who ask for a system to be built have functional requirements and not so much security requirements. So sometimes that becomes a bit of an add-on in the end, which doesn't really work. Functionality is more important than security. So we have design flaws in software. I should stand back a little bit. But it was actually quite hard to find a good example of a real-life software design problem that actually led to a real problem. I mean, if you make a design and you forget to include two-factor authentication, for instance, that's a design flaw, which is hard to fix afterwards, but the system can still work. But here's an example of a real design flaw. This is the Ariane 5 rocket, the European project, and this rocket exploded shortly after take-off. And that was actually a design flaw. The problem was that there was a piece of software that got a floating-point exception. And the design flaw was that the system was built so that, in case of any such error, it should shut down that piece of equipment. So this was in the trajectory tracking software. There was a floating-point exception, which is bad, but if you carry on, it would have worked. But instead, the trajectory calculation software shut down completely, and then the self-destruct mechanism was engaged and the rocket exploded. So it was a pretty expensive design flaw. Do we also have design flaws in locks?
Well, locks are different, because if you build a software system, it does a lot of stuff. So maybe somebody will ask you to write a CMS, for instance, and it needs to provide CMS functions. But if you ask somebody to build a lock, the lock will only provide security services. A lock is a security device. So of course, if you design a lock, you will always think about security. It's never an afterthought. So that's good. We have security in the picture from the beginning. And also, lock manufacturers are really good at specifying requirements. In software, it's really bad. People will ask, please write me a CMS, and they will tell you it needs to be blue and it needs to fit on the screen, but they won't ask you to build it securely in many cases. There are exceptions, of course. But lock manufacturers are really good at specifying requirements, and there are several different requirements that I will go into. And the risks are also pretty well understood. The lock industry is not as dynamic as the IT industry, and traditional locks have been around for a long, long time, and the risks haven't changed that much. Well, things are changing a bit now that we have electronic locks. But I'm mainly focusing on the mechanical ones. And locks are almost always tested to get certain certifications. It's not true for the cheap Chinese locks, but if you buy a well-known brand lock, it will probably be tested and certified. What the certification means is another thing, but I'll get back to that as well. I have to walk because the clicker is not working. We have a lot of pollution on this band, I think.

So we need to design a secure lock. But then the question is, what risks do we have? What are we trying to protect against? And it's really funny, because I get a lot of people asking me, well, what locks should I buy? And then my counter question is, well, what are you afraid of? What would you like to protect against? Because a lock does not protect against theft.
It depends on what kind of lock you buy what it protects against. So one thing, for instance, you could be worried about is key control. Say you have a very large facility and you have keys for all the locks, and you give those keys to certain people and you don't want them to be able to copy the key. That's key control. That might be an important aspect. But if this is for your own house and you keep your key with you all the time, maybe this is not an issue at all. But maybe then you are really worried about destructive attacks. So people trying to drill through the lock: if you drill through the lock, you will drill away all the pins, rendering the lock inoperative. There are techniques where you pull parts out of the lock or you completely break the lock, so you could protect against that. You would need special hardened materials to harden the lock. Then there are non-destructive attacks like lock picking, like bumping, pick guns, impressioning. Those are all techniques that you could also protect against. So you would need different kinds of locks with different mechanisms: with wavy lines, with dimples, with discs. There are all kinds of techniques that you can use to protect against picking, bumping, et cetera. What's interesting with locks is that the space is really limited. So if you have a standard European cylinder, it's a standard form factor, and this is all the space you have as a manufacturer to build in all your security mechanisms. So it becomes really hard to make a lock that has good key control, protection against forced attacks and non-forced attacks. You can make those locks, but then they become really expensive. So that's another thing. If you design a lock, you have to ask the question, well, what is the market? Who am I going to build this for, and what can the lock cost?

So do we have design flaws in locks? I asked myself. And actually, there are some examples of things that I would consider a design flaw. Here's an example.
This is a Kaba lock, and I have to say, I mention some lock manufacturers, and it's not because they make bad locks. Actually, Kaba makes really, really great locks. I like Kaba a lot, but every lock manufacturer sometimes makes a mistake, and this happens to be a mistake by Kaba. This is a really expensive lock. This is a lock that has two-factor authentication. You need to key in a code, and you have to have an RFID card at the same time to open the lock. But there was a problem with this lock. I would say a design flaw. There's some circuitry behind here, electronics, and there are two LEDs, and the LEDs are in this housing, and there's a little bit of space between the LED and the housing, and you can insert a paperclip in between that touches the circuit board, shorts it, and the lock will then open. So this lock could be defeated at that time with just a paperclip. So that's a bit of a design flaw. And we see that if you are a traditional lock manufacturer, having done mechanical locks for a long, long time, you have to adapt to the new threats that you have with electronic locks. That's a whole new playing field.

Another example is this lock. This is the Winkhaus blueChip, which is a really interesting lock. It has a plastic key that is only there so you can apply a turning force, the actual mechanical force to operate the mechanism. Inside is an RFID chip that sends a code to some electronics inside of the lock that they managed to fit in there, and this uses really good encryption, so that's well thought out. And if the key matches, then some pin is retracted, enabling the mechanism to operate. Now the problem with this lock, in the design, is that they didn't think of an attack where somebody would operate the pin without having the correct code, and you could do that with a magnet. So if you have a really large magnet and you hold it close to the lock, the pin will also retract. So I think that's a design flaw as well.
It's funny, because the same trick was now in the news with Black Hat and DEF CON, where there was this smart gun that you could only operate if you were the owner, but it has the same flaw. You could use a magnet to operate the mechanics inside of the gun to be able to operate it. So when you design locks, you have to be really clever and think about ways of circumventing the whole mechanism. Actually, it would be good, if you design locks, to have some hackers working for you, trying to figure out ways of getting past the lock. Because if you don't do it, somebody else will.

This was in the news a couple of years ago. I don't know who knows the story, but there are hotel locks, and they have a little jack plug underneath to access the electronics within the lock. And if you reverse engineer the API of this lock, which is what this guy did, you can figure out commands to read memory from the lock. And of course, in the memory of the lock is the unlock code. So you read that from memory, and then you use an API call to send that code via the same port, and the lock will open. Build some electronics into a marker pen, put a button on the end, and this will plug into the lock, send the correct commands and open the lock. So that's also a design flaw.

As is this one. This is the same Kaba lock. There's another flaw. Kaba is absolutely not the only one with this flaw. There are a lot of locks that have the same flaw. So this is in the lock. This is some mechanical part, and it needs to go down to enable the lock to be opened. So normally, you have to type in the code, use the RFID card, and something will pull this down so the lock opens. Now in this case, you can't use a magnet to pull it down because it's all metal, but you can use the force of inertia. So you hammer on the lock with a rubber hammer.
The force will cause the latch to go down, and you have to experiment a little bit, because you need to apply the opening force at the correct time, but this will allow you to open the lock as well. So those, I think, are design flaws.

When you have your design ready, the next step is implementing stuff, and of course you can make a lot of mistakes doing implementation as well. And the same goes for locks. So we have a good design, but there is some kind of error in the implementation. So here's a video of an implementation flaw in a lock. In fact, the guy who made the video is in this room, and he calls it a design flaw. I think it's an implementation flaw.

[Video:] It's this lock. If you insert the blank into the lock, you put a little tension on it, you take the blank out, and then turn it like this. The lock opens. And yeah, it's a big design flaw in this lock. Here I'm going to try another one. Another technique that works is: put tension on it, pull the key out, stick the tip in, and open the lock.

Now, as you can see, it's a really severe vulnerability. This was fixed by the manufacturer. What exactly is happening? So here you see the inside of a lock. You see that there are five pins. Actually, we have a top pin and a bottom pin for each pin, and they need to be aligned exactly at this shear line, which is done by the key. If the key fits the pins, then they all align, and this will allow this inner plug to become free to rotate. So this is how a normal lock works. Now, the implementation flaw: this design should not allow this to happen. But if you have an implementation flaw, and you have lower pins that are made too thick, thicker than they were meant to be, then if you insert a key that pushes down all the pins too far, it will not operate. But if you then apply tension and retract the key, these thicker pins will pop up exactly onto the shear line, and this will allow the lock to open. So I don't have the same bike lock. They are not for sale anymore.
I have a lock that is prepared to do the same. So this is a key that is new. It's not bitted. So if I insert the key, apply tension, pull it out, then it should open. So this is the implementation flaw, and I can actually take the key out. Implementation flaw in this lock.

Even if you implement your system correctly, one of the biggest risks, I think, in IT systems is when users get involved with it. So it might be secure if you use it correctly, but what happens if you use it incorrectly? And then we have awareness problems. So the problem exists between keyboard and chair. That's always a problem. It's interesting. This was a guy from the Greek ministry that was in charge of the Secret Service of Greece. This was the official picture on his official website, the government website. And if you look closely here, you can actually read what's on his post-it containing his username and password. This picture is no longer online. They've cropped it, but it's here for you still to enjoy. So you should never do that, of course, but that's a user error. This is not a design or implementation flaw within the system. The problem is with this guy using a post-it memo and not understanding that that's a risk.

You have the same with keys. Your key is your password. And your key can be good enough. It can be secure. But if you show it to other people or have it lying around, that's a problem. And this happens more often than you would think. Here's one story. There were a lot of thefts of money at gas stations in the USA in one particular state. There you could get gas at the gas station and you could pay via credit card in a small box, and the box had a lock on it. And there was a whole series of gas stations where people had opened the box with the key, inserted some electronics to copy the credit cards that were used, and then closed the box again. And the thing is that all those boxes used the same key, because it's the same vendor.
And then NBC, I think it was, NBC had a show on television talking about the problem, and what did they do? This is the actual key for those gas station money boxes. Okay, so this is user error, right? They didn't know. And it's really hard to educate people to understand that this is a problem. So this problem keeps on repeating and repeating itself. This one was even a bit bigger, a few years ago, where somebody on eBay sold bunches of keys, key sets that are used by the New York Fire Brigade and Police Department. So this is a key that will open all the electrical boxes in New York. This is the fire elevator key. This is the traffic light key, also very interesting, for the boxes that control the traffic lights. The fireman service set key and the fire alarm key. He sold them on eBay. He had some surplus. That's already, well, that might be a problem. But then they had an item in the newspaper showing the actual keys. So these are the actual keys. I'm not aware whether they have changed all those keys in New York. That's quite a task if you have to change all of the locks. But this is a problem once the key is out. So therefore, that might be one of the risks you need to consider when you select a lock. If for you a risk is that somebody could see the key and copy it, you need to buy a system where that's hard or impossible. So some vendors even have keys with a lot of holes in them, with dimples, and they add some extra dimples that are not used in the lock, but that makes it harder to make a copy by sight or by picture and make a duplicate.

So let me show you a video with Rop Gonggrijp, one of the founders of Hack-Tic. Yeah, we're standing in the lift, and he's trying to sneak up through. He's in the elevator in a metro station in Amsterdam. So he's in a metro station in Amsterdam somewhere, and the elevator will take you to the regular floors. But if you use the special key, the elevator suddenly will take you to a nuclear bunker underneath.
So they made a television show about this. And he also showed the key, which is not a very good thing to do, right? So if you see this key, what's your first reaction? Copy? Copy it, yeah. Well, you can now copy it, yes. This image is probably good enough to figure out approximately what the key will look like, and maybe after a few tries you will have a copy of it. But the nice thing is that Rop is a hacker, so he obviously knows about this attack. So this key is actually the key of his cupboard and not the key of the elevator. Right? That's an easy solution. If you want to show a key for dramatic effect in a television show, you can use any key.

So I kept on thinking about flaws that I know of in IT systems, to see if there are equivalents in lock security. So next up I thought, well, in IT systems we have backdoors. That's a problem. Backdoors. We even had a backdoor already in 2003 that somebody put into Linux. It was quickly discovered and removed again. But backdoors in systems: do we have backdoors in locking systems? Well, I think this might count as a backdoor. If you buy a safe, the cheaper ones, the electronic ones, they will have some kind of keypad that's battery operated. But now the problem is, what happens if your battery is dead and your safe is locked? How do you open it? So all these safes will have a backup way, a backdoor system for opening the safe. And in most cases it's behind some kind of piece of plastic. If you take that out, you will find an actual physical lock. So that's the backdoor. And it's a backdoor because this is really an easy lock to pick. So in most cases if you have a cheap safe, the easiest way to open it is to find the backdoor and use it. Because those are really cheap locks they put in there.

More backdoors? Well, maybe this is a backdoor. So I showed you the picture of how a lock actually works, where you have the pins that need to be at the correct position on the shear line to open the lock.
But what you can do, if you have enough space underneath in the lock, is to push down the pin not to the correct position, but further down, so it completely disappears in the bottom part of the lock. If there is enough space here to hold all the components in the lock below, then we also have a clear shear line and we can open the lock. So you might say that's a design failure or an implementation flaw. But in East Germany they used this to be able to open the locks in doors, because the locks were government-made. And if you had such a lock, it had this flaw. And then the German secret police, the Stasi, had what they called the Himmelschlüssel, or the heavenly key, which is just a piece of metal with teeth on the correct positions where the pins are; you push it down and open the lock. So that's something that you will not see in regular locks, but if you buy a cheap padlock you might still be lucky and be able to do this. So here I have a cheap padlock, a Tri-Circle. So I need to have a device that has pins with the correct spacing. Correct spacing. And you need to put them in the correct place on the pins. That requires a little bit of fidgeting around. Push it down to the correct depth, and the lock will open. So that's the Himmelschlüssel system, actually a backdoor. In the case of this Tri-Circle padlock, probably unintended, but in Germany it was intended.

If you build a security system, you probably will do some crypto as well. So next I started thinking about crypto and problems within crypto. One of the problems, well, the main problem with crypto is actually wrong implementation of crypto, or people designing crypto for themselves without knowing how to do so. But there's also the problem of key reuse. So if you have a one-time pad encryption and you reuse the one-time pad, then the crypto can be broken. So this was used actually in World War II to decipher some of the Enigma messages. Do we have this in locks? Well, sort of.
So here you see the inside of a lock again. This was cut open so you can see it. You see the top and bottom pins. In this case there is no key inserted, so the shear line is not free. Here you see that the key is inserted. The shear line is free and the lock can open. So this is a normal lock, normal operation. So you have a key that's your one-time pad, so to say. Reuse? Well, there are master key systems. So you have a system where more than one key will operate a lock. This is used in apartment buildings where you have one front door where the lock can be opened by all the keys within the system, and your own door is only to be opened with your own key. So how can you do this? There are actually several ways. But one way of doing so is to cut up pins into multiple pins. So if I cut the pin again, there are now two possibilities of getting this pin in a correct position. So this also means there are now two keys that I can make that are different but work on the same lock. So actually we are reusing part of the code for different locks. Here you see one of the keys that is inserted, and you see that in this case the lock will open. But the other key, where the pin is here, would also open it. Is this a problem? Yes, the same as with the Enigma messages. If you intercept different messages, then you can work out the differences and figure out what the key was like. Here as well, if you are in a master keying system that works like this, you can open up your own lock. There are tools to do so. You can take out all the pins, see how big they are, then put them back, and do so for a couple of locks, and then you can figure out exactly what the master key will look like. So if you are in such an apartment building and you do some work, you can create a master key. So that's a problem with key reuse.

In my IT work I sometimes do penetration tests. So you plug into the network and you find out what computers are there and you try to elevate your privileges.
And the thing you are after, normally, is the user domain admin or root. So every system will have a user that can do anything, the root user, domain administrator. And is that a design flaw? Well, maybe not, but it's a big risk. You only have to have the root user's password to get access to everything. How about locks? Yes, not everybody realizes this, but it is quite common to have a lot of objects that use the same key. So if you just take a look around on the street, you will find many objects where there are keys involved, and all these keys... So for instance electricity boxes: there is a lock with a key. They do not use different locks for every box. This would mean that a service technician would have to carry hundreds of keys. No, they use one key for all those boxes. And they make sure that the key is really hard to copy, so the system stays secure. But the same goes for telephone booths. These are pipes for the water, speed cameras, elevators. They all use the same keys. So the elevator mechanic will not have hundreds of keys. They will have just a limited set. And you only need to have that one key to get entry to all of those devices. So for instance here you will see the data and glow, and yes, obviously they all have the same key. So if you have one of those keys, you have access to all of those systems. So that's kind of the root user. Interestingly, they use a Tri-Circle. I haven't tried it, but I think maybe the technique with the comb might work. But if not, you can still lock pick it, of course. But that would be cheating.

In IT we also see problems with reuse of sample code. So maybe you get an application which contains some demo stuff that is not really secure and you start using it; that might be a problem. Or you just download some sample code from the internet and start using it; that might be a problem. Do you have that with locks? Actually, yes.
There is no sample code in locks, but there are manufacturers that sell standard locks, sample locks. If you need a lock, if you have a panel with all kinds of buttons and you need some kind of lock switch, you go to the manufacturer and buy a lock switch. And those are probably sample lock switches. By that I mean there is only one of those available. If you buy them from the vendor, you get the same lock every time, with the same key every time. For everybody who orders a lock from that vendor to operate on the panel, it will have the same key. Here's a movie of the same thing happening in Belgium. They have speed cameras. The speed cameras are operated from a box with electronics. And they needed a lock for that. And they asked the supplier to supply a standard lock. And then you get a lock that everybody else will also get if they order a standard lock from the same supplier.

[Video:] About someone who realizes that you are very simple with a lock that opens the bottle cap and that you can easily buy those locks. I'm looking for a lock. I have three locks. According to the manufacturer, there is something in the bottle cap and I can open the bottle cap with those locks. Because the secret of this bottle cap is in this box. Here you have a lock. Do you see this little key? Do you need this?

In fact, I've been told that in Belgium this is still legal. And it's still legal to open the box. If you don't damage it, it's legal to turn it off using the on-off switch. You cannot break anything, but you can turn it off. Apparently that's legal. So this is a problem. If you order the same lock from the same vendor, you get the actual same lock with the same keys. So this is sample code. And there's another problem. Remember what I told you about key duplication by showing your keys. It's the same problem. This guy showed them on TV, so I took a screen grab of it, and those pictures are actually good enough to have a reasonable idea of what the key looks like. So I had...
For one pin I wasn't really sure. So I had two keys made, and I went to Belgium and I tried them out, and yes, they worked. So you can actually make a key from a screen dump like this. Let's see. I have 20 minutes left, right? No, longer. 30 minutes. Okay, we're doing fine.

Zero-days. Zero-days are a large problem in IT systems. And especially since zero-days... well, let's not go into the whole details. This is the number of attacks for a certain vulnerability, and you see that at one point in time the vulnerability becomes known and we see a lot of attacks using that vulnerability. But of course, before it's known, it's a zero-day, and we see that there are still attacks going on for a certain vulnerability before it is widely known. So people do actually use zero-day attacks for maybe 20, 40, 60 or even more weeks before they become public. Now, of course, there are also zero-day problems in locks. I've shown you some vulnerabilities in locks, and when a researcher finds them, they are zero-days. So we need to do responsible disclosure, and that's something that's true for IT security as well as lock security. So here's an example of a zero-day. So what you see here is a lock with electronics. You need to show your RFID card and then something will happen so the knob is engaged and it can open or close the door with a mechanism. Here you see that a ring, an aluminium ring with four magnets in it, is used. It's turned around a couple of times around the lock, and then suddenly it works. I've been told, I'm not an electrical engineer myself, but I've been told that there are coils inside, and the magnets will generate electricity within the coils, and that will drive the electric motor that is there that operates the actual mechanism. Now it says responsible disclosure, but this is actually an example of irresponsible disclosure. This was put on the internet.
This lock is made by a small German company, a really nice company, Uhlmann & Zacher, and they had a lot of problems because this was disclosed without them knowing anything about it. So this was just put on YouTube, and then also somebody suddenly started selling those rings. So we try to do responsible disclosure in the locking industry as well. So we as TOOOL organize a yearly lock conference, which will take place next month somewhere here in the Netherlands. There, people that are breaking locks and people that are making locks come together and we test the locks before they're on the market, and that actually works really, really well. So responsible disclosure is an issue, and also public relations. In the IT world we have seen, well, this is one example, there are other older examples, where Oracle had a new version of their database and they said Oracle 9 is unbreakable. Well, of course we all know that it's not a very wise thing to say that your software is unbreakable. It didn't take long for people to break it, and to actually be attracted to trying to break this because of their statements. Now this also works in the lock industry, and a great example is Medeco, which makes high security locks in the United States. They make really nice locks, but they also said this lock is unbreakable, the lock that we have now made. And there was this guy, Marc Tobias, who teamed up with Tobias, and they spent, I think it was six months or so, just trying to find flaws in this lock, and in the end they were able to open it in 60 seconds or 30 seconds and teach somebody else to open the lock really quickly. And the lock industry has been a closed world for a long, long time. People are not really used to being really open. So that makes it quite hard to do the PR right. And also in this case: I showed you this lock before, and I told you that you can open it with a magnet.
In this case it was disclosed to the manufacturer, and instead of replacing all the locks, what they did was build a new version of the lock, but they did not tell the customers. So you needed to happen to know that you had an insecure lock. And also the new lock was changed in a way that if you use the magnet, it will still open, but it will break something, so you know that somebody has used a magnet to break in. That is in fact a useful feature in a lock, but for most people that will not be enough.

How about brute force attacks? For systems where you have a password, this might be doable if there is no exponential back-off in how often you can try passwords. You have all kinds of tools that will do brute force attacks. Well, you don't see much brute force attacking in the physical security world. You can do something about it. You can have locks with more pins, which makes it more difficult to do brute force attacks. So this is a lock with seven pins instead of the regular five. These locks have many, many, many more pins. This is a lock that you will find on safes. This you could actually brute force. This is a special setup key. So this is a key that can be made into the correct key. You can put pins in here in different lengths, and you can assemble your own temporary key, and if it fits, then you can make it into a real working key. But to do a brute force attack on this many pins with this many possibilities of pin length, that's not really feasible. So I haven't seen any brute force attacks on these kinds of locks. But of course we also do have safe locks where you have the dial and you have to dial in a combination of three or four digits. And here brute forcing is doable. So you can build or buy a system that will try out all the combinations. In fact, this is also not really a big problem, because this will probably take a few days to find the correct code.
And the idea with the safe is that you make it not worthwhile for an intruder to open it, because it takes too much time. Everything can be opened in the end. But for safes, brute forcing is possible. Of course there are also interesting locks that will try to protect against this. At home I have this lock from Kaba Mas. It is a completely electronic lock. It has a display with a number on it and you need to dial it. Firstly, you need to use the dial to generate power. There's a dynamo inside. Then it powers up, and then you need to dial the actual code, and it has all sorts of nifty features to prevent attacks. And one of the features is that if it sees that the knob is turned more than a human wrist can turn, the lock decides it cannot be a human, it must be a robot dialer, and it just doesn't open. But the standard mechanical locks, safe locks, do not have this feature.

Denial of service attacks. In the IT world, pretty easy to do. Can we do it with locks? Pretty easy to do. Luckily we don't see it that often, but it only takes a little bit of super glue and you have a great denial of service attack. In fact, you can actually buy specific tools that will aid you in such an attack. This is a key that's designed to be inserted into a lock; then, because this is a straight edge, you can't pull it out again. So the last pin will go inside of the key and you cannot pull it back. This is why in a normal lock the key has cuts at an angle. So you cannot take it out anymore, and then you can also break off this part of the key to make it even harder to do anything with it. So that's a denial of service that you can do.

Now slowly we're coming to the more obscure attacks. If you have an IT system where you need to log in, there's also an attack called a sequential attack. So if you do not design it correctly, you might be able to check first for the correct username and then for the correct password.
So if the system will give a different error for a wrong username or a wrong password, you can first enumerate through the usernames until you get the right one, and then you can enumerate through the passwords. And there are also sequential attacks involving timing. So if software checks a password character by character and gives an error when the first incorrect character is found, then you can do a timing attack. So you type in password A, you get the error "password incorrect" after 2 milliseconds. If you type in a B, you get the error after 4 milliseconds; that probably means that the B was correct and the software is then trying to match the second digit, second character. So you can sequentially figure out what the password is in less time than a complete brute force attack.

Now this actually is also true in locks. Here we see a lock with two mechanisms working independently. We have the regular keys, the pins, sorry, that are operated just like in any other lock, but there is also a small pin here with a hole in it, and there is an element here on the side that also blocks the plug, keeps the plug from rotating. So not only does this need to be at the shear line, but also this pin needs to move away, and it can only move away if this part goes into the opening in that pin. So this is what the key looks like. This is an ASSA 10 lock with a row of pins that operate the normal pins and a row here that operates on the side pins. So I'll show you again how it works, and there are all kinds of lock systems that use multiple ways of blocking the shear line. So here's another example. This particular example, the EVVA 3KS, uses these bittings for the normal pins, and there are sliders that operate on this slider sticking out, so they go up and down, and they also need to be positioned in the correct place for the purple thing on the side to open up.
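The three login weaknesses described above (different errors for a bad username versus a bad password, a character-by-character comparison that leaks through timing, and unlimited guessing with no exponential back-off) all have cheap fixes. The following is an added example, not code from the talk or from any lock or software vendor mentioned in it: a hypothetical Python login check with a constructed user store. `leaky_compare_steps` only illustrates why the character-by-character check is a problem, by counting how far the comparison gets; `LoginGuard` shows the hardened version, with a single generic error message, a constant-time comparison via `hmac.compare_digest`, a dummy hash so an unknown username costs the same as a known one, and a per-user delay that doubles on every failure.

```python
import hashlib
import hmac

# Added example, not from the talk. Users, salts and delays are constructed.
ITERATIONS = 50_000  # PBKDF2 work factor, kept low so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash).
USERS = {
    "alice": (b"salt-alice", hash_password("correct horse", b"salt-alice")),
}
# Dummy credential hashed for unknown usernames, so the unknown-user path
# does the same work as the known-user path and timing does not reveal
# which usernames exist.
DUMMY_SALT = b"salt-dummy"
DUMMY_HASH = hash_password("not-a-real-password", DUMMY_SALT)

# One message for both failure causes: no username enumeration via errors.
GENERIC_ERROR = "invalid username or password"


def leaky_compare_steps(guess: str, secret: str) -> int:
    """The flawed check the talk describes: compare character by character and
    stop at the first mismatch. Returns how many characters were examined,
    which stands in for elapsed time. The count grows with the length of the
    correct prefix, and that growth is exactly what a timing attack measures."""
    steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return steps
    return steps


class LoginGuard:
    """Login check with a generic error, constant-time comparison and
    per-username exponential back-off (1s, 2s, 4s, ... up to max_delay)."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 3600.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # username -> (failure count, locked_until timestamp)

    def retry_after(self, username: str, now: float) -> float:
        """Seconds the caller must still wait before another attempt (0 if none)."""
        _, locked_until = self._state.get(username, (0, 0.0))
        return max(0.0, locked_until - now)

    def login(self, username: str, password: str, now: float):
        """Return (success, message). `now` is injected so the back-off is
        deterministic and testable instead of reading the wall clock."""
        wait = self.retry_after(username, now)
        if wait > 0:
            # Still inside the back-off window: refuse before doing any work.
            return False, f"too many attempts, retry in {wait:.1f}s"

        salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
        candidate = hash_password(password, salt)
        # compare_digest takes the same time regardless of where the inputs
        # differ, so there is no "2 ms versus 4 ms" signal to exploit.
        match = hmac.compare_digest(candidate, stored)
        ok = match and username in USERS

        if ok:
            self._state.pop(username, None)
            return True, "ok"

        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[username] = (failures, now + delay)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    print("leaky check, 1 correct char:", leaky_compare_steps("axxx", "abcd"))
    print("leaky check, 2 correct chars:", leaky_compare_steps("abxx", "abcd"))
    guard = LoginGuard()
    print(guard.login("alice", "wrong", now=0.0))
    print(guard.login("nobody", "wrong", now=0.0))
    print(guard.login("alice", "correct horse", now=0.5))
    print(guard.login("alice", "correct horse", now=1.0))
```

The back-off here is keyed on the username only, which is the simplest form; a real deployment would also key on source address and surface the lockout state to monitoring, since a burst of generic failures against many usernames is itself the detection signal for the enumeration attempt described above.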
And this one is a Medeco Biaxial. This uses cuts that are at a certain angle, and the pins need to be positioned in the correct position, correct height, but also they have a slit. The pins can turn because the head is cut at an angle. It turns when the key is inserted because the cuts on the key are also at a certain angle, and then the lock can open. Now for all these kinds of mechanisms, we can do kind of a sequential attack. Normally, if you apply a turning force, then one of those two systems will be first to block, and you can lockpick those. I won't go into the details of how you do lockpicking, but normally with lockpicking you have to push the five or six pins to the correct depth and then it opens. With these locks, it's not that you have to go back and forth between all of the pins, the five here and the five there. No, you can do these five first and then the five on the side, or maybe it's those five first and then the five over here. So it's only as difficult as doing two five-pin locks one after another.

A little bit about security testing and certification. If you buy or build software, you can have an experience security because you don't look at the security. Maybe you can use automated security scanners. For mobility scanners, you can use certification. Certification is used a lot in locks as well. And here's an interesting story. This is a lock from DOM, a German manufacturer. This is a DOM RN lock. This is a picture from their German catalog page. This is actually the German RN lock. And they also sell this lock in the Netherlands. And there it's called the RN2, and it has a certification. Here's the picture. And you see here it has SKG two-star certification. So that says something about how well this lock will protect you against forced attacks. Now, the funny story is that they had the original lock and they tried to certify it in the Netherlands and they didn't get the two-star certification.
Those certifications mean that the lock will withstand certain attacks for a certain amount of time. So one star is two minutes, two stars is three minutes, and three stars is five minutes. So yeah, that's pretty short, but that's enough to keep a burglar from trying to get into your house. So this was just a few seconds short for the three-minute certification. So if you look closely, and I will show you the other lock, do you see the difference in the lock? Sorry? The stars. Yeah, the stars. So the certification is on there, but there's something else that's different. Sorry? Yeah. Here we see a little ball bearing. So apparently the story is that the guys from DOM Germany and the Netherlands were sitting in the bar and they were thinking, how do we get the few extra seconds that we need for this certification? If we can do that in a cheap and easy way, that would be really, really nice. One of the things that the certification authority tries when it gives you the certification is to try to drill here through the lock, because if you drill there, it will destroy all the pins inside and also opens up the shear line, allowing you to open the lock. So if you can drill, and it's quite hard because it's all hardened steel stuff, you need a good drill, and then maybe within three minutes you can open it. And what they did is they said, well, ball bearings are really hard to drill through and they're really cheap. And the only thing we need to do is drill a tiny hole and then push in a ball bearing. It will stay put. And then if you try to drill it, you can't drill through that ball bearing. And this actually gave them the seconds they needed to get the two-star certification. So I think the certification is really, really useful. But, again, you have to realize that a certification only tests for a certain number of specific ways of entering. But it's the same for IT security, of course.
If you're in the banking world and you need to do a PCI DSS certification, that only tests for a specific set of problems.

What's also interesting is that the tooling to do attacks gets better and better. In the IT world, do not read everything that's on the slide, you aren't able to anyway. But it says here that the knowledge that you need to do an IT-related attack is declining, and the power of tools is steadily increasing. So maybe in the 1990s, you needed to be a true whiz kid to be able to do an attack. And now you just download the attack tool, press enter, and it will attack. So that's something that we see in the IT industry. But it's something that's also happening now in the locking industry. And especially with 3D printing, this becomes really interesting. So there are ways of protecting your keys against the 3D printing attacks. But 3D printing, of course, is also getting better. And here you see a lock with really intricate little dimples in them. And actually people have been able to make a 3D model, print it, and it actually works. And you can do some stuff with movable elements. So this lock has a little metal disk that goes up and down. And you are even able to then put that into the 3D printed key and have a working key. So this is something that wasn't possible a few years ago and is now starting to become possible. There's also the possibility of using molten metal to make a mold of a key and make a duplicate like that. That also is only possible if there is no movable element in the key. So that's something that many lock manufacturers are going to. Mul-T-Lock has a movable element, the round disk. This DOM lock has a sort of donut that can move inside of the key. And that actually needs to be in the key for it to operate. So that's hard to copy on a 3D printer. And nowadays you can go to the supermarket and you have boxes where you put in your key in different positions. It will make a picture of it and then it will make a copy for you.
And there's even an app. You can make a picture, and it advertises: you can now even share your keys with your friends via SMS. So you make a picture, you send it to your friend, and they can use that information to make a copy of your key.

In the end, you get what you pay for. It's the same with software. If you don't have any requirements for security, it's probably not built in. And the problem is that with security, if it's missing, you don't see that it is missing. If you have somebody build a CMS for you and it's totally insecure, you cannot immediately tell it is insecure. And we can't all be security experts. It's the same with locks. With locks it's a little bit easier. Sometimes you can see quite a lot by just looking at a lock, how secure it is, but how well does that work? I have five locks here, randomly chosen. And these locks were all in the competition that we have. We have a competition at TOOOL, where we have a box of locks, and the box travels to all the TOOOL meetings and people can try and open the locks with lock picking tools. And if you have opened the lock, maybe after three hours of hard work, then you start to know how the lock works and you know a little bit how the pins are, what tools you need to use, and then you can try to set a new, better time on the lock. And you can keep on repeating that. So in the end, you have really fast times on opening these locks. So these are not the times. If you would give me a lock, I wouldn't be able to open it in five seconds, but maybe after I've been playing around with it for an evening, then I know exactly how to open it in five seconds. I don't know if you have any idea what is the most secure lock, or not the most secure lock, which lock will take the longest to open using standard lock picking tools? Maybe a show of hands. Who thinks this one is the hardest? It takes the most time. No one? This one? Yeah, one? This one? A few? That one? Quite a few. That one? Okay, so these are maybe the winners.
The Mauer NW4 and the ICO, those are dimple locks. Now let's take a look at the times. That was pretty good. This Mauer took almost five minutes. The fastest time. This one was four minutes, 40 seconds, 43 seconds, two seconds. So, and I'm not saying this is a really bad lock or something. It might be that maybe the configuration in this lock made it really easy, or maybe, I don't know, Lips makes really good locks. They all make good locks. But my point is that by just looking at the lock, you cannot see, be sure, how secure it is. So that's quite hard, as it is with IT systems.

Awareness is always a problem. This is funny. This was at DEF CON or something, a hacker conference, where they had this thing with wires sticking out, USB wires, and it said you can charge your mobile phone for free here. But of course it's not just power, it's USB. It will just take all the data off your telephone. So you need to be aware. And if you're even not aware when you're at a hacker conference, same here. This was also at a hacker conference. There was an ATM machine standing inside of the casino where the conference was held. It's unclear how it got there. It has no skimming devices. But of course if you use it, your card details will be sent to the criminal. It's a bit the same with locks. The people buying locks need to have a little awareness about how secure they are. So if you're not aware and use a tie wrap, that's a problem. Also maybe not everybody is aware that dimple locks look very hard to open, but there are techniques like foil impressioning, which I unfortunately don't have the time to completely explain here. But there are techniques that work really well on dimple locks. So they also have their problems and they might be easy to open. And this is really cool. These are locks I bought at the local dollar shop, and I brought a few with me. Those are €1.50 each. And there are apparently actually people who buy these locks.
And they are so bad that if I take out the key one notch, it still opens the lock. And in fact, I have two. So if I... The key does not work in the other lock, but if I take it out one notch and wiggle it a little bit, not this one, but maybe in this lock, it doesn't work, take it out one notch. Oh, demo effect. Oh, I have to take it out two notches. Anyway, so it's out two notches and it operates this lock. This is incredible. So we need awareness for people to understand that they should not buy a lock for €1.50 and expect the lock to be secure.

Now I only have a few minutes left, so I'll wrap up. So what you need is a holistic view. You are also depending on the environment, it's not just the lock. The lock is in a door, and there are other ways to maybe get in, circumventing the system around your lock. You are as secure as the weakest link. So I haven't been talking about techniques like these. I talked a little bit about that yesterday, in my yesterday's talk. But if you are designing a lock, or if you are designing a system in which you need a lock, then it might be very wise to do some threat modeling, to start thinking about what are the threats that I have, what kind of measures I need to take to protect against those threats, and then you can select the right tools, the right lock for your environment. And that's all I have time for. But we have some time for Q&A, I think. Thank you.