My name is John Lille Marcus, and what I want to talk about is threat modeling mechanical and locking systems by analyzing puzzles. So what I want to talk about is security awareness, but a different type, because whenever there's security awareness, we see billboards like these. It says already this year, 19 burglaries, and please prevent burglaries, if you see something call us, et cetera. But for me, that's not really the point. Like, you can give a lot of advice, like keep your lights on or don't leave your valuables lying around, but there's more to it. Let's go into it.

So first off, can we prevent burglaries? I would say no, but we can make it a lot harder. Then there's a lot of arguments about bricks and lions. The one is, why should I buy good locks if someone can break a window with a rock? That's totally fair. As for lions, people always say, I don't need to outrun a lion, I just need to outrun the persons with me. I think that's fair, but it's still not very nice. So I'm going to try a different way.

So first, why puzzles? First, they are fun. I have a few here, I have a few at the Lockpicking Village. And examples are, there are plenty of them. I have a small collection. I do a lot of very hard Sudokus with the guys from Cracking the Cryptic, where I solve those puzzles often. But the foremost reason is that nobody cares. So whenever I talk about security topics, then it's always people have opinions about it. And when I talk about puzzles, then nobody cares. That's very nice.

So one thing about TOOOL: we exist, there's The Open Organisation Of Lockpickers. It exists here in the Netherlands, it exists in the United States, United Kingdom and Australia. Here in the Netherlands we have weekly lock picking sessions. And if you want to learn more about the topics I'm sharing here, then please consider visiting us at our Lockpicking Village. It's just right next door on this field. So let's go into threat modeling.
This is a simplified version. It will just take a lot longer, but it will get you started. So before we start to threat model, we want to find what is an asset, what's an attacker, what are vulnerabilities. Let's just be clear on the definitions, or at least the definitions I will be using during this presentation. Because if we use different definitions, if I say threat and you think of a vulnerability or risk, then we're thinking about different things and it's going to be confusing.

So for the asset, that's the thing of value. This is either valuable to the defender or valuable to the attacker, because if the asset is not valuable to the attacker, then of course your system will not be typed. And this can be anything from information or money, but I've also seen on this camp data being locked up. I've seen toilet paper being locked up. Just whatever is your system.

For the threat or for the attacker, I would define it as an entity that is skilled enough to gain access to the assets. The attacker needs motivation, opportunity, and a method. And if it lacks one of them, then you don't have an attacker for your system. I define it as skilled enough, because also if the attacker is not skilled enough, then again, for your system, you don't have an attacker. It's not necessarily intent, but the achieving.

For the vulnerability, we define it as an unintentional flaw in a system that leads to a compromise of an asset. And these vulnerabilities can be exploited by an attacker.

Let's take a look at a few case studies. Here I have a box of wood. It works like a mechanical combination lock. So in this case, it has sliders. It's a puzzle. And if you move the sliders past these notches, then the lock will open. The box will open. And for this, because it's a puzzle, it's intended to be carefully handled. It's created to not use damage. However, for this model, I found that someone else was before me. And they just ripped the pieces apart.
That's a different model. And what I found for this particular box, it has a congratulations message. And it also assumes that you didn't use a saw. Did brute forcing, did damaging fit its model? I don't really know.

The second one is this puzzle. It's a deal-all ring. It's a hidden maze puzzle. And there are several types of them. They started around the 1990s. And this should have become the best thing ever after Rubik's Cube, but it never became that big. And the goal is to remove the ring from the puzzle. And it's quite a fun puzzle. This is the orange version. And as we see on the box, we have the instructions. And we also have different levels. So there is the easy yellow up till the terrible black. Because I only had the orange one, I assumed the black one would definitely be a lot harder. But a few people in the know told me, no, it's just all psychological warfare to some extent. So that's nice. But at the moment, I don't have access to any of the other ones. I can only find the yellow and the orange ones for sale. So if anyone has the green, blue, red, and black, I'd like to be an attacker. I'd like to have the opportunity to defeat them as well.

So I mentioned for this puzzle the intended solution or the intended way of manipulating them. But we can list the possible attacks. And here's just a very short list. And I separated them into solving the maze in different ways: using brute force, or just trying out all the combinations, building a robot, just like we manipulate safes at some point. But we can also learn the maze some other way. Maybe someone else already published this on the internet. Or I can just find someone that knows the answer. Or I can use more advanced techniques, like getting an echo or an x-ray made. These seem quite far-fetched, like an x-ray. Why would you solve a puzzle like an x-ray? Well, that all depends on the asset. Is the asset valuable enough for the attacker?
And so I like to list them and then cross them off if they're not applicable to my threat model. But we can also bypass the save by just filing away the knob or just using a lot of force and just pulling the maze free. That's all something to consider. Just for fun, I tried it this way. So I taped a piece of paper around the cylinder, built a contraption, and just solved the maze. And it drew out the maze very nicely. And I solved the puzzle in the end. So I did solve it a few times beforehand, but now I have the real maze as it is inside.

So let's talk about locks for now. Because puzzles are interesting, locks are more interesting. For me, locks are puzzles. For TOOOL, locks are puzzles. And the question always arises, can any lock be picked? And is lock picking realistic? I think it's an interesting question. And I think if you buy tens of a lock, if you take them apart, if you study the same lock for tens of hours, hundreds of hours, thousands of hours, then put the lock back together very carefully and start manipulating it, it might be possible that you open this one particular lock. But for me, because it's a puzzle, that's for me the form of realism. That's not the same as if this lock was on the door or being used.

For this, I used the threat model of a lock picker. And what it wants, it wants to open a padlock, open a shackle, call it open. But more precise, it wants to rotate the cylinder without using the key. And what a lock picker has, or at least in this model, the lock picker has lock picks and infinite time and infinite patience. So if this is a type of attacker you want to keep out, then maybe you need to do other things. You need to consider this.

Another thing the lock picker has is these rules, ethics. So only pick your own locks and only pick locks that are not in use. The CTF people, they have a nice idea about this. They made a contraption of 3D printed plastic, and it has a slidey bit, which has the CTF flag.
So you can prove that you've picked it. At that moment, the asset becomes the CTF flag. But then the lock is in use, so are we allowed to pick it?

So for the lock, we have here a basic euro cylinder, just no name, no brand, nothing special. And in here, there are a bunch of pin stacks. Just to go over it quite briefly, we can use the key to set all the pins to the red line. We call this a shear line, and this allows the lock to rotate. But the wrong key will not allow the lock to rotate. We can also use lock picks like these and go through the lock, pin by pin, find the binding pin, get feedback this way, and open the lock. That, of course, takes a lot of practice and also a lot of time, but it is a nice challenge.

What's even more of a challenge is when locks started having these security pins. They're different shapes, different feedback, different puzzle. There are a few more of them. For some lock pickers, they think normal locks are boring, so they start creating their own. And we call them challenge locks. So here are a few pins. The first two from the left are normal pins, and the other ones are created by lock pickers themselves. This one, in particular, is from a community-built lock. It has 10 pins and two sides. What was very funny about this one is they glued the two sides together. So you have to pick the front side and the back side all together to open the lock. So definitely a challenge.

And then there are people that create unpickable locks, or at least they claim them to be unpickable. This is a handy book that's a friend in the UK. He created this particular lock. He uses unpickable with an asterisk, an asterisk as in not picked yet. He has a patent on this particular design. From the front, it doesn't look too bad. But if you take the lock apart, we see that it consists of quite clever mechanisms already. We have an inner core. We have the housing, and we have an outer core.
And what he bases his lock on, and what he bases his patent on, is a probability game. Like, he used a lot of master wafers, as we see here. And all these small wafers create a lot of different shear lines for the first core. But the second core can only rotate if both of the shear lines are met with the one thicker pin. So the probability of hitting the second shear line is much lower. And it also deprives us of our usual feedback. So that's definitely a fun puzzle.

The next one I have here: I bought at some point a few racks of safe deposit boxes. I used them to store my locks. And I removed all the cylinders, because I didn't really care to lock them up. But these safe deposit boxes, you can usually rent them at a bank, where they are in a basement, in a vault, and you can rent just one locker. It's not that expensive, and it's insured to quite a bit. I found myself, and I use it to store backups, and a few documents that I don't want to lose. But to each their own. It's insured to such a high value that you could also put your valuables in there.

But in particular, I want to talk about this lock. This is the Rosengrens safe deposit box lock. It's quite an interesting lock. It's a form of a disc detainer, but the discs are quite big. And this is quite difficult to manipulate. And they did so intentionally. They made the keys hard to duplicate. They made false notches in the discs. And that's all to prevent someone from getting access to the assets without damaging the lock. So here we have the key interacting with the discs. So of this lock, we have eight elements of six different shapes. And this is more than a million different combinations. You cannot get the blanks. Of course, the most determined attacker can make these. But the assumption is, if we just have two keys, these keys only belong to the owner or the renter of the lock, of the box. Then if the lock is intact, then no one has accessed the valuables.
And I believe this is more of an insurance thing, but also, of course, how you build your threat model. But what I found surprising about this lock is, even though it has so many features to make lock picking hard, to make key duplication hard, it isn't drill resistant. The core is made of a very soft metal. This isn't a flaw. This isn't a vulnerability, only if you don't know about it. Because this is a design choice they made for their lock. So it is very hard to manipulate, but easy to destroy in case they need to destroy it.

Let's now go from lock picking and the infinite patience to a simplified model of a burglar. What a burglar wants: access to the items that you have locked up. And some burglars might have fast entry tools and methods, including bricks, including hammers, including axes. You name it, but it has very little time, just under two minutes.

Again, when we have this same cylinder, there is a very well-known flaw. In this cylinder, it's mounted with a screw hole, and this is also a pivot. So there's very little material there to hold the lock together. And this is such a common issue that the better brand locks, the better certified locks, will have hardened bridges or anti-snap features. So this is a lock from the UK, where it has at both sides anti-snap features, or pro-snap features, because they will snap before the cylinder snaps in two. I like this design, and it works quite well. Because at least you need two attack methods to gain entry to open this lock.

Even more pronounced are locks like these, also from the UK, where it has two snap features at both sides of the lock, so both internal and external. That's not too common. And also, when you snap the second feature, it has a relocker. So you can never open it from the outside if the part has been snapped, or so is the idea. And then the middle bit is a hardened bridge. It's a very tough metal, and it's very difficult to get into this. And all these features are required by the standards.
They have the British standards up to three star, and they also have the Sold Secure. And this one is rated Sold Secure Diamond grade. That's the highest of the high. And circled here in orange is also some protection against non-destructive attempts. And these are trap pins. So if you pick the lock and it rotates 20 or 30 degrees, these trap pins will fall into the lock. And it is very difficult to get out of them. It's certainly not impossible, but I've been practicing with one of these locks, and it took me the better part of a week to get past these trap pins. So in all normal circumstances, where you say your burglar only has two minutes, this will be plenty.

Let's now go for some other security advice. Again, you cannot prevent burglaries, but you can make it a lot harder to get in. Your threat model is not my threat model, and I stole this picture with an elephant in your kitchen. I don't know how to protect against elephants, but it would be quite a beefy lock to do that. What you should do is consider the whole system and then protect your assets accordingly.

One piece of advice we usually give is key control. So who has your keys? This particular picture is one I put on Twitter a very long time ago, and also on the tag. You can read that it's from a CTF. So if someone fancies, please make me a key. Find me somewhere later, and then we will test it. I don't have the locks with me on site, but we'll arrange something. So if we have a picture, then a determined attacker with enough skill, enough knowledge, can duplicate a key. This is what we usually call key control. And lock manufacturers have noticed this for a very long time, and usually you're not able to find the blank keys to make a duplicate key without the authorization of the manufacturer. And here I have, in the background, this is a 3D printed key. It was quite a nice challenge. It took me hundreds of attempts before I got the FDM printer to work correctly to print these almost tens of micrometer steps.
But with an FDM, as less printer, it was first attempt. It worked flawlessly. So again, consider these things in your threat model.

Also consider existing security schemes. There are plenty of them. Just find the relevant ones for your country. One you should check is what your insurance wants. And then you can go much higher from there. One most common here in the Netherlands is SKG. And then three stars will give you five minutes with a selection of tools. The lock in the background is an M&C. That's a quite affordable lock. Maybe not this particular one. This is their latest model. That's the M&C Move. It has a movable element in the tip of the key. And it has some other interesting features that make it very difficult to duplicate this key without the authorization from them.

So to recap this presentation: for your system, you want to find your assets. So think of what is valuable. What are the things that you want to protect? Is it your data? Is it money? This can also be your feeling of safety. That's a difficult asset to protect. But it's definitely an asset.

Then you want to define your attacker. So is it someone? Is it an entity that has all the time in the world, all the resources in the world? Then it's going to be very difficult to protect your assets. But if it's my simplified model of a burglar, then that might be already a lot easier to protect against.

Then you want to find vulnerabilities in your system. So either just start listing all the ways to attack your system, all the ways to get to your assets, through an attack tree. But you can also just ask for help. And for nonprofits, is definitely able to help. But we don't do consultancy and no paid kicks in that sense.

And lastly, you want to implement enough defenses so it makes it impossible for this one attacker to get access to your assets. Or at least to delay them enough, et cetera, et cetera.

Wrapping up, there are two books you should consider. The Threat Modeling book is very nice.
And also, we have a book about locksports coming in the very near future. And that's written by Jos Weyers and Walter Belgers and a few other locksport friends. I do have time for questions now. But if there's any interest to you, please come and see us at the Lockpicking Village. That's next door. Thank you.

So there is actually some time for questions. If you have any questions, please line up at the microphones in the middle of the room. And while you do so, I already have a question. Do you have any special locks you use at home, or are they just normal ones?

They are definitely just commercial locks. But they are of a special type. For me, it's most important that if someone ever would get in, there is damage. I would definitely hate that: is someone in my house, or am I losing my mind? So I'd rather have them break my door than take my locks.

OK. So are there any questions from the audience? Don't be shy. He's still here. No. Then just thank you very much for the talk. And if someone has a question afterwards, you can always find him and ask that. Give a round of applause for the question. OK. Need a few seconds to come up with a question, of course.

That unpickable lock.

Yes.

If it were to be a commercial lock, how much do you think it would cost?

He has a patent. But just looking at what other people are selling, then it would be 150 pounds, something like that. But he is not commercially making them yet. He is just testing the waters with his patent. And hopefully it's just an inventor. And inventors like to invent things, but they don't have the capability to mass produce locks. So if anyone is interested, please find Andy.

OK. Then again, applause, please.