Invisible Access: Electronic Access Control, Audit Trails and "High Security"

Presented at DEF CON 17 (2009), Aug. 2, 2009, 11 a.m. (50 minutes)

This presentation will include a detailed review regarding the protection of high security facilities, including airports and aircraft, power transmission facilities, and data center rooms. The emphasis will be on liability and security issues that may result from an undue reliance on certain high security locking systems and the resulting Audit Logs that may not even exist. We will discuss a number of misconceptions and why these facilities may be at risk, even with some of the most sophisticated physical and electronic access control hardware and software. Specific problems inherent in conventional locking hardware will be the primary focus, together with an analysis of high security mechanical locks and electronic access control systems produced by many of the Assa Abloy companies. These technologies include the Cliq, Logic, and NexGen among others. The representations of certain manufacturers will be analyzed, and potential vulnerabilities in these high-tech systems will be explored, together with the liability that may flow to users if these systems are circumvented. Since the publication of OPEN IN THIRTY SECONDS, which details the compromise of Medeco high security locks (2008), intensive research has been on-going in the U.S. and Europe regarding the security of different electronic access control systems.


  • Marc Weber Tobias - Investigative Attorney and Security Specialist
    Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues. Marc has authored five police textbooks, including Locks, Safes, and Security, which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online. Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA), American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Tool mark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA).
  • Tobias Bluzmanis - Security Specialist
    Born in Caracas, Venezuela, Tobias Bluzmanis came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass and custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".
  • Matt Fiddler - Security Specialist
    Matt Fiddler is a certified and registered locksmith and Information Security Professional with over 16 years of experience. Currently he is the Director of International Information Protection for a large financial services organization. Mr. Fiddler's research into lock bypass techniques has resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 16 years enhancing his extensive expertise in the area of Unix and Network Engineering, Security Consulting, Computer Forensics and Intrusion Analysis.


