Presented at DEF CON 19 (2011)
Lock manufacturers continue to produce insecure designs in both mechanical and electro-mechanical locks. While these devices are designed to provide secure access control to commercial and government facilities, in fact many do not. Recent disclosures with regard to extremely popular push-button locks have led to an expanded investigation into their technology and security by our research team. As a consequence, it appears that mechanical locks, as well as electro-mechanical locks that are compliant with government standards, may be subject to several different forms of compromise, thereby placing commercial and government facilities at risk.
In this presentation, we will examine specific design parameters that are supposed to provide a high level of protection against covert entry for both commercial and government facilities, but do not.
It would be logical to assume that the electronics and physical hardware within physical access security devices would work together and present a high level of difficulty in circumventing the requirements of these standards. Our research has disclosed that such is not the case in certain devices. Our investigation with regard to a specific manufacturer of extremely popular hardware discloses a lack of understanding with regard to security engineering and an inability to produce hardware that is immune to different forms of attack. We document three serious occurrences of security engineering failures with regard to different product designs, all intended to provide a certain level of security for commercial and government facilities.
We will examine different designs, both mechanical and electronic, and why there is a basic failure in the most basic fundamentals of designing a secure device.
- Security Consultant
Born in Caracas, Venezuela, Tobias came to the United States in 1995 and was granted citizenship in 2000. He has been a professional locksmith for the past 20 years. Tobias is an expert in Covert Methods of Entry and has developed many unique forms of bypass, custom tools, including a decoder for Medeco locks, which was the impetus for the book "Open in Thirty Seconds".
Marc Weber Tobias
- Investigative Attorney and Security Specialist, Security.org
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He is the principal attorney for Investigative Law Offices, P.C. and as part of his practice represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. Marc and his associates also conduct technical fraud investigations and deal with related legal issues. Marc has authored five police textbooks, including Locks, Safes, and Security, which is recognized as a primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book (LSS+) is also available online.
Marc has written extensively about the security vulnerabilities of products and has appeared in numerous television and radio interviews and news reports as well as magazine articles during the past thirty years. He is a member of several professional organizations including the American Bar Association (ABA, American Society for Industrial Security (ASIS), Associated Locksmiths of America (ALOA), Association of Firearms and Tool mark Examiners (AFTE), American Polygraph Association (APA) and the American Police Polygraph Association (APPA).
- Security Consultant
Matt Fiddler is a certified and registered locksmith and Security Professional with over 19 years of experience. Mr. Fiddler's research into lock bypass techniques have resulted in many public and private disclosures of critical lock design flaws. Mr. Fiddler began his career as an Intelligence Analyst with the United States Marine Corps. Since joining the commercial sector in 1992, he has spent the last 19 years enhancing his extensive expertise in the areas of Covert Entry Tool Design, Physical Security Consulting, Computer Forensics and Intrusion Analysis.