Presented at DEF CON 21 (2013)
Aug. 3, 2013, 10 a.m.
Homeowners, apartment complexes, and businesses throughout the United States and Canada have purchased locks from one of the leading manufacturers in the country in the belief that they were secure. Advertising represents that they are the highest grade of residential security available, based on security ratings from different standards organizations. While the design of this lock effectively resists certain forms of covert and forced entry that are common with other mechanical cylinders, there are also what we perceive as serious design flaws that will allow these locks to be opened, bypassed, or decoded in seconds. Because this is one of the most popular locks in America, the consumer needs to understand the inherent security vulnerabilities in order to assess their risk.
In this presentation we analyze the design of this lock and earlier similar designs implemented by other manufacturers. The focus is on a failure of the design engineers to understand different methods of bypass and to protect against them, and why standards and what they purport to define may be misleading and misrepresent the real security of a product.
Consumers rely upon the representations of manufacturers and the security ratings of locks by Underwriters Laboratories and the Builders Hardware Manufacturers Association to assure them of the quality and resistance to attack of the locks they buy. We present evidence that millions of homeowners and businesses that have implemented these locks can be vulnerable to simple methods of entry of which they may not be aware.
This is a classic example of insecurity engineering in a very clever and unique mechanical lock. Unfortunately, the very unique mechanism also provides the basis for several incredibly simple attacks that can be performed with a minimum of time, tools and training.