Announcement

**xor** · May 30, 2009, 19:05

Re: Are any locks actually secure?

Originally posted by bascule View Post

Is there a relatively cheap solution that isn't pickable? How about something electronic that gets away from the whole mechanical properly-shaped-chunk-of-metal approach to a key?

Electronic token/key pad based locks would make use of 2 factor authentication which would be more secure. However an electronic lock would use some type of magnetic seal which would depend on electricity. If you had it set for fail locked then there mite be a problem getting out of your house during a fire, or power failure.

As with most things security I seriously doubt there will be one end all device. I think the best approach to physical security is multiple independent systems a good lock, alarm system and your choice of a home defense weapon. In all honesty most home security devices are what I call honest persons with bad impulse control deterrent devices.

xor

**bascule** · May 30, 2009, 19:08

Re: Are any locks actually secure?

One would hope an electrical lock could still be manually unlocked from the inside in case of fire, power failure, etc

I've heard of keypads where the ordering of the numbers is randomized so people can't simply look at where your fingerprints are. That would seem like the way to go.

**valanx** · May 30, 2009, 20:04

Re: Are any locks actually secure?

Originally posted by bascule View Post

I
I like having a sidebar but it really just feels like security by obscurity... it thwarts lockpickers or people with bump keys who have never encountered a sidebar before but obviously there are people who would have no problem picking my lock.

I don't know about security through obscurity, it is just a different design used in physical locks. Most people who have an interest can look at a lock and tell you the inner mechanics.

As for a end all be all of secure anything, we have the situation of someone designing a product and then other people work to break the product. You don't have to be a scientist by profession to challenge the idea that something is absolute, right?

Things that fail secure can be opened, just like anything else. The key there is how long it takes to open and how obvious is the person doing the opening going to have to be? I've had many locks and safes break on me, and I've had to get them torched open, drilled, or otherwise mutilated to get whatever was being locked away. The delay is the big thing. That is why physical locks go with other devices.

On the randomized keypads: Seen them around at a few places I've worked. Yeah, you can't do fingerprints... but people do take a little longer to peck out the numbers when they aren't in the same place all the time, so it is a bit easier to shoulder surf. There are plenty of other ways to review keypad codes than checking the wear and tear on a keypad though. The last place I was looking over had their keypad next to the front door (the whole front is nothing but windows). A high power lens would give me individual codes for whoever I wanted to frame in an incident.

If you are concerned about people getting at something you don't want them touching while you are around, go for bolt mechanisms.. like a bolt action rifle.

If you are worried about them getting something and you aren't around to stand in the way, consider risk first, then encasing the items in a few layers. I know it is what others say all the time, but the majority of people who want to steal something are not going to want to dick around with a bunch of stuff if they can go down the street and just walk in and out. Now if you have something that you know is high value or very key, that is the layered approach. And I mean fenced area with dogs around a house with cameras covering a solid door house with shatter film on the windows with interior locks to rooms that hold safes that are heavy, independently alarmed, and take hours to do anything with.

Or a few of those, depending on your desired protection.

**renderman** · May 31, 2009, 04:52

Re: Are any locks actually secure?

valanx makes the case, layered approach is best. A lock that takes 10 minutes to pick or bypass should have a guard coming by every 5 minutes.

Even electronic locks that seem to offer more security than a purely mechanical one just means there's new vectors for defeating them. Case in point is the Winkhaus Blue Chip lock (http://www.schneier.com/blog/archive...n_winkhau.html) that can be bypassed with a freaky strong magnet.

Another thing to consider is the size 9 boot factor; what is the lock being put into and does it have an weaknesses?

You also have to take into account your adversary. If it's national security secrets, that's one thing. If it's your front door you just need to take Matt Blaze and pretty much any pickers advice and get a lock that's better than your neighbors.

**Deviant Ollam** · May 31, 2009, 10:32

Re: Are any locks actually secure?

all parties here have made very very valid points thus far, and i'll hop in just to address one of bascule's particular...

I like having a sidebar but it really just feels like security by obscurity... it thwarts lockpickers or people with bump keys who have never encountered a sidebar before but obviously there are people who would have no problem picking my lock. Is there a relatively cheap solution that isn't pickable?

in truth, the best high security locks out there (in my view) are all sidebar-based, but what matters is the implementation of that mechanism.

for a long time, medeco has coasted on their name recognition and government contracts. they haven't revised their design or made any significant changes to their internal mechanisms for decades. (with the exception of minor, almost cosmetic, features like their "slider" bit and other items like that are just attempts to extend copyright)

this laziness has led to their "rotating pin" sidebar design receiving more and more focus and progress has been made by attackers.

is it possible indeed possible to have decent security in a simple mechanical lock at relatively* low cost. my basic rundown...

1. Abloy Protec - currently my favorite lock, especially if the disk set is packed very tightly. Mitch does that on all his locks and it all but eliminates the use of reach-around tools to do a decode attack. (that sort of attack is by no means a walk in the park even on a sloppily-packed Abloy. And from the factory, few locks are ever what i'd call "sloppy" or loose in the least.) The Protec has brilliant resistance to both picking and brute attack, no bumping possible, keys can only be made on specialized machines (with custom blanks possible from some dealers, like Mitch's "ruby" keyway)

2. Evva MCS - the best magnetic lock of which i am aware. in conjunction with pins and ball bearings that interact with the blade edges of the key, the MCS employs eight independent rotating mechanisms that align to the axial north/south magnetic zones down the key face. not mere "north on one side, south on the other side" style of magnets... this lock is wickedly involved. no ability to reach in and manipulate the rotors, no ability to bump. some newer versions employ plastic parts as opposed to all-metal, and when i have the money to buy a lot of MCS locks i'm going to try some heat attacks... seeing if i can fuck with the magnets' coercivity or just melt some of the parts to jam things up. but i'm not aware of an attack like that at the moment. one other major benefit... the MCS keys can only be produced in one part of their main factory in Vienna. thus, anyone can have your keys in their possession (legitimately or not) for any period of time and really can't make a duplicate.

3. Scorpion and Evva 3KS - two terrific locks with a sidebar that interacts with slider mechanisms. unlike the finger pins found in some locks, which interact with springs (and thus can sometimes be bumped or manipulated with ease) sliders are typically free-floating bits of metal that interact with long grooves running down the side of a key. non-bumpable for sure, and also an absolute fucking nightmare to try manipulating with tools.

4. Schlage Primus - possibly my favorite sidebar solution for "integration" into a larger system, the Primus uses a sidebar that interacts with very unique finger pins that both lift and turn, making the use of a bump key basically unfeasible. picking is also pretty awful, perhaps near impossible without serious background and maybe even specialized tools. what i like the most about the Primus is the fact that the system is backwards-compatible with the basic hardware store Schalge SC-1. So you could have a whole array of cheap locks on things like outdoor closets and the like, but then put Primus locks on your front and back door. Then, your main Primus key would also operate all the "lesser" locks but those locks could also use basic SC-1 keys (issued to a gardener or other party) that would not even insert into, let alone operate, the Primus locks on your doors.

* i say "relatively" because these locks are really designed for high-security applications, where the value of what's being protected justifies their pricing being right around the three-figure mark. most of those systems are about $100 for the full smash, closer to $70 or $75 for just the lock core if you're retro-fitting an existing deadbolt, etc.

the Protec is more, given that there are no easy drop-in solutions unless you're talking about key-in-knob systems.

the MCS also may cost a bit more than $100, but i can't currently find any pricing data on them easily. the market for Evva locks is small outside of Europe (but i do think i recall hearing that DT may have picked up an MCS in the past for some purpose... good choice, especially if you're paranoid about folk getting in somewhere without your knowledge!)

**xor** · May 31, 2009, 11:29

Re: Are any locks actually secure?

Originally posted by valanx View Post

If you are concerned about people getting at something you don't want them touching while you are around, go for bolt mechanisms.. like a bolt action rifle.

Open bolt preferred

xor

**sintax_error** · May 31, 2009, 12:48

Re: Are any locks actually secure?

Originally posted by renderman View Post

<snip snip> and get a lock that's better than your neighbors.

You don't need to outrun the bear, you just need to outrun the other guy the bear is after.

Originally posted by xor View Post

Open bolt preferred

I prefer the high speed rotary bolt myself, goes well with 17 pellets of 00 Buck

It all depends on the goods you're locking, and the environment in which it is being locked. Is a $400 deadbolt going to do shit for you installed on a $100 hollow wood door without a reinforced jamb? No. Would your neighbors do anything (confront, call the cops, etc.) if they saw someone snooping around, going around back? In the end, any security measures have or will have a discoverable weakness. Best physical security advice I can give; make it not worth the effort, e.g. a beefy lock, no easy access to windows or back yard/side of the house and a large dog, and as Renderman said, be the most secure in the area.

I think of it this way, burglary is a lot like wardriving. Chances are no one's going to target any specific house or place of business for burglary unless they have reason to (be it $20,000 worth of goods in plain view from the street, vendetta, etc.) So let's say your home AP is WPA2 with a hidden SSID, and the guy 2 houses down is rocking WEP with an SSID of "Linksys", who are they going to poke around first? Same concept applies to the house with the rottweiler in the yard vs. the on with the chihuahua, or the building with a guard vs the one with the CCTV cam.

**xor** · May 31, 2009, 13:17

Re: Are any locks actually secure?

While on the subject of physical security I don't see many people talk about alarm systems much. No alarm sport? With copper POTS lines on there way out(thank god, Philly approved & green lighted FiOS last month) most new alarm systems rely on internet or cellular monitoring and with all the benefits & problems that go along with that. With internet or cellular alarm system monitoring is information being sent in the clear? Are they using SSL, or VPN to communicate back and forth? Have you verified this on your systems? With the FiOS deployment apparently once you get FiOS your basic phone service never returns to copper even if you cancel FiOS. So what will become of all those copper wires? Could hackers make use of them? Could this be a new security issue? Have you checked all of the cables coming in and out of your facility for rogue signals? Above ground cable blight is already a problem will it become even worse?

xor

While this enters extremely paranoid/NSA territory are you monitoring power lines for rogue signals piggy backed on top. Think about the pervasiveness of copper wires inside any facility; their every where. A typical unused and improperly terminated telephone line has 50vdc on it enough to power most devices these days. Heck in a pinch I've piggy backed a POTS line on non-POE RJ45 Ethernet unused pins 7 & 8.

**renderman** · May 31, 2009, 15:50

Re: Are any locks actually secure?

I personally have a Scorpion CX5 on my house and I love it. Key controlled, so new blanks can only be cut by a dealer with proper paperwork, no home depot copies here. As well they were only about $30/cylinder which was much less than some of the other high security locks meaning it fit my budget.

Re: Alarm systems; one thing to keep in mind is that the back channel needs to be secured too. Those powerline network systems are particularly fun because many apartment buildings don't filter between apartments, meaning that if I plug in a unit into the wall somewhere else in the building, I can sniff your traffic. Hell, even traffic for the whole building.

Render

**valkyrie** · May 31, 2009, 15:58

Re: Are any locks actually secure?

Originally posted by renderman View Post

I personally have a Scorpion CX5 on my house and I love it. Key controlled, so new blanks can only be cut by a dealer with proper paperwork, no home depot copies here. As well they were only about $30/cylinder which was much less than some of the other high security locks meaning it fit my budget.

Re: Alarm systems; one thing to keep in mind is that the back channel needs to be secured too. Those powerline network systems are particularly fun because many apartment buildings don't filter between apartments, meaning that if I plug in a unit into the wall somewhere else in the building, I can sniff your traffic. Hell, even traffic for the whole building.

Render

wer
I want to pick your brain about this a bit more because I think I have also seen this in strip mall environments. The alarms were not filtered or compartmentalized, it was like they were chained, so if you could sniff the traffic on one, you could sniff the traffic on all. ????

Regards,

valkyrie
_________________________________
sapere aude

**bascule** · May 31, 2009, 16:38

Re: Are any locks actually secure?

Originally posted by renderman View Post

Those powerline network systems are particularly fun because many apartment buildings don't filter between apartments, meaning that if I plug in a unit into the wall somewhere else in the building, I can sniff your traffic. Hell, even traffic for the whole building.

If you're talking about power line ethernet, every one I've ever bought has supported encryption. The Linksys PLE200, for example, supports 128-bit AES.

**valanx** · May 31, 2009, 17:53

Re: Are any locks actually secure?

Originally posted by Deviant Ollam View Post

all parties here have made very very valid points thus far, and i'll hop in just to address one of bascule's particular...

2. Evva MCS -
no ability to reach in and manipulate the rotors,

*COUGH*

Originally posted by Deviant Ollam View Post

i'm going to try some heat attacks... seeing if i can fuck with the magnets' coercivity or just melt some of the parts to jam things up. but i'm not aware of an attack like that at the moment.

*COUGHCOUGH*

So, um, yeah.

I have most of the locks on that list, I like the Scorpion. Last I heard they aren't made any more, but it was a great and inexpensive lock. Inexpensive like Kwikset nearly and much better security. Of course, as I figure out cad, I may actually make a prototype of my lock design, currently in napkin sketch stage.

**HeadlessZeke** · June 4, 2009, 06:40

Re: Are any locks actually secure?

Originally posted by renderman View Post

Even electronic locks that seem to offer more security than a purely mechanical one just means there's new vectors for defeating them. Case in point is the Winkhaus Blue Chip lock (http://www.schneier.com/blog/archive...n_winkhau.html) that can be bypassed with a freaky strong magnet.

I sent in a 20 minute presentation on bypassing network-based electronic access systems called "Picking Electronic Locks Using TCP Sequence Prediction." Only one of many potential avenues of attack I've seen on these systems. If the presentation ever actually gets accepted, you guys are welcome to check it out and brainstorm some other ways of getting around the need for an ID card/fingerprint/keypad altogether.

But yeah, I completely agree that (as with everything else in the world of security) there is no silver bullet with building access.

**valanx** · June 4, 2009, 07:04

Re: Are any locks actually secure?

If it doesn't get accepted you may ask Deviant if you can talk about it in the Lockpicking Village. Last year we ran through several mini-talks and demos. Not sure the plan for this year though.

Announcement

Are any locks actually secure?

Are any locks actually secure?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment