Foreword by Ross Anderson, University of Cambridge
Most of the world’s serious assets, from computer rooms to art collections, are defended by pin tumbler locks, and Medeco has ruled this world supreme for a generation. So the Tobias attacks on the most modern Medeco offerings, which they describe in this book, came as a serious shock for security engineers.
It is a great honour to be asked to write this foreword, as the book is sure to be a milestone in the field. What is less clear is the future direction of travel for the industry.
As my own background lies more in cryptographic and systems security, there is some temptation to think that the attacks might signal a technology change — especially as they follow on widely-publicized and improved lock-bumping techniques that cast serious doubts on the low-cost end of the market. Has the metal lock now had its day? Will the future lie with cryptographic tokens and remote key-entry devices?
That is also far from clear. Electronic systems have vulnerabilities too, and although the first break can be harder to find, the eventual failure can be much more catastrophic. For example, the recent reverse-engineering of MIFARE has exposed millions of applications to low-cost forgery, starting with the Dutch public transit card but including many building access control systems.
I suspect that in the medium term, we will see a merger of the worlds of electronic locks and mechanical locks. I do not just mean that high-end products will combine both technologies – although this is already starting to happen. The important change, I believe, is that we will need to start thinking more in terms of systems.
First, the evaluation of mechanical locks has depended for many years on the reputation of the manufacturer plus some (often rather cursory) inspection by insurance bodies, as described in chapter 2. In the electronic domain, evaluation is much more open and combative: security researchers vie to find vulnerabilities in products, and a constant stream of vulnerability reports drives product upgrades and innovation. Locksmiths will have to get used to a much more open and fast-moving environment, in which vulnerabilities are reported publicly (as Medeco’s are in this book). Finding (or anticipating) vulnerabilities in complex systems is a collaborative effort of many people over time, and openness is vital.
Second, locks get much of their value from the role that they play in larger systems, rather than simply as components. The need to manage all the locks in a building has led to master keying, but (as this book hammers home) that brings with it complexity and other opportunities for error. Facility designers in the future may want some locks that can be integrated seamlessly into electronic control and surveillance systems; and if they are prudent they will want some other locks that are independent, to mitigate the risks of systemic and common-mode failures. Vendors may have to think more carefully about complexity and interaction, both of features and of failure modes, and not just within a single lock but in all their fielded products. Again, openness will be critical; security engineers need to know the vulnerabilities of the products they use as well as their strengths, so they can avoid untoward interactions.
Returning now to the Medeco locks that are the main subject of this book, I cannot help wondering whether their very complexity may have been their undoing. Electronic security professionals know that complexity is the enemy of security, and the marketers’ natural tendency to add features must be vigorously resisted by the security architect.
Features interact, and past a certain level of complexity it is just not possible for designers to anticipate them all. This may be new to lock designers, but it’s old hat to people who work with computers. The exchange of such ‘lore’ between different security communities is at least as important as the exchange of formal engineering data.
In short, now that the electronic and mechanical security communities are converging, our task is to combine the best of both — not just at the component level, but the best design and evaluation thinking at the level of systems. This is going to be a fascinating challenge.
Professor of Security Engineering
Cambridge University, England
June 2nd 2008
Foreword by Harry Sher, ALOA instructor and Master Locksmith
Harry Sher, CML, CPS is a Certified Master Locksmith, a Certified Professional Safe Technician and an ACE Certified Instructor. He has been a locksmith since the 1950’s. He is an active member of ALOA, SAVTA, IAIL and numerous local associations. Harry has been instructing Federal Officers since 1967. Most recently he was responsible for building a training facility for Federal Officers for the National Nuclear Security Administration. He has taught classes for many local and regional locksmith associations as well as ALOA. Harry is the 2007 recipient of the ALOA Continuing Education (ACE) Instructor of the Year award, which is presented annually by the ALOA Training Department.
I believe that a book foreword should be a road map that will guide readers through their virtual journey as opposed to extolling the virtues of the authors and the book.
For almost forty years the name Medeco has been synonymous with the standard of excellence in high security locks in the United States and Europe. The inventors, Roy Spain and Roy Oliver, essentially invented the locking mechanism that is relied upon to protect our most valuable assets and personnel. Their locks are employed at the White House, Pentagon, in Embassies, Federal Courthouses, countless federal office buildings, and in virtually every commercial sector in many countries. Their locks are even used to protect the royal family in London.
As a security professional, my experience in the world of high security predates the introduction of the first Medeco cylinder. I began teaching Federal officers in the 1960’s and today still teach covert entry techniques to law enforcement officers and other security professionals. In my opinion two factors are essential for the entry technician’s success. These two factors are technique and attitude.
Throughout this book the reader should note how the authors have used the principle of isolation to defeat these high security locks. Whether one is manipulating a mechanical safe combination lock, picking a simple five pin tumbler lock, or reading a wafer lock, the technique is the same. Limit the variables. You might be dealing with one number of the combination or one tumbler at a time as opposed to hundreds of thousands of possibilities. Don’t look at the enormity of the puzzle but at the individual pieces and how they relate to each other. You will note this technique as the authors attack each of the layers of security in a modern Medeco lock, one at a time (shear line, sidebar, and slider).
Perhaps more needs to be said of attitude than technique in this foreword because attitude will have a significantly greater impact on all readers of this work. It may be improbable to defeat a high security lock but it is not impossible. For example, it is possible to reach the conclusion that a given lock is bump-proof because it has not been successfully bumped open. This is extremely dangerous. It is my hypothesis that someday, somebody may discover how to do it.
Throughout the years, Medeco has been the primary target of covert entry teams worldwide because of their strategic placement at critical facilities. Many experts have tried to reliably compromise the patented and innovative Medeco rotating tumbler system, with only limited success. I believe that as you read through this book you will agree with me that the Tobias’s have succeeded and that my hypothesis has been proven. By keeping an open mind and isolating the individual pieces of the puzzle they have succeeded.
The danger lies in using such terms as pick-proof or bump-proof. None of us has a crystal ball and knows what the future may hold. It may be improbable that a given lock design is susceptible to a bump or pick attack but that does not mean that it is impossible. The recognition that the legs of the sidebar will allow the tumblers to move up and down but stop them from rotating suddenly changes the equation from impossible to “I know I can.” A positive attitude of “I think I can” will lead to “I know I can” and eventually to success.
This attitude that a lock is bump or pick-proof can also lead to a liability problem for the locksmith that sells and installs the lock, the security professional that recommends this solution as bump or pick-proof, and the end-user who mistakenly believes he is protected from this method of entry. Even if it is physically impossible to bump a lock it is very unwise to label a lock as bump-proof. A rotating disc Abloy lock design does not lend itself to bumping; however, to an untrained eye another attack might appear as bumping and lead to a pecuniary award. For example, a rapping attack on a Schlage F-Line using a key blank cannot be distinguished from a bump key attack by the untrained observer.
This open minded attitude is most important to the manufacturer. His attitude not only is reflected by those who recommend, sell and use his product but ultimately leads to an improved and more secure product.
When two colleagues, Marc Tobias and Tobias Bluzmanis, disclosed their research to me I began demonstrating this technique to students in my classes and have been doing so for a year before the publication of this book. Experts were skeptical. Two experts took apart a Medeco lock and replaced the sidebar as they were concerned that it had been altered. It had not and they were still successful in bumping the lock open. Another expert tried the technique on a Medeco lock that had been installed on a customer door. He was successful and I now use that lock in my class. A year of testing the Tobias Theory has led not to a conclusion of smoke and mirrors but unassailable technique. It is acceptable to be skeptical. You should be skeptical when someone tells you they can do something that you doubt that they can accomplish. The trick is to be just as skeptical when someone tells you that you cannot do something.
As you read this book I believe that you will concur that reliance solely on the physical security provided by a “High Security” lock for critical assets may be a grave mistake. A risk assessment may conclude that the expense of “defense in depth” utilizing alarm and camera systems, random roving patrols, security lighting, and other measures is justified.
Harry Sher, CML, CPS
Foreword by Barry Wels
This book will surely open up a big can of worms in the lock industry, one that I would imagine they would rather not have been opened. The authors have targeted some of the biggest, most powerful and influential high security lock manufacturers in the world. They publicly attack their products upon perceived security vulnerabilities. Nor do the authors mince any words with regard to those that certify these locks: the standards organizations that confirm these same locks as secure against forced and covert entry attacks.
In my view, the authors of this book may well cause shock waves in an industry as has never been done before; by carefully documenting and examining specific security issues in certain high security cylinders.
Marc Weber Tobias is one of the most well informed people in the area of locks on this planet. These are not just my words; the proof is in his book Locks, safes and security (in some circles referred to as ‘the lock-opening bible’). And he is continuously traveling the globe to keep his book updated with the latest innovations, technology, and opening techniques.
Over the years he developed a huge network and knows ‘everybody’ in the lock universe. From government agencies to lock manufacturers, many talk to him. If that were not enough, he is, in my view, a person that can analyze bypass techniques and combine them to create new and unique methods of attack, based upon his many years of experience. And that is precisely what this book is about: being creative and exploring new and uncharted territory.
Tobias Bluzmanis, his co-author, is responsible for many clever discoveries as well. Working as a locksmith, he developed a great analytical view about locks. He is also a highly skilled toolmaker, ace lock picker, and determined problem solver.
As a team, Marc Tobias and Tobias Bluzmanis had to solve many complex problems before reaching their ultimate goal: cracking the cylinders of America’s predominant high security lock manufacturer: Medeco.
As you will read in their detailed and precise book, they developed multiple bypass methods to virtually destroy the security of the famed Biaxial and latest generation, the m3. They demonstrate how to open these locks, sometimes in seconds, when their techniques are applied by even moderately skilled technicians. Again and again they invented different methods to bump, pick, decode, and bypass the multiple security layers that make Medeco the number one selling lock in the United States. Medeco is also sold in England and France and in many other countries, because their cylinders were believed to be one of the most secure and well-respected in the world.
While personally observing these different attack techniques, I sometimes asked myself: is it a fair contest against Medeco? I almost felt sorry for the company, being the subject of attack by such bypass specialists as Marc Tobias and ‘Toby’ Bluzmanis. But then I remembered that Medeco, like many other companies, advertise their products as safe, and offer their certifications by Underwriters Laboratories and others to prove it. So, in the end, the locks should be secure against attack by anyone, at least for a minimum certified period of time, and against many different forms of forced and covert entry. Medeco has been the target of thousands of professionals during the 40 years of their existence, so they pay the price for being the best. They are, as Marc Tobias wrote, the ultimate prize.
To Medeco’s credit, it is my fair belief that no mechanical lock on the market can withstand sophisticated attacks. What happened to Medeco could have happened (in my opinion) to any mechanical lock company. I would say that almost all mechanical locks have a vulnerability that will be realized sooner or later. Yet the discoveries of Marc Tobias and Tobias Bluzmanis are truly very clever, layered, and complex. I do not think many people on this planet could have put all of the unconnected pieces together in the way that Marc and Toby managed to do in order to crack these locks.
And now what?
When Marc and Toby were writing this book, I had long discussions about it with my good friend and colleague Han Fey. We tried to predict how and where this story would end, but never came to any real conclusion. The best we could do was to compare the information in this book to a stick of dynamite. A stick that could blow up in the authors’ hands, in mid-air, or in the lock manufacturer’s boardroom. Or maybe it will not blow up at all, and not much will happen. Only time will tell. It is my hope that this book will cause many lock manufacturers to re-evaluate their concepts of security and how their locks perform in the “real world” against determined attacks. If that occurs, then everybody wins.
But you have been warned: what you are about to read is pretty explosive!
I hope you will enjoy it, I know I did …
Barry Wels www.Toool.nl