Three noted "lock hackers" have discovered that a $200 biometric lock is powerless before the might of the simple paperclip.
Wired reports that the "gross insecurity" of high-tech locks has been exposed. Several different expensive, modern locks with advanced design concepts proved ineffective against the efforts of Marc Weber Tobias, Toby Bluzmanis, and Matt Fiddler, who have been exposing the poor security design of physical locks at DefCon for years.
The most egregious example appears to be the $200 Biolock Model 333. It provides a fingerprint reader as its main selling point, but also features a remote for locking and unlocking and a physical key in case the fingerprint reader fails to unlock the door for its user. The whole biometric selling point was trivially bypassed, however, by simply inserting a straightened paper clip into the keyhole. The sort of lockpicking practiced by locksmiths (and private investigators in the world of TV shows and movies) is not required; the whole process simply involves pushing the paperclip into the keyhole and turning the handle.
The Wired article offers a video of the technique, demonstrated by the security researchers presenting their findings at this year's DefCon. They describe the lock's vulnerability as a "perfect example of insecurity engineering".
Another example involves a Kwikset smartkey deadbolt system that can be trivially cracked with a screwdriver. Kwikset has stated that the lock has "passed the most stringent lock-picking standard." Marc Weber Tobias pointed out that adherence to standards is not enough when it comes to security. The very nature of many problems we face is defined by the unexpected and unpredictable. If we do not expect it and cannot predict it, we certainly cannot standardize it.
A small safe intended for residential use, a battery operated electronic lock operated by an RFID key, and an electro-mechanical lock that keeps an audit log — from AMSEC, KABA, and iLock respectively — were also found to suffer weaknesses in their security functionality.
In addition to the Biolock video, there are videos within the online Wired article showing demonstrations of weaknesses of the other locks and safe as well. All told, the article itself gives a quick and easy glimpse into the world of poor physical security design, and the videos provide a concrete demonstration of the techniques involved. More than a mere warning to avoid poorly designed security devices, these examples should serve as an object lesson in the dangers of uninformed, improperly tested, and inexpert security design.
Wired's article is definitely worth the price of admission.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.