The Ethics Of Opening And Reading Locks – News – 2020


In 2004, a video was broadcast online showing how a standard BIC pen can be used to unlock a U-shaped Kryptonite bike lock. The manufacturer recalled the locks, replaced recently acquired ones and changed the design of its new locks. Even though the problem had been exposed 12 years earlier in a British magazine that specializes in bicycles, Kryptonite was still selling these locks. Disgruntled customers filed a class-action lawsuit that reached a resolution one year later, in 2005. Kryptonite offered to have all the damaged or affected locks switched or to issue discount vouchers, and to compensate people whose bikes had been stolen because the locks had been picked. “If you don’t let the public know about the problems, companies will not fix them and consumers will buy lousy things,” according to Bruce Schneier, BT’s chief security technology officer.



Much has been written about the picking of virtual types of locks that protect confidential online data. However, picking regular locks is becoming more popular by the year. Enthusiasts have founded sports clubs and regularly hold contests. Researchers who specialize in security write books explaining how locks can be picked and opened, and give out important details on how to do it in their videos and blogs, as well as at conferences that debate the topic of security. Of course, lock manufacturers are not content. They claim that the disclosure of the vulnerabilities creates unnecessary panic and jeopardizes the security of the public by providing criminals with information that can be used to unlock safes, locks on doors and various other types of secured assets. However, just as the disclosure of software vulnerabilities from third-party companies pushes manufacturers to identify and quickly fix security vulnerabilities, lock manufacturers will discover that they cannot escape control and must take full accountability for their products, according to experts.

“Responsible disclosure is an excellent concept for brand new locks that are not yet on the market. But that won’t help you provided your lock is already used in millions of buildings. You won’t fix them all,” according to Marc Weber Tobias, the lawyer who wrote a book about how to open high-security Medeco-branded locks, titled Open in Thirty Seconds, and displayed a security warning for all tube locks, Kryptonite locks included.

Tobias will attend the Defcon hacker conference in Vegas to discuss the way the key control on Medeco M3 locks can be removed by producing counterfeit keys. The issue sheds light on the contradictory opinions of two distinct groups of people: hackers searching for a good challenge who like to disassemble items, and regular manufacturers of hardware items who only need certified locksmiths to test their systems.

As lock manufacturers and trade groups would agree, most non-locksmiths who pick locks are not aiming to improve security. Websites selling lock-opening tools are violating American federal laws, according to Tim McMullen, legislative expert at Associated Locksmiths of America.

Ralph Vasami, general manager of the Builders Hardware Manufacturers Association, states the following: “We think the act of opening locks is obviously a tort, even if it’s a form of sports. We don’t like to see any of it, even if it’s just for fun.” The industry does not need outsiders to point out defects in products because a system that creates fresh standards for lock manufacturers already exists. “As more advanced technologies became available, they encouraged the innovation of products and the development of new standards,” said Vasami. “I think we’re a pretty flexible company.” Nonetheless, these standards are voluntary, and these new vulnerabilities may not fit existing procedures. For example, Tobias said that when he told the group responsible for developing standards that a bolt could be picked using a screwdriver, it was argued that this procedure was not part of any of the standards. “The standards don’t protect people,” he later stated.

As opposed to software, where you can rapidly download a patch or a fix, locks need to be changed if they are considered vulnerable to security risks. This infrastructure problem is more the responsibility of security vulnerability researchers who must not disclose the issues to the general public, according to Clyde Roberson, technical director of Medeco Security Locks. “We are responsible for making changes when the technology changes,” he said. “Everyone has a responsibility not to reveal things that could cause problems to people and that individuals don’t have the power to change.” When asked how an organization would know when the locks in use were vulnerable if unrelated researchers reported issues, Clyde said organizations should use third-party agencies such as Underwriters Laboratories. “Can it be considered a real vulnerability if people don’t know about it?” he asked rhetorically. “I’m not certain you should worry about it unless people demonstrate it and show you how it is made.”

Keeping a Security Issue a Secret

However, the notion of “security through obscurity” erroneously assumes that keeping a security issue secret protects those who rely on the security system. “The guess is that criminals are not aware of,” said Schneier of BT. “Criminals know how to crack locks … secrecy only hides the truth from the consumer.” “The goal is to improve security. As soon as it is no longer necessary to investigate, the bad guys win,” said Schneier. “(The) lock picking (industry) doesn’t understand that because they’re basically still a guild – an area with secret knowledge, while computer security is always based on open knowledge,” he added. “There are uncertainties discovered by computer locksmiths that have been around for hundreds of years.”

Lock manufacturers are not the only hardware manufacturers to deal with this problem. Machine tool manufacturer Sequoia threatened a security researcher who was planning a machine analysis. And more recently, Philips Semiconductor has sued the spin-off of NXP to prevent a Dutch university from posting security vulnerabilities in its Mifare Classic wireless smart card chip, which is used worldwide in traffic and building access systems. Earlier this month, a judge ruled that blocking the publication would violate researchers’ freedom of expression and hinder research in vital areas. “The bottom line is that the public needs to know,” said Tobias. “Let them do their security assessments based on how secure the locks are.”

Misrepresenting hardware as more secure than it is turns into a liability problem for manufacturers and for companies that use the security system to protect their customers’ assets. Siemens has to replace 300,000 cards that use the Mifare Classic chip due to the revealed security breaches, said Schneier.

