
CLIQ and other "unpickable" locks pwned at DefCon

Cory Doctorow at 10:10 pm Sun, Aug 2, 2009


Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

Lockpicking legends Marc Weber Tobias, Toby Bluzmanis and Matt Fiddler demo'ed a series of ingenious hacks for opening "unpickable" locks at Defcon last weekend. Included is a hack that opens the expensive electronic/mechanical CLIQ lock (which requires an electronic handshake between the key and the lock, and which logs every open/shut event) by simply vibrating the key:
Bluzmanis demonstrated an attack by taking an Interactive CLIQ electro-mechanical lock made by Mul-T-Lock and inserting a mechanical-only key cut to the same keyway. After inserting the key, he does something to vibrate the key for a few seconds until the mechanical motor in the cylinder turns and lifts the locking element to release the lock. He asked Threat Level not to disclose the precise method, other than to say it involves no special tool or skill.

"There's no audit trail that the lock has been opened," Tobias says, "because there are no electronics [involved]." If the attacker entered the room to steal documents or sabotage the facility, the last person who entered before him and who showed up in the audit log, would presumably get the blame if the thief wasn't caught on surveillance camera or the video surveillance was also sabotaged.

Electronic High-Security Locks Easily Defeated at DefCon
Previously:
  • Boing Boing: Opening a pricey bike lock with a plastic ball point pen
  • HOWTO force a padlock with a tin-can shim - Boing Boing
  • Homebrew "lockpick" slides under door and turns handle - Boing Boing
  • HOWTO convert an Oral B flosser into a vibrating lockpick - Boing ...
  • Videos of how to open things - Boing Boing
  • Medeco "unpickable" locks picked and pwned - Boing Boing


  • bardfinn

    The electromechanical lockout mechanism on the lock merely prevents the cylinder from turning; it doesn’t mechanically lock out the pins from being set, and is in-and-of-itself similar to a pin – this attack vector is in fact “bumping” the lock pins and the lockout mechanism.

    I don’t know that it would be the motor itself being engaged, but I can imagine how the rotor of a motor could be enticed to turn (a ratcheting phenomenon from magnet/rotor coil bias) from vibrating the load applied to it.

  • Itsumishi

    As much as I agree that these locks need to be fixed and that customers should be made aware of the issues that arise from significant flaws, no company in their right mind would agree to replace or fix every product they’ve sold before even being made aware of how the hack is possible. These guys need to be somewhat reasonable before any of these companies will take them seriously.

  • Troglodyte

    Can someone explain to me WHY it’s possible to move the lock without electronic confirmation? It seems like to really make it solid, the electronic component would be a straight deadbolt that simply didn’t move until it got the right signal. The way it’s described, it’s not two separate systems– it’s one system that is subject to electronic restraint. I’m not an expert, but wouldn’t you want two completely independent systems rather than one convoluted mess?

  • Anonymous

    Maybe a better system would house the mechanical lock under a plate that would only retract after the electronic identification.

  • bjacques

    Holding the key against a (throwaway) mobile phone set on vibrate might do it. Or so I’ve heard.

  • harknell

    The seemingly common element of all of these attacks is that 99% of all locks use spring loaded tumblers in some form. As a result kinetic action will always work using some vector to deliver the shock that pushes them upward. I can only imagine that a lock based on magnetics or some other non-kinetic system would prevent these types of attacks, but then you have the undesirable possibility of electrical outages making places perma-locked, so this doesn’t work well for places where people may need to escape from in an emergency.

  • iguanoid

    I bet you could clamp down on the end of the key with your teeth and go “BZZZZZ” and get an acceptable vibration with some practice.