Originally published at: https://boingboing.net/2019/08/07/swimming-in-denial.html
…
So weird how everyone, bb included, tries to make ‘Secure’ into a binary box where either it is or isn’t. The message that it is a spectrum comes across but it is more dramatic to think of something taking a quantum leap from secure to insecure rather than the reality that it just moves around a bit on the spectrum.
A vulnerability was discovered. It was pointed out publicly by a security expert. It was addressed by the company in future versions of the lock.
The only thing not working as intended is owning up to Mike.
Keep up the thankless work Mr. Davis. We need more people forcing better product design in the world.
And one of the key aspects of security is that perfect, absolute security doesn’t exist. There’s always a vulnerability somewhere. There is only deterrent: whether an attacker is going to find it worth expending the effort to overcome your defenses.
[The company] also says that because they have never heard of anyone using Davis’s attack [by using a 5,000-$ oscilloscope] in the wild, no one should worry about it.
I find this logic very reassuring. /s
Thank you! This describes hardware installation failures for construction projects exactly.
I’m sure those “high security” locks are all vulnerable to a grinding disk also.
I don’t have a lock on my door because I just have to close it, and that’s excellent security. I mean no one has broken in yet, so that shows it’s perfectly good security in real world scenarios.
I think they are totally aware that this is a serious vulnerability for locks which are sold explicitly for extremely high security applications, where the protected asset might be worth a sophisticated attack. But they are terrified to admit it because of the high cost of having to do a recall or retro fit, or handle high profile customer anger. Customers of these locks have deep pockets.
By the third grinding disk, you’re bound to attract some attention.
Why a dial AND a keypad?. And the keypad is not shielded from view, which would seem to be a weakness.
My secret cookie recipe is vulnerable!
In fact safes are rated not by some nebulous “security” metric, but by time. What is the shortest amount of time it would take to extract the contents of the safe without completely destroying them. Longer times are more secure, and can be worked into a security plan. If it takes at least 30 minutes to open a safe or to steal it from a location, then you have a security guard check on it every 20 minutes.
Another thing to consider is your threat model. Who is it that is attempting to defeat your security. Some crack addicted home bugler with no formal training? Or a government sponsored Mission Impossible team? Joe crackhead isn’t going to acquire a $5k o-scope and learn how to use it to steal your DVD player to pawn. Your nuclear arsenal self-destruct codes might be a different story.
Basically, as a private citizen those locks, even with the em leakage flaw, were almost certainly overkill for your needs. The rest of your security will fail long before someone uses this attack against you.
Actually, I go the opposite direction. I assume it’s all BS, or “security theatre”, as they say. I once posted to a user of these here forums that there’s no such thing as a truly secure network, so forget about hoping for, and relying on, one. My comment was rebuffed. I asked for an example of a totally secure, non-hackable one, immune from exploitation.
Crickets.
“there have been no reported events in the field to suggest that current or prior year models have presented security issues in real-world environments.”
IOW “the users of our products has determined that a press release revealing that they have been broken into repeatedly would offer “poor returns on stockholder value”, and so they have decided to file those reports in triplicate into our new product, the Q9000 Shredder Incinerator with FlushMaster technology.”
It’s not like you’re likely to find a good quality oscilloscope in a high-security military installation. /s
that appears to be a a cencon, another style of Kaba lock
https://www.dormakaba.com/us-en/solutions/products/safe-locks/cencon/cencon-atm-293196
The dial is used to “energize” the lock, as batteries might fail/. Certainly consumer grade locks could use an emergency key, but this keyway would compromise the security of the lock. If your security scheme relies on auditing, an emergency key would potentially defeat that, as the use of this physical key could not be logged by a lock with no power.
But… The X10 lock does not have a keypad. Instead, the dial is used to enter the combination (in addition to powering the lock). Note that this style of lock was originally designed to defeat radiological attacks.
These are quite expensive-- $1,200 for the lock? One should expect a certain level of technical competence at those prices.
The slightly irritating thing about the X-10s is that there is no fixed correlation between the number and the position of the dial. Which is more secure, it is more difficult to narrow down the numbers by observing the lock from a distance. But that means that it is easier to pass your number. Of course unlike the physical tumbler locks, you can keep going around and hit your number the second time around.
This exactly, and it’s why I have reasonable security measures on my laptop, but don’t go nuts about it.
If a kid on a bicycle swipes it, he’ll get a laptop that he or whomever he sells it to can use after formatting the drive. If the NSA or the Mossad wants to crack it, I’ve already got problems that are a world bigger than whatever they are going to find.
“…president … Eric Elkins, said that Davis should not present his findings in public. […] Despite having had a year since Davis made his disclosures to Elkins’s parent company, Elkins said he was not familiar with Davis’s attack.”
Don’t you just hate being lied to?