Title: Full Public Disclosure of Obsolete Access Control Systems
1Full Public Disclosure of Obsolete Access Control
Systems
2Obsolescence in Physical Security
The pin tumbler lock The tubular lock Master
key systems Double wafer locks Proprietary
keyways
3The goal is to get to the shear line.
4Lock picks and bump keys are cheap and easy to
make.
Spring steel Hacksaw blades Plastic cards Paper
clips
Almost any existing key can be made into a bump
key.
5Schlage F Series Bypass Methods
Lock picking and bumping arent necessary.
Weiser Shim Picks
6A modified pick can also be used.
The Shim technique
7Old Schlage F Series on the left.
New Schlage F Series on the right.
Schlage F Series Knob Puller
These tools will work on either version.
8Removing the retainer for the pins is also known
as Blowing the Stack or Peeling the Bible
Bible a.k.a. the retainer cover for the pins.
The improved Schlage F series.
Insert modified pick or tool into the first pin
chamber.
It can be made from a hacksaw blade or center
gauge .
9This configuration is very common for commercial
installations.
10What is the weakest link in this system?
They can all be used to gain access.
11Proximity cards can be copied and cloned.
12Obsolescence in Electronic Security
Fixed code transmitters Proximity cards Mag
Stripe cards Barium Ferrite cards Concealed
Barcode card
13Any reader can obtain data from a Proximity card.
An example setup
27 Volts
The Maxiprox by HID
The reader has an approximate 24 inch read range.
All codes are transmitted in ASCII.
14Alternatively, you can build your own.
Reader and transmitter instructions can be seen
here
http//cq.cx/prox.pl
15Codes are usually printed on the cards.
16Many high security locks can be picked or
bypassed.
17This design is no longer secure.
18The pen is mightier than the lock.
Photo courtesy of engadget.com
19Most tubular switch locks are using a default
key.
20Going Postal
Postal lock
21The Push to Exit circuit activates a relay.
22Typically, a switch or motion detector is used.
The switch is more secure.
23An Example of a Push to Exit Bypass
Ingredients for a bypass tool
Coat hanger
Tape
Paper
24Door magnets can be bypassed.
25Current disadvantages for Push to Exit and
mechanical bypass
No audit trail Sometimes on the same
circuit Most switch locks are not high
security Easily accessed by opening a panel
26Most access control systems can be accessed
remotely.
27Telephone Entry Systems
28All Access Control panels are using a default
key.
All of these can be found using any search engine.
29ANAC - Automatic Number Announcement
Circuit Typically a regional 3 digit telephone
number. It can also be a toll-free telephone
number.
Example The ANAC for Houston, Texas is 380.
The telephone number for the unit can be
determined by dialing an ANAC.
30Answering machines can also be exploited in this
process.
Most telephone entry systems open a relay by
pressing the 9 key.
31Insiders can also obtain the phone number to
the unit through Caller ID.
32The telephone number for the system can also be
obtained through wardialing.
Various open source and commercial tools are
available.
Toneloc THC-Scan 2.0 Iwar PAWS PhoneSweep
Example The AE-1 and AE-2 models made by Linear
connect at 9600 baud.
33Software for remote programming is abundant.
Examples For Windows HyperTerminal PuTTy AlphaC
om Symantecs Procomm Plus For
Linux Xterm GNOME Terminal
A full list of MS-DOS terminal emulators can be
had from http//www.eunet.bg/simtel.net/msdos/com
mprog.html
34The door itself can be the weak link.
35Some common problems are Exposed hinges Exposed
latches Large clearance between the bottom of the
door and the floor
Under the door tools are easy to make or obtain.
http//web.mit.edu/zacka/www/nlias.html
36Is Anti-Passback more secure?
Absolutely.
37Not the stuff of just movies anymore
Milan, Italy, 2008 Oscar Night Jewel Heist 20
million in jewelry Laguna Hills, California,
2006 - 500,000 in jewelry Antwerp, Belgium,
2003 - 100 million in diamonds Amsterdam 2005 -
102 million in diamonds East Coast Gate Cutting
Crew, 2003-2005 - 5 million in jewelry Florida
to New York, Dinner Time Burglars, 1969-1990 -
70 million Paramus, New Jersey, 2008 - 1
million in jewelry Baghdad, Iraq, 2007 - 282
million in cash
38(No Transcript)
39From Wired magazine
40How much of this information is secret?
None of it!
41Locks, Safes, and Security by Marc Weber Tobias
42(No Transcript)
43Physical Security Resources
Crypto.com Matt Blaze Security.org Marc
Weber Tobias Toool.nl The Open Organization of
Lockpickers The Locksport Community
http//www.lockpicking101.com The National
Locksmith The Locksmith Ledger Non-Destructive
Entry Magazine http//www.ndemag.com
44http//www.michaelleesecurity.com