Insecurity: An Analysis Of Current Commercial And Government Security Lock Designs presented at Defcon19 2011

by Marc Weber Tobias, Tobias Bluzmanis, Matt Fiddler

Summary: Lock manufacturers continue to produce insecure designs in both mechanical and electro-mechanical locks. While these devices are designed to provide secure access control to commercial and government facilities, in fact many do not. Recent disclosures with regard to extremely popular push-button locks have led to an expanded investigation into their technology and security by our research team. As a consequence, it appears that mechanical locks, as well as electro-mechanical locks that are compliant with government standards, may be subject to several different forms of compromise, thereby placing commercial and government facilities at risk.
In this presentation, we will examine specific design parameters that are supposed to provide a high level of protection against covert entry for both commercial and government facilities, but do not.
It would be logical to assume that the electronics and physical hardware within physical access security devices would work together and present a high level of difficulty in circumventing the requirements of these standards. Our research has disclosed that such is not the case in certain devices. Our investigation with regard to a specific manufacturer of extremely popular hardware discloses a lack of understanding with regard to security engineering and an inability to produce hardware that is immune to different forms of attack. We document three serious occurrences of security engineering failures with regard to different product designs, all intended to provide a certain level of security for commercial and government facilities.
We will examine different designs, both mechanical and electronic, and why they fail at the most basic fundamentals of designing a secure device.