$200 Biometric Lock Vs. Paperclip
August 4th, 2010
Via: Wired:
The lock that would seem to have thwarted them the most was actually one of the easiest to crack. The Biolock Model 333 is a sleek £126 ($200) lock that combines a mechanical cylinder and fingerprint reader.
The Biolock fingerprint reader illuminates a blue LED when a fingerprint is authenticated. If the reader fails, a key can be inserted in a key port hidden behind a flip door in the handle.
“It’s a very neatly designed container,” says Tobias. “But the problem with this lock design is so elementary, frankly it defies belief.”
The lock can be programmed with one or more “master” fingerprints, which can be used to authorise other users. To open the lock, a user touches the fingerprint pad, and a blue LED light illuminates to indicate the person is authorised, allowing the door handle to turn. The lock can also be unlocked with a remote control.
If the fingerprint reader fails, a mechanical key can be used instead. The key entry is concealed beneath a flip door on the lever handle. And therein lies the security problem, Tobias says.
A paperclip inserted in the Biolock’s key chamber (hidden behind a flip door) is used to push an internal pin and unlock the door, making the fingerprint reader superfluous.
The mechanical lock, which uses a bypass cylinder, can be easily thwarted with a paperclip inserted in the keyway to depress a pin that engages the latch. In two seconds, the researchers were able to open the lock.
“This is an absolute perfect example of insecurity engineering,” Tobias says.
This reminds me of when I’ve been asked to circumvent security. It’s always for legitimate reasons.
Once in high school during a fundraising event, someone wandered off with the cash box key. It was your average cash box that can be purchased at most retail stores. The locks are of a very poor design. It takes longer to bend the paperclips than it does to open the box. Basically, if all the pins are pushed up, the lock will open.
Years ago, I showed up for my first day at a new office. It was a company I worked at for years, but a different branch. The entire building used security locks. Those have an extra pin, and the latch is special so you can’t just slide a credit card in to open it. I was the first one there, and got bored after about 5 minutes of standing in the hall. This one was barely a challenge. All I had was my laptop bag, wallet, and a multi-tip screwdriver. I used the screwdriver and a credit card to move the first latch out of the way. Once I accomplished that, I used another card to pop the second part of the latch open. The first person showed up about a half hour later and asked how I got in. “Did they already give you a key?” I told her “Nope, but it would save me a little time, it took about 30 seconds to open the door.”
At another company, someone locked a room, where no one had the key, and it was again a security lock. Since it swung away from me, the door jamb blocked my ability to use the credit card trick. I had a lockpick set in the car (for just such occasions). It took me 3 minutes round trip to get from the office to my car and back, and about 15 seconds to rake the lock.
But locks are frequently the most difficult part to open. At another company, the COO was standing with us after hours, and we needed the backup tapes in the CEO’s office. The CEO was an hour away and didn’t want to come back. Again, this was an office building with security locks. The door opened away from me, and I didn’t have a lockpick set in the car. Someone else pointed out, “these are drop ceilings, and there probably isn’t a firewall between the CEO’s office and the lobby”. Sure enough, there wasn’t. He climbed up on a file cabinet, and was over in no time. He let us all in. The COO called the CEO and asked for the combination to the fire safe. He asked how we got in, and the COO told him, “you really don’t want to know.” 🙂
It’s like home security. You can spend all you want on the most expensive locks in the world, and someone will find an unlocked window, or simply smash a window and be in.
Smythe – yep, I heard that if there is a lock system with a master key, there is an algorithm to deduce the master key shape from any circulated key. This is folk knowledge among people who shave down Toyota keys to steal cars, but someone published it in Science a few years ago... but nobody has the money to change it all. Also, people often need to be able to break into their own building when they lose a key, or their fingerprint device short-circuits; it might be better to keep it that way.