Keep it secret, stupid!
Matt Blaze mab @ crypto.com
26 January 2003
Last year, I started wondering whether cryptologic
approaches might be useful for the analysis of things that don't use computers. Mechanical
locks seemed like a natural place to start, since they provided many of the metaphors we used
to
think about computer security in the first place.
So I read everything I could get my hands on about locks, which included most of the
available open literature and at least some of the "closed" literature of that field. Once I
understood the basics, I quickly discovered, or more accurately re-discovered, a simple and practical
rights
amplification (or privilege escalation) attack to which most master-keyed locks are
vulnerable. The attack uses access to a single lock and key to get the master
key to the entire system, and is very easy to perform. For details, see
http://www.crypto.com/masterkey.html
I wrote up the attack, in a paper aimed more at convincing computer scientists that locks are worth our
attention than anything else (I called it "Rights amplification in master-keyed mechanical
locks"). As I pointed out in the paper, surely I could not have been the first to discover
this -- locksmiths, criminals, and college students must have figured this out long ago. Indeed, several
colleagues mentioned that my paper reminded them of their college days. There is considerable evidence
that
similar methods for master key decoding have been discovered and rediscovered over the
years, used illicitly and passed along as folklore (several people have unearthed Internet postings dating
back as much as 15 years describing how to make master keys). Curious college students --
and professional burglars -- have long been able to get their hands on master
keys to the places that interest them.
But the method does not seem to appear in the literature of locks and security, and
certainly users of master keyed locks did not seem to know about this risk. I submitted the paper to a
journal and circulated it to colleagues in the security community. Eventually, the paper reached the
attention of a reporter at the New York Times, who wrote it up in a story on the front page of the
business
section last week.
The response surprised me. For a few days, my e-mail inbox was full of angry letters from locksmiths, the
majority of which made both them point that I'm a moron, because everyone knew about this already, as
well as the point that I'm irresponsible, because this method is much too dangerous to publish. A few
managed to also work in a third point, which is that the method couldn't possibly work because
obviously
I'm just some egghead who doesn't know anything about locks.
Those letters, with their self-canceling inconsistency, are easy enough to brush aside, but there seems to
be a more serious problem here, one that has led to a significant real-world vulnerability for lock users
but that is sadly all too familiar to contemporary observers of computer security.
The existence of this method, and the reaction of the locksmithing profession to it,
strikes me as a classic instance of the complete failure of the "keep vulnerabilities
secret" security model. I'm told that the industry has known about this vulnerability and
chosen to do nothing -- not even warn their customers -- for over a century. Instead it was
kept secret and passed along as folklore, sometimes used as a shortcut for recovering lost master keys
for
paying customers. If at some point in the last hundred years this method had been documented properly,
surely the threat could have been addressed and lock customers allowed to make informed decisions about
their own security.
The tragic part is that there are alternatives. There are several lock
designs that turn out to resist this threat, including master rings and bicentric locks.
While these designs aren't perfect, they resist completely the adaptive oracle attack described in my
paper.
It's a pity that stronger alternative designs have been allowed to die a quiet death in the
marketplace
while customers, ignorant of the risks, have spent over a hundred years investing in inferior
systems.
Although a few people have confused my reporting of the vulnerability with causing the vulnerability
itself,
I can take comfort in a story that Richard Feynman famously told about his days on the Manhattan project.
Some simple vulnerabilities (and user interface problems) made it easy to open most of the safes in use at
Los Alamos. He eventually demonstrated the problem to the Army officials in charge. Horrified, they
promised
to do something about it. The response? A memo ordering the staff to keep Feynman away from their
safes.
2007
Almore Ltd
2 Golygfa'r Eglwys
Pontypridd
CF37 1JL
Phone: 01443 650075
info@almoreltd.com
Mark Garratt an industrial designer has perfected Pickbuster, a special fluid which can be squirted into
locks to make it very difficult for a would-be burglar to "bounce" the pins inside, but which
does
not affect normal key operation. The synthetic, high-tack fluid, is easy to apply, non-toxic and can
withstand extremes of
temperature. It is being made available initially to housing organisations in aerosol form at 2.70 per
lock
treatment.
The joys of picking locks, the secret world of bumping
By Sara Schaefer Munoz November 6, 2006
[…Matthew Fiddler "The public has a right to know if some $30 lock they bought is not secure,"
says Fiddler, the Connecticut chapter president, who, like many in his group, works in computer security.
Internet videos
that
show how to pick many types of locks. Pin tumbler locks, commonly used on doors, mailboxes or padlocks,
are
opened with a key when their spring-loaded pins are pushed into the right alignment. To open them without
a
key, hobbyists often use a slender pick to maneuver the pins, while at the same time sticking a tension
wrench in the keyhole to apply turning pressure. Another popular method is "bumping," which
involves inserting a specially filed key blank into a lock and hitting or "bumping" it.
Key blanks, made by lock manufacturers and used for making duplicate keys, are widely available for most
common locks online or in hardware stores. The force of hitting the key makes the pins jump in such a way
that for a split second the lock can be opened.
Law-enforcement officials fear that any tactic that exposes lock-breaching can put information into the
wrong hands. "They are exposing vulnerabilities to everybody, and everybody includes criminals,"
Organized groups of lock-picking hobbyists have operated in Europe for years, and have recently been
increasing in North America. Locksport International started last year and has 100 members in six chapters
in the U.S. and Canada. The Netherlands-based Open Organisation of Lockpickers (TOOOL) formally launched a
U.S. group in August and so far has 40 members.
Police and lock manufacturers say they get worried when pickers swap tips on the message boards of
lockpicking101.com, a Web site for lock-picking enthusiasts, and post how-to demonstration videos on the
popular video-sharing site YouTube.com.
Walt Strader, vice president of research and development for Black & Decker, which makes Kwikset,
Weiser
and Baldwin locks, says the company recently became aware of the "bumping" method from
information
disseminated by the groups.
While the company doesn't agree with the groups' publicity tactics, he said it is "taking the
issue seriously" by re-evaluating its products and considering a warning on the packaging. The
company
is also working with the industry to call for a ban on the Internet sale of bump keys, he says.
Mar 8, 2006 Matt Blaze blaze- // @ // -- cis.upenn./// edu
University of Pennsylvania
Signaling
Vulnerabilities in Law-Enforcement Wiretap Systems
April 18, 2006
Phreaking the Wiretappers
The talks I gave yesterday in Reston and last month at Stanford (mostly) described our December 2005 IEEE
Security and Privacy paper (with Micah Sherr, Eric Cronin, and Sandy Clark), the full version of
which
is here:http://www.crypto.com/papers/wiretapping/
Now that most wireline switches implement the CALEA
interfaces, loop extenders are no longer the dominant law enforcement wiretap technology (at least for
better-funded federal agencies). But because of the backward compatibility features implemented by some
CALEA equipment, certain vulnerabilities -- particularly the ability to disable call recording -- may
remain.
High-fidelity, high-accuracy passive wiretapping, it turns out, can also be hard to do reliably in digital
networks. We found it to be easy to fool most convention Internet tools, at least under many configurations:
I'm often surprised at how uncritical the courts re in accepting electronic evidence, especially
wiretap
evidence. It may be less reliable than we assume it to be.
2006 - The Communications Assistance for Law Enforcement Act (CALEA), a law originally enacted to ensure
federal wiretapping access for telephones, is the major obstacle to providing public access. College drops
plans for free public wireless because
a law requiring Internet service providers to supply access to federal wiretaps has spurred Bowdoin
College
to drop plans to offer a public wireless network covering the downtown area.
A federal regulation that requires Internet-service providers to reconfigure their networks to help the
government eavesdrop on online communications may unintentionally stymie the deployment of wireless
Internet
access in cities and towns across the country. A situation where law enforcement is authorized to come in
and tap your router.
2006 - Officials Predict Colleges Will Be Exempt From Ruling on Network Surveillance
Call it viewing the glass as half full. In the absence of a definitive statement from either the courts or
the Federal Communications Commission on whether colleges must re-engineer their networks to comply with
the
government's online-surveillance needs, a leading higher-education group is betting that the law is on
colleges' side. In legal guidance released this month, the American Council on Education told colleges
that they probably need not worry about an FCC regulation requiring Internet-service providers to overhaul
their networks to make it easier for law-enforcement officials to eavesdrop on e-mail messages and on
conversations that use Internet-based telephone and instant-messaging services. Colleges had estimated
that
if they fell under the regulation, it could cost them $9-million to $15-million each to comply. According
to
Matthew Brill, a partner with the law firm Latham and Watkins and an expert on CALEA, "It does appear
that providing public access to the community may subject the (college) to regulations that may otherwise
not exist." Originally, as reported by The Times Record this spring, Bowdoin College had planned for
a
partnership between Bowdoin and Great Works Internet, a local Internet service provider, to install a
public
wireless network covering the entire Brunswick downtown area. The installation of the network was to be a
pilot project for GWI, so that the company could later offer the service to other municipalities. Davis
said
that the barriers to the project were twofold. First, the college had planned to mount the antennas
transmitting the wireless signal on utility poles owned by Central Maine Power Co. Getting access to those
poles "has been difficult," said Davis. Then, after 111 Maine, a downtown restaurant, offered
its
rooftop for an antenna, Davis learned of a regulation, (CALEA), that requires Internet service providers
to
make available wiretapping access to the federal government. Davis said that he still hoped that access
could eventually be offered to Brunswick residents. "We're going to put it in for (Bowdoin
College
students)," he said. "Once it's in, we'll work out providing access for guests."
Brill said that the solution might be in a technical interpretation of the law. "The FCC has made
clear
that universities that apply to third parties for access are not subject to CALEA," he said. But
Davis
was quick to note that he was not an expert on this specific situation. "The precise arrangements
would
determine the obligations." According to Davis, guest access could be allowed if the network was
operated by a third party, such as GWI. The distinction between Bowdoin and a third party providing the
access may be as simple as who owns the router providing the public access. The router is the device that
would connect the Brunswick/Bowdoin network to the rest of the Internet. "If GWI were to own that
router, then they would be responsible for maintaining the CALEA action," Davis said. Davis also
added
that he had been appointed to Gov. John Baldacci's council on broadband, and that, in that role he
would
be working on resolving these issues. "The fact that we weren't able to tie everything and make
it
work was disappointing," Davis said. "In a larger sense, it allowed me to get on a committee
that
is potentially going to create the solution in the state of Maine." Nathaniel Herz is a sophomore at
Bowdoin College.
Peter Neumann
http://www.counterpane.com/crypto-gram-0205.html
" A basic rule of cryptography is to use published, public, algorithms and protocols. This principle
was first stated in 1883 by Auguste Kerckhoffs: in a well-designed cryptographic system, only the key
needs
to be secret; there should be no secrecy in the algorithm. Modern cryptographers have embraced this
principle, calling anything else "security by obscurity." Any system that tries
to keep its algorithms secret for security reasons is quickly dismissed by the community,
and referred to as "snake oil" or even worse. This is true for cryptography, but the general
relationship between secrecy and security is more complicated than Kerckhoffs' Principle
indicates.
The Handbook of Applied Cryptography
http://www.cacr.math.uwaterloo.ca/hac/
"Lecture "by Goldwasser and M. Bellare
http://www.cs.ucsd.edu/users/mihir/papers/gb.html
Kerchhoffs' original work
http://www.cl.cam.ac.uk/~fapp2/kerckhoffs , in French and English.
--//--
November 30, 2005
Security Flaw Allows Wiretaps to Be Evaded, Study Finds
The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that
allows the person being wiretapped to stop the recorder remotely, according to research by computer
security experts who studied the system. It is also possible to falsify the numbers dialed, they
said.
Someone being wiretapped can easily employ these "devastating countermeasures" with
off-the-shelf
equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information
science at the University of Pennsylvania.
"This has implications not only for the accuracy of the intelligence that can be obtained from these
taps, but also for the acceptability and weight of legal evidence derived from it," Mr. Blaze and
his
colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the
Institute of Electrical and Electronics Engineers.
A spokeswoman for the F.B.I. said "we're aware of the possibility" that older wiretap
systems
may be foiled through the techniques described in the paper. Catherine Milhoan, the spokeswoman, said
after consulting with bureau wiretap experts that the vulnerability existed in only about 10 percent of
state and federal wiretaps today.
"It is not considered an issue within the F.B.I.," Ms. Milhoan said.
According to the Justice Department's most recent wiretap report, state and federal courts authorized
1,710 "interceptions" of communications in 2004.
To defeat wiretapping systems, the target need only send the same "idle signal" that the
tapping
equipment sends to the recorder when the telephone is not in use. The target could continue to have a
conversation while sending the forged signal.
The tone, also known as a C-tone, sounds like a low buzzing and is "slightly annoying but would not
affect the voice quality" of the call, Mr. Blaze said, adding, "It turns the recorder right
off."
The paper can be found at http://www.crypto.com/papers/wiretapping.
The flaw underscores how surveillance technologies are not necessarily invulnerable to abuse, a law
enforcement expert said.
"If you are a determined bad guy, you will find relatively easy ways to avoid detection," said
Mark Rasch, a former federal prosecutor who is now chief security counsel at Solutionary Inc., a
computer
security firm in Bethesda, Md. "The good news is that most bad guys are not clever and not
determined.
We used to call it criminal Darwinism."
Aviel D. Rubin, a professor of computer science at Johns Hopkins University and technical director of the
Hopkins Information Security Institute, called the work by Mr. Blaze and his colleagues
"exceedingly
clever" - particularly the part that showed ways to confuse wiretap systems as to the numbers that
have been dialed. Professor Rubin added, however, that anyone sophisticated enough to conduct this
countermeasure probably had other ways to foil wiretaps with less effort.
Not all wiretapping technologies are vulnerable to the countermeasures, Mr. Blaze said; the most
vulnerable
are the older systems that connect to analog phone networks, often with alligator clips attached to
physical phone wires. Many state and local law enforcement agencies still use those systems.
More modern systems tap into digital telephone networks and are more closely related to computers than to
telephones. Under a 1994 law known as the Communications Assistance for Law Enforcement Act, telephone
service providers must offer law enforcement agencies the ability to wiretap digital networks.
But in a technology twist, the F.B.I. has extended the life of the vulnerability. In 1999, the bureau
demanded that new telephone systems keep the idle-tone feature for recording control in the new digital
networks, which are known as Calea networks because of the abbreviation of the name of the
legislation.
The Federal Communications Commission later overruled the F.B.I. and declared that providing the idle
tone
was voluntary. The researchers' paper states that marketing materials from telecommunications
equipment vendors show that the "C-tone appears to be a relatively commonly available
option."
When the researchers tried the same trick on newer systems that were configured to recognize the C-tone,
it
had the same effect as on older systems, they found.
Ms. Milhoan of the F.B.I. said that the C-tone feature could be turned off in the new systems and that
when
the bureau tested Mr. Blaze's method on machines with the function turned off, the effect was
"negligible."
"We were aware of it, we dealt with it, and we believe Calea has addressed
it,"
she said.
Mr. Blaze, a former security researcher at AT&T Labs, said he shared the information with the F.B.I.
His team's research is financed by the National Science Foundation's Cyber Trust program, which
is
intended to promote computer network security.
The security researchers discovered the new flaw, he said, while doing research on new generations of telephone-tapping equipment.
In their paper, the researchers recommended that the F.B.I. conduct a thorough analysis of its
wiretapping
technologies, old and new, from the perspective of possible security threats, since the countermeasures
could "threaten law enforcement's access to the entire spectrum of intercepted
communications."
There is some indirect evidence that criminals might already know about the vulnerabilities in the
systems,
Mr. Blaze said, because of "unexplained gaps" in some wiretap records presented in
trials.
Vulnerabilities like the researchers describe are widely known to engineers creating countersurveillance
systems, said Jude Daggett, an executive at Security Concepts, a surveillance firm in Millbrae,
Calif.
"The people in the countersurveillance industry come from the surveillance community," Mr.
Daggett said. "They know what is possible, and their equipment needs to be comprehensive and needs
to
counteract any form of surveillance."