Reverse Engineering Mechanical Locks:

Reverse Engineering Mechanical Locks: Applied Theory Babak Javadi and Shane Lawson TakeDownCon Dallas 2011 Introductions: Babak Javadi Babak Javad...

Author: Albert Caldwell

3 downloads 1 Views 5MB Size

Report

Download PDF

Recommend Documents

MECHANICAL DOOR LOCKS

MECHANICAL ENGINEERING Mechanical Engineering

Section 5. Door Locks - Mechanical. DOOR LOCKS DOOR LOCKS - Mechanical. Index. Door Locks & Deadbolts...Alphabetically by Manufacturer

Mechanical Engineering Faculty, Mechanical Engineering

(Mechanical Engineering)

Mechanical Engineering

- MECHANICAL ENGINEERING

Mechanical Engineering

MECHANICAL ENGINEERING

Mechanical Engineering

Introduction to Reverse Engineering

FPGA reverse-engineering challenge

Learning Reverse Engineering

Reverse Engineering Database Applications

CFRS Malware Reverse Engineering

Reverse Engineering RSI

Software Reverse Engineering

Adequate Reverse Engineering

Reverse Engineering Web Configurators

Legacy Product Re-Engineering. Automated Reverse Engineering

Sector: Mechanical engineering e.g. automotive, aviation, mechanical engineering, etc

Reverse Engineering Mechanical Locks: Applied Theory

Babak Javadi and Shane Lawson TakeDownCon Dallas 2011

Introductions: Babak Javadi

Babak Javadi and Shane Lawson http://enterthecore.net/

Introductions: Shane Lawson

Babak Javadi and Shane Lawson http://enterthecore.net/

What is Reverse Engineering in Physical Security?

Analysis of Locks Reveals… Conceptual Design Flaws Material Deficiencies Implementation Problems

Babak Javadi and Shane Lawson http://enterthecore.net/

Getting Started: State Your Intentions

Is this a hobby? For commercial gain? Potentially dangerous?

Babak Javadi and Shane Lawson http://enterthecore.net/

Getting Started: Lab Basics

Have a Clean Workspace Have a Clean Workspace Lighting Storage and Organization Whiteboard Seriously, Have a Clean Workspace

Babak Javadi and Shane Lawson http://enterthecore.net/

Getting Started: Tools of the Trade Multiple Vises (note the spelling) Clamps or “Helping Hands” Tweezers Jeweler's Loupe Microscope High Quality Digital Micrometer

Babak Javadi and Shane Lawson http://enterthecore.net/

Getting Started: Tools of the Trade

Toolbox Scrap Metal Stock Key Blanks Rotary Tool Bench Grinder Spare Lock Parts

Babak Javadi and Shane Lawson http://enterthecore.net/

Getting Started: Bonus Tools ($$$)

3-axis Mill Metal Lathe Laser Cutter Band Saw Drill Press

Babak Javadi and Shane Lawson http://enterthecore.net/

Getting Started: Sourcing Supplies

Get it New

Get it Used

Babak Javadi and Shane Lawson http://enterthecore.net/

Get Yourself Learned, Son

Physics Metallurgy Masterkey Math Traditional Lock Mechanics Common Lock Traits

Babak Javadi and Shane Lawson http://enterthecore.net/

Common Attack Vectors



Non-Destructive    

Picking Decoding Impressioning Bypass



Destructive   

Drilling Cutting Brute Force

Babak Javadi and Shane Lawson http://enterthecore.net/

Pin Tumbler Locks

Babak Javadi and Shane Lawson http://enterthecore.net/

Outer View

Babak Javadi and Shane Lawson http://enterthecore.net/

Inner View

Babak Javadi and Shane Lawson http://enterthecore.net/

Attempt Without a Key

Babak Javadi and Shane Lawson http://enterthecore.net/

Operating With a Key

Babak Javadi and Shane Lawson http://enterthecore.net/

Pin Stacks

Babak Javadi and Shane Lawson http://enterthecore.net/

Key Operation

Babak Javadi and Shane Lawson http://enterthecore.net/

One Bitting Too Low

Babak Javadi and Shane Lawson http://enterthecore.net/

One Bitting Too High

Babak Javadi and Shane Lawson http://enterthecore.net/

In a Perfect World

Babak Javadi and Shane Lawson http://enterthecore.net/

In the Real World

Babak Javadi and Shane Lawson http://enterthecore.net/

In the Real World

Babak Javadi and Shane Lawson http://enterthecore.net/

In the Real World

Babak Javadi and Shane Lawson http://enterthecore.net/

“Setting” a Binding Pin

Babak Javadi and Shane Lawson http://enterthecore.net/

The Key Pin Can Still Move Freely

Babak Javadi and Shane Lawson http://enterthecore.net/

Setting Multiple Pins

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding

Clandestine Method of Entry Primary Target is the Key Code Key Origination Calculating Master Keys

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series: Making Decoder

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series: The First Decoder

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series: Decoder Operation

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series: Decoder Operation

Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series: Decoder Operation

Informing Kwikset Babak Javadi and Shane Lawson http://enterthecore.net/

Kwikset Smart Series: Metallurgy Failure

There’s also this little problem… Kwikset Smasher Tool Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Medeco plug exposed, key pins rotating to align sidebar cuts Top View

Side View Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Babak Javadi and Shane Lawson http://enterthecore.net/

Decoding: Medeco Sidebar

Successful Medeco Attacks Marc Tobias

LockCon Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning

Impressioning

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Blank Key to Raise all Stacks

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Turn Hard to Bind a Key Pin

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Binding and Wiggling Causes Rubbing

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Observe the Rub Marks

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – File Down at the Rub Marks

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Repeat the Process

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Stack 4 is still Binding

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Stack 4 is still Rubbing

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Stack 2 is still Rubbing and Binding

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Continued Rub Marks

Babak Javadi and Shane Lawson http://enterthecore.net/

Impressioning – Continued Filing

Babak Javadi and Shane Lawson http://enterthecore.net/

When the Key is Inserted Now…

Babak Javadi and Shane Lawson http://enterthecore.net/

Pin Stack Number 4 is No Longer Binding

Babak Javadi and Shane Lawson http://enterthecore.net/

You’ll Know This Has Happened When New Marks Appear

Babak Javadi and Shane Lawson http://enterthecore.net/

Bypass

Bypass • Locked Door vs. Open Window • Partial Security Mechanism Bypass • Improper Installations • ADA Compliance Woes

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

Mul-T-Lock Michaud Bypass

Babak Javadi and Shane Lawson http://enterthecore.net/

CodeLocks CL5000 Design Flaw

Codelocks Babak Javadi and Shane Lawson http://enterthecore.net/

Weaponizing an exploit • What do you do when a flaw is found? • Establish Repeatability • Make the Exploit Execution Efficient • Potential to combine tools to decrease the toolkit footprint

Babak Javadi and Shane Lawson http://enterthecore.net/

Documentation and Reporting • Why? • Legitimacy • Delivery to manufacturers • Delivery to clients • Information reuse in other projects • Publishing any research

Babak Javadi and Shane Lawson http://enterthecore.net/

Review/Questions Babak Javadi [email protected] Shane Lawson [email protected] Thanks To: Deviant Ollam, Datagram, Eric Michaud, Marc Tobias, TOOOL, FOOLS, and anyone we forgot to mention! Babak Javadi and Shane Lawson http://enterthecore.net/