Locksmithing Missteps Physical Security Security

Misstep 7: Knoxoff KnoxBox

Low Security Key Holder

Alright, after this post, I’m taking the rest of the year off!

I’ve talked about this one before in Lockboxes and Key Space Exhaustion, and I’ve seen this guarding both a bagel/coffee shop out in LA, a restricted-use boat launch, and this dollar store back home. This photo shows the one by my place that is apparently just caulked to the building. I’m not sure if they’re using this for shared access to a control room or as a “KnoxBox” for first responders.

Even the manufacturer points out that the device is for convenience, not for security. A master-keyed cylinder or badge system would be better approaches to a multi-tenancy door, however without knowing its objectives, its hard to quantify if it is a big issue or not.

Join me next Tuesday, in 2020 — I’m going to start picking on some of my poor security choices over the years as well!

Missteps Physical Security Security

Misstep 6: Moneygrab

Key in Register
Key left in register in cluttered shop

This one is less about what you’re seeing, and more about temptation. This cash register has the drawer key sitting directly in the lock it is supposed to protect.

Cashiers should be performing “NO SALES” if they need access to the cash drawer without a transaction. This keeps a record of times an employee accesses the cash for reviewing with cameras or training purposes. They should not be using a mechanical bypass to enter the cash drawer.

Likewise, leaving a key in a cash drawer invites robbery by demonstrating that access to the cash will be easy and that security is lax.

Besides these issues, a key in a cash drawer is pretty meaningless, since access to most can be granted by way of a small drawer release lever on the underside of the unit, which is another reason why these units should be attached to a solid surface.

Missteps Physical Security Security

Misstep 5: Getting High in California

By getting high, of course, I’m talking about the relative distance from the ground. In this case, I added three stars to the image.

The first one is the “Yellow Star”, I’m not going into a lot of detail here except to say that Misstep 2: Security-As-An-Annoyance goes into greater detail about why a fence and a lever make a bad combo.

This week we’ll take a look at the blue star, where there’s a decently tall chain-link fence, above which there is barbed wire. From the outset, this seems fine, but there are two tactical mistakes at play here:

  • The barbed wire faces inside of the property. This is acceptable if you’re trying to keep something in (think prisons), otherwise, it should be facing out. This makes it harder to simply throw a jacket or blanket over the barbs and jump the fence.
  • The somewhat funnier one is by the red star… This fence is substantially shorter (guessing 5′ tall), no barbed wire, provides concealment for what is on the other side, and won’t make a bunch of noise when you jump it. It will be slightly harder to get a footing, but the flat top should prove easy enough.
Missteps Physical Security Security

Misstep 4: Pretty Friggin’ Suite

A door showing a locked deadbolt and exposed hinges

Another example of “A chain is as strong as its weakest link”, this door was inside of my suite during my stay in Los Angeles. I assume it is for cleaning supplies, coffee supplies, or similar so that the room service folks can save time not transporting all of this without an elevator.

But lets just pretend for the sake of this blog that they store some fine Chicago-style pizzas, millions of dollars of money, and some Cinnamon Coke behind here. First of all, I wouldn’t have wrote this blog because I’d have broke in already. But, here we are.

The deadbolt was locked with what strikes me as a Kwikset KW1 keyway (may be a 6-pinner, no idea). Let’s just say I can’t pick a lock? How else can I breach this door non-destructively?

A door hinge

Generally you’ll have an “unsecured side” and a “secured side”, or “sterile side” in FAA parlance. This delineates the side that is public, and a side that is private (boarding area for aircraft, or this sweet pizza closet in my suite).

In this case, these hinges are on the unsecured side. I can easily drive the hinge pins out of the door and gain access to this closet. The two halves of the hinge will easily slide apart in this case.

Because I didn’t want to trespass, I did not verify if this was implemented securely. In order to have the hinge pins on the unsecured side, you can use “security pins”… These tiny devices will replace some of the hinge screws in the door or frame, and recess into the mating surface. In this way, the hinge halves will not slide among each other — increasing the security of this approach.

Here’s some on Amazon (these may not be the cheapest, I don’t know. It’s also not a referral link):

Missteps Physical Security Security

Misstep 3: Flow Freakin’ Way

Unprotected water control valve
Sweet Cage Decoration

From my trip to LA, I’ve seen several of these water control valves placed above ground. (Must be nice, in Chicago, these guys would turn into ice and destroy themselves).

An oddity is the choice of security — a wire mesh that stops folks from disabling the water. This could affect fire systems, but those usually have a standpipe or external outlet for sprinklers, but what this can mean is — when your coworkers are coming back from the company Chipotle outing, they can’t evacuate the sinister remnants effectively.

The cages are a minor obstacle, since these are quarter-turn ball valves, they only have to be rotated 90Ā° in order to turn off (or on) flow.

Inserting a stick, pipe, or some other rigid instrument and biasing it against the wire cage would create plenty enough of a lever to force the valve shut.

Solution? Lock the valves like everybody else, except this water main, since it uses a hilariously deficient “warded Master Lock” that can be trivially bypassed in several ways (shimming, warded picks, keys that accommodate wards, etc)

Water main showing a Master Warded Lock
See the bottom of the chain between the valves
Missteps Physical Security Security

Misstep 2: Security-As-An-Annoyance

A locked door at a hotel pool where the gate allows easy access to the opposite handle.
So ez

I’m in Los Angeles, CA this week and my hotel has a pool. Like many hotel pools, they lock it down at a silly early hour. They also keep the area locked to ensure that the pool isn’t being abused by non-guests.

With several different shifts of hotel operators, and this hotel’s nature of having several outdoor buildings for rooms, it would be very difficult for a hotel employee to identify who is a guest and who isn’t.

While there isn’t anything of value behind this gate, it does demonstrate an oversight in design. My hands were only slightly too fat to fit next to the handle, to turn the “inside” handle and gain access. People with smaller hands, those who are clever enough to bend a wire coat hanger, and those who also really need to swim can bypass this sort of gate easily.

I’d argue that this isn’t a big deal here, since the gate is there to prove trespassing and deny liability if you didn’t belong there in the first place. Either way, an interesting conversation piece.

It should be noted that these types of lever handles are required by ADA standards (in the US) to enable people with advanced arthritis, or other physical ailments to open doors where they cannot grasp a knob. That is why replacing these with knobs is not a workable solution.

Missteps Physical Security Security

Misstep 1: A Chain is as strong as its weakest link

A Trek Hybrid for the low cost of a front tire

I wanted to start a new blog feature where I share occasional security missteps just sitting in public.

These bikes are not cheap, generally starting at $500 and climbing rapidly.

This bike is held in place by a typical U-bolt lock, but the front tire is held in by a quick connect near the bottom of the rim, through the spokes (meaning it takes no tools and only a flick of your finger to release the tire, and thus: the bike).

Say you wanted to save some additional funds and you carry a Leatherman? Cut a few spokes and ride off on it. Later, order a few replacements … Or if needed, a rim.

You can have the world’s strongest lock. It means nothing when the entire situation isn’t considered.

Physical Security

Part 1: Outdoor Security Lighting (The Attack)

Building exteriors are often well lit to keep out physical attacks and to enable CCTV footage without requiring infrared emitters on the cameras. Often times, these will use “electric eyes” to detect light, and when present, turn off exterior lights to conserve energy.

Typically these sensors are made with a CdS cell (cadmium sulfide). They act by increasing the resistance of the cell in the absence of light. This is why they are often called photoresistors, light sensors, photocells and similar.

To prevent moisture from entering the cells, they often point either parallel to the ground or somewhat towards the ground, and are often located away from the light sources on the building (since the security lighting will interfere with the light sensed). Street lighting, for example, will often have the sensor located on the top of the unit, allowing it to detect daylight without detecting the street light.

Typical LED streetlight with photocell from SuperiorLighting

If each fixture has their own photocell, this technique may quickly become ineffective, however there are many buildings that use one central photocell to control all exterior lighting (generally, you’ll see all lights go out at once). Some other building require an employee to manually turn off a breaker or a switch, or better yet — rely on a timer.

A well-lit parking lot or building is typically going to experience less crime since a criminal is more likely to be spotted at the building’s exterior. Photocells are inexpensive and testing many models is a cheap endeavor. In the street light pictured above, the photocell is the small black device on the top of the fixture. The clear cutout is the aperture where light interference will disable the light.

A small light sensor, with the CdS cell visible in the circular aperture between the male and female threads.

So I decided to buy a cheap light sensor, it was about $5 at the local hardware store. I also bought a cat toy, the mystical disabler of lights.

A cheap $4 laser pointer can work — if the batteries are decent

The first thing I did was bend the triangle wire that holds the laser pointer to a keychain, we won’t need that anymore.

I also loaded up the button cells. Next, I attached a 1/4″ x 20 NyLock nut to the bottom. These are the standard threads used on a tripod, which will help use this tool. I learned a technique from a guy named Marty in Australia who makes over Matchbox cars (Marty’s Matchbox Makeovers) that you can use baking soda + superglue to quickly cure the glue and build up a sizeable “weld” between two objects.

First, you apply superglue to the items you want bonded, then you sprinkle baking soda onto the glue:

A 1/4″x20 NyLock nut glued to a laser pointer

Once you add the baking soda, give it few moments before removing the excess and then repeating until you feel the bond is strong. In this case, I attached the NyLock side to the laser pointer to give a malleable thread to stop the tripod from hitting the laser pointer body. You can go without using a NyLock, it just is what I had on hand and made me feel ingenious using it. Also: Instead of tightening the threads of the laser pointer into the base, you just need to tighten it to the NyLock threads.

This really should be enough

Yeah, you can sand and paint the glue at this point, but given its purpose, I’m happy with that.

Now, this laser can be mounted onto a tripod and pointed at a light receptacle:

Laser Tripod

The one I built here had dead batteries, requires you to force the button down with a clip of some sort, and uses button cells. Overall, it may work if you win the laser lottery. But, since I wanted to talk more about this, I’ve ordered some laser diodes and battery packs. I also have a real tripod and plan on doing additional research into the efficacy of this technique. I will also talk methods of remediating the risk of this attack.

So What?

Yes, you can do the same thing with a flash light, head lights, even the sun. A laser is less likely to be spotted since the light is concentrated, powerful, and very portable. This can disable exterior lighting or trigger security cameras to turn off night vision infrared emitters (effectively blinding even these).

Now what?

Keep an eye out for a followup! I will build a better demo unit in the coming weeks and talk options on preventing this attack. I find it unlikely this will ever be used, it is more a think piece about trusting external output (the environment) to control security features. Something a lot of folks in application development aren’t doing that well.

Physical Security Vending Devices

Jackpotting Parking Meters: A Series

I usually spend quite a bit of time talking about security problems I’ve identified, and a little less time talking about solutions to those problems. I don’t often talk about quantifying risk or products that I’ve identified as being particularly secure. Today, this changes.

Duncan Miller Parking Meter
Duncan Miller Parking Meter

I walked into a local antique shop hoping to find some old locks laying around that I can use for picking / gutting practice. As I walked into the shop, the friendly lady at the counter tells me that anything sports related is 20% off, as well as anything made of metal (except coins).

Well that works perfect for somebody like me, looking for locks. I ended up leaving with this parking meter that she posits is from Lake Geneva, WI before they upgraded to their far superior multi-spot parking system. I asked if she had keys, she did not but assured me that they are a common key.

Well — I didn’t Google it, assuming that either she was right or I’d just pick my way in. I got it out to my vehicle and shoved a tension wrench and a pick in the front and immediately had my soul crushed — this is a slider keyway which I can’t pick and even LockPickingLawyer has struggled with in the past. So I turn to E-Bay, which has replacement keys and cylinders, but they’re ~$50-75 each. Even still, I’m stuck with a unit I probably can’t open before my “disinterest cutoff.”

So, the first thing I do is call a local locksmith and ask them if he can decode and cut slider keys. He said he can, but to save time, send him a photo of the keyway.

Restricted Slider Keyway
Restricted Slider Keyway

I seen the word “Restricted” on there, but I’m like “words man”

He replies that it is restricted, and he can’t cut the key. So, I hopped on Google to learn exactly what that means. Turns out the key blanks are restricted (meaning he would need to have the blanks, the authority to cut them, and the software to tell him the bitting). Since I found it unlikely that I would find those services for a good price, I decided to start looking for bypasses.

Bypass #1 — Roll Pin

Roll Pin Hinge
Roll Pin Hinge

The first thing I notice is this roll pin acting as a hinge at the top of the meter box. This would be way too easy!

I was right — it would be too easy. I did some research and it turns out that the roll pin is retained with a set screw, meaning it won’t slide out without destroying the meter:

Set Screw on Hinge
Set Screw on Hinge

So that bypass will not work.

Bypass #2 — Access to the hex nut

In the real world, meters are attached to a pole and this approach would absolutely not work since this access point would be blocked by it. But, mine has been removed, so maybe I can remove the nut that retains the lock:

Hex Nut Under Cover
Hex Nut Under Cover

This nut was so loose I could almost knock it off with a firm stream of water. But I back it off with a screw driver until…

It stopped moving. The distance between the cover and the tailpiece would not allow enough distance for me to get the nut completely off. So, Bypass two was out.

Bypass #3 — Hacking

I’m not proud of what comes next.

Since I was able to back the nut off enough, I was able to expose the face of the lock by almost 1/4″.

At this point, I thought I could potentially file the threads down and then slide the filed down area into the cover, allowing me to rotate the entire lock. I couldn’t find my file, it was midnight, and I needed success:

Using Hacking Tools

At this point, I had to use a hacksaw to get through this. Even with that old, coarse-toothed saw, I was able to get through the lock with just a few moments of work. I’m not proud at all that this was my solution, but I wanted to get in and learn more. Sadly, there are two locks on this unit — and this one just opens up the cash cup. The other lock opens up the mechanism. I’ll have to figure that one out some other time.

If you liked watching Dexter, this is like a locksmith’s blood spatter pattern. These parts are a testament to my lack of picking skills. The $1.75 next to it? That was still inside the meter. Guess I got a discount šŸ™‚

Balancing Risk: A Security Practitioner’s Prerogative

Security isn’t about making things impenetrable, it is about making it secure enough that the value spent getting around it exceeds the potential value gained. That’s why you don’t have gun turrets outside your house, but the military does.

In my professional opinion — this device demonstrates the output of a successful risk analysis and defensive design.

This is how I know:

Meter & Money
Meter & Money

The small can you see near the top of the quarters is the cup that retains the coins that you put into the meter. I happen to have had $75 in quarters in those blue bags and a few rolls, so I decided I would see what your potential earnings would be for breaching one parking meter.

50 Dollars in Quarters
50 Dollars in Quarters

Above is $50 in quarters. Not quite there. It turns out that to fill this can up, it would take:

Exactly $75. Meaning that if you were to breach a meter, ignoring the obvious legal fees, you would only walk away with $75.

But wait, there’s more!

So, in this meter, one quarter represents 30-minutes of time. There are 300 quarters in $75, so therefore ((300×30)/60)/24 = 6.25 days of continuous 24-hour parking. This also means that the meters were never emptied in that period. If the city comes by and empties the meter, that value gets reset. To maximize your profit, you’d have to track the meter maid, and be one meter in front of them with a hack saw and spend at least 20 mins in broad daylight trying to breach the thing. Once you breach one, they will notice and you won’t be able to do it again in this area.

With this said, yes you can jackpot a parking meter. But it isn’t like Grand Theft Auto, where you run it over and pick up money. In this case, the risk far outweighs even the fully potential maximum return. Therefore, as of this blog, I consider these a secure device.

I will continue exploring the security of these devices when I can get the mechanism open. So this may change.

Thanks for reading.

Physical Security Uncategorized

Lockboxes and Key Space Exhaustion

On a rare occasion, I’ll have a chance to check out a thrift shop or antique store and see what sorts of locks or security equipment they have for sale. I’ve wanted to check out those realtor lockboxes for some time, but didn’t want to spring $25 for minimal entertainment value.

Today, I stopped in a Goodwill and seen a Kiddie KeySafe unit for sale for $4.99. I decided that price point is exactly what I’d pay for an otherwise useless toy. The first thing I did was open the manual it came with:

Kiddie KeySafe
Kiddie KeySafe

The instructions state right away that “KeySafe is a convenience product, not a security product.”

Boy they couldn’t be more correct.

What is “Key Space”?

In cryptography, key space expresses how many permutations are available within the boundaries of a key. To put it plainly, if you can only have a PIN number that is four digits, then you can choose anything between 0000 and 9999. This gives you 10,000 possible permutations (or a key space of 10,000).

What is “Key Space Exhaustion”?

When you don’t know a password or PIN number, you’ll generally start guessing numbers. You may start with “0000”, then “0001” and keep going. Banks will see this sort of activity and freeze down an account, but lock boxes are not like that. You can try every single number until it opens. Key Space Exhaustion is when you go through, iteratively, each permutation until you get an “unlock” state.

What do Lock Boxes have to do with this?

I gave myself a rather relaxed time trial and found that I can enter a code (whether wrong or right) on average in around 5.25 seconds for a 5-digit code. Most people would assume that is probably pretty good, after all a lock that takes a 5-digit code has 100,000 permutations, right? That would mean I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked. I’d argue that’s reasonably secure.

I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked.

Except one little funny thing: Lockboxes do not have permutations that spread across the entire spectrum of possibilities. Some lockboxes have limiting factors, such as:

  • Numbers can only be entered once, so 1-2-3-4-5 is a valid code, but 1-1-2-3-4 would not work.
  • Number Ordering is Irrelevant, so 1-2-3-4-5 is equivalent to 5-4-3-2-1, which greatly brings down the key space.

Identifying Lock boxes with this Fault

You can identify the first issue (entering each number once) by pressing it and listening for a click. If it only clicks once, it probably only accepts the combination once. For the second issue — I do not know a way currently without actually testing it, but it is probably safe to assume most are designed this way.

As for my lock… This lock can accept either 5, 6 or 7 digit combinations. For sake of clarity, I am operating under the pretense that folks are going to use 5-digit codes (Pro-tip: It is probably the address of the building).

With those constraints in mind, how much does that reduce the Key Space?

Key LengthFull Key SpaceActual Key SpacePermutations

Yikes! That deescalated quickly.

As I mentioned before, I did a time trial. I set my lockbox to 01279. As you can see in my permutation lists on GitHub, that is the 20th 5-digit code available. It took 1:45 for me to “breach” the lock by going code to code, trying and clearing each one. So, remember when I said it would take 6 days to breach that 5-digit lock? Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes. That’s insanity. 22 minutes infers that I will hit your code last.

Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes.

This is a complete design fault and is something manufacturers should look to improve upon. The actual time it would take to breach this lock can vary, as I would have to try the 5, 6 and 7 digit lists. With that said, there are ways to make the breach more rapid for these variable-length locks. Stay tuned.