This is perhaps an unintentional demonstration that "insecure against absurdly complex and specific attacks" does not always mean "insecure."
For a web system that is under attack 24/7 from 255^4 different attack vectors, you need "secure against even absurdly complex attacks" to be "secure."
But for my house? Your average thief isn't going to spend the time to take a high-res photo of my keys. Instead, they're just going to beat me until I give them my keys (the original "rubber-hose crytography") or just take a crowbar to the door. It's just not worth it to use such a complex attack.
(Yes, I can see uses for being able to break in without giving away the fact of the breakin, and I'd be surprised if the CIA/NSA/etc hadn't already used a similar technique, but for everyday life it's just a cool theoretical hack that would make a great plot point in a Neil Stephenson novel.)
Actually, since my parents' house has been robbed recently, this gives me a great idea:
You put an easy to open fake safe in a clandestine but still fairly obvious location (eg: behind a picture frame). Sort of like a real life honeypot.
You hook up a surveillance system pointing to the safe or maybe even inside the safe that triggers when the safe moves or opens. Maybe hide a gps chip inside the safe (they are tiny these days).
Bam, you have a photo of the criminal, time of the crime, and you get alerted instantly and silently. Chances are you or the police can interfere in time or you'll have some sort of lead on the criminal since you know what they look like but they don't even know you're after them already.
When this burglar's photograph was taken, he thought he had effectively disabled the home's security system. But he is still able to commit new burglaries, as no one has been able to identify him so far.
"Stewart E. Pesheck, 42, of Minneapolis was arrested on June 9 during a traffic stop in Minneapolis."
It's still an interesting example of the futility of most security attempts. The story notes the earlier surveillance photos but doesn't mention how much they helped.
That's pretty sad, but it's way nicer than having no clue who the perpetrator is. This guy is on local news and now a lot more people have seen his face, so it's much more likely that he'll get busted compared to an unidentified person.
Furthermore, there's the small matter of proof. Even if you happen to see the person who robbed your house and you locate them a couple days later, it can be hard to prove that they were the criminal. A photo solves this problem nicely.
This might work, but my gut says that the average criminal isn't going to spend much time looking behind picture frames for safes: they'll be too busy ripping the plasma TV off the wall and loading your laptops into their van.
I guess this is a cultural thing. In my country, a lot of people keep some of their money in a relatively safe spot in their houses as "just in case" money. It sounds unwise, but many banks have gone down under in times of crisis and it has taken people months to get their money back, even though it is guaranteed by the government. People even keep gold because if you have a crazy crisis and your currency is suddenly worth nothing, it helps to have something that isn't as devalued.
Anyway, this combined with the fact that in the city many buildings are apartments and not houses (and so you need to climb to get in) means that thieves don't steal large things often.
However the one that broke into my parent's house searched a few areas in the bedroom and successfully found the hidden safe, and proceeded to break into it.
I recall in a good friend's home being shown the safe cemented into the floor. Something they inherited from the previous owner -- part of why they were not paranoid about it but treated it more as a bit of a curiosity.
One could eventually get in, of course, but not in the timeframe of a typical burglary. Same problem with regard to moving it off-site.
This still seems like a valid low-tech hacking technique. Simply take photos of anyones keys (easy to do if you are planning it out) and run some software. This seems like a potentially big problem for any facility secured by only lock and key (schools, homes, safety deposit boxes, PO boxes, cars, storage, etc.).
Any facility secured by only lock and key is vulnerable to anyone with a pickgun or a lock pick set and a little skill anyway. Security isn't reliant on locks, it's reliant on behavior.
If you make a fake key, then you can walk in with people all around without looking suspicious. You can even act like the owner whilst in a group of non-conspirators. Even with a great picking kit, it's going to look different to anyone looking somewhat closely.
Depending on the level of physical security surrounding the lock itself, this difference could be as extreme as the difference between knowing the password and having a great rainbow table. In the former case, you can log in as the owner without arousing any suspicion. In the latter case, you have to have some time when nobody is looking (download the hashed password database).
So get a big bright "ABC Locksmithing" shirt printed up and carry a toolbox while commiting crimes. Odds are good nobody will notice you then. Or just change the lock and come back later for the theft, now that you have a key.
I remember my elementary school got robbed. We had to sit in the auditorium for a while until they led us past the crime scene into our classrooms. I still remember a forensics guy picking up one of those plastic barrel juice boxes with tweezers and thinking about how ridiculous he looked. They ended up stealing some video cameras and stuff (back in the day pricey), but the police believed they had some inside information because they seemed to know exactly where to go.
Pretty much anywhere with windows is vulnerable. Break window, reach through, unlock door. I think that's what those robbers did.
But then, that lock allows for PIN code + finger... so after they've chopped your finger off, they still won't be able to get entry without the PIN code.
Or they could just beat you until you opened the door. Traditional methods are still the best.
Don't the finger printers have "pulsox" (pulse and oxygen level) sensors in them like those dinky devices they use in hospitals that just clip on your finger.
Threatening to chop their finger off would get most people to open most doors I imagine.
I'd just like to point out both that I forget things some times and other people are new to stuff all the time.
So, while it might not be NEWS - it is always good to keep stuff conscious.
As an example, I was actively training to lock sport some years ago - but havent done anything in a long time (though I still lie to myself and believe I am into it) - but honestly have never thought of using a secret hidden webcam sized CMOS to zoom in on a lock waiting for the key to arrive.
Fuck, that is actually brilliant.
Now - instead of anything - I need to worry about a secret camera pointed at a keypad (rather than lock).
I ONLY use the keypad to enter my apt building.
At my, now previous, office - I have used the keypad to code entry to the door for 10 years.
I was caught by some anon who lived in the building and she interrogated me as to who I worked for, why I used the code, why not a key etc...
She stated "someone could see you entering that code!" - I replied "I'd see them close to me!" - obviously though I am wrong now.
I thought she was a crazy bitch - but thinking of this, now not so much.
In fact - a small device with a cam and a 3G card with periodic pic uploads is perfect and can be built for cheap if not on the market.
Even my new office has keycode access, where when I went for the interview (over by pixar) I found myself trying to spy on workers of the building entering their codes as they returned from lunch...
---
You know what would be an interesting defeat of such attacks: in addition to keycode - you have a timing around the entry. i.e. first keypress, wait 2 seconds, second wait 1, third wait 4....
@cloudwalking
At first I thought that fake keypress would not work if you were expected to open the door; meaning youd actually have to perform the correct press to get the door open...
But you could conceivably either fake a press before - or do a bunch of presses afterward to fake the sequence...
I guess this really needs to be tested - specifically against the ability of the camera/viewer to be able to tell when the 1/4" depression of a key really occurs.
I think the take away here, though, is for anyone using a keypad to act like they pressed 10 keys rather than the requisite 4# sequence. Ideally with the 4 numbers non sequntial in your finger movements.
I've done this for year when entering my pin code for making payments or cash withdrawals. I position my hand so that it obscures all the keys, and then move one finger a tiny bit that does the actual key press, and another finger in an obvious way to make it seem as if I'm pressing another key as the one I'm actually pressing.
Government agencies can open doors in few seconds without taking a picture and creating a duplicate. It takes trained locksmiths few seconds to open doors without breaking it. Its only about will to get in.
Picking/banging a lock leaves forensic evidence that a duplicate key would not, even when performed by experts. Google "lockpicking forensics" for lots of information.
Anyhow I guess your point is still valid. Someone wanting to get in and out of your house without living a trace could use some other means not necessarily involving the door, though most of the time they would risk looking suspicious to potential witnesses.
"It takes trained locksmiths few seconds to open doors without breaking it."
I think that the certified (EU norms) locks are tested so that they provide something like at least 5 minutes resistance against the best known non-destructive attacks.
If it was an iPhone app (anybody?) then its really not so far-fetched. It would be easier and cheaper ($1?) than risking exposure to the homeowner and possible identification.
Maybe there's a hugely male, and young populance here, but I'd like to point out that theft isn't always the intent of home invaders, and that in a lot of cases, the really scary people want to get in without alerting you to it.
This is information I'd want my sister to be aware of, as I can easily see how I'd use it to hypothetically abuse someone.
How often do people leave their keys out in the open like that? Mine are in my pocket until I am at the door (actually, most of my doors are RF or keypad, I use very few metal keys).
This is really nothing new thought if you have studied locks at all. All the common keylocks (eg: standard house locks, most vehicles, etc.) have a fixed/known set of tumblers, and a fixed/known set of pin codes. When I was more interested in physical lock mechanisms about 18 years ago I had the GM tumbler height elevations pretty well memorized, plus a good stock of blanks and templates. I could look at most GM keys, "read" the code (like 5,4,4,3,1) and then go off and make a key that would work 90% of the time. Same thing for Ford locks. It was fun to move a friends vehicle in the high school parking lot, but the novelty wore off quickly. This article seems to be the same thing, except rather than having to say something like "cool keychain, can I see it?", you have to take a high-res pic of their key from 300 feet.
Well, would you notice somebody sitting in a car 100ft away, taking a picture at the moment you put your key into the lock? A picture of a key on a table is useless anyway, since you (most likely) don't know what lock it fits with. With a van with a computer and a small key-making tool in the back, you can sit somewhere until the residents come home, take a picture and have the key made by the time the residents go out again and then you can enter without breaking anything.
Of course the camera can be hidden so that nobody would even see a guy in a van taking pictures, just a guy eating a sandwich who could push a button to take the picture unnoticed.
British television broadcasters now routinely blur images of keys for this reason. If you have access to BBC iPlayer, you can see this in action on BBC Three's "Kids Behind Bars". I have seen a number of locations in London with frosted glass privacy screens from mid-thigh to chest height, whose only obvious purpose is to defend against this attack.
If you've ever seen Barry Wels at work, you'll understand that this is anything but a far-fetched attack. Someone is unlikely to burgle a house using this technique, but it's a very practical method for determined attackers against otherwise hardened targets. With the prevalence of master and sub-master keying systems, the leak of a single key could potentially give access to dozens or hundreds of locks. Unlike a leak due to loss or theft of a key, there is no way of knowing of a breach in security until an attack is attempted. That's just about the worst case scenario.
I was going to say, a weekend studying lock picking (which is definitely a fun thing to learn) and you can probably pick open a great majority of the houses out there in very little time...
however, even if not practical this research is pretty interesting
Sure! I'm very much a novice but: I started with 'Visual Guide to Lockpicking' [1] although 'MIT Guide to Lock Picking' [2] is very good and also free. After you get the basic mechanics of locks and lock-picking down you really just need to practice. Get yourself a set of lock-picks online (also look at your state laws for lock-picks, in many states only a licensed locksmith can carry them around so it may be a good idea to keep them at home, and avoid doing things like leaving them in your car/pocket. I believe some US states make it out right illegal to possess them, so just be aware).
Some places will sell practice locks with pins removed, but do not buy them, they are way overpriced and if you really want to understand the mechanics of locks it will serve you well to bust one open. So go to a hardware store and pick up an inexpensive but not cheap lock, crack it open and remove some of the pins (even all but one), add/remove/reorder the pins until you are really good, and then buy more locks.
Also do keep the law in mind, when I looked it up it's illegal in most if not all states to pick locks that you do not own if you are a not a locksmith (even with the owners permission), which can include obviously the locks on your apartment and locks of friends. You could probably get away with this, but the hacker interest in learning things like lock-picking is not universally seen as benevolent, and it would be stupid to get in legal trouble for a hobby
Get two hair pins. Straighten one out and stick in lock. You now rake along the pins on top from back to front. At the same time you use the second one to apply rotational pressure on the tumbler so that after being flicked up the pins rest on the edge of the thingy inside, and you'll be able to turn it then. If the first rake doesn't do it try again. This is all there is to it. After a bit of practice you can walk up to a door and pick the lock as fast as anyone can insert and turn a key.
The quote "We built our key duplication software system to show people that their keys are not inherently secret" is interesting. Do the public and the authorities have a different attitude when you do this with physical security vs. electronic? Sometimes people have been threatened or even arrested for demonstrating vulnerabilities, as we know.
This reminds me of the story from a few years ago when Diebold got itself in trouble for showing pictures of their voting machine keys online: http://www.bradblog.com/?p=4066#more-4066
This also has me thinking about the "Light Field" story from two days ago. ( http://www.hackerne.ws/item?id=2681554 ) If that technology becomes common, and camera resolutions continue to improve, I bet you could lift people's thumbprints from photos of them waving on Flickr. That sucks if you use a biometric thumb lock like they do in the shared office space I work out of.
Your thumbprint is like a password which you can never change. If your thumbprint appears in a single photo of you ever, there's no locksmith that can help you get that JPEG back from Lulzsec! :-)
Thumbprints are for casual identification, NOT for security. Biometrics are a hash, and like your garage-door opener, millions of people have the same thumbprint biometric as you have.
Wow. It doesn't help that 'blanks' are standard and the number of pins in the lock is knowable. It is a nice piece of work, I expect to see it get re-used on all the cop shows :-)
Handy. So I only need to make a pic of the key, and then send it to an online service, wait a day, and go wild in someone's house/company. Which by the way, won't be covered by insurance because there are no signs of burglary.
I speculate that within another generation or two of fabricators, people will have something trivially useful to plug the data into -- if they are of a mind. (Automated lathes and whatnot being pricier and eventually less common.)
they're still pretty expensive, but arguing you're in a fairly high rent neighborhood with basic security systems (no keypad requirements, but alarms blare if you force a lock or break a window...Is that even a system on the market?) Anyhow, if you've a van, that's a good five thousand dollars at least. Grab a printer, say another 10k...I dunno how many robberies you need to pay that off, but assuming you intend to make a go of this life of crime, being a guy with the key helps a lot.
By default, the key will be hidden inside it's case. When the user wishes to open the lock, he can just place the key on the keyhole and start inserting it. :)
Not that this kind of attack is likely unless you leave your keys sitting out in public, but it might be a good case for Lockitron if you're paranoid: https://lockitron.com
As opposed to the standard pin tumbler lock where there's a single row of pins, the pins in this lock surround the key from all sides, therefore the protrusions on the key are also all around it.
For a web system that is under attack 24/7 from 255^4 different attack vectors, you need "secure against even absurdly complex attacks" to be "secure."
But for my house? Your average thief isn't going to spend the time to take a high-res photo of my keys. Instead, they're just going to beat me until I give them my keys (the original "rubber-hose crytography") or just take a crowbar to the door. It's just not worth it to use such a complex attack.
(Yes, I can see uses for being able to break in without giving away the fact of the breakin, and I'd be surprised if the CIA/NSA/etc hadn't already used a similar technique, but for everyday life it's just a cool theoretical hack that would make a great plot point in a Neil Stephenson novel.)