35 comments

[ 3.6 ms ] story [ 91.1 ms ] thread
I the blog post is preferable, as the linked page doesn't provide any context: https://sockpuppets.medium.com/bypassing-door-passwords-4004...
Same. I clicked the link and thought I must’ve opened a wrong window.
I added source code and blog post links on the demo page.
Actually an interesting article (for context: https://news.ycombinator.com/item?id=29850750), and demonstrates that locks are indeed only keeping honest people honest. Unfortunately, it seems that locks suffer from the dilemma of being low-cost enough while looking that it provides security.
A long time ago I was looking at security of contactless-related security systems such as door access control. The security is absolutely terrible for the most part; there was very little cryptography and the cryptography there was is often broken (by others that is - I don't have the skills to break it myself, I just looked at existing open-source tools), so seeing undocumented backdoor passwords is not surprising.

The general feeling that I got is that outside of IT there's a lot of people who think "it's on a computer so it must be secure". Maybe that's technically true in the sense that it's secure because they have no clue how to use a computer and think that their idea of the difficulty of using one is enough security but obviously that's not the case.

Many systems were (and are even today - the industry is very slow and physical security companies that are responsible for selling/installing these systems rarely have the skills to evaluate them) just based on an ID the keycard broadcasts unencrypted - there is no challenge response nor encryption, even when the keycard itself supported at least some crypto (Mifare Classic for example - that is broken but at least it would be an attempt at making it secure).

Systems that use Mifare Classic would make you think that you'd need to break the crypto and copy the secret data from the card (which is possible and there are open-source toolkits to do it) but in reality you don't even need to bother as copying the UID (which is unencrypted and broadcast in the clear) is enough.

Systems that use HID (which seems like it would be secure, if I remember right those use at least some form of cryptography) that I interacted with as a user (at a well-known tech company) used USB readers in what looked like keyboard emulation mode which "typed" the public UID of the card during provisioning. I am not sure if the actual readers on the doors did anything more (maybe the provisioning step just looks up a UID in a DB and doesn't technically need to be secure, as the readers will only use that UID to lookup a public key in the DB and then do proper authentication?) but there could be potential for a flaw too.

A lot of RFID door openers also just use mechanical relays to power the locking mechanism, which can be triggered from outside with a strong magnet.

In the end it probably depends on what your threat model is. To keep out thieves, most of them are probably unsuited.

The cheap, self-contained ones yes. But I’m talking about “proper” ones where the reader and controller are separate.

While it indeed depends on the threat model, the problem is that a lot of these electronic systems are sold at a high price to building management companies while being horribly insecure. At least if they were cheap then fair enough - you get what you pay for - but that isn't the case here; they provide a false sense of security.

The building management companies were fine with commercial keys in the 80s. They are paying for a system to map entitlement to lock.

The quality of the lock is a small part of the overall equation.

I’ll give you an example of my home. The previously homeowner installed a high quality Medeco lock. It’s difficult to pick (unless you are YouTube’s lockpickinglawyee) and the keys are a pain to duplicate.

Secure, right? Not really. My front door is on a porch with a window, and you could trivially use a thin metal bar to pop the window open, assuming that you wanted to keep the noise down.

It's actually secure in the sense that the lock is difficult to pick and breaking the window leaves evidence of the break-in.

In contrast, exploiting these electronic locks leaves no evidence - the same would apply to easily pickable mechanical locks of course, but at least the shitty mechanical ones are cheap.

Though if he's referring to "picking" the window's latch, then that wouldn't necessarily leave any evidence.
I was thinking of using a jimmy bar to pop the window lock.

I’m a pretty insignificant person without enemies. My risk profile is a crackhead stealing my TV or whatever. A more organized criminal could find a dozen other ways in.

The problem is that these same systems are used in office buildings where the threat model is very different.
> just based on an ID the keycard broadcasts unencrypted

This isn't necessarily the end of the world. At the end of the day, all that matters is the threat model.. to break an access system designed in this manner using a plain UID you're going to need what, something specialised like a Proxmark to be able to read it any real distance away (and even then, IIRC it's like a ruler's distance you'll be able to do). Otherwise, you need physical possession of my access card, no?

Your average burgler is going to have no idea what any of this stuff even is.

To me, the scheme being (as you describe) "horribly insecure" in this way is less of a concern than e.g. a lock that can be easily bumped.

You can tap someone's keycard or wallet with an Android phone and get the UID; here's an example app: https://play.google.com/store/apps/details?id=com.nellon.mif....

That's much easier than picking even the shittiest lock where you'd need picking tools which have less plausible deniability than let's say a phone, and yet these "secure" keycard systems cost significantly more than a shitty lock.

Actually the worst locks are so easy to pick that you just insert your tension tool and turn.

But those aren't usually on doors. The two like that I've seen: TSA approved luggage lock, high power handheld laser safety lockout.

As someone once pointed out, safety lockout locks being easy to pick is a feature. They are a very strong communication device, not a security measure.
Oddly enough, the real (Master 410 series) lockout locks of which I have several are more difficult to pick then the non-lockout locks.

They have 6 pins and multiple spools (security pins).

Right, and the phone needs to be on top of the card - do you think I won't notice?
As an alternative, I find Lockly to be an awesome asset for my household.

I regularly hack my Lockly locks via Bluetooth and wireless.

It’s holding up pretty good.

https://lockly.com/

How secure is their fingerprint reader? More secure than the ones on mobile decides I hope?
everyone that walked through the front door has been asked at least once to try the fingerprint mechanisms (as an unregistered finger) and failed (zero false positive).

Unfortunately, my wife’s fingerprint is scrubbed shallow from excessive hand washing and gets a false negative quite often.

Otherwise, one has to remember the orientation and angle of finger consistently to get near 100% of the time. And experience gets you there.

The part that I like best is the number pad gets scrambled each time you pressed a key while entering in your digits (4 to 8 digits): the glass plate would then offer no clue as to what are the most frequent positions are.

Furthermore, any shoulder surfer would be thoroughly stymied by a set of three digits to each of the keypad positions (of which one of the 3 digits has the correct digit, other two got randonly chosen).

you regularly attempt to hack? and they're holding up? or you regularly manage to actually hack them? In such case how this asset can be awesome? =)
I hack without a key and i get rebuffed in all my attempts.

I hack with my KNOWN keys (which gets scrambled) to get in.

The weak spot on those is the shitty pin-tumbler cylinder, which you can bypass in seconds.
those are quite easy to fix with toothpick and superglue.
This makes me nostalgic. The first homebrew app I ever released[1] helped you pick combination locks with the help of your Playstation Portable.

Looks like the original site that described the algorithm is long dead, but the gist was that once you have the first number from a Masterlock (which you can listen for) the search space of the second two can be reduced with a pretty simple algorithm and so there are only a few dozen combinations to try.

[1] http://forums.qj.net/psp-development-forum/7427-release-psp-...

It's actually the last number. It's found by pulling the shackle and noting where the dial sticks. There will be several places but one stands out from the rest and is the last number.

Then the last number mod 4 is equal to the first number mod 4 while the middle number mod 4 is ± 2 from the others.

This reduces the search space to 100 possibilities to be brute forced in a few minutes.

neato. must be noted that these locks are used in almost all apartment entrances in Turkey.
Never knew streamlit now has a cloud sharing platform. The UI has improved so much as well