Keep it secret, stupid!
Matt Blaze mab @ crypto.com
26 January 2003
Last year, I started wondering whether cryptologic approaches might be useful for the analysis of things that don't use computers. Mechanical locks seemed like a natural place to start, since they provided many of the metaphors we used to think about computer security in the first place.
So I read everything I could get my hands on about locks, which included most of the available open literature and at least some of the "closed" literature of that field. Once I understood the basics, I quickly discovered, or more accurately re-discovered, a simple and practical rights amplification (or privilege escalation) attack to which most master-keyed locks are vulnerable. The attack uses access to a single lock and key to get the master key to the entire system, and is very easy to perform. For details, see
I wrote up the attack, in a paper aimed more at convincing computer scientists that locks are worth our attention than anything else (I called it "Rights amplification in master-keyed mechanical locks"). As I pointed out in the paper, surely I could not have been the first to discover this -- locksmiths, criminals, and college students must have figured this out long ago. Indeed, several colleagues mentioned that my paper reminded them of their college days. There is considerable evidence that similar methods for master key decoding have been discovered and rediscovered over the years, used illicitly and passed along as folklore (several people have unearthed Internet postings dating back as much as 15 years describing how to make master keys). Curious college students -- and professional burglars -- have long been able to get their hands on master keys to the places that interest them.
But the method does not seem to appear in the literature of locks and security, and certainly users of master keyed locks did not seem to know about this risk. I submitted the paper to a journal and circulated it to colleagues in the security community. Eventually, the paper reached the attention of a reporter at the New York Times, who wrote it up in a story on the front page of the business section last week.
The response surprised me. For a few days, my e-mail inbox was full of angry letters from locksmiths, the majority of which made both them point that I'm a moron, because everyone knew about this already, as well as the point that I'm irresponsible, because this method is much too dangerous to publish. A few managed to also work in a third point, which is that the method couldn't possibly work because obviously I'm just some egghead who doesn't know anything about locks.
Those letters, with their self-canceling inconsistency, are easy enough to brush aside, but there seems to be a more serious problem here, one that has led to a significant real-world vulnerability for lock users but that is sadly all too familiar to contemporary observers of computer security.
The existence of this method, and the reaction of the locksmithing profession to it, strikes me as a classic instance of the complete failure of the "keep vulnerabilities secret" security model. I'm told that the industry has known about this vulnerability and chosen to do nothing -- not even warn their customers -- for over a century. Instead it was kept secret and passed along as folklore, sometimes used as a shortcut for recovering lost master keys for paying customers. If at some point in the last hundred years this method had been documented properly, surely the threat could have been addressed and lock customers allowed to make informed decisions about their own security.
The tragic part is that there are alternatives. There are several lock designs that turn out to resist this threat, including master rings and bicentric locks. While these designs aren't perfect, they resist completely the adaptive oracle attack described in my paper.
It's a pity that stronger alternative designs have been allowed to die a quiet death in the marketplace while customers, ignorant of the risks, have spent over a hundred years investing in inferior systems.
Although a few people have confused my reporting of the vulnerability with causing the vulnerability itself, I can take comfort in a story that Richard Feynman famously told about his days on the Manhattan project. Some simple vulnerabilities (and user interface problems) made it easy to open most of the safes in use at Los Alamos. He eventually demonstrated the problem to the Army officials in charge. Horrified, they promised to do something about it. The response? A memo ordering the staff to keep Feynman away from their safes.
2 Golygfa'r Eglwys
Phone: 01443 650075
Mark Garratt an industrial designer has perfected Pickbuster, a special fluid which can be squirted into locks to make it very difficult for a would-be burglar to "bounce" the pins inside, but which does not affect normal key operation. The synthetic, high-tack fluid, is easy to apply, non-toxic and can withstand extremes of
temperature. It is being made available initially to housing organisations in aerosol form at 2.70 per lock treatment.
The joys of picking locks, the secret world of bumping
By Sara Schaefer Munoz November 6, 2006
[…Matthew Fiddler "The public has a right to know if some $30 lock they bought is not secure," says Fiddler, the Connecticut chapter president, who, like many in his group, works in computer security. Internet videos that show how to pick many types of locks. Pin tumbler locks, commonly used on doors, mailboxes or padlocks, are opened with a key when their spring-loaded pins are pushed into the right alignment. To open them without a key, hobbyists often use a slender pick to maneuver the pins, while at the same time sticking a tension wrench in the keyhole to apply turning pressure. Another popular method is "bumping," which involves inserting a specially filed key blank into a lock and hitting or "bumping" it.
Key blanks, made by lock manufacturers and used for making duplicate keys, are widely available for most common locks online or in hardware stores. The force of hitting the key makes the pins jump in such a way that for a split second the lock can be opened.
Law-enforcement officials fear that any tactic that exposes lock-breaching can put information into the wrong hands. "They are exposing vulnerabilities to everybody, and everybody includes criminals," Organized groups of lock-picking hobbyists have operated in Europe for years, and have recently been increasing in North America. Locksport International started last year and has 100 members in six chapters in the U.S. and Canada. The Netherlands-based Open Organisation of Lockpickers (TOOOL) formally launched a U.S. group in August and so far has 40 members.
Police and lock manufacturers say they get worried when pickers swap tips on the message boards of lockpicking101.com, a Web site for lock-picking enthusiasts, and post how-to demonstration videos on the popular video-sharing site YouTube.com.
Walt Strader, vice president of research and development for Black & Decker, which makes Kwikset, Weiser and Baldwin locks, says the company recently became aware of the "bumping" method from information disseminated by the groups.
While the company doesn't agree with the groups' publicity tactics, he said it is "taking the issue seriously" by re-evaluating its products and considering a warning on the packaging. The company is also working with the industry to call for a ban on the Internet sale of bump keys, he says.
Mar 8, 2006 Matt Blaze blaze- // @ // -- cis.upenn./// edu
University of Pennsylvania
Signaling Vulnerabilities in Law-Enforcement Wiretap Systems
April 18, 2006
Phreaking the Wiretappers
The talks I gave yesterday in Reston and last month at Stanford (mostly) described our December 2005 IEEE Security and Privacy paper (with Micah Sherr, Eric Cronin, and Sandy Clark), the full version of which
Now that most wireline switches implement the CALEA interfaces, loop extenders are no longer the dominant law enforcement wiretap technology (at least for better-funded federal agencies). But because of the backward compatibility features implemented by some CALEA equipment, certain vulnerabilities -- particularly the ability to disable call recording -- may remain.
High-fidelity, high-accuracy passive wiretapping, it turns out, can also be hard to do reliably in digital networks. We found it to be easy to fool most convention Internet tools, at least under many configurations:
I'm often surprised at how uncritical the courts re in accepting electronic evidence, especially wiretap evidence. It may be less reliable than we assume it to be.
2006 - The Communications Assistance for Law Enforcement Act (CALEA), a law originally enacted to ensure federal wiretapping access for telephones, is the major obstacle to providing public access. College drops plans for free public wireless because
a law requiring Internet service providers to supply access to federal wiretaps has spurred Bowdoin College to drop plans to offer a public wireless network covering the downtown area.
A federal regulation that requires Internet-service providers to reconfigure their networks to help the government eavesdrop on online communications may unintentionally stymie the deployment of wireless Internet access in cities and towns across the country. A situation where law enforcement is authorized to come in and tap your router.
2006 - Officials Predict Colleges Will Be Exempt From Ruling on Network Surveillance
Call it viewing the glass as half full. In the absence of a definitive statement from either the courts or the Federal Communications Commission on whether colleges must re-engineer their networks to comply with the government's online-surveillance needs, a leading higher-education group is betting that the law is on colleges' side. In legal guidance released this month, the American Council on Education told colleges that they probably need not worry about an FCC regulation requiring Internet-service providers to overhaul their networks to make it easier for law-enforcement officials to eavesdrop on e-mail messages and on conversations that use Internet-based telephone and instant-messaging services. Colleges had estimated that if they fell under the regulation, it could cost them $9-million to $15-million each to comply. According to Matthew Brill, a partner with the law firm Latham and Watkins and an expert on CALEA, "It does appear that providing public access to the community may subject the (college) to regulations that may otherwise not exist." Originally, as reported by The Times Record this spring, Bowdoin College had planned for a partnership between Bowdoin and Great Works Internet, a local Internet service provider, to install a public wireless network covering the entire Brunswick downtown area. The installation of the network was to be a pilot project for GWI, so that the company could later offer the service to other municipalities. Davis said that the barriers to the project were twofold. First, the college had planned to mount the antennas transmitting the wireless signal on utility poles owned by Central Maine Power Co. Getting access to those poles "has been difficult," said Davis. Then, after 111 Maine, a downtown restaurant, offered its rooftop for an antenna, Davis learned of a regulation, (CALEA), that requires Internet service providers to make available wiretapping access to the federal government. Davis said that he still hoped that access could eventually be offered to Brunswick residents. "We're going to put it in for (Bowdoin College students)," he said. "Once it's in, we'll work out providing access for guests." Brill said that the solution might be in a technical interpretation of the law. "The FCC has made clear that universities that apply to third parties for access are not subject to CALEA," he said. But Davis was quick to note that he was not an expert on this specific situation. "The precise arrangements would determine the obligations." According to Davis, guest access could be allowed if the network was operated by a third party, such as GWI. The distinction between Bowdoin and a third party providing the access may be as simple as who owns the router providing the public access. The router is the device that would connect the Brunswick/Bowdoin network to the rest of the Internet. "If GWI were to own that router, then they would be responsible for maintaining the CALEA action," Davis said. Davis also added that he had been appointed to Gov. John Baldacci's council on broadband, and that, in that role he would be working on resolving these issues. "The fact that we weren't able to tie everything and make it work was disappointing," Davis said. "In a larger sense, it allowed me to get on a committee that is potentially going to create the solution in the state of Maine." Nathaniel Herz is a sophomore at Bowdoin College.
" A basic rule of cryptography is to use published, public, algorithms and protocols. This principle was first stated in 1883 by Auguste Kerckhoffs: in a well-designed cryptographic system, only the key needs to be secret; there should be no secrecy in the algorithm. Modern cryptographers have embraced this principle, calling anything else "security by obscurity." Any system that tries to keep its algorithms secret for security reasons is quickly dismissed by the community, and referred to as "snake oil" or even worse. This is true for cryptography, but the general relationship between secrecy and security is more complicated than Kerckhoffs' Principle indicates.
The Handbook of Applied Cryptography
"Lecture "by Goldwasser and M. Bellare
Kerchhoffs' original work
http://www.cl.cam.ac.uk/~fapp2/kerckhoffs , in French and English.
November 30, 2005
Security Flaw Allows Wiretaps to Be Evaded, Study Finds
The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. It is also possible to falsify the numbers dialed, they said.
Someone being wiretapped can easily employ these "devastating countermeasures" with off-the-shelf equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania.
"This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it," Mr. Blaze and his colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the Institute of Electrical and Electronics Engineers.
A spokeswoman for the F.B.I. said "we're aware of the possibility" that older wiretap systems may be foiled through the techniques described in the paper. Catherine Milhoan, the spokeswoman, said after consulting with bureau wiretap experts that the vulnerability existed in only about 10 percent of state and federal wiretaps today.
"It is not considered an issue within the F.B.I.," Ms. Milhoan said.
According to the Justice Department's most recent wiretap report, state and federal courts authorized 1,710 "interceptions" of communications in 2004.
To defeat wiretapping systems, the target need only send the same "idle signal" that the tapping equipment sends to the recorder when the telephone is not in use. The target could continue to have a conversation while sending the forged signal.
The tone, also known as a C-tone, sounds like a low buzzing and is "slightly annoying but would not affect the voice quality" of the call, Mr. Blaze said, adding, "It turns the recorder right off."
The paper can be found at http://www.crypto.com/papers/wiretapping.
The flaw underscores how surveillance technologies are not necessarily invulnerable to abuse, a law enforcement expert said.
"If you are a determined bad guy, you will find relatively easy ways to avoid detection," said Mark Rasch, a former federal prosecutor who is now chief security counsel at Solutionary Inc., a computer security firm in Bethesda, Md. "The good news is that most bad guys are not clever and not determined. We used to call it criminal Darwinism."
Aviel D. Rubin, a professor of computer science at Johns Hopkins University and technical director of the Hopkins Information Security Institute, called the work by Mr. Blaze and his colleagues "exceedingly clever" - particularly the part that showed ways to confuse wiretap systems as to the numbers that have been dialed. Professor Rubin added, however, that anyone sophisticated enough to conduct this countermeasure probably had other ways to foil wiretaps with less effort.
Not all wiretapping technologies are vulnerable to the countermeasures, Mr. Blaze said; the most vulnerable are the older systems that connect to analog phone networks, often with alligator clips attached to physical phone wires. Many state and local law enforcement agencies still use those systems.
More modern systems tap into digital telephone networks and are more closely related to computers than to telephones. Under a 1994 law known as the Communications Assistance for Law Enforcement Act, telephone service providers must offer law enforcement agencies the ability to wiretap digital networks.
But in a technology twist, the F.B.I. has extended the life of the vulnerability. In 1999, the bureau demanded that new telephone systems keep the idle-tone feature for recording control in the new digital networks, which are known as Calea networks because of the abbreviation of the name of the legislation.
The Federal Communications Commission later overruled the F.B.I. and declared that providing the idle tone was voluntary. The researchers' paper states that marketing materials from telecommunications equipment vendors show that the "C-tone appears to be a relatively commonly available option."
When the researchers tried the same trick on newer systems that were configured to recognize the C-tone, it had the same effect as on older systems, they found.
Ms. Milhoan of the F.B.I. said that the C-tone feature could be turned off in the new systems and that when the bureau tested Mr. Blaze's method on machines with the function turned off, the effect was "negligible."
"We were aware of it, we dealt with it, and we believe Calea has addressed it," she said.
Mr. Blaze, a former security researcher at AT&T Labs, said he shared the information with the F.B.I. His team's research is financed by the National Science Foundation's Cyber Trust program, which is intended to promote computer network security.
The security researchers discovered the new flaw, he said, while doing research on new generations of telephone-tapping equipment.
In their paper, the researchers recommended that the F.B.I. conduct a thorough analysis of its wiretapping technologies, old and new, from the perspective of possible security threats, since the countermeasures could "threaten law enforcement's access to the entire spectrum of intercepted communications."
There is some indirect evidence that criminals might already know about the vulnerabilities in the systems, Mr. Blaze said, because of "unexplained gaps" in some wiretap records presented in trials.
Vulnerabilities like the researchers describe are widely known to engineers creating countersurveillance systems, said Jude Daggett, an executive at Security Concepts, a surveillance firm in Millbrae, Calif.
"The people in the countersurveillance industry come from the surveillance community," Mr. Daggett said. "They know what is possible, and their equipment needs to be comprehensive and needs to counteract any form of surveillance."