Security researcher cracks high-security lock used for ATMs, Air Force One, military bases

At this year's Defcon Lock Picking Village, Ioactive's Mike Davis will present a method for cracking high-security locks made by Dormakaba Holding, a Swiss company. The locks are used in very high-stake applications, from security ATMs to Air Force One, as well as guarding classified and sensitive materials on US military bases.


Davis discovered a side-channel vulnerability that uses a $5,000 oscilloscope to detect power fluctuations in the lock, from which he can derive the bitstream traversing the lock's subcomponents, allowing him to unlock it without the key.


Davis demonstrated his findings to Dormakaba a year ago, and the company has largely stonewalled since, though it did hire outside auditors to investigate its Cencon and Auditcon locks and subsequently declared their findings to be proof that no one needs to worry about Davis's attacks.

However, the newest model of the company's X-10 lock does not leak voltage information, but the company insists that this design improvement is unrelated to Davis's findings. Dormakaba also says that because they have never heard of anyone using Davis's attack in the wild, no one should worry about it.

The president of Dormakaba's X-10 division, Eric Elkins, said that Davis should not present his findings in public to "a group of hobbyists or hackers or whatever you want to call them" and instead should confine his disclosures to "the government." Despite having had a year since Davis made his disclosures to Elkins's parent company, Elkins said he was not familiar with Davis's attack and couldn't comment on how severe they were.

The US Government Services Administration says that it has added new layers of security to address power-leakage vulnerabilities in its locks. Davis's attack relies on physical access to the lock — for example, by breaking into the lower-security portion of an ATM in order to gain access to the money-box, which is protected by higher-security Dormakaba products.


Many real-world installations of Dormakaba products use defense in depth techniques such as two-factor authentication tokens, including interactive ones that require a special code. These would be more secure than a bare Dormakaba system.


“These investigations indicate that our current safe-lock product lines perform as intended in real life environment,” said company senior vice president Jim Mills.

Asked whether older models were also secure, a company spokesman said “there have been no reported events in the field to suggest that current or prior year models have presented security issues in real-world environments.”

Exclusive: High-security locks for government and banks hacked by researcher [Joseph Menn/Reuters]


(via /.)

(Image: Dormakaba)