Hackable High-Tech Locks Pose National Security Risks
Two Kaba locks; the type on the right was picked in nine different ways.
CREDIT: Kaba Ilco
LAS VEGAS With a pin, a magnet and a cheap screwdriver, the locks used to keep the doors shut tight at some of the nation's top government facilities can easily be compromised.
At last week's 19th Annual DefCon hacker conference here, Marc Weber Tobias, an investigative attorney and security specialist with Security.org, demonstrated how to exploit several glaring vulnerabilities in two different locks made by the company Kaba.
Along with security consultants Tobias Bluzmanis and Matt Fiddler, Tobias presented his findings in a talk called "Insecurity: An Analysis of Current Commercial and Government Security Lock Designs."
The team first focused on the Kaba Simplex 1000, a lock Tobias said is used in Department of Defense and Department of Energy facilities.
"It's the most popular mechanical programmable push-button lock ever," he told the audience.
You'd think something used to secure a power plant or other critical infrastructure facility would be resistant to simple tampering.
But Tobias and his crew showed a video of their proof-of-concept hack that proved just how wrong that assumption is.
In the video, the researchers placed a rare-earth magnet on the side of the lock, a trick that instantly turned the lock's rotors and opened the door it was meant to keep sealed.
They moved on to the Kaba E-Plex 5800, a 12-button lock whose mechanism was recently revamped to comply with enhanced security protocols mandated by the Department of Homeland Security.
When Tobias' team got hold of this supposedly secure mechanism, they found nine separate ways to crack it.
In the first demonstration, Bluzmanis opened the door simply by rapping the top of the mechanism with a hammer while simultaneously pulling the lever.
A second video showed Bluzmanis inserting a small screwdriver into the keyhole to break the internal link between the lock's cylinder and the plug that controls the electric signal.
He not only picked the lock, but also entered a new master code that erased all the lock's saved passwords .
In a third exploit, the team removed the handle of the E-Plex 5800 and inserted a short piece of wire inside the mechanism that rigged it to open when the door handle was pulled up instead of down.
In their final demonstration, the crew shorted out the electronic signal and bypassed the lock by simply poking a pin into the LED light at the top of the lock.
"All of these are serious design deficiencies that can be exploited by bad guys," Tobias said.
In the case of the last hack, Tobias added, "We can open this lock in five seconds with no damage and no trace."