Safecracking for the computer scientist

Matt Blaze
Department of Computer and Information Science
University of Pennsylvania
blaze@cis.upenn.edu

DRAFT – 7 December 2004 (Revised 21 December 2004) – DRAFT

The latest version of this document can be found at

This document contains medium resolution photographs and should be printed in color.

Abstract

This paper is a general survey of safe and vault security from a computer science perspective, with emphasis on the metrics used to evaluate these systems and the weaknesses that cause them to fail. We examine security against forced, covert and surreptitious safe opening, focusing on the mechanical combination locks most commonly used on commercial safes in the US. Our analysis contrasts the philosophy and tools of physical security with those of information security, especially where techniques might be profitably applied across these disciplines.

1 Safe and vault security: a computer science perspective

There is an undeniable mystique surrounding safes and vaults. Containers to safeguard valuables and secrets from theft and prying eyes have existed almost as long as the concepts of valuables and secrets themselves, and yet in spite of the "Internet age," details of safes and the methods used to defeat them remain shrouded in obscurity and even a certain amount of mystery. Safe security is a delicate, almost perilous subject, protected by a near reverence that extends, in our imaginations at least, across both sides of the law. Safecrackers are perhaps the most romantic and "professional" of thieves, conjuring images of meticulously planned and executed exploits straight out of Hollywood screenplays. And among the law-abiding, safe and vault technicians (safe men in the traditional parlance) are perceived as an elite, upper echelon of the locksmithing community whose formidable trade is surely passed on only to the most trustworthy and dedicated.
Reverence for safe work can even be found in the trade's own internal literature, with an almost unavoidable, if subtle, swagger accompanying mastery of safe opening technique. The title of a venerable locksmithing treatise on the subject – The Art of Manipulation [LK55] – signals a discipline that demands artistry, not mere craft. Its text begins with a warning to faithfully guard the material in its pages, as well as the suggestion that the book be destroyed completely after its techniques are learned. (Fortunately, some readers have ignored that advice, and a few copies remain available through interlibrary loan). The ambiguity in the term manipulation itself seems oddly appropriate here, evoking perhaps a "lock whisperer," with the safe somehow persuaded to open against its better judgment, only to regret it later.

All text and images © 2004 by Matt Blaze; all rights reserved - unauthorized use or publication, whether for commercial or non-commercial purposes, is prohibited.

"Security-by-obscurity," if viewed rather dismissively by those in information security, remains a central tenet of the safe and vault trade. It isn't easy to learn how safes work or what makes one better than another, and while the basic techniques and designs are available to those who search persistently enough, few professionals (on either side of the law) openly discuss the details of safe opening with the unindoctrinated. Consequently, it can be difficult for a potential user to judge independently whether a given container is sufficiently secure for its intended application; that role is left primarily to the safe industry itself (although standards bodies and the insurance industry have some influence here as well). For all the reticence surrounding the subject, however, safes and safe locks (and how they are defeated) are worthy topics of study for students not only of locksmithing but of information security.
An unfortunate side effect of the obscurity of safe and vault technology is the obscurity of tools and techniques that deserve to be better known and more widely applied to other disciplines. The attack models against which safes are evaluated, for example, are far more sophisticated than their counterparts in computer science. Many of the attacks, too, will remind us of similar vulnerabilities in computer systems, in spite of having been discovered (and countermeasures developed against them) decades earlier. The mechanical combination locks used to control access to safes and vaults are among the most interesting and elegant examples of security engineering and design available today. The basic internal structure of (and user interface to) the modern safe lock long predates computers and networks, and yet a careful study of these devices reveals a rich history of threats and countermeasures that mimic the familiar cycles of attacks and patches that irk practitioners of computer and network security.

One of the most striking differences between the physical and information security worlds is the relative sophistication of the threat models against which mechanical security systems are measured. Perhaps owing to its long history and relatively stable technological base, the physical security community – and especially the safe and vault community – generally seeks remarkable precision in defining the expected capabilities of the adversary and the resources required for a successful attack to occur. Far more than in computers or networks, security here is recognized to be a tradeoff, and a quantifiable one at that. The essence of the compromise is time.

1.1 Safe and vault construction

For the purposes of this discussion, a safe or vault is a container designed to resist (or leave evidence of) unauthorized entry by force. (That is, we are discussing burglary safes. Many consumer products marketed as "safes" do not actually meet this definition, being intended to resist only very casual pilfering or to protect contents from fire damage; we do not consider such safes here). The difference between a safe and a vault is scale; safes are small containers designed to store objects, while vaults are essentially room-sized safes with features (such as lighting and ventilation) that support human activity.

Many different safe and vault designs are in use, including stand-alone "box like" containers, in-floor safes, in-wall safes, prefabricated vaults and custom made containers; even a superficial survey would be beyond the scope of this document. All share certain common characteristics, however.

Normal access to a safe or vault is via a door, which is usually hinged to the container walls. The door is locked shut by one or more door bolts (comprising the boltwork), which generally are extended or retracted by an external opening lever, which can only be operated if a lock bolt has been retracted by the locking mechanism (e.g., after dialing the correct combination). Most modern burglary safes accept a standard lock package (with an externally-mounted dial), consisting of an internally-mounted lock module with a small retracting lock bolt designed to mate with the door bolts and handle. See Figure 1. (We will discuss these locks in more detail later). Some older safes (as well as certain contemporary low security safes) incorporate a customized lock as an integral component of the boltwork and use the lock bolt directly as the door latch.

Figure 1: Standard lock package (in this case, a Sargent & Greenleaf model R6730), shown mounted on a display stand. The dial (left image) is accessible on the outside of the container. The internal lock module (right image), in a standard form factor, contains the lock mechanism and retractable lock bolt (the brass tab at the far right). Note the change key hole on the back of the lock case, into which the user can insert a tool to change the combination when the container is open. The dial is connected to the lock module via a spindle running through a small hole in the container wall.

The main function of the safe or vault container is to resist opening by force and to protect the lock package from tampering. Container walls and doors usually consist of several layers of material. The outer layer is typically of conventional mild steel, intended to resist blunt force and prying. Resistance to more specialized attacks is provided by barrier layers, which are fabricated from materials that resist penetration by various kinds of tools. Barrier materials intended to thwart drilling, called hardplate, protect the parts of the safe (such as the lock package) that might be profitably drilled in an opening. Barrier materials may protect all six sides of a container or, more often, only one (typically the door itself). In-wall and in-floor safes are often protected at the door only, under the assumption that the surrounding environment will prevent access from other directions. To prevent the container itself from being stolen as a whole, stand-alone safes (especially less heavy models) are often designed to be bolted to a floor or wall.

Many safes and vaults (including most burglary safes, but, interestingly, not GSA containers intended for storage of classified materials) include one or more internal relockers (also known as relock devices) that trigger when certain conditions consistent with an attack are detected. Once triggered, the relockers prevent the door bolts from moving even after the lock bolt is retracted. Several kinds of relockers are in common use. The most common detect punching attacks, in which the back of the door is damaged (e.g., dislodging the internal lock package by applying force to the external dial).
Thermal links, used in some safes, melt and trigger a relock under the high temperatures that might be induced by cutting torches. Some of the highest-end safes include tempered glass plates that trigger relock devices when breached by a drill. Lock packages themselves often have internal relock triggers that prevent retraction of the lock bolt if the lock case is forced open. Any attack that aims to open the container door must therefore avoid triggering relock devices.

The chief value of many relockers seems to be thwarting novice burglars unaware of their existence. Especially on mass-produced safes (the majority of the market), the types and locations of relockers can be predicted and triggering them thereby avoided. On higher-end safes and vaults, however, especially those incorporating tempered glass plates, relockers might be randomly placed as a unique parameter of each instance of the container. Here the relockers force the attacker to employ a more conservative opening technique (e.g., one that involves drilling through more hardplate), making the best-case penetration time slower (and more predictable), even against the expert.

1.2 Container security metrics

Even the best safes and vaults are not absolutely impenetrable, of course; their strength is constrained by both physics and economics. Safes are distinguished from one another not by whether they can be penetrated, but by how long it would be expected to take, the resources required, and the evidence it produces. The basic security metrics for safes attempt to measure resistance to the kinds of tools that attackers of varying degrees of sophistication might be expected to wield.
At the bottom of the attack-tool hierarchy are ordinary hand tools, against which even a low-end safe might be expected to give at least some resistance, then portable motorized power tools, then cutting torches, and finally (presumably for those concerned with international jewel thieves from Hollywood movies), explosives.

We can also measure attacks according to the obviousness of the evidence left behind. Here the terminology is at its most cloak-and-dagger; an attack is said to be surreptitious if it leaves behind no evidence at all, covert if it leaves behind evidence that would not be noticed in normal use (although it might be noticed in an expert inspection), and forced if the evidence is obvious (of course, force might be involved in surreptitious or covert entry as well, so the term is a bit of a misnomer). These distinctions are mainly of interest for safes used to store confidential (or classified) information, where prompt discovery of successful attacks can be almost as important as preventing them in the first place.

Safe and vault rating categories aim to provide a multi-dimensional picture that allows the potential user to evaluate protection according to the perceived threat: a given safe might be rated for a very long time against surreptitious entry aided only by the simple tools of the most casual thief, but for shorter times as the tools used become more sophisticated, heavy, conspicuous, and expensive or as the evidence of attack becomes more pronounced. (Several organizations publish ratings according to various criteria, including, in the U.S., Underwriters Laboratories (UL) for commercial safes and the General Services Administration (GSA) for federal government safes).

Because the materials and mechanical designs from which safes and vaults are manufactured have rather well understood physical properties, relatively simple procedures are used to estimate time bounds on resistance to attack.
The usual approach is to make rather generous assumptions about the skill and tools of the attacker and the conditions under which an unauthorized opening might be carried out. For example, a sample safe might be drilled (under laboratory conditions and with the best commercially available equipment and techniques), and the time for penetration considered to be the minimum required for a drilling-based opening by a burglar.

These tests produce safe ratings that may seem disturbingly weak at first blush. The best UL rating categories are for only 15, 30 and 60 minutes, and GSA ratings against forced attack are for either zero(!) or 10 minutes. Yet opening even a zero-minute rated GSA container may require an hour or longer under field conditions (and attract considerable attention in the process).

Observe that safe testing as described here does not produce upper or lower bounds on security in the sense usually used in information security. They are clearly not lower bounds, since better tools or techniques not known when a safe was tested might substantially reduce the required penetration time. The results are not especially meaningful as upper bounds, either, since the conditions are sufficiently generous to the attacker to make it very unlikely that they could be achieved under field conditions. Instead they are less formal "guidelines," intended mainly for comparison, and useful as approximate lower bounds only under the (perhaps tenuous) assumption that improved tools and techniques will not become available in the future.

1.3 Lock security metrics

Time is also the essential metric by which the locks used on safes and vaults are measured. Here, however, we are less concerned with attacks by force, since the sensitive components of the lock are protected by the container itself.
Instead, the primary attacks involve exploiting poorly-chosen combinations (birthdays are said to be popular), finding the working combination through exhaustive search, or interpreting incidental feedback given through a lock's user interface to make inferences about its internal state. The latter approach is usually called manipulation within the safe and vault trade, although, as we will later see, the techniques involve careful observation more than outright manipulation.

Mechanical combination dial locks are the most common access control devices used on burglary safes and vaults in the United States, and these locks will be the focus of our attention here. Such locks are opened by demonstrating knowledge of the combination by rotating a dial, reversing direction at specific places on the dial; we will discuss the user interface and dialing procedure in detail in Section 2. Electronic combination locks (using a keypad or rotary-encoder dial) are becoming increasingly popular at the low- and high-ends of the safe market, but we will not consider them here; analyzing such locks is essentially a software and embedded system security problem beyond the scope of this paper. Keyed safe locks (usually of a lever-tumbler design) are more common in Europe and elsewhere, but again, they are beyond our scope here.

Nondestructive attacks against the combination itself are usually considered to be in the "surreptitious" category; they leave little or no forensic evidence. (Electronic and electro-mechanical locks may incorporate logs and audit trails, but we are considering strictly mechanical locks here). Many lock attacks, including manipulation, can be performed across several (interrupted) sessions, making them an especially serious threat in some environments.

1.3.1 The combination keyspace

The most obvious lock security factor is the number of distinct combinations; it provides a bound on the time required for exhaustive search.
Most safe and vault lock dials are divided into 100 graduations (see Figure 2), with three (or occasionally four) dialed numbers in the combination. This implies 100^3 (1,000,000) possible combinations for a three number lock and 100^4 (100,000,000) possible combinations in a four number lock. The number of effectively distinct combinations is usually considerably lower, however. Most locks have a wider dialing tolerance than the dial graduations would suggest, allowing an error of anywhere between ±0.75 and ±1.25 in each dialed number, depending on the lock model. So although there may be 100 marked positions on the dial, there may be as few as 40 mechanically distinct positions. A three number
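The keyspace arithmetic of this section, worked through in Python as an added example (it is not code from the paper). Given a dial of 100 graduations and a per-number dialing tolerance of ±tol, an exhaustive search only has to try dial values spaced 2·tol apart, which is how ±1.25 collapses the 100 marked positions to 40 mechanically distinct ones; the code generalizes this to any tolerance and any number of dialed numbers, and checks that the chosen trial values really do cover every graduation around the circular dial. The seconds-per-attempt figure used for the time estimate is an assumption of this example, not a number taken from the paper.

```python
"""Effective keyspace of a mechanical safe dial lock under dialing tolerance.

Added example (not from the paper). It models the arithmetic of Section 1.3.1:
a 100-graduation dial with an n-number combination nominally has 100**n
combinations, but a lock that accepts each number within +/- tol graduations
has only about 100 / (2 * tol) mechanically distinct positions per number, so
an exhaustive search only needs to try dial values spaced 2 * tol apart. The
seconds-per-attempt figure used for the time estimate is an assumption of this
example, not a number given in the paper.
"""
import math
from itertools import product

GRADUATIONS = 100  # positions marked on a standard safe lock dial


def distinct_positions(tol, graduations=GRADUATIONS):
    """Mechanically distinct dial positions when each number is accepted within +/- tol.

    Trial values spaced 2 * tol apart leave no graduation more than tol from a
    trial value, so ceil(graduations / (2 * tol)) trials cover one number.
    """
    if tol <= 0:
        raise ValueError("tolerance must be positive")
    return math.ceil(graduations / (2 * tol))


def nominal_keyspace(numbers=3, graduations=GRADUATIONS):
    """Combinations implied by the dial markings alone (100**3 for a 3-number lock)."""
    return graduations ** numbers


def effective_keyspace(tol, numbers=3, graduations=GRADUATIONS):
    """Combinations an exhaustive search must actually try at tolerance +/- tol."""
    return distinct_positions(tol, graduations) ** numbers


def search_points(tol, graduations=GRADUATIONS):
    """Dial values to try for one number: 0, 2*tol, 4*tol, ... around the dial."""
    step = 2 * tol
    n = distinct_positions(tol, graduations)
    return [round(i * step, 3) for i in range(n)]


def covers_every_graduation(tol, graduations=GRADUATIONS):
    """Sanity check: every marked graduation lies within tol of some search point,
    with distance measured the short way around the circular dial."""
    points = search_points(tol, graduations)

    def dial_distance(a, b):
        d = abs(a - b) % graduations
        return min(d, graduations - d)

    return all(
        any(dial_distance(g, p) <= tol for p in points) for g in range(graduations)
    )


def candidate_combinations(tol, numbers=3, graduations=GRADUATIONS):
    """Iterate over every combination an exhaustive search would dial."""
    return product(search_points(tol, graduations), repeat=numbers)


def exhaustive_search_hours(tol, numbers=3, seconds_per_attempt=10.0):
    """Worst-case wall-clock time for exhaustive search.

    seconds_per_attempt is an assumed cost of dialing one full combination and
    trying the handle; it is not a figure taken from the paper.
    """
    return effective_keyspace(tol, numbers) * seconds_per_attempt / 3600.0


if __name__ == "__main__":
    for tol in (0.75, 1.0, 1.25):
        print(
            f"tolerance +/-{tol}: {distinct_positions(tol)} distinct positions, "
            f"{effective_keyspace(tol):,} effective 3-number combinations "
            f"(nominal {nominal_keyspace():,}), "
            f"~{exhaustive_search_hours(tol):.0f} h at 10 s per attempt"
        )
```

At ±1.25 the three-number search space shrinks from 1,000,000 to 40^3 = 64,000 combinations, and at ±0.75 to 67^3 = 300,763; the coverage check is the part worth keeping when adapting the step size to a real lock, since a step even slightly larger than 2·tol leaves graduations no trial value will open.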