Lock Bypass without Lockpicks Waldo set out to expose the GILATT corporation For its evil deeds and lies about its products Its phony medicine and stiff-arm legal tactics to silence opposition And ended up with more than he bargained for In a thrilling tale of... Daniel Crowley
Before the story begins...
Myself
Lock Bypass without Lockpicks
Our character Waldo
The Techniques How do you do the voodoo that Waldo will do?
Abusing ineffective lock usage
Problem #1: Weak mounting hardware You don’t need to pick or break the lock, only unscrew the bracket from the door. This is an example of issues involving disassembly.
Problem #2: Lock not locked This is a somewhat harder to detect version of the “lock not locked” problem, though fairly easy to spot anyway. You couldn’t ride this motorcycle away, unless it was in the bed of a pickup truck.
Problem #3: Weak mounting Awesome, so you’ve locked your bike to a solid post you can’t slide the lock off of. Only problem is that this wheel comes off without even needing tools. Bye-bye bicicleta.
Problem #4: Lock attached to removable part This wheel is properly secured from thieves. Too bad the rest of the bike wasn’t.
Problem #5: Utter failure Where do I even begin?
Shimming attacks
Padlock shimming Go see the TOOOL guys and try this one for yourself!
Shimming a door-mounted lock AKA “The credit card trick”
Passage locks
Alternate point of entry
DO WANT (USD$24.95 on http://www.southord.com)
Credential theft/copy
Escape from the chair
Escape from the maintenance room
Gaining entry to the server room
Escaping GILATT HQ
FIN Questions? Comments? Suggestions? Hate mail? Trolling attempts? [email_address]


Lock Bypass without Lockpicks (see notes for story)


Editor's notes

  1. Attempting to bypass physical security measures without using lockpicks offers several advantages. Firstly, the majority of security features focus on frustrating lockpicking attacks. Similar to assumptions made by a large number of software developers, many focus their efforts on protecting the authentication mechanism as if it were the only target of attack. If you get locked into your apartment, do you pick the lock first? Or if you do not pick locks, do you immediately call a locksmith? No. You look for open windows, or open doors, or check to see if the key is under the mat or in the mailbox. You might even break a window to get in. When lock manufacturers DO come up with some new way to improve their lock, it generally doesn’t affect attacks which don’t target the mechanism which receives the key, and it certainly doesn’t affect attacks which don’t target the lock. Attacks which target the usage of the lock are hard to stop, because the implementation is up to the consumer, not the manufacturer. Since the mechanism for receiving the key is not being targeted, there is no need to carry lockpicks. Depending on your location, carrying lockpicks can result in legal penalties. These techniques are frequently easy to learn and perform (unlike lockpicking), and result in access far quicker than lockpicking would.
  2. Dear Waldo trademark holder: This is an educational work and is therefore not subject to copyright laws under the “education” clause of fair use.
  3. Locks can be deceptively hard to use effectively. Most simply, the absent-minded or lazy may leave a lock unlocked. Depending on the lock, it’s conceivable that a lock may appear to be secured, when in reality it is not. Sometimes, a lock will be affixed to a movable or removable part and can be bypassed by manipulating the aforementioned part. Additionally, the lock may be affixed to what it is intended to protect using weak mounting hardware. By “weak”, I mean that it can be destroyed through brute force, disassembled without the need for brute force, or manipulated in a manner which results not in destruction or disassembly but exposure of the protected assets.
  4. Shimming is a well-known technique within the locksport community and elsewhere. Many of you have heard of or used the “credit card trick” to bypass a doorknob lock. This is an example of an attack involving a shim. A thin sheet of rigid material is wedged between the hasp and the hole in the doorframe meant to receive the hasp, allowing the door to be opened. Shimming attacks against padlocks and handcuffs are well known, too.
  5. Passage locks are a class of lock which, when locked, prevent all access from one side, but can be easily unlocked by anyone on the other side. Examples include chain locks and non-keyed deadbolts. Passage locks are frequently combined with traditional locks, and combinations of the two can almost invariably be found on the inside of hotel room doors. This is useful, as hotel staff has access to the room at all times unless someone is inside the room, at which point they can use the passage locks to prevent entry.
  6. STORY TIME!
  7. Dazed and blurry, Waldo finally roused from his drug-and-blunt-trauma induced nap. His surroundings, unfamiliar and hostile, reminded him of why he was here and more importantly, why his head hurt so much. With his arms unresponsive to his attempts to touch what felt like a goose egg growing right about where the corporation's goons clubbed him under his unmistakeable red and white hat, Waldo noted that they were chained to his sides, which additionally were chained to the chair he was sitting in. The bulky, ancient padlock holding the chain together made a faint grinding sound in chorus with the links as its rusted exterior brushed the chain, tinkling as he strained to see just how bad his situation was. Waldo was beginning to regret that the usual hiding place for his picks was inside his hat, as he determined that his hands were not going to reach his head any time soon. Waldo could tell that he hadn't been dosed very hard, given that his wits were still with him. He wriggled around and tried to stretch, noting that the chain did not seem to be looped through the rickety chair he had been bound to. Sliding the chain up and off the back of the chair might be enough to free him. Waldo stood up, wobbly at first, and took a moment to steady himself. Attempting to hook the chair onto the handle of the door keeping him in what appeared (somewhat ironically) to be a poorly maintained maintenance closet, proved unsuccessful. He began to wriggle and pull the chair out from the links of chain. After some amount of pulling and tugging, the chair popped out, sending Waldo into a nearby wall. Moments later, after shaking the chain from his torso, it lay beneath him, defeated, in a heap of old metal. Being a fan of old Sierra adventure games, Waldo reasoned that the chain used to bind him may prove useful in his escape, even if only as a makeshift weapon. Waldo slung the chain over his shoulder and reached for his hat.
  8. STORY TIME!
  9. "Shit," thought Waldo. His pickset wasn't there. Waldo removed his hat and ran his hands through his hair and the inside of his hat, just to be sure. Did they leave him anything at all? Starting to build a mental inventory of the things at his disposal, Waldo reached into his pockets. Something had to get him out of this mess. Lint. An old receipt. More lint. A penny. Waldo sighed and probed the bump on his head, wondering if he was really going to make it out of this. Gloomy and dusty, the room was lit only by flickering light from an ancient, dying fluorescent bulb. There were no windows, and only one door. Waldo jiggled the handle on the door. It stirred only barely, clicking and bumping against the metal frame, which was covered in a sickly green paint, flaking with age. Pressing against the door frame, Waldo could tell that the frame wasn't flush with the wall it covered. Bending the frame would be enough to allow for manipulation of the hasp, meaning freedom from this dusty makeshift prison. Unfortunately, Waldo had nothing remotely like a pry bar available to him, so this wasn't an option. Matching the scenery, a closet secured with a padlock rusted away in the corner of the room. Running out of options, Waldo inspected the closet, noting the padlock and trying to figure out if he could swing the chain at it hard enough to break the padlock. Upon further inspection, Waldo realized brute force might just be unnecessary. The padlock was affixed to the closet doors with metal brackets, screwed in with none other than flathead bolts. His fingers gripped the penny in his pocket. "Finally a reason to carry around pennies..." mused Waldo as he fumbled to unscrew the brackets from the closet doors. With a clank, the padlock and detached bracket swung uselessly to the side. As the closet doors creaked open, Waldo saw his ticket out: A tool belt. In that tool belt was a flathead screwdriver of sufficient size and girth as to be used as a decent pry bar.
It seemed as though things were finally starting to look up for Waldo. Waldo eagerly approached the door, screwdriver in hand and a smile on his face. Wedging the screwdriver between the frame and door, he levered back and nudged the door with his shoulder, popping the door out from the frame. The door stopped short, attached to a chain lock on the other side. Waldo reached around the door and jiggled the doorknob, disengaging the doorknob's lock so that he at least wouldn't have to mess with it again. Being so close to escape was at the same time motivating and frustrating. Frustration alone, however, was not going to get him anywhere. On the other hand, the closet might have something to help. Among the mess of things in the closet was an old GILATT janitor's outfit bearing the name "Graig E." Waldo thought the name sounded familiar, but thought the jumpsuit needed more red and white stripes. Still, it worked as a nice disguise. People tend not to pay attention to cleaning staff and Waldo, of all people, knew the value of hiding in plain sight. At the bottom of the closet was a box of discarded folders. Waldo immediately took one of the folders and practically ran back to the door. Opening the door slightly, he stuck the folder in between the door and the frame and manipulated the edges of the folder to curve the fold around through the door jamb and touch the tip of it to the end of the chain. Closing the door caused the chain to slide to the side. With a flick of the folder, he popped the chain out of the door. Waldo pulled the folder back into the room and threw it on the floor. Not wanting to go gallivanting around GILATT headquarters without a proper disguise again, he put on the jumpsuit and tool belt, then reluctantly put his hat inside it. Finally, Waldo was out of the room and into the basement of the building.
  10. STORY TIME!
  11. From earlier recon, Waldo knew that the server room was on the second floor. Sensing that the GILATT goons would return soon, Waldo relocked the freshly installed chain lock and engaged the lock on the doorknob, then hit the elevator call button. Shortly afterwards, the doors slid open and an old man in a suit followed by two muscle-bound thugs stepped out from the elevator and approached the maintenance door. As the elevator door closed with Waldo inside, the old man disengaged the locks. The maintenance room's door swung open, revealing an empty, overturned chair, a scratched doorframe, a discarded folder and an opened closet. And no Waldo. The old man walked into the room slowly, inspecting the mess. Suddenly, he grabbed the chair and threw it across the room, startling his muscle-bound cohorts. He whipped around to face them, a bulging vein on his forehead, his eyes smoldering with anger, lips twisted into a snarl revealing his crooked, yellowed teeth. Shaking with rage, he shouted: "WHERE'S WALDO?!" The server room hummed audibly from outside the door. A soft yellowish orange glow emanated from the LED on the RFID sensor. Waldo hadn't planned for this, he had expected a keyed entry. Then again, he hadn't planned to be kidnapped and lose his pickset, so he was already in something of an improvisational mood. It was a pretty safe bet that there was going to be a request-to-exit motion sensor on the other side of the door. It would just be a matter of triggering it, and the door would unlock. There was a crack at the bottom of the door, but it was too small for Waldo to put anything he had with him through. Waldo checked the frame of the door to see if he could force it open with the screwdriver. No such luck, it was reinforced and he doubted he'd be able to open it without a car jack or some other extreme measure. Waldo tapped his foot idly, determined to get in and thinking about where he could get or copy a card to gain entry.
*Thok. Thok. Thok.* Waldo looked down, noticing the hollow noise the floor was making. The floor was raised! Putting his screwdriver to work, Waldo pried up a floor panel. A quick glance revealed that the wall of the server room didn't extend past the raised floor. Only a half a foot or so of space existed between the wall and the real floor, so Waldo wouldn't be able to crawl through without getting stuck, and his goose egg reminded him that he wasn't keen on being caught again. Waldo popped a panel out in the server room and tried to wave his hand on the other side of the door. No luck. He took a pair of vice grips from the tool belt he was wearing and chucked them up past the inside of the door. A beep sounded, and the door clicked unlocked. Waldo stood up and reached for the door handle, only to find it lock again right before he could open it. It took a few more tools from the tool belt before he caught the door in time. Waldo stepped through and placed the tools back in his tool belt, chuckling slightly at the damage to the server room floor tiles. Serves them right for the headache they gave him. After replacing the floor panel he'd pushed up to throw things through, Waldo began the process of exfiltrating the data with a couple quick keystrokes and grabbed the backups left carelessly in the corner, just in case.
  12. STORY TIME!
  13. Now it was time to skedaddle. Waldo had already been here longer than he had wished to and was looking for an exit now. He dumped the backups into the trash can in the corner and took out the bag, carrying it with him as he left the room. "Better take the stairs this time..." thought Waldo. He slung the trash bag over his shoulder and descended the stairs to the first floor. In one direction was a break room and a hallway to the front entrance. In the other direction was a cubicle farm, and a door leading to a loading dock. Since the loading dock seemed a very janitorial place to go and likely would allow for an unobstructed exit, he decided to go for the loading dock. Stepping outdoors and off the loading dock, Waldo started to scour the parking lot. One car stood out, the back of the car smattered with bumper stickers which said things like "Honk if you like stuff", and "If you can read this, it's because you know how to read". Waldo checked for surveillance cameras and witnesses, then started to feel under the car. Checking under the front driver-side wheel well, Waldo found a hide-a-key box. Likely a backup key, but it fit the door. Waldo threw the trash bag into the back of the car and climbed into the front seat. He took the fuzzy dice off of the mirror and threw them into the glove box, checked the mirrors, secured his seatbelt (safety first, you know) and drove off into the sunset.
  14. Thanks for reading my slides (and notes, apparently)!