DUBAI HITB SECURITY CONFERENCE: Protection of Critical Infrastructure and the use of Electronic Access Control Systems

MEDECO LOGIC CYLINDER. The image for the cover of our new supplement.

I will be speaking again this year at the Hack in the Box security conference in Dubai, UAE, on April 22, 2009. For the past two years I have participated in this gathering of almost 1000 security experts from Europe and the Middle East who meet to give presentations about wide-ranging cyber and physical security threats. The conference is always well-attended by a diverse group of participants and is again being held at the Sheraton-Creek in Dubai.

The presentation will include a detailed review regarding the protection of high security facilities, including airports and aircraft, power transmission facilities, and computer server rooms. The emphasis will be on liability and security issues that may result from an undue reliance on certain high security locking systems and technology. I will discuss a number of misconceptions and why these facilities may be at risk, even with some of the most sophisticated physical access hardware and software.

Specific problems inherent in conventional locking hardware will be the primary focus, together with an analysis of high security mechanical locks and electronic access control systems produced by many of the Assa Abloy companies. These technologies include, among others, the Cliq®, Logic®, and NexGen®. The security representations of certain manufacturers will be analyzed, and potential vulnerabilities in these high-tech systems will be explored, together with the liability that may flow to users if these systems are circumvented.

Since the publication of OPEN IN THIRTY SECONDS, which details the compromise of Medeco high security locks (2008), intensive research has been on-going in the U.S. and Europe regarding the security of different electronic access control systems. The results will be included in the new supplement to our book. These potential security issues will be examined in Dubai and will be explored in depth in the upcoming supplement, and later this year in future presentations.

Material that is being included in the new supplement will include:

Critical security vulnerabilities and inherent design flaws of Electronic Access control systems that are produced by High Security lock manufacturers;

Medeco cam locks and their lack of key control for critical infrastructure protection;
Medeco X4, the second generation of the Keymark product, and its virtual absence of any real key security.

We will also consider potential legal liabilities in connection with the failure of electronic access control systems to perform as represented by the manufacturer, especially with regard to the failure of audit functions in the event of bypass and the ramifications to the protection of critical information. The legal consequences to employers and employees that could result from false audit trail data will also be explored. In this connection, we analyze certain White Papers issued by Medeco in 2008 with regard to Logic, and why we believe this technology (and other systems) may not meet minimum physical security requirements for the protection of critical facilities and infrastructure. We examine potential non-compliance issues with regard to state and federal regulatory standards such as contained in Mass.201 CMR-17.00, Sarbanes-Oxley, Transportation Security Act, HIPAA, and the Federal Energy Regulatory Act.

If you are a dealer or end-user and have implemented electronic access control systems and have experienced technical or security issues with your deployed hardware or software, we would encourage you to contact our office to exchange information in order that the supplement is as current and complete as possible, and to provide input for the upgrade or redesign of certain systems.

We have notified Medeco of preliminary research results and have repeatedly requested the most current lock samples to confirm certain findings. Medeco has refused to provide any locks in order to allow us to conduct any tests involving Logic or Nexgen. The company has stated that it only allows testing laboratories or internal and other experts to evaluate their products, and that any information about their locks in conjunction with such tests would be considered confidential, proprietary, and protected intellectual property. We have therefore contacted certain dealers and implementers of Logic, Cliq, and Nexgen to conduct real-world trials at different venues.

Translation: Medeco is afraid to have anyone test their locks unless they are one of “their” experts and that any such testing must be covered by a non-disclosure agreement. For the record, we never asked for any information; just the locks (and we offered to pay for them).

If we had relied on any data from Medeco with regard to the ability to bump or pick their Biaxial or m3, or to develop the technique of code setting keys to open them, we never would have succeeded in doing so, and would continue to believe their locks were still secure as claimed by the manufacturer and others.

OUR QUESTION: if locks that are sold by a manufacturer and represented by them as secure, why would they be afraid for anyone to analyze them independently and attempt to circumvent their security? Isn’t that the point of locks…to stay locked until the right key or code, or credential is presented? Aren’t locking systems designed specifically to stop people from attempting to open them if they do not have the correct credentials? And isn’t Medeco the undisputed leader in the high security market in North America. So why would they be so wary as to not allow us to test and report on the security of their electronic lock designs? We offered to share some of our research with the company, once we were satisfied with the reliability and repeatability of our findings and conclusions.

WHAT WE ASKED IN RETURN: That they would recall all locks that displayed design defects or deficiencies which could result in security vulnerabilities for their customers. In return we would agree to withhold any publication for at least three months, so long as the company would replace all products at no charge to the consumer.

The response we received from Medeco to this offer? No substantive response at all. We have been told that we have a duty to advise Medeco of any “alleged vulnerabilities.” They reiterated in two recent letters that “they have always been willing to listen.” Yes, that is true, but never willing to share any information, nor confirm any vulnerabilities. It is a one-way street.

After analyzing their latest communications, we remembered their corporate position on locks they have sold and later found to be susceptible to be bypassed: they stated in 2007 that purchasing Medeco locks is not like buying a subscription. If a vulnerability is discovered after purchase, just buy new locks!

Good for Medeco, but not very good for their customer who may have invested in flawed technology.

We guess that one possible answer to their lack of any real response to our request for locks would be that they read our book, or perhaps they are concerned that young JennaLynn might be recruited once again to open their Logic or Nexgen.

August, 2009. …Las Vegas. …DefCon.

®Medeco, Logic, Cliq, NexGen, Keymark, and Biaxial are registered trademarks of Medeco Security Locks and Assa Abloy.