HOPE 2008: Focus on Medeco Security Vulnerabilities

HOPE 2008: Three separate lectures that discussed Medeco vulnerabilities

The Usual Suspects, together for a discussion of different vulnerabilities of Medeco Biaxial and m3 cylinders. From left to right, Matt, Toby, Marc, and Jon.

This past weekend there were three different presentations at the HOPE security conference in New York regarding potential security vulnerabilities involving Medeco locks.

Jon King, inventor of the Medecoder picking tool, lectured on the use of his tool and demonstrated its use in picking a Medeco m3 in under three minutes.

Jon King demonstrates the use of the Medecoder picking tool.

We discussed bumping and picking and the different methods of defeating Medeco cylinders, including the defeat of ARX pins, which Medeco apparently plans to implement in their new cylinders to combat the King Attack. While they probably will prevent the use of the Medecoder in new locks, they may not be effective in stopping the use of code setting keys for bumping and picking, as described in our new book. We have repeatedly demonstrated the bypass of some of these pins to bumping and picking, so it remains to be seen just how effective they will be. Evidently Medeco will not be paying for any upgrades to currently installed locks. The company was quoted in an article today on Slate.com, saying that “when you buy a lock, you don’t buy a subscription.” I guess that means that everyone is on their own!

Matt Fiddler, Tobias Bluzmanis and I provided an hour-long briefing to an overflow audience on the Medeco case example and how we methodically developed bypass techniques for the different Medeco products. This research formed the basis of our new book, “OPEN IN THIRTY SECONDS: Cracking One of the Most Secure Locks in America.”

Then, on Saturday, Barry Wels and Han Fey offered a two-hour lecture on keys; how they work and how they can be simulated and copied. Their lecture was also to an overflow crowd and extremely well received. Barry, as usual, provided excellent background on how mechanical keys work and why they are not secure, even for certain high security locks.

Matt Fiddler, Toby, and I will be going into much greater detail at Defcon with regard to the vulnerability of Medeco locks and their key control, and what we perceive as a particularly serious security issue with regard to certain Medeco cylinders.

We will also be addressing the concept of Responsible Disclosure and Irresponsible Non-Disclosure. The photograph below is of Han Fey, replete with Medeco shirt!

Han Fey and Marc Tobias at HOPE 2008.

You can view the short video of our discussion with myself, Tobias Bluzmanis, Matt Fiddler, and Jon King.