High Security

[hydruh]

O_o I didn't think of that but no, you only need 25 posts and 60 days membership for selling your stuff.

Could be referring to the fact that 40 used to be the limit for applying to the adv section but it's higher now.

Yes, that's that I meant. didn't know it was higher.

S

[vap0r]

Anyone who thinks UL 437 is 'high security' doesn't know much about security. For example, many of the locks that are UL 437 certified can be easily bumped open.

Lot of High Security locks can be compromised easily, by bumping or by other simple techniques including by-pass for example. They still are High Security locks.
So saying that UL437 is High Security seems coherent (Actually, I don't know UL437, it doesn't exist in France), but High Security means that the lock is protected against some attacks, not that it is effectively immune.

Otherwise, we could not have the pleasure to open High Security locks if the are considrered low-security since we can open them without the key

Just my two cents

That doesn't make a lock high security. UL 437 is NOT a high security lock rating. It is a medium security rating at best. You could call it 'higher' security, but that is like saying your lock is 'virtually bump-proof' and 'virtually pick-proof', neither of which are true.

If you want high security locks you need to look at the Builders Hardware Manufactuers Assn. guidelines or something like that.

UL 437 certified locks are only tested against basic hand tools like screw driver, 18" crow bar, etc. They do not test them with special drill bits, 4 foot crow bars, or any serious tools. They only use basic hand tools for the testing. If that is what you call a 'high security lock', you are very misled. As I said before, you don't seam to know much about high security locks, or standards, so go do some reading.

Buy a copy of LSS or another that details the specifications. There are also many youtube/google videos from toool, marc tobias, and others that talk in depth about high security locks and why UL 437 isn't a high security standard in addition to what I've just mentioned.

[hydruh]

Vap0r, nice to have you back. You talk a lot of sense!

Also, don't forget greyman's book:

http://www.amazon.com/High-Security-Mec ... 023&sr=8-1

S

[vap0r]

Vap0r, nice to have you back. You talk a lot of sense!

Also, don't forget greyman's book:

http://www.amazon.com/High-Security-Mec ... 023&sr=8-1

S

It's nice to hear my words are appreciated. Some people (like Unlisted) seam to think my words are not 'family safe'. lol.

Here is a link to the defcon 15 video with marc tobias (LSS author) on high security locks.

http://video.google.com/videoplay?docid ... 2092668669

[zeke79]

Unfortunately UL437 is the only "security" standard used in the US. I agree that it is not the best as like you said most locks in this category can be bumped open or bypassed in some way. It is however still somewhat useful to helping someone find a high security lock better than they could without any standard whatsoever. If the standard did not exist, end users could end up choosing a lock that has no security features at all and this choice could be made by simply reading advertising that is misleading. I think that having UL437 atleast gives the user a better chance of getting the security features they need than they would if we had no standard at all and end users were forced to weed through all of the misleading advertising out there.

Is the standard flawed? Yes it is severely flawed. Do we need a new standard that better outlines attacks that are tested? Of course we do. For now however, UL437 is all we have and it is better than nothing as it does improve the chances that an end user will end up with a product that offers some high security features. I do however agree totally that it is a seriously flawed standard that needs to be brought up to date and some of the locks UL437 listed should not be considered high security. UL437 should not be the end all security standard in the US.

[JK_the_CJer]

vap0r:

Most of the folks here are well aware of the flaws in UL437 as a standard for high-security locks. The problem with any industry standard is that the testers do not think like hackers. The devices/procedures are tested according to vary specific sets of procedures.

Imagine a standard that certified locks in a free-for-all manner; in other words: if you can break it faster than 10 minutes, it is decertified. This hypothetical standard would take research efforts like Marc's and use them the decertify cylinders. This sounds fine and dandy, but think further. What is the potential for abuse by competing companies? Also, what about the varying amounts of attention being paid to various locks? Who decides what research is valid and what is not? Have a look at who is on the board of directors for UL and BHMA (ANSII 156.30) that sets the standards. The potential for abuse in a certification system that is not based around a very specific set of guidelines (which hackers/researchers break by definition) is extremely high.

I have to go now, but plan to write more later.

Original Poster:

There are two locks that I am aware of that this community has not opened covertly/surreptitiously: Abloy Protec and Evva MCS. In light of recent research, the most manipulation-resistant keyed mechanical cylinder in production is the MCS.

[mh]

There are two locks that I am aware of that this community has not opened covertly/surreptitiously: Abloy Protec and Evva MCS.

While I believe the above statement concerning the MCS is still correct, recent research suggest that this will not hold for very long any more. Also, key control is somewhat weak as appropriate magnets can be easily procured these days.
See our presentation at HAR2009.

Cheers
mh

[JK_the_CJer]

While I believe the above statement concerning the MCS is still correct, recent research suggest that this will not hold for very long any more. Also, key control is somewhat weak as appropriate magnets can be easily procured these days.
See our presentation at HAR2009.

Cheers
mh

Perhaps, Mul-T-Lock MT5 should be added to that list. I think the precedent for MTL being opened makes it a weak contender for "best lock evar!" but only time will tell. As for how easy those magnets are to procure, I called around asking a bunch of companies about them for a while (without an MCS) so I could work on some decoder ideas. Minimum orders for magnets of that size that are magnetized "through the axis" are quite high and I found no one that sold them non-custom (in SmCo anyway). I'll start looking for the HAR presentation; sounds interesting.

[Schuyler]

Have we seen a Diamant picked? Or a Fichet 3D? I mean, the price of the latter is defense enough against even getting your hands on one to test it out, but still

I've been bombing around LP101 & the internet at large and haven't seen the Diamant compromised. Anyone correct me on that?

[mh]

DOM Diamant: yes, a tool has been made.

MCS magnets: Well, we had to order 1,000s of them, but the cost was within acceptable range.

[Schuyler]

DOM Diamant: yes, a tool has been made.

PM or email me details or a link? I love the lock, would love to see how it was attacked.

[mh]

DOM Diamant: yes, a tool has been made.

PM or email me details or a link? I love the lock, would love to see how it was attacked.

I can't exactly remember if there were more than one of them; one has been made by John Falle, see the lawyer's book, and one used a contact microphone to pick up sound from the lock; they might be the same.
Obviously, the concept is the same as with ABUS Plus locks / Jaakko's tool.

Cheers
mh

[Schuyler]

I can't exactly remember if there were more than one of them; one has been made by John Falle, see the lawyer's book, and one used a contact microphone to pick up sound from the lock; they might be the same.
Obviously, the concept is the same as with ABUS Plus locks / Jaakko's tool.

Cheers
mh

Very good, thanks, mh.

[raimundo]

This topic interests many people currently active, and even brought in Vapor, who joined in O3,
I just don't understand why unlisted asks "please stop necroposting". the way to stop this is to simply delete all posts that are from O3 since they are not valued.

should people start a new O9 topic on subjects that are covered in posts started years ago?

when was the never going anywhere story started, isnt that a necrothread?

If something is necro, it should be burned or buried. I suppose. That way all topics are available for new O9 threads and the necroposting resistance can be satisfied.

[NKT]

Don't worry about re-starting an old thread!

I asked the question at the HAR presentation regarding the cost of the MCS key duplication, and the guys told me that it was around €300 all in, to which I replied "So you broke the key security for less than the price of the lock and a few keys."

And that is true.

I still want a kit with a few of the magnets in it.