Madison Ruppert: If you are one of the millions of people who have Kwikset smartkey locks on your home, it’s time to seriously consider changing those out for something a bit more secure.
Despite the security claims made about the smartkey locks, researchers demonstrated the ability to bypass the locks with “a screwdriver and a paper clip” and will present the technique at the DefCon hacker conference today.
DefCon is the same conference in Las Vegas where security researcher Barnaby Jack was going to demonstrate how a pacemaker could be hacked in order to kill someone. Jack was found dead in late July.
DefCon is also used by the National Security Agency as a way to recruit hackers, with Gen. Keith Alexander making appearances.
The researchers, noted lock hackers Marc Weber Tobias and Toby Bluzmanis, demonstrated the troubling technique for Wired, which captured it on video.
Tobias and Bluzmanis aren’t new faces at DefCon. In years past, they’ve demonstrated how to defeat what were thought to be high-security electronic locks like the ones used at the White House and other government offices along with electro-mechanical locks, deadbolts and widely-distributed electronic safes.
Yet the findings of the researchers to be presented this year are some of the most devastating yet. The Kwikset smartkey locks, introduced in 2008, are the best-selling locks they’ve tested so far.
Indeed, Kwikset reportedly sells over 20 million smartkey locks per year, meaning that countless homes and businesses are vulnerable to attacks by informed criminals.
The locks, which sell for $20-40, are so appealing because they can be reprogrammed at any time, allowing locks to be changed without having to actually change locks or call a locksmith.
“It’s very clever because the consumer can instantly reprogram the key, but it’s also insecure,” Tobias said. “There’s a lot of positives for Kwikset, but the problem is they can be opened in 15 seconds with a screwdriver and a paper clip. It’s not a pin-tumbler lock so that it doesn’t have the inherent physical strength to block the plug from turning when you do certain things.”
There is a significant false sense of security that goes along with the locks, based at least partially upon the Grade 1 security certification for residential use awarded by the Builders Hardware Manufacturers Association (BHMA).
Wired notes that the locks “are advertised by Kwikset as being invulnerable to being hacked with wires, screwdrivers, or anything else inserted in the keyway,” something which is clearly not true.
Tobias filed a formal complaint with the BHMA two years ago over the rating, but he said they ignored it.
Part of the certification demands that the lock be able to withstand 300 pounds-force-inch of torque, though the researchers demonstrated the ability to use only slightly more than 100 pounds-force-inch to bypass the lock.
While Kwikset wouldn’t respond to Wired’s attempts to get a comment, Tobias was told on recorded phone calls to their technical support that “the locks were impervious to screwdrivers or wires, and that a screwdriver wouldn’t even fit in the keyway.”
“There’s no tool that you can just put in the cylinder and pop it open,” a technician named Satima said to Tobias. “You can’t put any type of wire or anything like that.”
Another technician claimed that it is impossible to open the locks without the key, adding that “sticking anything foreign inside of the keyway is just going to make it that much harder to open up.”
“If it was that easy to pick a Kwikset lock, they would be having us doing recalls, [but] there’s nothing like that. It’s business as usual,” they said.
Unfortunately, as the researchers have shown, it is that easy to pick one of their locks. If you have one of these locks, it’s high time to get a new one.