Drilling open a smart door lock in 4 seconds(pentestpartners.com) |
Drilling open a smart door lock in 4 seconds(pentestpartners.com) |
This was interesting as it was an attack that certainly would not have crossed my mind. Would be interesting to see how other types of locks would do against this kind of tool.
[1] https://www.homedepot.com/p/Ramset-MasterShot-0-22-Caliber-P...
Speaking of "smartlocks": here’s one that doesn’t even need a drill: https://www.youtube.com/watch?v=WeCGTosv-_c
Edit: and another one https://www.youtube.com/watch?v=mGpMaShltbc
In something like a shipping container the actual lock is shielded away from these types of attacks by the container itself.
Yeah, you ramsetted a lock. In a vise. Can you do that if it is dangling from a chain between two gate halves? Or would you bring out a bench and vise to your target?
Ok, you picked a lock. In a vise. Is it easily pickable while hanging from a hasp, with a door behind it?
Ok, you drilled open a smart lock. Is the drill able to be positioned in such a manner when the lock is installed on a door?
It doesn't look like it.
After drilling, you need to insert a screwdriver and manipulate a latch.
Is drilling/manipulating faster/slower/easier/more difficult than picking, raking, ramsetting, grinding, kicking, or prying?
I like clever, but clever isn't always practical.
I would just mount a clamp to the front of the Ramset gun.
> Is the drill able to be positioned in such a manner when the lock is installed on a door? It doesn't look like it.
It really looks like it to me, you need to drill the front of the door.
I don't think you have a point here. All of these steps can be easily done while the lock is on the door. There are plenty of tools availabe to drill holes this way.
Nobody said it is "faster/slower/easier/more difficult" than existing attacks. It is a valid attack, it is quick and it makes almost no noise and worse: It isn't even obvious (you need to actively search for a tiny hole, otherwise you're just assuming all is OK)
He drilled it from the front; the face is off in the picture where he's opening the latch with the screwdriver to better show where the mechanism is.
In a previous life I kicked in doors for a living. I don’t give a fuck how cool your dead bolt is. I could be in your face before you were out of bed.
If you want to keep out lazy thieves any lock will do. If you’re preventing against a dynamic entry you need trip wires, man traps, metal door frames, and a 12ga shotgun.
If someone is determined and willing, there really is nothing you can do to stop them from breaking into your house.
It's rather difficult to find electronic locks, even for safes, that aren't obviously less secure than traditional options.
Which is pretty sad considering that an electronic lock could be substantially more secure if it was designed well.
The stuff that is reasonably secure, like kaba-mas products, are quite expensive because its catering to a market that simply isn't buying on price.
YouTube has made pretty much everything widely accessible. Doesn’t necessarily change the market.
I really would invest 500€ for a small (3 outdoor locks) system, but there is virtually no product which I can trust in.
The interesting part of the threat model for smart locks are cases where a physical attacker is _not_ present.
The point is that people in the market for smart locks need to additionally vet the company that makes them for their proficiency in physical security, not just in software security. A competent company that has made non-smart locks for a while would not make this same mistake.
More advanced locks jam when drilled through. There are also materials that emit lots of smoke when drilled through, mostly used in safes.
In that case easy, move the logo elsewhere.
He's being flippant. If the logo wasn't there, it would just be a case of measuring N cm to know where to drill.
As such, they could remove the whole logo and it would still rather easy to approximate where to drill, it's not like measuring dimensions is impossible without a manufacturer logo.
It's the level of difficulty (measured in time) that it takes to breach the "lock".
That being said, given unlimited resources; no lock is unbreachable.
No. Honest people don't need to be "kept honest".
Locks have the same purpose as other security systems (including electronic ones like crypto, etc.).
They aren't intended to (and can't) keep a determined attacker out. What they do is increase the cost (in terms of time, effort, risk, etc.) of gaining access. The point is -- as far as possible -- to make the cost of gaining access exceed the benefit that would be gained by that access.
If you found a twenty on the floor in an abandoned alleyway, would you hand it in to police, or would you steal that money?
If your first thought was "It's not stealing for such a small amount", or "It's clearly been abandoned, so it's ok to take it", then you're the target audience for being kept honest.
Your other point is spot on: the aim is to increase the friction of entry and raise a mental barrier in the mind of the subject which results in an outcome you would prefer (no break-in).
My door has a lock, but must adults could get in by kicking it a few times with determination. That's true of most locks in existence. They're there to stop people who don't actually want to cause any real damage.
In college I had a friend who didn't even bother locking his door and always left his keys in his car and it was never a problem.
There is a basic cylinder lock which needs a 90 degree turn from the key outside, or the knob inside. Then there is the deadbolt mechanism which needs to be turned five or so times, and drives 1/2" steel bolts deep into the frame.
http://is.alicdn.com/img/pb/172/617/299/299617172_794.jpg
(Something like "normal", but this is a cheap Chinese knock off)
A few years ago a neighbour called the police because their son had locked himself in the apartment and they thought he was a suicide risk. They brought in the fire department to break in, but rather than cutting through the door, it was easier for them to cut through the masonry wall. Windows here are typically just as secure with triple glazing and multi-point locking as standard, and this was the third floor.
some emergency services uses an hydraulic device [1] to open steel doors
Yes and no. If someone desperately wants to rob you, and precisely you, then yeah they will most likely be able to break in. However that doesn't mean we should make it easy for them. The longer it takes to bypass my lock and security, the more noise they make, the more destruction they leave behind the more likely it is that someone will notice them and call the cops. The more likely it is that they leave something behind that can be used to trace them, etc.
The bigger reason to get quality locks is that criminals often target places with weak security, because hitting those location is easy. A burglar for example will usually case out a location they're targeting to figure out what they need to bring for the actual burglarly. Now if I have SuperArmorMax extra secure lock that takes the burglar an hour to bypass with power tools, but my neighbor has an aluminum smartlock that can be bypassed in 5 seconds with a regular drill, which do you think the burglar will target?
Sure they could also break windows, or try other more destructive entry methods, but those are much louder and rouse more suspoicions from other people. You want to be quick and minimize the time you spend doing something shady.
And again, you shouldn't make things easy just because a determined attacker can get through it, at least make them work for it.
If your neighbor leaves their door open, do you peek your head in out of curiosity?
If your neighbor leaves their door unlocked, do you open the door and peek your head in out of curiosity?
If your neighbor locks their door with a combination of 1234, do you open the combination lock, open the door, and peek your head in out of curiosity?
If your neighbor locks their door with a radio-frequency lock, do you install an app to capture their lock signal and replay it later, open the door, and peek your head in out of curiosity?
None of these protect against a determined attacker, but they absolutely do protect against impulsive "low risk, high opportunity" actions.
If a robber has to choose between a locked door and an unlocked door, they will chose the unlocked one. I used to live in an apartment with a door that was so bad that the previous tenant had to add a second lock just to keep it closed, but one day a burglar came and robbed my neighbor. Discussing about why they chose his rather than mine he noticed "from the outside, it looks like you have hardened your door with a second lock".
And yes, you can break windows (if you have easily accessible windows) but a broken window is a much clearer sign of something going wrong than an opened door.
In my home, the locks and windows (laminated glass[0]) are hard enough to break that when you attempt to do so I have time to ready my firearm. Something like this would potentially allow someone to sneak up more quickly and perhaps undetected. When my family isn't home I don't really care if you break into my house, insurance will cover the loss.
You can see it in action here (https://www.youtube.com/watch?v=w0CIlwSxsvU). His first try takes a bit longer than it should because he's turning too hard (simple mistake). Every attempt after that takes just a couple seconds.
Most would expect a dead bolt to survive a 5 second attack from a 10 year old without specialized tools.
It's sadly common to see a $150 "smart" dead bolt with dramatically less physical security than a $25 dumb dead bolt. Some have plastic cases, easily popped off. Others have plastic gears, easily over torqued. If a kid with a screwdriver can just insert the screwdriver into the keyhole and rotate and open the door you might as well not have a dead bolt.
What's the point of locking the door handle if there is a dead bolt?
I'd even go as far to say that for burglars it's important to leave traces of a break-in so that the victim can claim insurance.
- put an alarm : they're either too fast to care or they deactivate it
- get a dog : they poison it
- bullet proof door + security lock : they break the wall
etc
Thanks! Very informative!
From his comments, I don't believe the vulnerable ones are still out there. But, maybe they are.
Which is pretty expected if you've seen how buildings are maintained in general. I haven’t encountered a lock that doesn’t have this vulnerability in any 20th century post-war nyc building.
There are models that don't.
https://www.homedepot.com/p/Ramset-HammerShot-0-22-Caliber-S...
"this technology relies on a controlled explosion created by a small chemical propellant charge, similar to the process that discharges a firearm"
Well, actually... where I live, it would not be stealing for such a small amount, given that you don't know who lost it, and it was found in an abandoned alleyway (and not say, an office, store or station etc. where it could be handed over to local personnel). Had you said fifty, the situation would've been different.</nitpick>
https://securitysnobs.com/Abloy-Protec2-Single-Cylinder-w-Lo...
This guy claims that he was unable to bump Kwikset locks: https://www.frontrangelocksmith.com/blog/the-best-lock-for-y...
There will always be failure modes. I mean, the failure mode for a traditional lock is "I lost my keys". Unless you have someone else with a spare set who can get to your location in a time you deem reasonable, you're going to have to have the door forced.
You're going to need a bank vault to beat an angle grinder. Those tools are the shiznit.
Isn't this a fairly wild claim? I've never stolen anything and can't imagine doing so. That's a pretty dismal view of the human race isn't it.
I’ve definitely walked out of a supermarket with a bottle of water that I picked up while shopping and forgot to pay for - I still stole it, even if unintentionally.
You only steal it if you realize it and don't return back to pay. Happened with me a few times, the cashiers will really appreciate it.
You probably have stolen something, even if it's just a failure to return a book you borrowed from someone, or office supplies that wandered off with you (pens vanish like you wouldn't belive).
Breaking into someone else's house with the intent of stealing it's something completely different
To beat? Agreed.
With that being said, grinding through a circular padlock takes much, much longer. I'd suggest using one of those for a storage unit.
Contrary to popular nerd belief... door locks in the US are not that easy to pick. Many have anti pick features like reverse sidebars that while not impenetrable increase time or skill required. While the lockpickinglawyer has videos, note that he is extremely skilled with tons of practice, it still can take more time than breaking, and those aren’t field conditions. Just break the door in... stealing might as well use forcible entry.
Where picking is useful is covert spying, and if that is your threat model the addition of the second or third lock doesn’t really mean much.
A while ago my to-go order from McD somehow included an extra cheeseburger.
Was that maybe a "present" by the company to a loyal customer? Should I have gone back and paid for a cheeseburger I never ordered? But if I give it back to them, they would just throw it in the trash anyway because they can't sell it to another customer.
Windows are built like this in countries where the outside air temperature is far different than you'd want, as otherwise you spend a lot of money heating or cooling your windows, because glass is a poor insulator. But _air_ is a relatively good insulator considering it's transparent, the two sheets of glass stop the air from moving (and taking the heat with it).
If you smack a double glazed window, you are now trying to compress the thin layer of air, which is difficult. So in most cases the window will stubbornly not break. You could probably still smash it with a pry bar or similar tool, eventually but it won't be easy.
People have the idea from watching too many movies that breaking glass is very easy, in movies they are using sugar glass, it's _designed_ to smash easily and turn into impressive looking but not dangerous tiny pieces. In reality the glass mostly doesn't break, and so you hit it again, harder and eventually some of it smashes and you've got big shards of razor sharp glass, which you'd better clear away or you'll hurt yourself.
It's not magic impregnable nonsense, it's just inconvenient and dangerous to break.
Here in Sweden most house have triple glazed windows
The first part of your post is pure hyperbole. There are plenty of places less crime ridden then Baltimore or Detroit where you absolutely have to lock your things or they are likely to get stolen. Pretty much any urban area in the US. Most suburbs as well if you park on the street. Kids will go down and just try doors. They have no intent of picking anything or forcible entry, just snatching the low hanging fruit.
I have lived in northwestern Nebraska so I get it, there are places where you don’t have to ever lock your door.. that is the exception.
To counter your friend: I lived in one of the lowest crime rate suburbs in the US. Stupidly left my door unlocked in an apartment parking lot overnight.. everything of value was cleaned out in the morning.
An inmate advised me that I should just leave that pass on the windshield at all times - as it would be more effective against theft than any immobiliser.
I did leave it in place, and a few months later, just about every car parked curbside down my street had had its stereo and valuables snatched - except mine.
Now, obviously, this may have been a result of my stereo being pretty basic, though of recent manufacture from a renowned brand - but I like to think it was because of the visitor's service pass.
That being said, a lock has to be just good enough to deter theft. In my area, that's means a simple door lock for houses and a U-lock for bicycles. In other areas, you need far more security. But to goal isn't to keep out a determined attacker, but to make it more worthwhile for the thief to move on to the next house/car/bike than to try to get past your lock.
If they break in you still have to pay to repair the damage and the things they've taken.
I'm fairly certain, if someone broke into my house, the biggest bill would be repairs, not replacements.
But more than you'd think. Criminals are aware that they can often be in a different state before the police arrive at a rural crime scene, reducing the chance of getting caught.
The only reason I even have contents insurance is because it comes with the buildings insurance.
This was a number of years ago though, whether thieves still take CDs is an interesting question.
https://www.economist.com/britain/2012/01/07/not-worth-nicki...
