OHM2013
No More Lockpicking. Making The Open Source Lock.
mh & Ray
The Open Source Lock. http://tosl.org/
No More Lockpicking – Making The Open Source Lock.
Why closed is often open, and open locks are more secure...
mh & Ray,
SSDeV, muCCC, TOSL.org - The Open Source Lock Project
2013-08-03, OHM2013, Noord-Scharwoude, NL
Content
1. Why Electronic Locks
2. Existing High Security Electronic Locks
▪ Design
▪ Exploits
3. The Open Source Lock
▪ Motivation
▪ Design
▪ How you can contribute
Mechanical locks aren't that bad...
▪ Can be picked, but not a common risk
▪ ...at least for a few better models
▪ Are well analyzed so you can judge their security
▪ ...and thus we know there are some more issues than picking
Copying Keys
▪ Any mechanical key can be copied
▪ Revocation of keys therefore not possible
▪ Security cards and patents offer very limited protection
Classic Methods
▪ Using a machine
▪ Protected blanks using EasyEntrie
▪ Casting
▪ Re-building one
3D Printing
▪ First printed key presented at HAR2009
▪ Mass production using laser cutters shown at HOPE2012
▪ Today there are parametric models for door locks on Thingiverse
So why electronics?
▪ Pick resistance
▪ Prevent key copying
▪ Easy key revocation
▪ Protect against privacy escalation
▪ Flexible rights management
▪ Logging
▪ Multi-factor authorization
Electronic Locks: Design
▪ Components:
▪ Key
▪ Often: Passive RFID transponder, active RF transceiver
▪ Rare: Infrared, galvanic connection, knocking, …
▪ Lock
▪ Electronics: Interface to key, authentication, logging
▪ Electro-Mechanical Actuator: Typically couples a knob to the deadbolt; also: unblocks rotation of a key, motorized turning of a knob.
[Diagram: the key authenticates to the lock's electronics (optionally logged), which then unlock via the electro-mechanical actuator]
Electro-Mechanical Actuator
▪ Typical design criteria:
▪ Small
▪ Wear resistant
▪ Long battery life (small battery)
▪ Implementations:
▪ Solenoid pulls a blocking pin out of the way
▪ Electric motor moves a clutch element or turns a blocking element
▪ (exotic: centrifugal clutch element)
▪ Small... → can often be influenced from outside using relatively small forces (mechanical, magnetic fields, ...)
Example: Axial Solenoid
Video:
Solenoid Actuator Activates Clutch
▪ Can potentially be influenced by
▪ Momentum transfer (bumping, vibration)
▪ Magnet, if close to outside
[Figure labels: knob with batteries, antenna, ...; solenoid]
Authentication by Bumping
Video:
Authentication by Bumping
Solenoid blocks the “bolt work”:
Authentication by Strong Magnet
Early version of an RFID-based cylinder lock (Source: Presentation by Barry Wels at 21C3, 2005)
[Figure labels: "Magnet of Death", invalid key]
Turning Magnet Actuator
▪ Can potentially be influenced by
▪ Vibration
▪ Possibly: Magnet, if located on the outside
[Figure label: magnet turns]
Authentication by Vibration
Early version of an electronic cylinder lock (Source: Presentation by Barry Wels at HAR2009)
[Figure labels: high speed rotary tool with vibrating plastic piece, invalid key]
Countermeasure: Use a Geared Motor
▪ Engaging a clutch or unblocking rotation requires several turns of an electric motor
▪ Use gears to transmit rotation
▪ Influencing by vibration seems to be futile
Exploit: Turn a Sensor
Early version of an RFID-based electronic cylinder lock
(Source: Youtube.com, “civil1230”)
Ring with magnets turns a magnetic sensor element that's connected to the gears.
Example: Electronic Padlock
Exploit: Turn the Motor from the Outside
Video:
How to find such exploits?
Reverse Engineering of the mechanical part:
▪ Take apart, analyze, observe
▪ Ideally make a working cutaway lock
▪ Attacker's focus is different from the focus of the lock development team: Cost, Time-to-market, Quality, Patents, … → completely irrelevant. One single weakness is sufficient.
Electronic Part of Electronic Locks
▪ Mainly a micro controller
▪ Designed for low energy consumption, budget, time to market, user convenience
▪ ...but probably not mainly security
▪ Manufacturers don't tell many details
▪ Analysis requires complex reverse engineering
Opened Mechanical Lock
Opened Electronic Lock
Difficulties while analyzing
▪ Unknown controllers, sometimes even covered in glue
▪ Software sometimes not easy to extract
▪ Different controllers, so many different tools and know-how needed
▪ Altogether: quite a challenge
▪ ... but not impossible
Exploits: Call-A-Bike
▪ Anonymously sent to the CCC in 2004
▪ Common Atmel micro controller
▪ Possible to read out firmware
▪ Development of a custom, "improved" firmware
Exploits: Call-A-Bike
▪ "Proof-of-Concept" mass-flashing of over 100 bikes in Berlin
▪ They were not happy but honored the efforts – lock bits are now set
▪ More Details: http://www.ccc.de/hackabike/
Hotel Locks
▪ Power/Programming Interface open at the bottom
Exploits: Hotel Locks
▪ Interface accessible at the bottom
▪ Enables you to read memory and send commands
▪ Opening: read out the hotel code from any lock, then open all locks using the open command, which needs only the hotel code
▪ Exploit using simple Arduino hardware (“$50”)
▪ Fixing only by exchange of hardware
▪ "Irresponsible" Disclosure (BlackHat 2012)
▪ More details: http://daeken.com/blackhat-paper
Exploits: Electronic Padlock
▪ Texas Instruments standard controller (MSP430)
▪ Read protection not enabled
▪ Flash contacts accessible from battery slot
▪ Motor contacts also...
Flash Access
▪ So we needed a matching adapter
▪ ...and had a laser cutter
Flash Analysis
Analyzing Software
▪ Reading out the flash and disassembly
▪ Reverse engineering of used algorithms
▪ Typical Problems:
▪ Bad crypto (Home grown algorithms, side channel attacks)
▪ Bad protocols (Master keys distributed everywhere, replay attacks, ... )
▪ Backdoors (intentional or unintentional)
In a nutshell
▪ Too Many Secrets
▪ Lock companies didn't understand Kerckhoffs's principle ("A crypto system should be secure even if everything about the system, except the key, is public knowledge." - La cryptographie militaire, 1883)
▪ Therefore very limited public reviews
▪ Basically no publication/discussion of good implementations
▪ Neutral judgment of different systems basically impossible
▪ (except for the broken ones...)
▪ So we need Open Source
The solution: Open Source.
We observed, we hacked, … Now it's time to MAKE!
Let's make a highly secure electronic lock!
▪ Publish sources for the electronic components (software, schematics, layouts) and of the mechanical components (drawings, test results)
▪ Open Source allows for Peer Review with early intensive and targeted tests by experienced experts – the international hacker and lock sport communities
→ TOSL: The Open Source Lock
TOSL: Mechanics
Goals:
▪ Secure against all known manipulation attacks (bumping, vibration, magnets, shimming, glue injection, heating / cooling, fast turning, ...)
▪ High resistance against brute force (drilling, milling, pulling, …), have a defined resistance level, ideally exceed standards like VdS, SKG, etc.
→ Design a simple, secure mechanics part, not miniaturized
Standard Locks in Europe
Standardized, so it fits into many European doors: DIN 18252 / DIN EN 1303 / “Euro Cylinder”
→ Start with Euro Cylinder. If it fits into this format, making a U.S.-style deadbolt will be possible as well.
Euro Cylinder
Design constraints:
[Figure dimensions: 17 mm, 30 mm]
M5 hole / weak point (if forced, cylinder typically breaks here)
Prototype
Knob cylinder, coupling element placed in the inside knob.
Authentication electronics will also be placed in the inside knob.
[Figure labels: outside, inside, "here be drill protection", coupling element, servo motor]
Video
TOSL: Electronics
Goals:
▪ Of course: Authentication which is secured against sniffing and man in the middle
▪ One time access keys
▪ Temporary access keys
▪ 2-Factor authorization like key+PIN
▪ Offline creation of new keys
▪ Logging
▪ No Logging
▪ Backdoor-free
▪ ...except if you want one...
▪ Basically: Whatever you can think of...
Challenges
▪ Extraction of key from micro controller not under our control
▪ Jamming might be quite easy
▪ Permanent DoS should not be too easy
▪ Power consumption (if the lock has no permanent supply)
▪ Hardware shouldn't be too special to enable peer review
Open Source Electronics
▪ Modular design:
▪ Different authentication schemes
▪ Maybe even different transmission channels (RF, IR, ...)
▪ Probably multiple micro controllers
▪ Useable with our hardware, or mechanics of existing locks
▪ Goal: have power-saving electronics for the lock and a small token for your keychain
Prototype
▪ Using the r0ket (http://r0ket.de/) as sender and receiver
▪ Has 60MHz ARM Cortex M3, 2.4GHz RF, rechargeable battery, 5-way input button
▪ Not really end-user compatible, but might well be an option for hacker spaces
▪ It will be easy to build a reduced r0ket with just micro controller and RF part
Other options
▪ Power saving MCU like TI MSP430 including RF
▪ Special Crypto MCUs (like Maxim) which incorporate countermeasures against side channel attacks etc.
▪ Smart card MCUs?
▪ Arduino/ATMega for the "entry level"
▪ Or go James-Bond-style and use a watch?
Crypto
▪ Use well known algorithms (AES, SHA256, etc.)
▪ We know enough about crypto so we know that nobody alone ever knows enough about crypto
▪ Currently collecting ideas in our Wiki / Mailing list to build first implementation on r0ket
▪ Contact us if you're interested in working on and/or using this!
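The goals on the "TOSL: Electronics" slide (authentication that survives sniffing, one-time and temporary keys, offline key creation, revocation) can be met with the well-known primitives this slide asks for. The following is an added example, not TOSL code or a TOSL protocol: a challenge-response exchange built on HMAC-SHA256. The message layout, the names (`derive_key_secret`, `issue_key`, `Key`, `Lock`), the per-lock master secret and the lock having a clock are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

FLAG_ONE_TIME = 0x01  # hypothetical flag bit: key may be used exactly once


def derive_key_secret(lock_master: bytes, key_id: int, not_after: int, flags: int) -> bytes:
    """Offline key creation: whoever holds this lock's master secret can mint
    a key without contacting the lock. The attributes are bound into the
    secret, so a key holder cannot extend the expiry or clear the flag."""
    attrs = struct.pack(">IQB", key_id, not_after, flags)
    return hmac.new(lock_master, b"demo-key-derivation" + attrs, hashlib.sha256).digest()


class Key:
    """Token on the keychain. It stores only its own derived secret, never
    the lock's master secret, so a lost key exposes one credential."""

    def __init__(self, key_id, not_after, flags, secret):
        self.key_id, self.not_after, self.flags, self.secret = key_id, not_after, flags, secret

    def respond(self, nonce: bytes) -> tuple:
        mac = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return (self.key_id, self.not_after, self.flags, mac)


class Lock:
    def __init__(self, master: bytes):
        self.master = master      # per-lock secret: extracting it affects this lock only
        self.revoked = set()      # key ids revoked by the owner
        self.used_once = set()    # one-time key ids already consumed
        self.pending = None       # nonce of the challenge in flight
        self.log = []             # optional audit log: (time, key id, result)

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def verify(self, response, now: int) -> bool:
        nonce, self.pending = self.pending, None   # every nonce is accepted once
        key_id, not_after, flags, mac = response
        ok = self._check(nonce, key_id, not_after, flags, mac, now)
        self.log.append((now, key_id, ok))
        return ok

    def _check(self, nonce, key_id, not_after, flags, mac, now) -> bool:
        if nonce is None:
            return False
        secret = derive_key_secret(self.master, key_id, not_after, flags)
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
        if key_id in self.revoked or now > not_after:
            return False
        if flags & FLAG_ONE_TIME:
            if key_id in self.used_once:
                return False
            self.used_once.add(key_id)
        return True


def issue_key(master: bytes, key_id: int, not_after: int, flags: int = 0) -> Key:
    return Key(key_id, not_after, flags, derive_key_secret(master, key_id, not_after, flags))


def demo() -> dict:
    """Runs the exchange with constructed values; times are plain integers."""
    master = os.urandom(32)
    lock = Lock(master)
    results = {}

    guest = issue_key(master, key_id=7, not_after=2000)      # temporary key
    sniffed = guest.respond(lock.challenge())                # what a listener records
    results["valid"] = lock.verify(sniffed, now=1000)

    lock.challenge()                                         # lock issues a fresh nonce
    results["replay"] = lock.verify(sniffed, now=1001)       # old response no longer fits

    results["expired"] = lock.verify(guest.respond(lock.challenge()), now=2001)

    forged = Key(7, 9999, 0, guest.secret)                   # holder edits the expiry
    results["tampered_expiry"] = lock.verify(forged.respond(lock.challenge()), now=2001)

    once = issue_key(master, key_id=8, not_after=5000, flags=FLAG_ONE_TIME)
    results["one_time_first"] = lock.verify(once.respond(lock.challenge()), now=1000)
    results["one_time_second"] = lock.verify(once.respond(lock.challenge()), now=1000)

    resident = issue_key(master, key_id=9, not_after=10**10)
    lock.revoked.add(9)                                      # revocation needs no key recall
    results["revoked"] = lock.verify(resident.respond(lock.challenge()), now=1000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {'open' if outcome else 'refused'}")
```

A fresh nonce stops replay of a recorded response but not a live relay between key and lock; that needs an additional measure such as a user action on the key or distance bounding.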
Thank you for your attention!
▪ Questions?
▪ Contact: [email protected] / [email protected]
▪ TOSL: http://tosl.org
▪ Subscribe to our mailing list! Tell us why you find TOSL interesting, and how you would like to contribute to the project!