Tuesday, February 12, 2013

Breaking into Kaba Door Locks

This is an older issue that was resolved by an update from the manufacturer, but it's still an interesting story.

Continuing from yesterday, Marc Weber Tobias was also instrumental in getting Kaba to update their Simplex push-button mechanical combination locks. On those door locks, which have seen near-ubiquitous deployment, a mechanical combination is entered on a push-button keypad, which unlocks the door. Some models include other features, like "bypass", which allows a person inside to egress through the door without pushing the combination. It's this feature on the Kaba lock that Tobias learned could be defeated with a rare earth magnet.

Here's a (slightly dry) walkthrough of how the lock is defeated using just a magnet, leaving no forensic evidence of unauthorized entry whatsoever:

One aspect of this story that will be interesting for computer security professionals is the element of "responsible disclosure" used by Tobias to attempt to force the hand of the manufacturer to fix the problem, followed by the manufacturer's all-too-familiar "there is no such problem" response (yet they did fix it).
