According to a study presented on Friday at Def Con’s annual conference hacking in Las Vegas, Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal money from ATM machines, pharmacy narcotics and government secrets.
Mike Davis, a researcher with security firm IOActive, discovered the vulnerability last year and alerted government officials and Swiss company DormaKaba Holding, the distributor of multiple brands of locks at issue.
In an interview with International News, Davis said he used an oscilloscope worth about $5,000 to detect small changes in the power consumption, through what is known as a side-channel attack. The method worked best in older models.
The locks include their own power supply so they function even when an external source of electricity is cut off. Most versions do not consume extra or randomised power to hide what they are doing. That leaves them open to attack if a thief can get physically close enough and has the right tools, Davis said.
“I can download that analog signal and parse through the power trace to get ones and zeroes,” Davis said. “I know what the lock is doing internally.”
DormaKaba said it had looked into the matter itself and also retained an independent firm to probe IOActive’s findings regarding its Cencon and Auditcon locks.
“These investigations indicate that our current safe-lock product lines perform as intended in real life environment,” said company senior vice president Jim Mills.
Asked whether older models were also secure, a company spokesman said “there have been no reported events in the field to suggest that current or prior year models have presented security issues in real-world environments.”
In ATMs, the locks of the company usually protect the money in the lower, more secure compartment. An upper compartment includes the interface with the customers and directs the lower compartment to send money. The upper compartment often has less physical security, and an intrusion into it could give access to the vulnerable lock of the lower safe.
Davis only tested his attack against the simplest mode of the device. When they are actually in the field, the locks typically interact with another device carried by drivers who supply or remove cash, and they may require one-time codes as well. Such measures provided some added security, Davis said.
A bigger concern is that another series of DormaKaba locks are used on military bases, U.S. presidential jet Air Force One and elsewhere in the government.
Davis said he found that several newer models but not the most recent iteration of that series, the X-10, leaked voltage information that could be used against them. The improvement was not due to IOActive’s research, said DormaKaba spokesman Joe Hudock.
President of subsidiary and X-10 maker Kaba, MasEric Elkins, said he could not comment on the severity of the issue without seeing Davis’ presentation. Elkins said that if it works, the attack might put classified information at risk. He questioned why Davis was presenting his research at Def Con.
“The correct method would be to go the government rather than to go to a group of hobbyists or hackers or whatever you want to call them.”
A spokeswoman for the federal General Services Administration, Pamela Pennington, said government employees had been working to understand the side-channel attack and develop a work-around to foil real attacks.
“We are aware of this security issue as it relates to the U.S. government and have developed and deployed mitigation techniques in the federal environment,” Pennington said. “The federal government uses multiple layers of security.”
She declined to describe the steps taken.
Your email address will not be published. Required fields are marked *
03 April, 2020