Practicing lock picking can be a useful way to consider your approach to thorough penetration testing.

Last year, I won the "Gringo Warrior" lock picking competition held at the ShmooCon V security research conference. Many people who know what this competition entails make the mental jump to say I'd make a pretty good spy if I can pick all those locks. Of course, these tend to be the same people who think that ShmooCon, which bills itself as a hacker conference, ought to be held in a prison! Let me assure you that I have no intention of becoming a spy for a variety of reasons (and I think I'd make a pretty poor spy anyway), but that's not what this blog post is about. No, this blog post is about why a lock picking competition is not really the best judge of who is good at bypassing physical security for espionage purposes, the reasons behind this counter-intuitive statement, and how you can use that knowledge to make your own physical security better.

The other point to take home here is that as a security professional, you NEED, NEED, NEED, NEED to be able to take a step back and look at the bigger picture. Be creative, be devious, be thorough. Otherwise you may miss something crucial. This doesn't just apply to physical security, either. Many people tend to focus on authentication as the be-all and end-all of security, but if you keep staring at the locks you miss the screws. As a tech support engineer, I've had people ask me: "If I run through the wizards in IMPACT Pro, am I done with my pen test?" The answer is a solid and resounding no. Attack trust relationships, attack users, attack the network, attack the web applications, and anything else you can think of. The broader the scope of your testing, the better your results will be.

In my experience, locksport novices will typically take anywhere from 15 minutes to one hour to successfully pick a basic pin tumbler lock. With a few months' practice on the lock, diligent locksport students can find themselves opening the same lock consistently in under a minute. Part of this is due to the fact that they're continually picking the same lock. Every lock has its own little quirks and weirdness, some of which are shared with other locks of the same model and some of which may be individual to the particular lock and its lifetime. If a lock is highly worn, that may make the picking process more or less difficult. When a novice then attempts to pick a different lock, they pretty much start over: initial attempts on a different basic pin tumbler lock will often take anywhere from 10-40 minutes. Moving from padlocks to door-mounted or cabinet-mounted locks, or to different types of locks, will also make for longer times.

Why is this important? If you're a spy and you intend to pick a lock, you need to do it in as little time as possible, and you likely won't have time to spend with that lock learning to pick it quickly. More time means a greater chance of getting caught, and anything longer than 5 minutes is probably going to result in you being discovered, which can be very, very unpleasant for a spy.

So far, however, we have only been looking at trees. Let's zoom out a bit so we can see the forest. In electronic security, it's common for people to assume that any and all security problems must be with the authentication mechanism. This is a horribly bad assumption. In physical security, the authentication mechanism is the lock. The truth is, much as with pen testing, although defenders tend to focus on whether the locks hold up to various bypass techniques, other important attack vectors exist, and they are frequently easier and more successful.

Learning the Trade

Let's consider some examples. You have a door in front of you, and:

…it's a French door. The problem here is that the old credit card trick always works on French doors, and modifications of that technique can, in almost all scenarios, defeat protection mechanisms designed to prevent shimming (which is exactly what the credit card trick is).

…it has a completely wooden frame. A car jack turned sideways can bend the frame outwards and possibly allow shimming attacks to work. Additionally, a sturdy enough and properly placed flathead screwdriver or crowbar can be used to lever the frame away from the door, again enabling shimming attacks.

…the hinges are on the outside. A flathead screwdriver can quickly be used to pop the pins out of most hinges, and even if this is not possible, a crowbar can be used to pop the hinges off the door.

…the lock is affixed using exposed screws. I've seen this one more times than I'd care to recount. Sometimes the screws are special screws, but with a little recon and the right resources, no screw is impossible to unscrew, and the majority of "security screws" can be removed using screwdriver tips you can buy at your local hardware store.

…there's an unlocked window which opens into the same room as the door. Really, any alternate method of entering the same room will do; the problem is that there are multiple entry points to the room. Furthermore, glass can break, so if the window is at all accessible (even by ladder or grappling hook) it can still be an issue even when locked.

…there's a constant stream of people going through the door. Piggybacking is easier than lock picking.

…there's a drop tile ceiling over the wall with the locked door. A small and limber person may be able to get in over the wall and under the ceiling.

…there's a clear view into the room. Not always a problem, but it certainly can be.

…there's a request-to-exit motion sensor on the other side of the door. Go grab a balloon, a tube, and a small helium tank. Secure the balloon to one end of the tube. Slide the balloon-on-tube assembly under the door and inflate the balloon through the tube. Give the tube enough slack for the balloon to rise and trigger the request-to-exit sensor, and VOILA!

I could go on for a long time giving examples, but diligent readers may already be running around looking at everything locked in their house or workplace, hunting for exposed screws and the like. I bet that if you look, you'll find something! When planning and conducting your pen tests, try to approach the problem in a similar manner, just as an attacker would. Incidentally, IMPACT Pro is one possible solution for replicating attacks across multiple vectors.

Now, for some self-promotion: I'll be presenting some original research I've done at ShmooCon VI, so come see my talk, "Windows File Pseudonyms: Strange filenames and haiku"! I guarantee you'll learn something fun. Plus, if you're into locksport, you should compete in Gringo Warrior and try to give me a run for my money! ;) Keep on fighting the good fight, info-warriors.