
Security problems with La Gard and S&G electronic locks

<<

MartinHewitt

Prolific Poster

Posts: 1823

Joined: Sat Nov 26, 2016 12:19 pm

Location: Germany

Post Wed Mar 29, 2017 2:48 pm

Security problems with La Gard and S&G electronic locks

As I already started passing information between keypicking and koksa, a link posted on koksa:
http://tresoroeffnung-bayern.de/blog/20 ... hloessern/

And a short summary: There is a tool publicly available in Germany which opens La Gard Safeguard, Basic and 33E locks until about 2014 and S&G 6120 series locks within about 15 minutes just via the keyboard cable.

I assume the weakness was known some years before (since 2014?) to safe technicians who kept quiet. And I assume the tool is not only available in Germany. This tool looks to me like what he is talking about: http://www.taylortechtools.com/phoenix (came up after a very very simple search as the first hit). So if you have such a lock you might want to consider a replacement.
In case you wonder ... Martin Hewitt is a fictional detective in stories by Arthur Morrison:
Martin Hewitt, Investigator Chronicles of Martin Hewitt
<<

Patrick Star

Active Member

Posts: 293

Joined: Sun Apr 10, 2016 3:40 pm

Location: Sweden

Post Wed Mar 29, 2017 3:48 pm

Re: Security problems with La Gard and S&G electronic locks

I marvel at the complete and utter design failure that would make this possible.
When designing something like this, from a security perspective you have ONE JOB.
And the security barrier - trusted vs untrusted side - is literally a physical wall. There should be absolutely no chance of the sort of confusion that frequently occurs in software when it comes to access control, authentication and trust. By plugging into the keypad connector you should only be able to do exactly what you can do using the keypad itself, i.e. enter codes with enforced lockout delays.

To make matters worse, even evaluating the very basic principles of operation and security properties of electronic, "intelligent", security products takes quite the effort.
I have done it to varying degrees for a couple of electronic access control systems and, well, let's just say I recommend combining them with a mechanical lock so you need both to actually get in...

Anyone know what sort of attack this is? Backdoor? Memory corruption in the protocol implementation? Side channel / glitching attack?

This is why we can't have nice things...
<<

Jaakko Fagerlund

Active Member

Posts: 383

Joined: Mon Jan 06, 2014 9:55 am

Location: Finland

Post Wed Mar 29, 2017 9:39 pm

Re: Security problems with La Gard and S&G electronic locks

It measured the current consumption and how long it takes for the lock to fault out on wrong code. The coding is done such that it compares the stored number with the inputted number digit by digit and bails out once one wrong is found. Thus the code execution time varies depending on how many digits you have correct.

The device also depowers the lock once it detects the lock is starting to beep at you, so it has no time to do an EEPROM write of the error count which would provide the lockout function. This then enables bruteforcing the numbers, basically giving you 10 options per number.

There is a DEFCON paper detailing this attack in detail.
<<

Patrick Star

Active Member

Posts: 293

Joined: Sun Apr 10, 2016 3:40 pm

Location: Sweden

Post Thu Mar 30, 2017 1:48 am

Re: Security problems with La Gard and S&G electronic locks

Hahaha. Side channel attack then. I love it when electronic locks manage to replicate the issues of mechanical locks! It just turns out a lot worse when you can just feed it numbers instead of spinning a dial or poking at pins...
In computer circles, this type of attack (and how to avoid it!) was well known in the 70s, and I bet it had been done even before what you'd recognize as computers arrived (electromechanical phone systems for example). If you read ANY book on implementing cryptography and authentication it will tell you in very big letters (figuratively) to use constant time comparisons.

The depowering part is funny as well! I remember cheating a bit at Super Mario Land 2 for Gameboy using the same attack. It had save games (battery backed up), and if you lost all lives you had to replay the bosses. So when playing the last levels and dying all the time, I turned off the Gameboy when I died.
Apple also managed to make the same screwup in earlier iPhones.

As to replicating the issues of mechanical locks, a certain electronic lock with wireless transponders has managed to do it perfectly as well. The cryptography is reasonably tight, but... If you dump the keys from any lock in the system, you can produce transponders with full access. Even easier than mechanical locks since then you usually need at least two locks, or one lock and a key...
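
The two defences this thread points at, sketched in C as an added example that is not part of any post or of any lock's firmware: a constant-time comparison in place of the digit-by-digit early exit, and charging each attempt to nonvolatile storage before the compare so that cutting power cannot skip the lockout count. The 6-digit code, `MAX_FAILS` and `struct nv_state` are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CODE_LEN  6   /* assumed code length */
#define MAX_FAILS 3   /* assumed lockout threshold */

/* Constructed stand-in for what the lock keeps in EEPROM. */
struct nv_state { uint8_t code[CODE_LEN]; uint8_t fails; };
enum result { OPENED, DENIED, LOCKED_OUT };

/* Pattern described in the thread: bail out at the first wrong digit.
 * Returns the number of digits examined, which is what timing reveals. */
size_t leaky_steps(const uint8_t *stored, const uint8_t *entered) {
    for (size_t i = 0; i < CODE_LEN; i++)
        if (stored[i] != entered[i]) return i + 1;
    return CODE_LEN;
}

/* Constant-time compare: every digit is processed whatever the input. */
int ct_equal(const uint8_t *stored, const uint8_t *entered, size_t *steps) {
    volatile uint8_t diff = 0;  /* volatile: no compiler short-circuit */
    for (size_t i = 0; i < CODE_LEN; i++, (*steps)++)
        diff |= (uint8_t)(stored[i] ^ entered[i]);
    return diff == 0;
}

/* Charge the attempt before comparing; only a correct code refunds it.
 * A power cut at any later point leaves the attempt counted. */
enum result try_code(struct nv_state *nv, const uint8_t *entered) {
    size_t steps = 0;
    if (nv->fails >= MAX_FAILS) return LOCKED_OUT;
    nv->fails++;                 /* models the EEPROM write, done first */
    if (!ct_equal(nv->code, entered, &steps)) return DENIED;
    nv->fails = 0;               /* refunded only after a correct code */
    return OPENED;
}

/* Wrong guesses accepted before lockout; only nv survives between calls,
 * so each call also models a fresh power cycle. */
int guesses_before_lockout(void) {
    struct nv_state nv = { {1, 2, 3, 4, 5, 6}, 0 };
    const uint8_t wrong[CODE_LEN] = {9, 9, 9, 9, 9, 9};
    int n = 0;
    while (try_code(&nv, wrong) != LOCKED_OUT) n++;
    return n;
}
int main(void) {
    printf("guesses before lockout: %d\n", guesses_before_lockout());
    return 0;
}
```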
<<

MartinHewitt

Prolific Poster

Posts: 1823

Joined: Sat Nov 26, 2016 12:19 pm

Location: Germany

Post Thu Mar 30, 2017 2:43 am

Re: Security problems with La Gard and S&G electronic locks

That is probably the mentioned DEFCON paper:
https://media.defcon.org/DEF%20CON%2024 ... -Locks.pdf
<<

Patrick Star

Active Member

Posts: 293

Joined: Sun Apr 10, 2016 3:40 pm

Location: Sweden

Post Thu Mar 30, 2017 4:41 am

Re: Security problems with La Gard and S&G electronic locks

Interesting attack with the EEPROM erase/write cycle timing! Slight twist on the classic.
<<

Jaakko Fagerlund

Active Member

Posts: 383

Joined: Mon Jan 06, 2014 9:55 am

Location: Finland

Post Thu Mar 30, 2017 7:35 am

Re: Security problems with La Gard and S&G electronic locks

If I would make a tool to open such a lock, I would definitely make it like in the Hollywood movies where they plug it in, numbers start spinning wildly on the 7-seg display and then one by one the correct numbers drop in :D
