
Abus 72/40 Padlock Bypass

<<

dicey

Contributor

Posts: 183

Joined: Tue May 08, 2012 3:53 am

Location: Germany

Post Wed Mar 20, 2013 5:16 am

Abus 72/40 Padlock Bypass

Hello everyone,


Last year I was doing some research on bypassing tools and recognized the Abus 72/40 padlock. I asked around a little and people thought that you could not bypass it because of some ring around the actuator. I looked deeper into it and realized that you can bypass it. I then contacted bosnianbill to verify my ideas as I didn't have the tools. He then did a video for me proving my theory and suggested that I should contact Abus in this matter (December 2012). I decided to write a small report with detailed pictures and was in contact directly with the boss of the Abus Service Team. I also told them how to fix the problem and that it would be very nice if they would produce a thicker security waver. It took them very long to reply and in February 2013 I decided to contact them again. Sadly I received a not very satisfying answer. They told me to buy an Abus Granit padlock if I want to have a more secure and certified product. They also told me that they cannot give out details on the inner working parts of locks and padlocks.

I decided to produce a video on that bypass and I am also writing a report including pictures and providing detailed information. I will let you know as soon as the report is finished and where it is going to be published.



I hope you enjoy the video and my report :)
<<

xeo

Catministrator

Posts: 2180

Joined: Mon Jul 19, 2010 9:30 pm

Post Wed Mar 20, 2013 6:00 am

Re: Abus 72/40 Padlock Bypass

I wouldn't really expect them to fix it. Unfortunately companies like Abus and many other lock manufacturers don't necessarily care about exploits in their cheap products. They just want you to buy the expensive stuff if you're that concerned about security. Besides, if you can just pick the thing open in a few minutes it doesn't really matter much. 90% of the locks on the homes of people here in America can be picked, bumped, pickgunned, or bypassed fairly quickly and nobody seems to care.
The code is hidden in the tumblers. One position opens the lock, another position opens one of these doors...
http://www.youtube.com/xeotech1

(ノಠ益ಠ)ノ彡┻━┻

<<

Oldfast

OldddffAASSTT the Spin Master Extraordinaire and American Lock Slayer

Posts: 4412

Joined: Thu Mar 31, 2011 9:16 am

Location: Michigan

Post Wed Mar 20, 2013 6:26 am

Re: Abus 72/40 Padlock Bypass

Great work Adrian.

I very much respect how you bided your time and put forth the effort to work with the company in providing solutions
for them prior to disclosing the weakness. Props for that. However, when the company has no interest in utilizing the
info.... the consumer deserves the SAME choice by receiving the SAME info. Service to the community. Well done!
" Enjoy the journey AS MUCH as the destination."
<<

dicey

Contributor

Posts: 183

Joined: Tue May 08, 2012 3:53 am

Location: Germany

Post Wed Mar 20, 2013 9:36 am

Re: Abus 72/40 Padlock Bypass

Thanks Oldfast!

Well xeo not every lockpicker is as talented as you are. Also picking a lock like this Abus with 6 pins and at least 4-6 spools in there is not that easy. You need a special tension wrench due to the keyway restriction and also some skill to pick it fast. I have not been able to pick it yet. You should also keep in mind that criminals rarely pick because it needs a lot of training and that picking under laboratory conditions is always faster than under real life circumstances.

This padlock costs 15-20 € I would NOT consider that a cheap padlock! Yes it is only aluminum but since it has a 6 pin cylinder it should offer some resistance against manipulation. Being able to open it with a bypass in like 10-20 means it does not offer that resistance. Despite the fact that there are also other methods to open it in a fast way because the body is only aluminum.

Still... it comes with either a hardened shackle (15€) or a stainless steel shackle (20€) and a double ball bearing locking mechanism and therefore should offer more resistance.
<<

xeo

Catministrator

Posts: 2180

Joined: Mon Jul 19, 2010 9:30 pm

Post Wed Mar 20, 2013 11:20 am

Re: Abus 72/40 Padlock Bypass

Yes, I realize picking locks under controlled conditions is easier. There is no adrenaline, rush, stress. The locks may be dirty, weathered, rusty or heavily worn. It may be mounted in an inconvenient position forcing you to pick from an odd angle. It might be cold outside, raining... etc. However, the fact that they CAN be picked in a reasonable amount of time speaks volumes for the thought processes that went into creating the product. Obviously manipulation resistance was not their first area of concern. Just like most other padlocks, the act of having a padlock there is enough to deter the majority of criminals and honest people. The determined criminal will always find a way in. Why use an easy keyway? Why use generic spools when there are far better driver pins that can provide far more pick resistance? Why no countermilling? No sidebar? Trap pins? Lasers? Sharks... piranhas that bite you... the answer is simple. Cost. The product is cheap. I would consider a $30 padlock to be a cheap padlock. Don't get upset when Abus won't respond to you. If you find a flaw in one of their prize top shelf products I am sure they will jump all over you for information. Or perhaps they may not! I see this type of stuff every day in the IT world with vulnerabilities found in software that can lead to security holes the size of... It is not uncommon for software companies to outright deny, ignore, or attempt to cover up the fact that holes were discovered. It is just the nature of the beast. All we can really do is keep making YouTube videos and spreading the word on just how illusionary the concept of security really is.

Also, you do not need a special tensioner for an Abus padlock. I have never personally seen a pin tumbler lock that would require a specialized tension tool to apply force. Perhaps you are referring to the fact that you need a slightly smaller one to compensate for a smaller keyway?
<<

dicey

Contributor

Posts: 183

Joined: Tue May 08, 2012 3:53 am

Location: Germany

Post Wed Mar 20, 2013 11:27 am

Re: Abus 72/40 Padlock Bypass

They did answer but not in the way I was hoping for.
That is what I meant xeo. I find it easier to get a grip on them with Peterson/Technical Entry Pry Bars.

Well and truthfully spoken xeo!
<<

mrbinky

Familiar Face

Posts: 70

Joined: Mon Jun 13, 2011 8:38 am

Location: maryland

Post Wed Mar 20, 2013 3:16 pm

Re: Abus 72/40 Padlock Bypass

great video man
<<

dicey

Contributor

Posts: 183

Joined: Tue May 08, 2012 3:53 am

Location: Germany

Post Wed Mar 20, 2013 7:54 pm

Re: Abus 72/40 Padlock Bypass

Thanks mate :)
<<

oldbiscuit

Contributor

Posts: 355

Joined: Tue Jan 01, 2013 7:25 pm

Location: Nebraska, USA

Post Wed Mar 20, 2013 8:20 pm

Re: Abus 72/40 Padlock Bypass

Adrian, Great video and documentary. It doesn't surprise me that ABUS is ignoring the defect or shortcoming as you pointed out. They probably are looking at the bottom dollar, profit wise. For them to admit there is a mistake or shortcoming in their lock, they would have to run it past their designers, engineers, marketing, promotion, and sales staff just to make one little itsy bitsy tiny change. Then someone would have to step up to the plate and admit how they could have missed this when some no name picker (you) was able to see the problem. They are probably playing the odds that even if you post a video and write up, most common people would never hear or see it. They are probably gambling that it won't hurt their sales enough to worry about it. Just my thoughts, I could be all wrong. Mark :shock:
"It never fails - as soon as I find the key to success, somebody changes the lock!"
<<

huxleypig

The Prestigious and Powerful Porcine Prelate

Posts: 954

Joined: Wed Jul 14, 2010 4:59 am

Location: West Mids, UK

Post Thu Mar 21, 2013 11:35 am

Re: Abus 72/40 Padlock Bypass

Good vid Dicey. I think they should fix it. When you buy a padlock with the name 'Abus' on it you are expecting it to do what it says and offer security - even if it IS one of their cheaper locks. This bypass is too glaring a hole to ignore (pun intended).
<<

dicey

Contributor

Posts: 183

Joined: Tue May 08, 2012 3:53 am

Location: Germany

Post Fri Mar 22, 2013 9:00 am

Re: Abus 72/40 Padlock Bypass

Thanks mark and huxley!

I think you are both right mates and thanks again for having my back on this one :)
<<

decsec

Newbie

Posts: 10

Joined: Tue Sep 25, 2012 9:06 am

Location: Germany

Post Sat Mar 23, 2013 12:17 am

Re: Abus 72/40 Padlock Bypass

I totally agree with Xeo and Oldbiscuit, so I think the point is clear. But what I don't understand is, why some people (in this case you dicey) are so eager to tell the companies about a vulnerability?
For the Companies the goal is to make money - they don't give away their stuff for free!
<<

Riyame

Keeper of the Bests / Supreme Overlord of Small Format Interchangeable Picking Nightmares

Posts: 2164

Joined: Sun Jul 24, 2011 11:16 am

Location: Canada

Post Sat Mar 23, 2013 1:12 am

Re: Abus 72/40 Padlock Bypass

decsec wrote: I totally agree with Xeo and Oldbiscuit, so I think the point is clear. But what I don't understand is, why some people (in this case you dicey) are so eager to tell the companies about a vulnerability?
For the Companies the goal is to make money - they don't give away their stuff for free!


People tell the companies about vulnerabilities in the hopes that they will use that information to make a better product. In this case they did not choose to do that so he released the video so that people will find out about it and hopefully use a better product.
PhoneMan: I always knew I'd say something stupid and it would be someone's sig
macgng: i am an equal opportunity pervert
macgng: aww fuck thats goin in someone sig :-(

If life gives you melons, you might be dyslexic.
<<

decsec

Newbie

Posts: 10

Joined: Tue Sep 25, 2012 9:06 am

Location: Germany

Post Sat Mar 23, 2013 3:12 am

Re: Abus 72/40 Padlock Bypass

I think you misunderstood. The motivation for publishing a vulnerability, so people know about it, is clear. And I think Adrian did the right thing (YouTube video/community etc.).

What I mean is, telling a Company and giving them time to fix the problem - for free. People who already bought a product won't get a new one. I assume that Kryptonite was the only company that changed the locks for free (correct me if I'm wrong).
Many IT companies offer a reward for telling them about vulnerabilities and I think that is the right way.
<<

dicey

Contributor

Posts: 183

Joined: Tue May 08, 2012 3:53 am

Location: Germany

Post Sat Mar 23, 2013 8:20 am

Re: Abus 72/40 Padlock Bypass

Because it was the right thing to do. It is what I had to do. Because I was hoping for some appreciation "Good job Mr. Weber thank you very much!", like in the good old days?

To be honest... I can't explain why but I believe in honor, integrity and teamwork old values you know?
So maybe I just had to do it this way.