Kwikset SmartKey Padlock

[mercurial]

I recall hearing, quite a few years back, that TOOOL in the Nederlands discovered a major security flaw in a common door lock and the manufacture did not address it when it was pointed out. They went public and the manufacturer had to recall a lot of locks and replace them for free.

I do not remember if it was Barry Wels or Toool that uncovered the vulnerability, but this certainly happened(free replacement locks) with the Kryptonite bicycle locks which used a tubular lock, when the Bic pen lid bypass (more accurately a self-impressioning attack) became widely publicised.

In fact as I type this(I must be getting old-timer's, too!), I remember Barry did post about vulnerability in a bike lock that used a wafer lock - it was an over lifting attack, whereby a blank key was inserted, tensioned & quickly withdrawn from the lock, thus opening it.

Barry was not the first to discover the attack - firstly this is an old & well known method of opening many wafer locks & furthermore, in this instance it was independently discovered by a group of bicycle enthusiasts, who in turn reported it to the police, who then claimed credit for the 'discovery' for themselves...

Barry heard about it, acquired a couple of the locks, and some blank keys, started experimenting & then figured out the vulnerability himself. It seems that until then, he was unaware of this method of opening wafer locks.

Interestingly the attack only worked on 50% of the Axa locks. The lock was available with two keyway profiles, which were mirror images of each other. Only one keyway profile was vulnerable to this attack.

The company (Axa) offered a 50% discount on a replacement lock when a popular news program, Kassa, did an article about the attack on prime time TV. In this instance, I don't think Barry chose to notify the manufacturer of the vulnerability before going public.

It is years since I read about this, so I may have got part of the story or it's timeline mixed up .

There is more detail here :

http://blackbag.nl/?p=151
http://blackbag.nl/?p=152
http://blackbag.nl/?p=153

On a side-note, I have always been curious as to whether Kryptonite offered free replacement locks here in Australia. I suspect they didn't.

...Mark

EDIT : a door lock vulnerability that springs to mind when I think of Barry Wels & Toool is the locks found to be vulnerable to the magnetic ring attack (a drill was used to spin an aluminium ring, containing magnets, which induced a current in certain electric motor actuated electro-mechanical locks). This was not discovered by Toool, it surfaced on YouTube, the lock exploited was made by Uhlmann & Zacher.

Toool investigated if the bypass was a myth & when they found that it worked, they tested the bypass on a wide variety of electromechanical locks. They found many supposedly high-security locks to be vulnerable & chose not to list them & notified the manufacturers. I do not know how the vulnerable lock's manufacturers responded.

[Oldfast]

I LOVE to hear those stories! We can have a very positive impact.
Quite the contrary to what some people may think about lockpicking.

Anyway, I too am very pleasantly surprised by Kwikset's response.

MMF ???

Gordon...... don't keep us in the dark.

Sounds like a good story.

Read this thread http://www.keypicking.com/viewtopic.php?f=12&t=6117

Ah yes, lol. That was an interesting little excursion. And no, I never once heard from them again.
Speaking of which, the deposit bag 'pass-around' is still active. It's been awhile though.
I suppose I should check in on it. See when it'll start moving again.

[Riyame]

I know thedonofdeath had the manipulation kit as well and there was some troubles getting it to the next person, so I assume that he still has it.

[GWiens2001]

The manipulation kit is with MBI. He will forward it to me when he has the chance. The deposit bag pass around is different.

Gordon

[Riyame]

That is why I said he had it

I only mentioned it because we had a real hard time getting into contact with him and getting a hold of the next person after him as well.

[plugspin]

...
EDIT : a door lock vulnerability that springs to mind when I think of Barry Wels & Toool is the locks found to be vulnerable to the magnetic ring attack (a drill was used to spin an aluminium ring, containing magnets, which induced a current in certain electric motor actuated electro-mechanical locks). This was not discovered by Toool, it surfaced on YouTube, the lock exploited was made by Uhlmann & Zacher.

Toool investigated if the bypass was a myth & when they found that it worked, they tested the bypass on a wide variety of electromechanical locks. They found many supposedly high-security locks to be vulnerable & chose not to list them & notified the manufacturers. I do not know how the vulnerable lock's manufacturers responded.

This manufacturer (Uhlmann & Zacher) was at LockCon the year this happened, the lock was CX6122. They said they did not know about the vulnerability until the "ring of fire" or "devils tool" was being sold in a locksmithing catalog. Lastly, at least in the demonstrations I saw, the ring was spun by hand, no drill required.

[mercurial]

You are right, the original YouTube clip showed the ring being spun by hand. The way the mortise cylinder protruded from the door facilitated this. It would be necessary to carry a rod to support the magnet to do this to a lock mounted flush with the door, which would also be quite clumsy as the ring must be spun quite fast. The use of a drill made this attack much easier & more potent, as more current could be induced.

Apparently the MulTLock Cliq was one of the other locks found to be vulnerable, but I haven't seen it done.

...Mark

[Karma 24 7 365]

Great post! Wow, what an eye opener. I understand expecting low quality from Kwikset, but wow. I still want to play with one though.