You Won’t Get Fooled Again
• posted 03/02/16
In a recent blog post and YouTube video, Matthew Jakubowski, a security researcher with Trustwave, showed how a pocket-size electronic lock pick, disguised as a magic marker, could be used to open a lock that protects rooms in as many as 22,000 hotels.
A small port on the lock’s bottom, designed for hotels to set master keys, appears to be the vulnerability. The lock’s maker responded with a security fix, but it requires hardware changes.
It may seem to be a rare manufacturer oversight, but Roger Johnston, Ph.D., section manager at Argonne National Laboratory, believes overlooked vulnerabilities, in the very security devices that are designed to offer companies protection, are more common than security professionals think.
According to Johnston, engineers and manufacturers focus on making things easy for the user and simplifying the service of devices. These very conveniences, however, make it easy to tamper with devices, and allow an industrious intruder to modify and fool a door access control unit, for example. Security is about inconvenience, but engineers like to make things easy, notes Johnston.
Security executives often forget, but shouldn’t, to evaluate the security of a device as closely as they do other criteria, such as compatibility, features, and price. Often, even basic security precautions, like tamper-indicating enclosures, are ignored in the manufacture of security devices, or the device relies only on a mechanical tamper switch (which is about the same as having no tamper detection, says Johnston).