Author: Steve Pordon
Version: 1.21
Date: May 11, 2014
Original publication: July 22, 2013
Changelog: 1.21 (further correction of hash definitions)
1.20 (corrected definition of hash values in DB)
1.01 (minor HTML cleanup)
1.00 (initial public release)
Acknowledgements:
Any errors are my responsibility.
CyberLock and CyberAudit are trademarks of Videx, Inc.: http://www.videx.com/
Abstract: Older Videx CyberLock hardware installations (prior to around August 2011) may be vulnerable to a simple physical attack, and older versions of the CyberAudit management software (version 1.2a tested, probably other versions written in Visual Basic 6 prior to the "CyberAudit-Web" rollout ca.2009) are vulnerable to multiple attacks, one of which I will focus on in this paper. The physical attack leaves no audit trail within the locks, and the database attack logs can be trivially obfuscated in the CyberAudit Lite software.
Methodology: I developed the physical exploit on a new (old stock) 2010-era T-bar vending machine lock held in a pair of Vise Grips in March 2011. I developed the database attacks on this same lock and a 2002-era Schlage form factor CyberLock in May 2011, using version 1.2a of the CyberAudit Lite software. A locksmith who declines to be named confirmed that the physical attack also worked with a mortise form factor CyberLock installed in a Chubb Viper Deadlock.
Mitigation: Upgrading to locks manufactured after August 2011 and any version of the CyberAudit-Web software will prevent the specific attacks discussed here. Both of these mitigation vectors require new hardware. At a minimum, installations running CyberAudit software prior to the "Web" versions should physically isolate the computer running CyberAudit from the network, and follow best practices regarding employee access to this computer.
Date vendor notified: June 29, 2011
Date of vendor fix: August 10, 2011 (Note: no software fix known. Upgrade
to CyberAudit-Web.)
Date of initial public release: July 22, 2013
Videx CyberLock is a patented (http://www.google.com/patents/US6615625) drop-in replacement for existing mechanical locks, and comes in several different form factors to conform to different lock core shapes. Although differing externally, CyberLocks generally share the same internals, composed primarily of logic circuitry, memory, solenoid-engaged blocking pin, and an anti-tampering pin. Locks are powered by a battery in the key. If the key contains the correct password hash and is authorized to open a specific lock, the lock will write an entry to an access log and pull the solenoid out of the way of the blocking pin, allowing the lock plug to rotate and engage the locking mechanism (cam, T-bar bolt, etc.). Keys will automatically sync any new lock audit logs with the database on key updates, and locks keep a rolling log of all events (the number of entries varies with the number of locks in the database, but locks in a CyberAudit Lite installation hold a maximum of 1100 entries).
Magnetic attacks against CyberLock were developed by parties unknown several years after the first patent (see https://www.youtube.com/watch?v=D0rTbcWtCek for an early example). These attacks depended on a sharp blow to the face of the lock coupled with a strong rare-earth magnet. My understanding is that the impact makes the solenoid bounce toward the front of the lock, close enough so that the magnet is able to capture the solenoid plunger and hold it out of the way of the blocking pin, at which point the lock is effectively open. In my testing, I could not get the magnetic attack to work on my specific lock, which I was later informed was the result of Videx replacing the tamper pins in newer locks with steel instead of brass (thus capturing the tamper pin against the magnet along with the solenoid, which stops the blocking pin from dropping out of the lock's shell so that the plug can turn).
Although I couldn't perform the magnetic attack, the "bouncing solenoid" theory was still a sound one. Building off of this idea and the idea of timing in bump attacks, I was able to open my locks in as little as one second with a piece of metal and a 12-oz. plastic-faced hammer. The attack is carried out by using a piece of spring steel with a 90-degree bend (or a basic lockpicking set tension wrench) in the face of the lock and slamming the plastic head of the hammer into the front, either applying turning torque at the time of the blow or simply holding torque steady during the process. Without torque timing, the attack generally requires several blows, but my average time to open was still around four seconds. Locks bypassed this way will have considerable, obvious damage from the tension wrench deforming the metal of the lock face, but the lock itself will have no record of opening due to a lack of power. If there is already an audit log in the lock's memory, the last log entry will be the last evidence of opening. According to the patents, the tamper pin in CyberLock plugs is designed specifically to defeat this type of physical attack, but I found it to be ineffective in the locks I tested.
LP101 forum member mh pointed out that a specialized torque tool could be made that would minimize the forensic physical damage to the lock, but I have not tested this theory.
Videx sent me a newly manufactured lock to test after I contacted them. I was able to open the new lock in one second with the hammer attack. In August of 2011 Videx sent me one that I could not bypass. I was not allowed to disassemble this lock, and therefore don't know what specific modifications were made, but it is safe to say that locks manufactured after then should not be vulnerable to this specific attack.
There is no skill required to perform the physical attack. The technique most closely resembles the pin tumbler bump attack, which I have never performed, and I was able to get my CyberLock open in about ten seconds the first time I tried this attack.
A proper CyberLock installation consists of one or more locks and keys, a hardware key programmer, and CyberAudit software which reads and writes database entries, using password authentication. A hash of the CyberAudit system password is used by keys to open the locks. When the key is synchronized with a lock, the lock verifies the correct password hash and opens the lock if information supplied by the key indicates that this key is authorized to open this lock. An attacker's key can thus fool any lock into accepting its validity as long as the key knows the correct password hash.
After a successful key/lock handshake, the key copies the lock's recent audit logs to its own memory and updates the CyberAudit database during the next key synchronization. This database is absolutely trivial to manipulate in pre-"Web" versions of the software, but it requires access to the files, either by an internal attacker or by an external attacker able to exploit OS vulnerabilities over the network (minimum OS required to run CyberAudit: Windows NT 4.0 or Windows 95). The CyberAudit user manual stresses the importance of securing the program's files.
Prior to the CyberAudit-Web overhaul, the management software was written in Visual Basic 6. The database is an MS Access 97 format that uses JET 3.5 encryption, which has been known for years to be broken (see https://groups.google.com/d/msg/relcom.netnews.big/LtbiWVrvlWw/l7DuKh17wg4J). When I asked Videx whether I should upgrade my software to a newer version for security purposes, they told me I should get familiar with my current installation before considering an upgrade.
The database is stored as the file
Passwords hash to the same value across different installations, which means there is no salting based on timestamp, etc. I haven't tried to reverse the hashing algorithm because with direct database access, it isn't needed.
Table | Description |
---|---|
|
Contains various key/lock relationships, flags indicating whether lock needs to be configured or transfer logs on next access, etc. |
|
Contains current hashed CyberAudit communication password ( |
|
List of all key IDs with communication hash ( |
| List of all lock IDs with common assigned names, flags indicating whether the lock has a pending update, etc. |
| Audit logs. |
|
Contains altered password hashes in chronological order of changes. |
There are many things an attacker can do with direct access to the
database, but the most severe attack is key injection. Key/lock
relationships are stored in the
At this point, the attacker's key–I got mine on eBay along with one
lock, the key programmer, and software for about $80, and another key/lock
combo for about $30–will open any lock it's assigned to in the
It is important to note that an attacker with his own key, copy of the software, and a key programmer can perform this attack from anywhere, provided he has obtained a copy of the CyberLock.cld file from the facility installation computer (see caveat above, as this is the only non-trivial part of the attack). The CyberAudit software demands the system password every time it is started, but crucially does not require this password to be entered in order to update a key inserted into the key programmer. As long as the correct entries for a particular key exist within the database, the software will happily read and write key information via the programmer immediately on insertion while the program is still displaying the password entry window. Technically, a child program named CyberCom.exe is started by CyberAudit.exe, and is responsible for serial communication with the key programmer–the program can be run manually and will update keys automatically based on database information without requiring user interaction.
An attacker can also easily obfuscate logs in CyberAudit Lite by setting the
The skill level needed to exploit the database attack varies widely depending on the network, filesystem, and workstation security protecting the .cld file. For the sake of argument, an attacker with the database in hand would need a basic level of relational database knowledge to understand and manipulate the structure successfully.
According to Videx literature, CyberLock is mainly used in facilities that require high physical security and strong auditing capabilities. Some of the uses listed at http://www.cyberlock.com/cyberlock_case_studies.html include class 2 narcotics safes in Fire Department vehicles, police evidence rooms, water treatment facilities, and vending machines. The potential impact of any of these use cases should be self-evident, but I will focus on the vending machines in the next section.
Bob and Mallory are vending machine technicians working for Alice. Each time they go into the field to empty coin boxes, they take along an employee-assigned key which has been programmed to only open vending machines during specific time periods. Mallory collects coins every Monday and Bob collects coins every Thursday. Keys must be returned to the office when not in use, and are only handed out at the start of a shift. Alice stores the keys in a safe when they're in the office but has a bad habit of not password-locking her Windows NT 4.0 workstation running the CyberAudit Lite software.
One day, Mallory finds a Craigslist post for a used CyberLock starter kit, and buys it for $100. She copies the CyberLock.cld file from Alice's computer onto a USB drive, sets up the software at home, injects her new key into the database, gives it the name "Bob", and updates the key. She puts this modified database back onto Alice's computer on Wednesday.
On Thursday, Mallory uses her new key to skim money from the vending machines just before Bob gets to them. After he completes his rounds and returns the key to Alice, the day's audit logs are synchronized with the database. If Alice looks at the logs before Mallory has a chance to alter them to remove the extra entries, she will see only that Bob has been accessing the vending machines twice per shift. Given the advertised security of CyberLock, she will have little reason to suspect anyone other than Bob in the event of accounting discrepancies.
Videx CyberLock is a very nice product overall, with continual security improvements. Due to the nature of physical locks, however, "patches" aren't always feasible. The time and cost involved in replacing locks, especially in large facilities, are considerably more expensive than software patch maintenance windows. Older installations may still be vulnerable to the attacks outlined here. Layered security is, as always, a good defense. If your installation depends on older hardware which you can't replace at once, it's still a good idea to at least update the software to the CyberAudit-Web versions.