Security Review: CyberLocks

By chrislim at 11:13 pm on February 10, 2008 | 2 Comments

At its essence, a CyberLock is a mechanical lock with extra capabilities, bringing intelligent electronic access control down to the padlock level. CyberLock cylinders, which cannot be picked and maintain an audit trail of usage, can replace virtually any traditional lock (e.g. for doors, cabinets, padlocks, server racks, etc.) without any wiring. However, the introduction of these additional features also increases the potential for new vulnerabilities and attacks. The following is an overview of the typical CyberLocks usage scenario that I will review (see this video for a clear and concise overview of the system; after watching it you may be able to skip to the Assets section of this review).

Summary

I apologize for the lengthy summary, but it seemed necessary to understand the nature of the vulnerabilities in this system. I assume that there are four main components to the system: the CyberLock itself, which secures some asset; the CyberKey, which is used to gain access to the asset; a cellphone, used to remotely authorize keys; and the CyberAuditWeb software, which centrally maintains access control lists, schedules, lost key lists and other information. Even this simplified view of the system remains quite complex.

The CyberLock cylinder is a simple metal cylinder with three contacts (one of them ground) facing outward and no keyway; inside, it contains some simple electronics and programmable memory. The lock holds a lock id, encrypted access codes, a lost key list, and a list of 1,100 events (e.g. lock opened or closed, lost key used, etc.).

The CyberKey contains a battery (which powers both the key and the lock), an infrared port, three leads (to connect with the lock), an electromagnet (to prevent someone from removing the key before the asset is re-secured), and some internal electronics/memory. I will assume that both the communication between lock and key and the infrared communication are encrypted (although it is quite possible that the infrared communication is not). The key holds a key id, encrypted access codes, access schedules, and a list of 3,900 events (e.g. access granted/denied). There are actually three types of keys: the reset key, grandmaster keys and user keys. The reset key is used to reset the system if the system password is ever lost (this password is used as a seed for all the encryption in the system); a grandmaster key serves as a master key and is used to program locks and to download the audit trail information from locks; and user keys are used to open locks in typical day-to-day usage.

Key authorization is a process that provides fine-grained key control. A key can be scheduled to expire within some time period to mitigate the potential damage that may be caused by a lost key, or to prevent users from gaining access during unauthorized times (e.g. access only allowed from 8am-5pm). There are several ways to reauthorize a key, but for this example I will assume a cellphone is used (this is available only in the enterprise edition), so that an employee can have their key renewed even at remote sites. The cellphone must run special software (the CyberAgent) that connects to the CyberAuditWeb server over the internet to request authorization; upon receipt, it transmits the new expiration time to the key over infrared, and the key is thereby renewed. I will assume that the CyberAgent software is a “dummy conduit” application that never sees unencrypted data, but only passes along encrypted communication between the key and the server.

The CyberAuditWeb server is a web application written in Java with a MySQL backend, currently sold as an appliance (e.g. a MacMini or blade server with the software preloaded on it). It supports several user types, including a top-level administrator who has full access to everything, administrators who have full control over certain sets of keys (i.e. for those keys they can manage schedules, issue keys, etc.), and employees who connect to the software to reauthorize their keys or view their information. All users can be grouped, and access permissions can be assigned by those custom groups. For the purposes of this review, I will only consider this application at a high level and not examine its intricacies or the possible attacks against it.

I will assume the typical usage scenario is as follows: an employee wants to access an asset, but needs to be reauthorized. He pulls out his cellphone and runs the CyberAgent application, which connects through the internet to the CyberAuditWeb application. The cellphone communicates over infrared with the key to get identification information and to set the authorization information given by the web application. The CyberKey and CyberAuditWeb perform a handshake to verify each other’s identity, after which they proceed to synchronize information. The key updates its lock list, schedule and expiration time, and synchronizes its clock, while the web application downloads the key’s event information and checks that the key may be reauthorized (according to its schedule and by verifying that the key is not lost), then sends back an updated expiration time. With that the key is reauthorized and ready to open the lock.

The employee inserts the key into the lock cylinder (which is powered by the key) and the two exchange id numbers. The key verifies that it has access to that lock id and that it is attempting access during a scheduled time; then the key sends its access code to the lock. The lock checks the key id against its list of lost keys, and if the key is lost, the lock rejects it, writing an event to both its own log and the key’s log denoting the use of a lost key. If the key is not on the list and the key’s access code matches the lock’s access code, the lock grants access (and records the appropriate events in both logs).
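The key-to-lock access decision just described, as an added simulation that is not part of the original review or of the CyberLock product: the key checks its lock list, schedule window and expiration, the lock checks its lost-key list before comparing the access code, and both sides record the event. The lock and key ids, the access code and the schedule are constructed values.

```python
import hmac
from datetime import datetime
# Constructed stand-in: real access codes derive from the system password.
ACCESS_CODE = b"constructed-system-access-code"

class CyberLock:
    # Lock side: lock id, access code, lost-key list and its own event log.
    def __init__(self, lock_id, access_code, lost_keys=()):
        self.lock_id, self.access_code = lock_id, access_code
        self.lost_keys, self.events = set(lost_keys), []

    def log_both(self, kind, key_id, key_events):
        event = (kind, key_id, self.lock_id)
        self.events.append(event)   # the lock's own audit trail
        key_events.append(event)    # the key's audit trail

    def try_open(self, key_id, access_code, key_events):
        # The lost-key list is consulted before the access code is compared.
        if key_id in self.lost_keys:
            self.log_both("lost_key_used", key_id, key_events)
            return False
        ok = hmac.compare_digest(access_code, self.access_code)
        self.log_both("lock_opened" if ok else "access_denied", key_id, key_events)
        return ok

class CyberKey:
    # Key side: key id, access code, lock list, schedule window, expiration, log.
    def __init__(self, key_id, access_code, lock_ids, hours, expires):
        self.key_id, self.access_code = key_id, access_code
        self.lock_ids, self.hours, self.expires = set(lock_ids), hours, expires
        self.events = []
    def present(self, lock, now):
        # Steps 1-2: ids are exchanged; the key checks lock list, schedule, expiry.
        start, end = self.hours
        if (lock.lock_id not in self.lock_ids or now > self.expires
                or not start <= now.hour < end):
            self.events.append(("access_denied", self.key_id, lock.lock_id))
            return False
        # Step 3: the key sends its access code; the lock makes the final decision.
        return lock.try_open(self.key_id, self.access_code, self.events)

def scenario():
    lock = CyberLock("lock-substation-7", ACCESS_CODE, lost_keys={"key-0099"})
    expires = datetime(2008, 2, 12, 17, 0)
    good = CyberKey("key-0042", ACCESS_CODE, ["lock-substation-7"], (8, 17), expires)
    lost = CyberKey("key-0099", ACCESS_CODE, ["lock-substation-7"], (8, 17), expires)
    return {"in_hours": good.present(lock, datetime(2008, 2, 11, 10, 0)),
            "after_hours": good.present(lock, datetime(2008, 2, 11, 20, 0)),
            "lost_key": lost.present(lock, datetime(2008, 2, 11, 10, 0)),
            "lock_log": lock.events, "lost_key_log": lost.events}
```

Note that the after-hours denial appears only in the key's log, since the key never sends its access code, whereas a lost-key use is written to both logs.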

Assets and Security Goals:

  • CyberLock is able to control access to any physical asset that you can secure with traditional locks, so one example asset is access to a power substation (we wouldn’t want any person to come along and cut off power for a whole region).
  • Security Goal: Obviously, only authorized users should be able to access the asset secured by the CyberLock.
  • A second asset in this system is the ability of authorized users to gain access to the asset when they need it (availability).
  • Security Goal: Authorized users must be able to access their assets. For example, if this system were used to protect a power substation, an engineer must be able to access the substation to make repairs when necessary.
  • An additional asset that can be considered is the reputation of a company or its compliance with government regulations. CyberLocks’ more sophisticated capabilities may be used to improve a company’s reputation with respect to security, or enable it to meet requirements from, say, the Department of Homeland Security.

Adversaries and Threats:

  • Vandals: the threat of vandalism of property (the asset secured by the CyberLock) or of the CyberLock system itself. There is evidence, for example, of students putting superglue or toothpicks into school door locks to delay the start of school (no one can open the doors until the cylinders are drilled out, and then all doors need to have their locks replaced). This attacks the security goal of availability.
  • Terrorists: Public infrastructure (e.g. power, water, communications) is notoriously insecure and often difficult to secure because of its distributed and remote nature. There is a great threat of damage and harm against public infrastructure (and hence people).
  • Employees: There exists a threat from disgruntled employees who may desire to cause loss or harm to their company by denying access to all assets or tarnishing a company’s reputation among other things. Insiders are often the most difficult adversaries to face.
  • Thieves: There is a threat of theft of an asset by thieves. Beyond the obvious assets of money, costly equipment, important documents, etc. that are secured with traditional locks, we can also include the theft of digital information (e.g. via physical access to computing hardware).
  • As you can tell, because of the widespread applications of this product, the potential adversaries are quite varied. The spectrum can vary all the way from governments who want the manufacturer to include an exploitable backdoor to kids who want to cause trouble.

Potential Weaknesses:

  • The communications between CyberKey and CyberLock, between CyberKey and cellphone (running CyberAgent), and between the cellphone and the CyberAuditWeb application are presumed to all be encrypted, but the sheer complexity of this system makes it likely that weaknesses exist (I also do not know whether any mechanisms for ensuring integrity, such as an HMAC, are employed, but assume that they are). The CyberKey itself contains simple hardware and probably cannot use very sophisticated encryption. Since I do not know the details of the encryption, it is not clear what kinds of attacks might be perpetrated against it, but there is always the possibility of replay attacks against the lock (recording the encrypted communication between the key and lock and replaying it to have the lock grant access). If the CyberAgent were more than a “dummy conduit” it would also see the information in unencrypted form, and a malicious user could obtain and reuse that information (some variant of a man-in-the-middle attack). Additionally, the system appears to use symmetric (shared secret key) cryptography, which means that if the secret key is compromised and the cryptographic algorithm used is known, the encryption no longer provides confidentiality or integrity. However, on the surface, the encrypted communication seems sufficient.
  • The CyberKeys can be programmed over infrared. I assume that a key can be added to the system by programming it over infrared, which means that it must begin with some plaintext communication and this initial communication may be compromised.
  • The system has one top-level administrator, which means that if this person is compromised, the whole system is vulnerable to nearly any threat. (Although because of the distributed nature of the system, they may not be able to easily and quickly change access permissions to every lock because programming a lock requires physically connecting the lock to a configured grandmaster key)
  • The system uses a single password as a seed for all encryption so if this password were compromised the whole system would be open to attack on every level.
  • The existence of the reset key. A reset key is generated in case the original system password (the top-level administrator’s password) is lost. The system is locked in by the password (so that a key/lock in one system will not work with components of other systems), but this key resets the whole system (locks, keys, software) to factory defaults, enabling the system to be reconfigured. Anyone with access to this key could reset any lock and gain access to the asset being protected.
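The replay concern raised in the first weakness above, as an added simulation that is not part of the original review and does not describe CyberLock’s actual protocol: a lock that expects the same bytes in every session cannot distinguish a genuine key from a recording of an earlier session, whereas a lock that issues a fresh random nonce per session and expects an HMAC over it (an assumed mitigation, chosen here for illustration) rejects the recorded message even though the shared secret was never exposed. The shared secret and key id are constructed values.

```python
import hashlib, hmac, os

# Constructed shared secret; in CyberLocks the secrets derive from the system password.
SHARED_SECRET = b"constructed-shared-secret"

def key_response(secret, challenge, key_id):
    # Key side: the message it sends is an HMAC over the lock's challenge and its id.
    return hmac.new(secret, challenge + key_id.encode(), hashlib.sha256).digest()

class StaticLock:
    # Lock with no freshness: every session uses the same (empty) challenge, so the
    # key's message is identical each time and a recording of it still verifies.
    def __init__(self, secret):
        self.secret, self.current = secret, b""

    def challenge(self):
        return self.current

    def verify(self, key_id, msg):
        expected = key_response(self.secret, self.current, key_id)
        return hmac.compare_digest(msg, expected)

class ChallengeLock(StaticLock):
    # Lock that issues a fresh random nonce per session and discards it after one
    # use, so a message recorded in an earlier session no longer verifies.
    def challenge(self):
        self.current = os.urandom(16)
        return self.current

    def verify(self, key_id, msg):
        if not self.current:
            return False
        ok = super().verify(key_id, msg)
        self.current = b""   # single use: the nonce is consumed by this check
        return ok

def run_session(lock, key_id, recorded=None):
    # One key-to-lock session; with `recorded` set, the earlier message is replayed.
    challenge = lock.challenge()
    msg = recorded if recorded is not None else key_response(SHARED_SECRET, challenge, key_id)
    return lock.verify(key_id, msg), msg

def replay_outcome(lock_cls):
    # Returns (genuine session accepted, replayed session accepted).
    lock = lock_cls(SHARED_SECRET)
    genuine, msg = run_session(lock, "key-0042")
    replayed, _ = run_session(lock, "key-0042", recorded=msg)
    return genuine, replayed
```

The same message is passed to both locks; only the presence of a per-session nonce changes the second outcome, which is why freshness, not encryption alone, is what a replay check depends on.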

Potential Defenses:

  • Do not allow keys to be added to the system using infrared, but require physical contact, which is harder to compromise. After a key has been added to the system, it will have more securely obtained a secret key and infrared communication can probably be used after that.
  • Implement some form of dual control for the top-level administrator such as having the first half of the password supplied by one admin and the second half provided by a different admin.
  • Defend the reset key scrupulously with other access control mechanisms.

Risks & Conclusion:

It is difficult to evaluate the risks associated with these assets, threats and vulnerabilities because the value of the assets varies widely, from critical infrastructure to construction sites to sheds. It is safe to assume that people who need to secure their assets with CyberLocks as opposed to traditional locks are securing very high value assets, so let us say that there is a high risk impact. The probability of a threat materializing depends on the adversary, the highest probabilities deriving from vandals, followed by thieves and malicious employees, and finally terrorists. Similarly, the risk probability of compromised encrypted communication depends on the adversary; an insider (an employee) has a much higher probability of exploiting any vulnerabilities in this realm. Since most of the weaknesses require physical presence to exploit, outsiders will have a difficult time taking advantage of them. The probability of compromising the system password is high compared to the other vulnerabilities because it depends on the dependability of well-intentioned humans: the password may be compromised through social engineering techniques, or a weak password may be chosen, or one that is used in other places or written down for safe-keeping, etc. Ultimately, it appears that the overall risk exposure is at a “low-ish medium” level; it is heavily dependent on the trustworthiness and dependability of insiders. Even so, the benefits of using CyberLocks over traditional locks, including extremely difficult key duplication, lock-pick proofing, audit trails (a form of detection), and fine-grained key control among others, overcome many conventional weaknesses and significantly mitigate physical security threats. As with any security system, it is necessary to use the CyberLocks system with best practices and in conjunction with other security protocols and tools to have a well-rounded defense.

Author’s Note: CyberLocks is a solution provided by my dad’s company iCrescendo, LLC, but I attempted to be as impartial and critical as possible.

Filed under: Physical Security, Security Reviews

2 Comments

  • 1. Comment by Jskardon, February 15, 2008 @ 4:52 pm

    Hi There,

    I work at Videx and found your analysis quite interesting. However, a compelling advantage of the Cyberlock is that a locksmith can convert a simple mechanical lock & key door into an electronic door in only a few minutes, saving the customer large sums of money per door.

    Regards,

    John

  • 2. Comment by chrislim, February 16, 2008 @ 12:34 pm

    Hi John,

    I agree, CyberLocks is an excellent product with many advantages over other access control systems. If I were to do a product comparison, it would be interesting to do a security review of other systems (e.g. card reader/biometric, etc.) and compare the risk exposure along with associated costs, etc.

    -Chris
