Noted security expert Marc Weber Tobias contributes a new column, The Lockdown, exposing the shoddy security you may depend on.

Targus is offering what they call a "mobile security lock" that they claim is a perfect "solution" for the millions of iPod owners who are hoping to keep their music players secure from theft. After evaluating the device from three different perspectives, I was not quite sure exactly what the "solution" was that they were describing, so I requested an interview with their Director of United States Marketing, Al Giazzon. Targus agreed, in part to respond to the Lockdown analysis of the Defcon CL Armored computer lock. I offered them a chance to talk about their philosophy on both of these products and to comment specifically on what I had described as Defcon CL design deficiencies. They also reviewed my video prior to the interview. The interview will come shortly, but in this article, I will analyze their latest product offering, the Targus iPod Lock, and summarize what I thought were key points of the interview regarding this product. I think you will find the discussion quite interesting and may shed some light on how Targus defines "security" in the context of protecting computers and small handheld devices, but for now we should discuss and expose the security in this product as well.

The Mobile Security Lock for the iPod

This is a small (2.75-ounce) device that consists of a docking connector that is secured with a three-digit combination lock. It is connected to a retractable 2.5-foot wire that terminates in a lightweight carrying case. Functionally, the idea is that the dock will be inserted into the iPod connector and the cable extended and wrapped around something that is immobile. Two release buttons, one on each side of the locking mechanism, must be simultaneously depressed in order to retract the two metal pins that project into the base of the internal iPod connector. Once the combination wheels are spun and locked, the side buttons cannot be depressed, thus making it impossible to easily withdraw the dock. The design is similar to a notebook lock; the iPod is tied to something that cannot be carried away.

Because there is no dedicated security slot as with a notebook computer, the docking port is the only method to link a tether to the iPod. This is the most critical design problem with the Targus "solution" and in my view, not only is it almost totally ineffective but can result in damage to the device if the cable is removed improperly, either by the owner or a would-be thief.

Utilizing the connector as the method to secure the cable required the least amount of engineering on the part of Targus, was the most obvious, and unfortunately also the least secure. There are other means to protect these handheld devices but would require additional components.

From an esthetic approach, I believe that Targus was correct in their design but at the expense of security. According to Targus, they do not really engineer their products with regard to security; their off-shore manufacturing partner deals with those issues. Whether their vendors are competent to do so is an open question in view of the analysis of the Defcon CL and this lock.

The function of this latest device, as described in the Targus literature, "is to be used as a mobile solution for your backpack, notebook bag, purse or stationary object. It provides an affordable way to secure their iPod while at work or on the go." If the word "secure" means stopping someone from easily stealing your iPod, it does not, which I believe is readily apparent. Targus says the product provides a "modicum of security" and must be considered in the context of the devices they are protecting, cost of the lock to the consumer, and common sense.

More on how Targus sees security for the consumer later in this article. Remember, the key phrase is "a modicum of security." For those readers that are not familiar with this term, the definition for modicum includes small amount, little, bit, scrap, or ounce. This would be an accurate definition of the protection afforded by this product.

Locking Hardware

I analyzed the mobile security lock from the perspective of the functionality of its three primary components: the cable, the lock, and the interface. I also discussed the design of each of these with Al Giazzon.

The Cable

According to Al, the cable is a trade-off between weight and security. The plastic-covered wire that they are using to protect the iPod is 0.065-inch in diameter, well less than a tenth of an inch. It is simple to cut with a pair of diagonal cutters. Targus agrees, stating that the cable is not particularly relevant in terms of security but obviously is needed to tether the device to a desk or backpack or other solid item. So the cable is not one of those items that will really stop your iPod from being stolen; it is just required as part of the overall package.

The Lock

A three-digit combination lock with 999 different user-programmable possibilities appears to keep the "mobile security lock" from being removed from the iPod other than by the owner. Not quite. The mechanism of this "lock" essentially replicates the old Defcon combination lock design, allowing very rapid decoding of the gate position of each wheel, then subtracting two digits for the actual combination. Decoding can be accomplished with a piece of paper or thin plastic as described in our security alert in 2004, and is easily accomplished.



But, argues Targus, the lock is not part of the security puzzle but is simply there as a mechanism to keep the device from being improperly removed from the iPod. In other words, the combination lock is not really relevant as one of the security components in this product. Evidently Targus did not even consider the ability to rapidly decode the combination, and Al was not even aware of the process to do so.

You would think that the combination lock would be integral to the security of this device, but it is not. So what is left to keep your iPod safe? Only one thing: the locking interface at the end of the cable.

The Interface

The interface is the most critical component because it ties the wire to whatever object it is wrapped around. Essentially, it is a replica of the connector that Apple uses to mate with the internal electronics. What holds this connector -- and in this case, the lock -- in place? As anyone who owns an iPod knows, it's merely two tiny metal projecting barbs, as shown in the photograph. That is it. Sure, it's plenty enough to keep your FM remote connected to your iPod, but when using this apparatus the entire security of this device rests on those two small pieces of metal. This connector was designed for an electrical interface, not to withstand any stress, and as I demonstrate, it fails of this essential purpose. In fact, there is an orange warning label affixed to the cable, cautioning the consumer and thief that "forced removal of the secured lock may cause permanent damage to the iPod." It does, which can be viewed as both good and bad.

The good: Targus believes it is a deterrent to thieves, especially young thieves, because they will not steal an iPod if they know it may be damaged by forced removal. Whether it really is a deterrent in such a circumstance is open to question, but Al told me his teenage kids picked up on this issue right away when he brought home a sample of the lock.

The bad: The iPod owner may also do damage if he is not careful in the way he removes the insert, and more importantly a co-worker or someone who just wants to be malicious can easily do damage by removing and inserting the connector.

As shown in this video [WMV], all that is required is a force that is applied at an angle to the connection. The connector snaps right out of the socket. On my 60GB video iPod there was no damage to the internal pins, but on the nano, there was significant deformation of the brass strips. The device still worked, but it may not have docked properly for charging or downloading.

Believe it or not, when Targus tried to remove the connector by rocking it from left to right, they said they were unable to do so. They stated that they were afraid to apply too much pressure for fear they would break something. Yet, they place a warning tag close to the connector, knowing that it can be forcibly removed?

In my view, this product provides a false sense of security at a price tag of around $25-30. So why is it being marketed as a mobile security lock and solution to protect your iPod? Well, other than for the obvious, Targus believes that they are saving iPods from theft by presenting an appearance of security that is sufficient to scare off the casual thief. They say that is really all they can hope to accomplish. Maybe, but read on to understand how they reached this conclusion and their philosophy with regard to security.

A Modicum of Security: It is all a matter of context and common sense

Targus believes that security cable locks and other devices at the current price point of under $70 cannot be expected to protect portable electronic equipment against a determined attack.

Notebook computers and iPods cannot really be secured from planned thefts; they say these locks are only effective in stopping the theft of opportunity or as I prefer, the walk-by or casual theft. Targus thinks that anything can be compromised by a determined thief and that their mission is not to stop that miscreant (the "real" thief), but only the person that has a momentary irresistible impulse (as we say in the law) to own an iPod or a notebook computer. It is the non-determined, casual, "I just had the idea to steal this but am not really determined to steal it" thief that they are targeting.

Their goal, then, is to make it appear that the lock provides so much security that to attempt a theft would be pointless, too much trouble, present too much risk, and would damage the device that is being protected. Under these conditions, Targus believes that the thief will move on to the next available device that is not so secured. As I pointed out to Al, this is somewhat akin to the bank that installs a number of empty boxes with phony lenses that are made to look like real video cameras. It is the same principle. "If it looks secure, it must be so." Do you really want to get caught testing that security out?

So it would appear that we are talking about the honest person versus the knowledgeable dishonest person. Of course, honest people do not steal each other's iPods -- or anything else (although the occasional little girl has been known to lose such a device every now and again). Everyone knows that, because it would violate the very definition of honesty. But just about every thief began as an honest person. What if the notebook or the iPod is the first thing they ever try to steal and do not know that the security device doesn't actually work? Or what if they are smart enough to figure out that the device does not provide any measure of security at all? Worst yet, what if they read on the Internet that the locking device does not protect against anything?

Targus kept reminding me that I am a security expert and thus have the ability to look at a product such as the iPod lock and immediately determine that it is not secure. They said that the public does not have such expertise, so they will normally believe that the product is safe to use. Now, if that were true for everyone, then this theory would work, but it is not true, and so in my view, does not work at all. Basically, Targus is making a product that they hope will fool everyone into believing it is secure enough to discourage the casual thief.

They are only aiming to provide what they call "a modicum of security." That means, as the definition implies, almost no security at all. It is only an illusion and offers slightly more than nothing in the way of protection.

So here is what all of this comes down to: Targus has made a lock that they know is not in fact secure, but they think that everyone will be fooled by its appearance into thinking that it will protect its intended victim by the "non-determined, doesn't really want to steal it but will if he easily can" thief. At the end of the day, they hang their hat on the fact that damage to the iPod will be the ultimate deterrent. Maybe, but the damage is not guaranteed and depends on many factors and which iPod model we are talking about. At the very least, I suggested to them that they make the warning tag larger, so it is very prominent.

In my view, we are back to the same problem of educating the consumer about the vulnerability of a product, be it a cylinder lock for their house or business, or a device to protect their iPod. Why not place appropriate warnings on the packaging that state "the security of this product may be easily bypassed in seconds by thieves" and then use my 3T2R evaluation system to assign an index rating of security. That is, how much time, training and tools are required, and what is the reliability and repeatability of the process. In this case, no tools, no time, and no training is required to separate the owner from their iPod.

There are two questions that you may wish to consider, first: if such a warning were prominently placed on the packaging of the mobile security lock, would you buy it, or save your money and maybe your iPod. Second: Do you believe that possible damage to the iPod would be a significant deterrent?

I -- and I am sure Targus -- would be interested in your opinion on these questions.

In my world, knowledge is security.


Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.

0 Comments

The Lockdown: The Targus iPod Lock, or, a modicum of security