The Medeco m3 cylinder was originally developed primarily to extend its Biaxial patent (which expired in 2005); the company aimed to continue its domination of the US high security lock market and protect its unique rotating tumbler technology. The m3, which replaces the Biaxial, is UL 437 and ANSI 156.30 certified, which Medeco touts as a guarantee that its security can be relied upon for the most sensitive of installations. It appears that neither UL, ANSI nor Medeco ever thought about the perilous paper clip as a bypass method.
Beginning last August, after Matt Fiddler and I lectured on the threats of "Lock Bumping" at DefCon, high security lock manufacturers, including Medeco, were quick to announce the heightened security of their cylinders against bumping and picking.
I have always thought Medeco to be one of the most innovative and secure lock designs of this century. The company has been a remarkable success story and provides locks of the highest quality. The inventors and founders of Medeco set the standard in high security mechanical locks, offering an incredible array of hardware solutions. The Medeco engineering staff is as clever and innovative as any in the industry.
As soon as the original design was introduced, it became the mechanism to attempt to attack by covert means. Many have tried (and failed) to develop methods to pick and decode these locks. So how is it that one of the best locks in the industry can have part of its security bypassed with a piece of wire? Unfortunately, Medeco is not the only manufacturer that fails to perceive even the simplest forms of bypass. It's yet another example of a failure of imagination.
The security problem: bypass the slider and simulate the key
Medeco offers several levels of key control to ensure that its patent protected blanks cannot be copied, replicated or simulated. In many systems, proprietary keyways are available to further ensure that keys cannot be improperly compromised. Although the m3 is a very secure lock, we were able to simulate Medeco keys that can be made to bypass the keyway and slider protection of almost any system -- all without infringing on any Medeco intellectual property.
It turns out that a standard paper clip will depress the slider precisely to the correct position. A wire or paper clip, fashioned as shown, is inserted into the keyway and wedged at the end of the body of the slider.
The ability to neutralize the slider in this fashion with the simplicity of a paper clip raises significant security concerns with regard to key control and the capability to deter or protect against unauthorized replication of keys. It also allows us to pick and bump certain configurations of these locks, often with relatively little difficulty (although certain caveats have been noted in this piece's accompanying articles). The only other thing necessary to open an m3 is an easily fabricated simulated key, like the one shown above.
One of the primary requisites of the ANSI specification (but not the UL rating) is the ability to implement three levels of key control: provide patent protected blanks to control its manufacture, prevent unauthorized duplication, and control the generation of keys by code with appropriate safeguards. We believe the ability to bypass the m3 key control scheme places all three rating criteria at risk.
How were we able to simulate a key to open the lock? Medeco has made the m3 keyway slightly wider than normal, which allows our special key to bypass the protrusions in the side of the keyway, called wards, without difficulty. In fact, we tested our theory on locks in certain cylinders where restricted or proprietary keyways were in use. Our simulated key with the correct rotational pattern worked perfectly. In the image above, the arrow indicates how the clip offsets the slider. The slider is positioned to allow the sidebar (shown above the slider) to retract when the proper key is inserted. Note how the protruding tabs of the slider can mate with the gates that are cut into the sidebar. In other words: the m3 is paper clip-hackable.
To make matters worse, we were able to create a bump key with our simulated blank that would open an m3 (although bumping is, in fact, much more difficult in this scenario). This capability may raise serious security concerns, especially in commercial and government installations where master keying may not be allowed. Don't buy it? Check out the video, here (WMV).
The bottom line: the m3 key control with respect to key profile, step position, key configuration and ability to replicate a known bitting and sidebar code can be compromised relatively easily.
We have demonstrated the ability to bypass the security of the m3 with the use of a piece of wire or paper clip, and to simulate Medeco blanks and cut them to the correct bitting and rotational angles. We believe this could have serious consequences for protected systems where key control is an important part of the overall security plan.
Although the Medeco m3 is more than secure for the vast majority of applications, risk managers, security officers and others charged with security responsibility may want to consider the potential risks from a failure of key control if the m3 is in use. In a very small percentage of cases, especially high value and critical targets, the ability to covertly replicate keys may place personnel and assets at an unacceptable risk.
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org and his blog is in.security.org. Marc welcomes reader comments and email.