If you thought that this hefty looking lock was secure? Think again. Marc Weber Tobias and Matt Fiddler demonstrate how the Targus Defcon CL security device can be defeated in seconds with a piece of metal from a beer can, or with a paper clip. Its Targus time!
A security analysis of this new product was prompted by a recent call from a technology reporter at the St. Paul Pioneer Press. This was the same journalist that wrote a detailed story about laptop locks in September 2004 that followed our security alert regarding the Defcon, wherein we described the simple method to decode its combination and quickly open it.
Based upon the Targus press release and verbiage on the product packaging that extolled the Defcon CL Armor as having "more cut resistance and greater protection against cable cutters than other leading security cables," an associate and I decided to revisit the security of the new design and see if Targus has learned anything about the design of security products in the last two years. Evidently not! We sought to determine the new lock's resistance to both covert and forced methods of entry. As a result, an updated security alert and technical analysis has been posted on www.security.org and Engadget, together with a video that demonstrates how easy this lock can be compromised. Based upon our findings, I think it is fair to say that the latest Targus lock is on the cutting edge -- literally.
Looks can be deceiving. The Defcon CL appears to be quite secure, but in our view, it is far from it. Unfortunately, most design engineers really do not understand the concept of security engineering with regard to hardware and specifically to locking devices. For those of you that have not read Ross Anderson's treatise on Security Engineering, I would recommend it as required reading, for it goes to the heart of what we view as the latest Targus design deficiency.
The armor is easily compromised by bending the cable over upon itself,
exposing the inner cable that is supposed to be protected.
Security Engineering and the design of products
Those who design security hardware incorporating mechanical locks often lose sight of what really makes those locks secure, and more importantly, what makes them vulnerable, even to the most elementary attacks. In the case of the Defcon CL, the internal lock mechanism has been modified to prevent a piece of paper or Mylar from being utilized to determine the position of each gate and thereby the combination, as was disclosed in our 2004 posting. The problem is with the redesign. As shown in the accompanying report, the gates can still be easily decoded with a wire, paperclip, or a piece of metal that is cut from a beer can and made into a shim.
When I spoke with the Manager of customer service for Targus, a six-year veteran with the company, he told me that their engineers had tested against methods of both covert and forced entry and that he was "confident" that this lock was secure. The fact is, this just isn't the case, and the result is the the consumer is left with the belief that their laptop is safe against what should be obvious modes of attack to those who engineered this product. And that is precisely the problem, as Ross Anderson so eloquently addressed in his book -- a false sense of security. Most design engineers did not grow up breaking things, as I did, so they usually have no clue as to how to make them secure. The primary rule: you cannot design a security product properly if you do not thoroughly understand the methods to break it. Targus should take note of this axiom, because they are representing to the public that they are experts in computer locks and that the public can rely upon them to produce a product that in fact is a real deterrent to theft. At a price of between thirty and fifty dollars for the Defcon series, I think one just might have a right to expect that!
I consult with several lock manufacturers, both in the US and Europe with regard to the vulnerability of their locks, associated hardware and security systems. Part of my task is to educate their design engineers as to methods of bypass, both traditional and "out of the box," which means unique to the mechanical and operating parameters of their specific product. Perhaps the most elementary and at the same time most difficult concept to teach these designers is that the key (or in this case the combination) does not directly open the lock; and that there are often mechanical methods to bypass the lock or system. Just as important, they need to understand that the key or combination can likely be decoded or simulated through sometimes-elementary means. If this occurs, then all of the security features are essentially worthless.
The design of the Defcon CL
I am sure that Targus will argue that this lock is only a deterrent and cannot stop determined thieves or experts. That is very true of this and almost any lock, but there are certain basics in the design of a product that must be understood to insure at least a minimum of security. In this case, those basics would relate to the essentials of a cable lock: notably and rather obviously the cable and the lock! So, let us try to reconstruct the thinking that went into the latest Defcon.
We need to consider two primary questions: what is a deterrent, and what components need to be made secure? The issue of deterrence is complicated one and which nobody in the industry has really defined. Just what is a deterrent when we are talking about stealing a laptop? Well, I would submit it is a time delay of more than a minute, at the very least. It should be a lot more, but there are many factors to be considered. Most thefts, at least in the laptop arena, are crimes of opportunity. If the laptop can be easily removed it is likely to be stolen. So, all of the laptop lock manufacturers have accurately determined that there are four critical components to preventing theft: the security slot on the computer, the slot interface, the cable, and the lock. It is not very complicated to figure this out. As always, the problem comes in the execution.
First, the lock manufacturer has no real control as to how the computer-maker designs the security slot. Some are made entirely of plastic, which is essentially worthless and will allow the lock to be removed by twisting and pulling. Other vendors utilize metal, which make these slots more secure against most forms of attack. The vendor does control how the lock interfaces with the slot. All of these devices have some form of expanding elements that prevent removal from the slot enclosure. Some are better than others but at the end of the day, they all accomplish the same result.
Other than the interface, the two critical issues that the lock manufacturer can control are the design of the cable and the locking mechanism. This is the two-pronged Targus problem.
Protecting the cable
Targus rightly assumed that the most critical vulnerability of any cable lock is the cable itself. This is fairly obvious to anyone but how it is implement is not. So they asked their engineers, "how do we make the cable more secure?" I can only assume that they looked at other industries that have needed to protect their cables from being cut, and realized that telephone companies have utilized armor for at least thirty years to secure the handsets on their public coin telephones. Targus decided that cable armor would be the ultimate protection, and if they had implemented it properly, they probably would have been correct.
I am sure they looked at different armor manufacturers, focusing on weight and bend radius parameters. There are a couple of different ways to protect a cable with a flexible metal covering. One method is to utilize interlocking links. In my view, the preferred method, not employed by Targus, is to employ helical-wound cable made of stainless steel or similar material. In fact, while researching this article, I spoke with one of the leading cable manufacturers in the United States and asked them to analyze the Targus approach to armor. They were not impressed, and expressed the same concerns that I raised with them, that the Targus cable is comprised of a series of steel rings that really do not reinforce each other in any meaningful way. They are only interlocked because they are prevented from separating by virtue of the sealed end of the cable. There is nothing to keep them together, other than a coating of plastic that is 0.01-inch thick and can be cut or melted quickly.
The problem with the Targus design, and which should have been immediately apparent to their engineers, is the fact that the rings are not actually interlocked and linked together in any secure fashion. Yes, they are covered by a PVC coating, but unfortunately, this plastic can be easily cut away or burned off with a lighter. Once that occurs, the links are vulnerable to simple attack as shown in this video [WMV].
Targus should have known that the bend radius on the links allows them to be separated. Once this occurs, I was able to easily cut the inner cable with a seven-inch diagonal cutters, purchased at my local hardware store. I am sure that the decision to utilize this type of armor cable was primarily driven by price; supplying the really secure cable would cost more money. In fairness, the outer covering that Targus chose is tough. In fact, if you try to cut this cable with anything less than a 14-inch pair of bolt cutters, you will likely break them, as I did in multiple attempts. So, when Targus boasts that its cable is the toughest in the industry, they are partially correct, but the statement is still misleading.
I am certain that their engineers did not test by exploiting the limited bend radius of their individual links, and that is precisely the problem. Why would they ever think of bending the cable over upon itself to expose a gap, or as I would prefer, a chink in the armor? They would only do that if they truly wanted to make a cable that was secure against a relatively simple form of attack; one that would perhaps be employed by a person who wanted to steal a laptop without going through a lot of work!
So, the first and most critical part of the Targus Armor design fails because it can be easily compromised in just a few seconds with ordinary tools. I tested the new Kensington cable against the Defcon in preparation for this article. Their plastic-covered multi-strand cable has a smaller diameter than does the Defcon armor, but is much tougher against attack with the same seven-inch diagonal cutters. Again, in fairness, if you do not "tamper" with the Defcon cable, then it is very difficult to cut. But in my view, if the lock can be easily compromised in a few seconds, then it does not matter how that is accomplished, so long as ordinary tools are employed. The consumer is buying time when they purchase a laptop lock; time for the thief to be caught in the act. In my view, Targus fails to provide that time. But keep reading, because it gets better.
Targus might argue that any laptop cable can be cut given the proper tools. That statement would be entirely correct. In fact, I have been able to sever every laptop lock by every manufacture that I have tested with a fourteen-inch bolt cutters. We should be concerned with the use of simple, easy to conceal, non-sophisticated tools. I would say that a seven-inch diagonal cutter meets that test more than a fourteen-inch bolt cutter. So, the argument might be made that even if the cable is cut, the lock is still hanging on the laptop and nobody can walk around with a computer with a lock dangling from it, as it would be a dead giveaway that is was stolen.
As it turns out, the three people that I spoke with at Targus customer service all indicated that they actually provide instructions as to how to cut their lock from the computer in case the combination is lost. Even more interesting, they told me that it might take a maximum time of fifteen minutes to dial all the combinations on this lock! Whether that is true is not particularly relevant but an interesting statement. Even more curious, Targus does not offer any form of insurance or warranty against theft if their locks are compromised, as do other lock manufacturers.
The Targus combination lock
So, now we come to the second component of the laptop security puzzle; the combination lock itself. If you are a prospective thief, you might think that cutting the cable is too messy and would require that the lock be decoded to remove it from the computer. No problem; let us use intellect and a few common implements to defeat this latest design. Some background is first needed.
In 2004, I examined the design of the Defcon CL and determined that it could be decoded quickly with a piece of paper or thin plastic inserted to the side of each of four thumb wheels to feel for the gate position. This would provide the combination within a few seconds. So the folks at Targus admitted privately that they had a problem and thought they fixed it -- "thought" being the operative word. Yes, they changed the location of the gate and the overall design of the housing, but not enough to prevent it from being simply decoded. In fact, I might argue that it is simpler and quicker to decode it now then in 2004! Why is that?
The individual wheels now have a different geometry that can be probed from the end of the lock with a piece of wire, paper clip or shim. As shown in the video, this is a simple bypass method and could have been easily prevented [WMV], had the Targus engineers really tried to open this lock like one intent on stealing it.
What really provides the security of this lock? Ostensibly, it is the 10,000 possible combinations but remember the caveat in the introduction to this article: locks can often be decoded because of mechanical design issues that were not contemplated by design engineers. That premise is precisely why the Defcon is not secure. A thin piece of metal, made from a beer or pop can is be easily cut into a shim, inserted into the lock, and each of the gate positions tested.
If the plastic strip is removed, which is a trivial procedure, then even simpler yet, a paper clip can be inserted and each of the disks probed in a few seconds, thereby yielding the combination. I don't think I would consider a paper clip or thin wire as a high tech attack. And what if a fellow employee does not want to steal your laptop, but simply reprogram the lock so you cannot remove it? Well, I guess you could decode your own lock. But then, that does not inspire much confidence in the security of your laptop, which was the reason you or your company purchased these locks in the first place. By the way, the Targus customer service director told me that the employees at Targus utilize laptop locks to stop thefts within the company! I wonder whose locks they use if they really want security.
For a more detailed account of hacking your Targus Defcon CL, please check out the white paper [PDF].
In my next article, I will examine the Targus mobile security lock for the iPod. If you liked this one, you're really gonna love the next!
Marc Weber Tobias is an investigative attorney and security specialist living in Sioux Falls, South Dakota. He represents and consults with lock manufacturers, government agencies and corporations in the U.S. and overseas regarding the design and bypass of locks and security systems. He has authored five police textbooks, including Locks, Safes, and Security, which is recognized as the primary reference for law enforcement and security professionals worldwide. The second edition, a 1400 page two-volume work, is utilized by criminal investigators, crime labs, locksmiths and those responsible for physical security. A ten-volume multimedia edition of his book is also available online. His website is security.org, and he welcomes reader comments and email.