Matt Blaze of AT&T Labs-Research found a security hole in locks that use a master key. He was able to unlock a lock using a small number of attempts rather than the thousands of brute force attempts normally needed.
All that is needed, Mr. Blaze wrote, is access to a key and to the lock that it opens, as well as a small number of uncut key blanks and a tool to cut them to the proper shape. No special skills or tools are required; key-cutting machines costing hundreds of dollars apiece make the task easier, but the same results can be achieved with a simple metal file. After testing the technique repeatedly against the hardware from major lock companies, Mr. Blaze wrote, "it required only a few minutes to carry out, even when using a file to cut the keys."
The article goes on to explain that locksmiths have known this for years and that the threat is nothing new. Unfortunately, the threat is now well documented for both the good and the bad to use.
The ethics of full disclosure of security threats have taken a new twist. I'm all for full disclosure of security threats. Not disclosing it is the same as sweeping it under the rug and hoping no one figures it out. This security by obscurity is no security at all. This type of threat should have been fixed when the locksmiths became aware of it.
What liability do lock manufacturers face with this threat?
Oh, my world. It is ok
Posted by: Stephan on May 27, 2006 09:43 AM