Friday, March 4, 2016

Defeating Security: Some EXCELLENT videos

I recently did a post on defeating doors, and I gave keypads and other electronic mechanisms only passing mention.

I stumbled on a Vimeo channel that really shows how a character such as Tobias (yes, all the character sheet images are gone, it's a post from almost two years ago) could believably beat any number of security devices given access, time, and the correct information.

Safe Cracking (Vimeo videos can't be embedded on blogger evidently, since Google wants us to be linking youtube, which they own.)

In the first video, the guy cracks open a safe using a screwdriver and a paperclip.

Electronic bypass of a safe lock

Now, what the videos don't show is how much time it took to initially look at the safes and recognize the security flaws in them- but instruction manuals abound on the Internet, potentially reducing the time needed to overcome such flaws. I'm sure this also gets much easier with practice as well.

Possession of the manual makes this safe a joke (Bonus use of a straw for circumventing security)

What really strikes me here is that a lot of consumer products being marketed as being very secure (after all, guns are serious business) are flying under the radar as far as quality goes- meaning that people shooting for less security are just as exposed.

Resetting an access code

(Side Note: 4 button and 3 button combination locks provide 24 and 6 different button combinations respectively, a laughably small amount that's easily brute forced. At minimum, 5 buttons gives 120 different combinations, which is at least another five minutes or so entering different combinations.)

Wafer locks are bad and McDonalds plastic forks/knives helps crack a safe

Personally, I feel Lockpicking and Electronics Operation (Security) don't reasonably cover the bases in a way I find satisfying. Picking a door lock is one piece of physical security circumvention that Electronics Operation doesn't fully cover either. I feel Electronics Operation strongly implies that such circumvention is done on a software level- abusing programming to get it done, rather than relying on hardware weaknesses.

Forced Entry isn't a viable choice either, seeing as how it's about smashing and grabbing.

What is obvious is that working without tools for physical security circumvention is nigh impossible- easily -8 or -9 to skill, with even improvised tools reducing that a great deal (after all, a paperclip is still an improvised tool). DX is vastly more important once you know how to circumvent a device, but IQ is still definitely needed to understand the problem at hand.

2 comments:

  1. It's worth thinking a little about what the problem is, from the criminal's point of view. Take that last one, the "TSA-compliant gun case". Looking at the build quality, it would be pretty easy just to crack it open, especially with a crowbar or similar. All that resetting the combination gains you is a bit of time, as the owner tries a few times to open it, then finds his key and opens the bypass lock. That makes resetting actually better than just using the bypass, because at least then you generate a bit of delay. If you don't care about delay, you can just steal the whole thing and break in at leisure!

    (And of course if it is TSA-compliant, well, the seven TSA keys are already out there in ready-for-3D-printing STL files.)

    Some of this is attack profile, of course. I've noticed American law enforcement and security types often assume a huge population of completely unskilled criminals, who will lift something if it's out in plain sight but won't have any particular burglarious skills. If lots of people like that are out there, then really minimal security like the sort shown in those videos is useful. But I think that's changing, because even if J. Random Criminal doesn't know this stuff he can watch a video made by someone who does. The British approach tends to assume that at least one person in a criminal enterprise will have those basic skills, so toy locks like these are essentially worthless.

    ReplyDelete
  2. Great videos. Stating the obvious: it's scary how much exceptionally shoddy security equipment there is out there!

    ReplyDelete