Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Search for the Perfect Door - Deviant Ollam

985 views

Published on

You have spent lots of money on a high-grade, pick-resistant, ANSI-rated lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your door — the most fundamental part of your physical security — can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door… if you’re willing to learn and understand the problems that all doors tend to have.

Published in: Devices & Hardware
  • Be the first to comment

  • Be the first to like this

The Search for the Perfect Door - Deviant Ollam

  1. 1. Physical Security: Ideal Doors & Padlocks Deviant Ollam ShakaCon – 2016/07/13
  2. 2. Who Am I?
  3. 3. http://enterthecore.net Security Consultant By Day
  4. 4. http://enterthecore.net Criminal Consultant By Night
  5. 5. http://enterthecore.net Basically… I’m Professionally Dangerous
  6. 6. Why Does Physical Security Matter ?
  7. 7. http://enterthecore.net Lots of Folk Are Discussing Network Security
  8. 8. http://enterthecore.net Lots of Folk Are Discussing Network Security Kemuri Water Company was responsible for supplying and metering water usage over a number of neighboring counties. From the onset, KWC was adamant that no evidence of unauthorized access had been uncovered. ... It became clear that KWC management was aware of potential unauthorized access into the OT systems of the water district.
  9. 9. http://enterthecore.net Lots of Folk Are Discussing Network Security Kemuri Water Company was responsible for supplying and metering water usage over a number of neighboring counties. From the onset, KWC was adamant that no evidence of unauthorized access had been uncovered. ... It became clear that KWC management was aware of potential unauthorized access into the OT systems of the water district. An unexplained pattern of valve and duct movements had occurred over the previous 60 days. These movements consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution.
  10. 10. http://enterthecore.net Lots of Folk Are Discussing Network Security Kemuri Water Company was responsible for supplying and metering water usage over a number of neighboring counties. An unexplained pattern of valve and duct movements had occurred over the previous 60 days. These movements consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution. Access to customer water usage, PII, and payment data required only a username and password. No second authentication factor was needed. Next, we found a direct cable connection between the application and the AS400 system. Making matters worse, the AS400 system had open access to the internet and its internal IP address and administrative credentials were found on the payment application webserver in clear text within an initialization file.
  11. 11. http://enterthecore.net Lots of Folk Are Discussing Network Security
  12. 12. http://enterthecore.net Lots of Folk Are Discussing Network Security
  13. 13. http://enterthecore.net But with a Physical Breach…
  14. 14. http://enterthecore.net All of your firewall rules…
  15. 15. http://enterthecore.net All of your firewall rules… can be compromised
  16. 16. http://enterthecore.net All your hard work here…
  17. 17. http://enterthecore.net All your hard work here… gets undermined here
  18. 18. http://enterthecore.net Hands-On Attacks are Possible On-Site
  19. 19. http://enterthecore.net Not To Mention… Outright Theft, Damage, and Tampering
  20. 20. http://enterthecore.net Not To Mention… Outright Theft, Damage, and Tampering
  21. 21. http://enterthecore.net Not To Mention… Outright Theft, Damage, and Tampering
  22. 22. What’s Wrong With Your Door?
  23. 23. The Lock?
  24. 24. http://enterthecore.net Lockpicking is Easy!
  25. 25. http://enterthecore.net Opening with a Key
  26. 26. http://enterthecore.net Opening with Lockpicks
  27. 27. http://enterthecore.net Lockpicking is a Topic for Later
  28. 28. The Hinges
  29. 29. http://enterthecore.net Hinge Removal
  30. 30. http://enterthecore.net Hinge Removal
  31. 31. http://enterthecore.net Security Hinges & Jamb Pin Screws
  32. 32. http://enterthecore.net Security Hinges & Jamb Pin Screws
  33. 33. http://enterthecore.net Security Hinges & Jamb Pin Screws
  34. 34. http://enterthecore.net Security Hinges & Jamb Pin Screws
  35. 35. http://enterthecore.net Security Hinges & Jamb Pin Screws
  36. 36. http://enterthecore.net Security Hinges & Jamb Pin Screws
  37. 37. The Latch
  38. 38. http://enterthecore.net Door Latch Attacks
  39. 39. http://enterthecore.net Door Latch Attacks
  40. 40. http://enterthecore.net Shrum Tools / Traveler Hooks
  41. 41. http://enterthecore.net Shrum Tools / Traveler Hooks
  42. 42. http://enterthecore.net Shrum Tools / Traveler Hooks
  43. 43. http://enterthecore.net Shrum Tools / Traveler Hooks
  44. 44. http://enterthecore.net Slimjim Tools
  45. 45. http://enterthecore.net Slimjim Tools
  46. 46. http://enterthecore.net Slimjim Tools
  47. 47. http://enterthecore.net Protective Plates?
  48. 48. http://enterthecore.net Dead Latches
  49. 49. http://enterthecore.net Dead Latches
  50. 50. http://enterthecore.net Dead Latches
  51. 51. http://enterthecore.net Dead Latches
  52. 52. http://enterthecore.net Dead Latches
  53. 53. http://enterthecore.net Dead Latches
  54. 54. http://enterthecore.net Dead Latches Rely on Proper Door Fitment
  55. 55. http://enterthecore.net Door Fitment
  56. 56. http://enterthecore.net Door Fitment
  57. 57. http://enterthecore.net Door Fitment
  58. 58. http://enterthecore.net Door Fitment
  59. 59. The Inside Handles
  60. 60. http://enterthecore.net Crash Bars
  61. 61. http://enterthecore.net Crash Bars
  62. 62. http://enterthecore.net Crash Bars
  63. 63. http://enterthecore.net Crash Bars
  64. 64. http://enterthecore.net Crash Bars
  65. 65. http://enterthecore.net Crash Bars
  66. 66. http://enterthecore.net Exit Paddles
  67. 67. http://enterthecore.net Deadbolt with Thumb Turn
  68. 68. http://enterthecore.net Thumb Turn Flipper
  69. 69. Key Boxes
  70. 70. http://enterthecore.net Key Boxes
  71. 71. http://enterthecore.net Key Boxes
  72. 72. http://enterthecore.net Key Boxes
  73. 73. http://enterthecore.net Key Boxes
  74. 74. http://enterthecore.net Emergency Boxes
  75. 75. http://enterthecore.net Municipal & Contractor Boxes
  76. 76. http://enterthecore.net Decoding Multi-Wheel Combinations
  77. 77. Edge Gaps
  78. 78. http://enterthecore.net Edge Gaps and Motion Sensors
  79. 79. http://enterthecore.net Edge Gaps and Motion Sensors
  80. 80. http://enterthecore.net Request-to-Exit (REX) Sensors Passive Infrared (PIR) Range Controlled Radar (RCR) Hybrid of Both
  81. 81. The Bottom Gap
  82. 82. http://enterthecore.net Modern Door Lever Style Handles
  83. 83. http://enterthecore.net Under Door Attacks
  84. 84. http://enterthecore.net Under Door Attacks
  85. 85. http://enterthecore.net Under Door Attacks
  86. 86. http://enterthecore.net Under Door Attack Prevention – Security Door Bottom
  87. 87. http://enterthecore.net Under Door Attack Prevention – Blocking Shroud
  88. 88. http://enterthecore.net Under Door Attack Prevention – Blocking Clips
  89. 89. http://enterthecore.net Under Door Attack Prevention – Blocking Clips
  90. 90. The Doorframe
  91. 91. http://enterthecore.net Door Frame Spreading
  92. 92. http://enterthecore.net Hammerhead Deadbolt
  93. 93. What About Padlocks?
  94. 94. http://enterthecore.net Padlocks first, some terminology…
  95. 95. http://enterthecore.net The Shackle
  96. 96. http://enterthecore.net The Body
  97. 97. http://enterthecore.net The Keyway & Plug
  98. 98. http://enterthecore.net The Pin Stacks
  99. 99. http://enterthecore.net The Release or Cam
  100. 100. http://enterthecore.net The Latch (often two Latches)
  101. 101. Attacking The Latches… Shimming
  102. 102. http://enterthecore.net Padlock Shims
  103. 103. http://enterthecore.net Padlock Shims
  104. 104. http://enterthecore.net Homebrew Padlock Shims
  105. 105. http://enterthecore.net Single Latch or Dual Latch?
  106. 106. http://enterthecore.net Shim-Proof Padlocks… Double-Ball Mechanism
  107. 107. Attacking With Skeleton Keys
  108. 108. http://enterthecore.net Warded Locks
  109. 109. http://enterthecore.net Distinct Keyway
  110. 110. http://enterthecore.net Warded Keys
  111. 111. http://enterthecore.net Warded Locks
  112. 112. http://enterthecore.net Warded Locks
  113. 113. http://enterthecore.net Warded Locks
  114. 114. http://enterthecore.net Warded Locks
  115. 115. http://enterthecore.net Warded Locks
  116. 116. http://enterthecore.net Warded Locks
  117. 117. http://enterthecore.net Warded Locks
  118. 118. http://enterthecore.net Warded Locks
  119. 119. http://enterthecore.net Warded Locks
  120. 120. http://enterthecore.net Warded Locks
  121. 121. http://enterthecore.net Warded Locks
  122. 122. http://enterthecore.net Warded Locks
  123. 123. http://enterthecore.net Warded Locks
  124. 124. Attacking The Pin Stacks… Overlifting
  125. 125. http://enterthecore.net Comb Picks
  126. 126. http://enterthecore.net Overlifting Shouldn’t Be Possible
  127. 127. http://enterthecore.net Overlifting Shouldn’t Be Possible
  128. 128. http://enterthecore.net Overlifting Shouldn’t Be Possible
  129. 129. http://enterthecore.net Overlifting Shouldn’t Be Possible, But…
  130. 130. http://enterthecore.net Overlifting is Possible with Improperly Designed Locks
  131. 131. http://enterthecore.net Overlifting with Comb Picks
  132. 132. http://enterthecore.net Overlifting with Comb Picks
  133. 133. Attacking The Release or Cam… Bypassing
  134. 134. http://enterthecore.net Lock Bypassing – Master 175
  135. 135. http://enterthecore.net Lock Bypassing – Master 175
  136. 136. http://enterthecore.net Lock Bypassing – Master 175
  137. 137. http://enterthecore.net Lock Bypassing – Master 175
  138. 138. http://enterthecore.net Lock Bypassing – Master 175
  139. 139. http://enterthecore.net Lock Bypassing – Master 175
  140. 140. http://enterthecore.net Lock Bypassing – American Padlocks
  141. 141. http://enterthecore.net Lock Bypassing – American Padlocks
  142. 142. http://enterthecore.net Lock Bypassing – American Padlocks
  143. 143. http://enterthecore.net Lock Bypassing – American Padlocks
  144. 144. http://enterthecore.net Lock Bypassing – American Padlocks
  145. 145. http://enterthecore.net Lock Bypassing – American Padlocks
  146. 146. Where Do We Encounter These Padlocks? ?
  147. 147. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  148. 148. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  149. 149. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  150. 150. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  151. 151. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  152. 152. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  153. 153. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  154. 154. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  155. 155. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  156. 156. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  157. 157. http://enterthecore.net Are There Vulnerable Locks on Your Sites?
  158. 158. Thinking Critically About Your Doors, Too? ?
  159. 159. http://enterthecore.net A Door With Problems
  160. 160. http://enterthecore.net A Door With Problems
  161. 161. http://enterthecore.net Magnetic Lock Systems
  162. 162. http://enterthecore.net Magnetic Lock Systems
  163. 163. http://enterthecore.net Magnetic Lock Systems
  164. 164. http://enterthecore.net Magnetic Lock Systems
  165. 165. http://enterthecore.net Magnetic Lock Systems
  166. 166. Threats Come From All Angles
  167. 167. http://enterthecore.net Cloning Electronic Credentials
  168. 168. http://enterthecore.net Cloning Electronic Credentials
  169. 169. http://enterthecore.net Cloning Electronic Credentials
  170. 170. http://enterthecore.net Cloning Electronic Credentials
  171. 171. http://enterthecore.net Cloning Electronic Credentials
  172. 172. In Conclusion
  173. 173. http://enterthecore.net Padlock Attacks and Mitigations
  174. 174. http://enterthecore.net Padlock Attacks and Mitigations component: latches attack: shimming mitigation: double ball / shim-proof mechanism
  175. 175. http://enterthecore.net Padlock Attacks and Mitigations component: latches attack: shimming mitigation: double ball / shim-proof mechanism component: warded key systems attack: skeleton keys mitigation: never use these for any reason
  176. 176. http://enterthecore.net Padlock Attacks and Mitigations component: latches attack: shimming mitigation: double ball / shim-proof mechanism component: warded key systems attack: skeleton keys mitigation: never use these for any reason component: pin stacks attack: overlifting with comb picks mitigation: proper fabrication dimensions
  177. 177. http://enterthecore.net Padlock Attacks and Mitigations component: latches attack: shimming mitigation: double ball / shim-proof mechanism component: warded key systems attack: skeleton keys mitigation: never use these for any reason component: pin stacks attack: overlifting with comb picks mitigation: proper fabrication dimensions component: release cam attack: bypassing mitigation: blocking elements or key-retaining systems immune to bypassing
  178. 178. http://enterthecore.net Padlock Attacks and Mitigations component: latches attack: shimming mitigation: double ball / shim-proof mechanism component: warded key systems attack: skeleton keys mitigation: never use these for any reason component: pin stacks attack: overlifting with comb picks mitigation: proper fabrication dimensions component: release cam attack: bypassing mitigation: blocking elements or key-retaining systems immune to bypassing
  179. 179. http://enterthecore.net Very Robust Padlocks
  180. 180. http://enterthecore.net Very Robust Padlocks - Abloy Protec
  181. 181. http://enterthecore.net Very Robust Padlocks - Abus 83/45
  182. 182. http://enterthecore.net Very Robust Padlocks - Abus 83/45
  183. 183. http://enterthecore.net Very Robust Padlocks - Abus 83/53
  184. 184. http://enterthecore.net Very Robust Padlocks - Abus 83/53
  185. 185. http://enterthecore.net Very Robust Padlocks - Abus 83/53
  186. 186. http://enterthecore.net Door Attacks and Mitigations
  187. 187. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws
  188. 188. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed
  189. 189. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, crash bar, etc. attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment
  190. 190. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, etc. attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes attack: weak locks can be picked mitigation: remove them or get a variance
  191. 191. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, etc. attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes attack: weak locks can be picked mitigation: remove them or get a variance component: edge gaps attack: tricking sensors & electronic locks mitigation: better sensors, security astragal
  192. 192. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, etc. attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes attack: weak locks can be picked mitigation: remove them or get a variance component: edge gaps attack: tricking sensors & electronic locks mitigation: better sensors, security astragal component: bottom gap attack: under door attacks mitigation: security door bottom and/or blocking shroud
  193. 193. http://enterthecore.net Door Attacks and Mitigations component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, etc. attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes attack: weak locks can be picked mitigation: remove them or get a variance component: edge gaps attack: tricking sensors & electronic locks mitigation: better sensors, security astragal component: bottom gap attack: under door attacks mitigation: security door bottom and/or blocking shroud component: doorframe attack: jacking / spreading attacks mitigation: interlocking deadbolt along with stronger frame structure
  194. 194. http://enterthecore.net component: hinges attack: removing the pins mitigation: security hinges or jamb pin screws component: latches attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, etc attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes attack: weak locks can be picked mitigation: remove them or get a variance component: edge gaps attack: tricking sensors & electronic locks mitigation: better sensors, security astragal component: bottom gap attack: under door attacks mitigation: security door bottom and/or blocking shroud component: doorframe attack: jacking / spreading attacks mitigation: interlocking deadbolt along with stronger frame structure Door Attacks and Mitigations
  195. 195. http://enterthecore.net Door Attacks and Mitigations component: hinges - $50 attack: removing the pins mitigation: security hinges or jamb pin screws component: latches - $150 attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn, etc - $200 attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes - $0 attack: weak locks can be picked mitigation: remove them or get a variance component: edge gaps - $150 attack: tricking sensors & electronic locks mitigation: better sensors, security astragal component: bottom gap - $60 attack: under door attacks mitigation: security door bottom and/or blocking shroud component: doorframe - $200 attack: jacking / spreading attacks mitigation: interlocking deadbolt along with stronger frame structure
  196. 196. http://enterthecore.net Door Attacks and Mitigations component: hinges - $50 attack: removing the pins mitigation: security hinges or jamb pin screws component: latches - $150 attack: loiding mitigation: anti-thrust latch, properly installed component: inside thumb turn - $200 attack: reach-through tools / thumb turner mitigation: good deadbolt, door fitment component: key boxes - $0 attack: weak locks can be picked mitigation: remove them or get a variance component: edge gaps - $150 attack: tricking sensors & electronic locks mitigation: better sensors, security astragal component: bottom gap - $60 attack: under door attacks mitigation: security door bottom and/or blocking shroud component: doorframe - $200 attack: jacking / spreading attacks mitigation: interlocking deadbolt along with stronger frame structure
  197. 197. http://enterthecore.net Door Attacks and Mitigations
  198. 198. http://enterthecore.net Door Attacks and Mitigations
  199. 199. http://enterthecore.net Door Attacks and Mitigations
  200. 200. Stay Safe Out There!
  201. 201. http://enterthecore.net Thank You Very Much http://enterthecore.net +1-347-263-7522 delta@enterthecore.net (PGP keys on major servers)

×