Keys to the kingdom

22 April 2016

Paul Hearns

So, you’ve just got the highest security certification for your data centre and its lights-out operation is a wonder of automation, orchestration and software defined marvelousness.

And then a penetration tester gets physical and walks right into a server room as if she were a ghost. WTF?

Well, this is not some Matrix-inspired fantasy; this is a genuine possibility.

The Register has a story describing how a group of Australian lock-pickers have come up with a way of defeating the kind of highly expensive and exclusive locks that are deployed in facilities such as data centres all around the world.

There are certain types of locks that are operated by what is known as a restricted key. These are keys that are tightly controlled by limiting their manufacture to specialist licensed manufacturers, requiring dedicated, specialist equipment and materials.

The theory goes that if these complex keys are only manufactured by a small, controlled band and the process is cripplingly expensive and difficult, then they will remain secure.

Wrong!

The wily bunch of Antipodeans have managed to secure descriptions, drawings and designs for the keys, along with sample locks, from which they have been able to manufacture master keys through 3D printing, and even individual keys in some cases. Their sources have been brochures, online resources and other materials that are mostly public and not confidential.

Despite the approved locksmiths being unwilling to give out key blanks or even information for the restricted keys, the intrepid researchers have managed to use the likes of scalable vector drawings to make detailed plans that have been used to make 3D prototypes. These prototypes can then be refined as further details emerge.

For example, if the locks are used in exposed places, then they can be probed for further information that might give more definition on key shape and lock pin size and number.

The 3D printing process has produced keys that are robust enough to be used a few times apiece before they fail.

Led by a lock picker called Topy, the band have already demonstrated their ability to use the 3D printed keys to defeat these high-security, restricted key locks at various security events.

It is thought that this process could be used in conjunction with other physical techniques when probing the security stance of an organisation.

In much the same way as penetration testing will look to gain access via any and all manner of electronic means, physical security is increasingly becoming an important aspect of such exercises. If the highly expensive, restricted key locks that protect many data and processing facilities are proven to be vulnerable to even a combination of ingenuity, know-how and a 3D printer, then there may be some interesting times ahead.
