[1052] Bugging an RFID Card Reader

  • Published on 27 Feb 2020
  • The ESPKey is available here: redteamtools.com/espkey

Comments • 3.1K

  • @jimmygatron9690 4 years ago +11754

    Imagine if you're a bond villain and behind your steel door you hear "4 is binding"

    • @adamharris6679 4 years ago +125

      jimmy gatron good one

    • @cmdraftbrn 4 years ago +277

      @@adamharris6679 5 is in a false gate.

    • @skxrubz466 4 years ago +170

      @@adamharris6679 nice little click out of 4

    • @jkxss 4 years ago +23

      Why would you be hiding behind a steel door if you were a bond villain?

    • @AniViRusProd 4 years ago +11

      In this case you should just lock yourself behind the True safe, like in PayDay 2

  • @robdawg1017 4 years ago +4329

    He’s becoming too powerful

    • @u.v.s.5583 4 years ago +29

      What do we do Master of Master Locks? Eliminate? Disintegrate?

    • @PrinceKashyap. 4 years ago +53

      He must be stopped, for the sake of -Humanity- Lockanity

    • @johncage3025 4 years ago +25

      Joining the dark side, he will...

    • @skygh 4 years ago +56

      Yes but how will we ever 'lock him up'?

    • @OliverCoulsonJones 4 years ago +18

      @@skygh in a fully sealed concrete box

  • @pav431 2 years ago +1256

    LPL in 10 years: To unlock the door, we first compromise the house's internal wifi network via social engineering, giving us access to the keylock's API port, letting us run a known exploit on the unpatched firmware, letting us control it whenever we want.
    This was the most hacker-esque video on the channel I have seen. But still, fun, and good to point out the protocol weaknesses of these locks. Manufacturers should make the locks secure against digital attacks as much as physical, and this is one of the reasons why I don't want a digital lock in our household.

    • @alexU42k 2 years ago +22

      A kid from 2040: that's how we did it in the past

    • @pav431 2 years ago +29

      @Evi1 M4chine You cannot connect to the router without already being on the internal network. And if the router has a public-facing root-enabled telnet console... Well... Then it belongs in the trash and nowhere else (:

    • @CalebSalstrom 2 years ago +6

      I appreciate the accurate steps you gave in your joke, makes it funnier IMO - 'unpatched firmware' was my fav. So true.

    • @dercooney 2 years ago +9

      LPL (outside my house): as you can see, this homeowner went with strictly mechanical and hardwired locks with cryptographic modules on the main entries. clearly, he's subscribed to my channel and doesn't trust technology

    • @pav431 2 years ago +6

      @@dercooney Yea, because let's be honest, how many of the "normie" users go, at any point in their day, and think "Hmm... I wonder if any of the smart stuff I have here has an internal firmware update available... So that if someone pwn'd my wifi that I didn't change the password to since first setting it to the name of my son and his birthday, they wouldn't be able to take control of my whole household" -- None, till something huge explodes all over the news...
      And even better, what if the theoretical family went like "Hey! If I connect the lock to the internet, I can control it from wherever! So if my spouse forgets her keys while I'm at work, I'll still be able to unlock the door for her!"
      And don't get me started on the trend to have all the smart crap connected to "The Cloud, wooooooo~" -- As if that was something to be desired. Then someone compromises /someone else's/ internet-connected servers, and boom, access to all the devices that are part of the "cloud" (Of idiocy)!
      ...I run a few smart devices at home... But have them strictly stuck on the LAN, with DNS blackholing so they will never connect to the bloody clouds...

  • @MrSpronkets 2 years ago +3494

    If an attacker has enough time to get into the internals and install middleware attacks, you've probably got more problems than door access.

    • @muh1h1 2 years ago +398

      Well, it is invisible once you put the reader back on, also the connection is never broken, therefore the system has no idea it was tampered with. It also takes just a minute or two for the complete installation. I can totally see someone installing the device on a company's entrance door whilst the security guard is taking a leak or checking the backdoor.

    • @lXlDarKSuoLlXl 2 years ago +286

      @@muh1h1 except, there's usually a camera near those places, so people are bound to notice... Unless they're extremely incompetent, which again, means you got more serious problems than a lock hahaha

    • @muh1h1 2 years ago +340

      @@lXlDarKSuoLlXl Well, who's gonna check hours worth of multiple cameras every day? Cameras are there to find out what happened after it happened, so if you installed that thing yesterday, chances are you can enter today and camera footage isn't checked until tomorrow.

    • @lXlDarKSuoLlXl 2 years ago +127

      @@muh1h1 funny thing is, they don't, there's supposed to be someone checking the live feed, not the records, and again, if the lock gets tampered with without anyone noticing, your most important problem isn't the lock

    • @MrSpronkets 2 years ago +51

      The attacker was likely already behind the door where the wires are exposed, or likely worse the wires and devices are behind another locked area that only security has access to in a real facility. Also, in a real facility there's always 1 or more guards paid to watch the cameras and occasionally assess the grounds. If an attacker has enough time to non-destructively access sensitive wires and put in this attack, I wouldn't want to know what else is breached.

  • @michaelearlgrey 4 years ago +2421

    I can't help but to think that the whole "lawyer" thing might not have been your highest calling...

    • @Mephiston 4 years ago +127

      He needed it to protect himself from exposing how vulnerable a lot of locks really are.
      And then also from videos like this. Someone is gonna get butthurt over it.

    • @Iverath 4 years ago +390

      @thisguy "Your honor, if I were really guilty, why would these handcuffs be... unlocked?"

    • @tql4849 4 years ago +10

      thisguy that’s cus he would pick his way out of jail

    • @francreeps4509 4 years ago +47

      @@Iverath Bold of you to assume he would even make it to the courtroom, he can pick open the police car door with his hands cuffed behind his back

    • @digitaltable 4 years ago +32

      the lawyer thing is just to fend off manufacturers thinking of lawsuits

  • @mrkitloin 4 years ago +4911

    Imagine sleeping in your room and being woken up by “as you can see, this window lock is very easy to pick without breaking the window”

    • @corpsiecorpsie_the_original 4 years ago +92

      Key & Peele could do a mini horror flick about LPL

    • @lukalaa1764 3 years ago +69

      @@corpsiecorpsie_the_original a guy being haunted by a professional lockpicker in his house. No matter how many times he changes the locks, they will be unlocked the next night

    • @corpsiecorpsie_the_original 3 years ago +23

      @@lukalaa1764 - "Bosnian Bill! Bosnian Bill!" screamed the man to the detective as he was whisked away into the sanitarium.

    • @Kermitthehog132 2 years ago +10

      Good thing he's also a lawyer

    • @Oldspice122f 2 years ago +8

      There's a LPL ASMR but with sleep paralysis

  • @deboracoelho2010 2 years ago +706

    Video 1097: We are to show how ATM security is flawed by withdrawing 1 thousand dollars using a pair of tweezers and an old mobile phone.
    Seriously. LPL is becoming the MacGyver of real life. Keep up the great work.

    • @thesocialjusticegamer6505 2 years ago +6

      This is like how in Terminator 2 they have the scene where John Connor and his friend hack an ATM to get hundreds of dollars before heading off to the arcade in the mall.

    • @gownerjones1450 2 years ago +11

      I mean using specially made electronic equipment to clone RFID signals isn't exactly analogous to MacGyver. If LPL had built this device from chewing gum and some paperclips, then yes.

    • @shippo72 2 years ago

      @@gownerjones1450 Compared to the cost of the system itself (ATM's I mean), and the amount of money to license and develop it, it might have as well been pocket lint and toothpaste.

    • @allandnothing5338 2 years ago +7

      You don't even need tweezers, human laziness is always the best exploit. Some years back ATMs were compromised because no one at the banks had bothered changing the default admin passwords (like so often on routers). A guy got hold of the installation manual and realized that he could reprogram the ATM (from the user terminal) to think it was loaded with $1 bills instead of $20 bills. All he needed were prepaid debit cards to make withdrawals with a 20:1 return on investment that couldn't be traced back to him. The guy behind the scheme had spotted dozens of ATMs in his city he could compromise, but he needed help to hit all the ATMs in one night. He only got caught because the guy he approached for help was an FBI informant...

    • @johnsmith-yj2cn 2 years ago

      It was possible, and might still be possible, to cut power to an ATM for a minute and use the test password used by maintenance to withdraw money

  • @cryzz0n 2 years ago +165

    Guard: "Welcome to maximum security prison."
    LPL: "I'll call you from my house in 20 minutes."

    • @PearangeProductions 1 year ago +6

      (afterward...)
      _(RING, RING)_
      Guard: "You get outta that maximum security cell?"
      LPL: "Yep. I actually got out in 10 minutes, half the time I thought I would."
      Guard: "Wow. You were right, we DEFINITELY need to upgrade our security systems. Thanks for agreeing to be placed into that maximum security cell for us."
      LPL: "You're welcome. I'm glad to have helped you in upgrading your security."

    • @Negociateurprime 1 year ago +2

      @@PearangeProductions good ending

  • @ForeverMan 4 years ago +695

    He's evolving guys, we're doomed

    • @danielburgess7785 4 years ago +5

      The Andromeda Strain Lawyer

    • @dokterzorro 4 years ago +6

      I thought I saw a lady in a red dress walk by..... Wait, there she is again.

    • @red_ford23 4 years ago +1

      First scene of Tron (1982)

    • @Twobarpsi 4 years ago +1

      Lol you're right!

    • @CrazyDanishHacker 4 years ago

      During a physical whitehat exercise this exact method was used by a team I used to work with. That was around 3 years ago.

  • @Ihatebs 4 years ago +1929

    “The lock on your door is for decorative purposes only”

    • @josephgavron1099 4 years ago +6

      Amen!

    • @Asko83 4 years ago +69

      My country has a saying: "Locks will only stop honest people."

    • @arielabraham6683 4 years ago +4

      Asko83 your country is smart

    • @triskalion9627 4 years ago +12

      @@Asko83 and lazy people that won't bother learning lock picking

    • @OtakuUnitedStudio 4 years ago +4

      @@Asko83 I have a saying: "If you need a lock, they're not honest, just lazy."

  • @MattPiekarsky 2 years ago +237

    I bought a cheaply made RFID reader for less than $20 for my apartment. I used it to run my deadbolt with a car door actuator, and it was really effective. Being a rented apartment I could not do much modification to the door. I used existing holes, and kept all of the electronics behind the door. The RFID reader could read it through the door, and seemed more secure, but who am I kidding? The LockPickingLawyer would just look at my deadbolt, and the tumblers would set, the rotor would turn, and unlock itself as he came near out of respect.

    • @peterkwolek2265 2 years ago +7

      You are my hero of the day, I live in an apt and have been trying to rig something up because my bedroom door is old school, but I want to digitize it so leaving my key behind isn't a worry. The actuator is the missing piece to my puzzle. I'm not concerned about hacking, this interior door is just for privacy from roommates, plus if they get the door open I have a series of cameras and motion detectors inside. It's just a lock for "keeping honest people honest", i.e. if I'm out and someone wants to take a curious peek in my room if the door is open. If you have any details you're willing to share about your setup I'd appreciate it, but I understand if you don't want to give up your trade secrets.

    • @shrimpboom8 2 years ago +1

      Reading through the wall sounds like a great solution for physical access to the system.

    • @mrkv4k 2 years ago +1

      @@shrimpboom8 It is. On the other hand, those cheap readers usually use basic EM4x02, which doesn't have any security. When this card gets into the required magnetic field, it pretty much just screams the ID number in an infinite loop. A device that would allow you to copy any card of this type is actually a nice weekend project.

    • @Seedzification 2 years ago +7

      @@peterkwolek2265 damn that's a lot of security for a bedroom...

    • @peterkwolek2265 2 years ago +4

      @@Seedzification To give a little context I had the cameras and sensors at a normal deployment for a house, but when I moved the new roommates didn't want cameras in common areas so my security net got all bunched up in my room. If I didn't have the cameras/sensors when I moved in, I would have probably just bought one to snap a photo when I'm away and someone enters. Most of it dies as soon as wifi drops so it's actually kinda poor.

  • @jamesjackson8639 3 years ago +63

    I love how he recorded this at 1:40 in the morning and sounds like he’s had a full 9 hours of sleep. This man is a beast.

    • @jonathanwieringa8808 2 years ago +1

      you serious? pls tell me no..

    • @Fiyazai 2 years ago +6

      @@jonathanwieringa8808 Phone says 1:42 when he brings it out to scan.

    • @jonathanwieringa8808 2 years ago +3

      @@Fiyazai good eyes

    • @chrissss696 2 years ago +3

      Maybe it's an old phone he doesn't use anymore, so that he won't accidentally expose any personal information, and he didn't bother to change the time

    • @swapnilmankame 2 years ago +8

      This video was uploaded on the 28th of February 2020, and at 2:39 in the video the phone also says that the date is 28th Feb 2020; therefore, if the date is accurate, the time most likely is too, as it is connected to the internet and auto-updates the time.

  • @kiramaxie6948 4 years ago +2051

    This channel going from breaking into 20 dollar locks to Ocean’s 14

    • @user-wu7ug4ly3v 4 years ago +89

      It would be called Ocean’s lock-picking lawyer. It would go for 6 minutes, 4 minutes showing Ocean getting arrested, tried, convicted and put in jail. Then LPL would pick the locks on all the prison’s doors using chicken wire and a bubblegum wrapper (1 minute) and then 30 seconds to pick the bank vault with a toothpick and a 30 seconds of credits.

    • @thimiraamaratunga7794 4 years ago +30

      Oceans 2: LPL and BosnianBill

    • @klannstyle 4 years ago +6

      @@user-wu7ug4ly3v Hahaaa, you forgot to put the party time, another 20-30 sec 😁
      But LPL can manage to cut from unlocking time with ease.

    • @jum5238 4 years ago +8

      @@klannstyle and a second for a trademark statement like "...and that's all I have for you today..." as he leaves a business card for a shocked casino concierge on his way out the door. (face unseen of course)

    • @jamieyakimets839 4 years ago +7

      D Maybe tack on an extra 2-3 minutes so LPL can explain how the locks were so easy to pick and then pick them all a couple more times to show us it wasn’t a fluke...

  • @pongs31 4 years ago +1586

    Not just encryption, the encryption used must be resistant to "replay attacks" (which not every encryption method is).

    • @hhanh01 4 years ago +71

      I think he was referring to smart cards/secure RFID tags that use public key cryptography for authentication or a one time code from a pseudo RNG. Like an EMV card.

    • @ghost501ify 4 years ago +62

      I was thinking the same. As seen from many keyless car systems, you can also just clone or forward the encrypted communication and get access granted

    • @OtakuUnitedStudio 4 years ago +42

      @@hhanh01 Actually, many card readers simply read the number assigned to the card and transmit it back with no encryption at all. He demonstrated that in the video, where the binary stream was just the 6 digit card number.

    • @OtakuUnitedStudio 4 years ago +47

      Yep. Many encrypted locks may as well not be, since they use a single hash rather than a procedurally generated one that is produced at the time of scanning.
      A good RFID system should be able to keep the code secure even if everything passed between the controller and the reader is read. Both sides should have a synchronized pseudorandom hash produced by the same seed.

    • @ntl9974 4 years ago +4

      @@OtakuUnitedStudio what sorts of places would for sure have proper security. Typical college campus?

  • @nirfz 2 years ago +186

    Interesting! But there is a non-encryption solution for that too. Some of these reader housings have "sabotage contacts". So whenever you remove the housing or take the reader off the wall, to access the wires for the ESPKey, an alarm is created. Might not be as safe in the US, where every wall seems to be drywall ;-) But where I work you either create an alarm by manipulating the reader housing, or you alert everybody in the building by the noises resulting from trying to get to the wires through the concrete surrounding them.

    • @firstmkb 2 years ago +5

      I’ve seen those in readers, but not seen them connected to the alarm system.

    • @highvisibilityraincoat 2 years ago +9

      Often those are disconnected or easily negated just with the proper tool.

    • @insu_na 2 years ago +23

      Or using RFID keys that are challenge-response types. Doesn't matter if they're encrypted, a challenge is only valid once and only if you have the seed can you get the correct response consistently

    • @PeterAuto1 2 years ago +2

      @@insu_na that one is basically encrypted.

    • @insu_na 2 years ago +5

      @@PeterAuto1 ... technically it's part of a precursor for encryption, that being the establishing of a shared session key through a shared secret, but you're not actually encrypting any message with it, you stop just before that step with verifying that you indeed share a session key

  • @koihoshi 4 years ago +270

    So this is the equivalent of packet sniffing and then repeating captured packets? And being able to basically image what you capture as well? Honestly that's pretty damn slick.

    • @suuuken4977 2 years ago +5

      burpsuite irl lol

    • @NGC1433 2 years ago +15

      except there's no packet or sniffing. It's plain binary hi-low signal containing a number.

    • @Pidgeon182 2 years ago +3

      Yeah, same principle as a man-in-the-middle attack.

    • @santiagobirkenstock 2 years ago +15

      @@NGC1433 well putting a chip in the wiring circuit is none other than sniffing and a bunch of consecutive bits is a packet so yeah packet sniffing seems appropriate

    • @mrkv4k 2 years ago +4

      @@santiagobirkenstock No, it isn't. The difference is, that you have to actually know the communication protocol for packet sniffing. This reader has most likely just a Wiegand interface, which uses two lines, first one for ones and the second one for zeros. There are no "packets", just a direct serial bitstream.
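
To make concrete what the two-wire Wiegand stream discussed in this thread carries, the following is an added example, not code from the video, the ESPKey project, or any commenter. It encodes and decodes the common 26-bit Wiegand format (one even-parity bit, 8-bit facility code, 16-bit card number, one odd-parity bit), models what a tap on the D0/D1 lines records, and shows a controller that authorizes on the decoded ID alone accepting a byte-for-byte replay of that recording. The `Credential` and `NaiveController` names, and the sample badge 10/1234, are assumptions made for the demo.

```python
"""Wiegand 26-bit encode/decode, a D0/D1 line tap, and a replay against a naive controller.

Added example; not from the video, the ESPKey firmware, or any commenter.
Assumes the reader emits 26-bit Wiegand and the controller checks only the ID.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

Pulse = str  # "D0" or "D1": which of the two Wiegand data lines was pulsed low


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8 bits
    card_number: int    # 16 bits


def encode_wiegand26(cred: Credential) -> List[int]:
    """Return the 26 bits the reader would clock out for this credential."""
    if not 0 <= cred.facility_code < 256 or not 0 <= cred.card_number < 65536:
        raise ValueError("facility code must fit in 8 bits, card number in 16")
    payload = [(cred.facility_code >> i) & 1 for i in range(7, -1, -1)]
    payload += [(cred.card_number >> i) & 1 for i in range(15, -1, -1)]
    even = sum(payload[:12]) % 2        # leading bit: even parity over first 12 payload bits
    odd = 1 - (sum(payload[12:]) % 2)   # trailing bit: odd parity over last 12 payload bits
    return [even] + payload + [odd]


def decode_wiegand26(bits: List[int]) -> Credential:
    """Parse 26 bits back into a credential, rejecting bad length or parity."""
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected 26 bits")
    payload = bits[1:25]
    if sum(payload[:12]) % 2 != bits[0]:
        raise ValueError("leading even-parity check failed")
    if (sum(payload[12:]) + bits[25]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    fc = int("".join(map(str, payload[:8])), 2)
    cn = int("".join(map(str, payload[8:])), 2)
    return Credential(fc, cn)


def bits_to_int(bits: List[int]) -> int:
    """The same 26 bits as one integer, the form the ESPKey-style log would show."""
    return int("".join(map(str, bits)), 2)


def bits_to_pulses(bits: List[int]) -> List[Pulse]:
    """What a tap on the two data wires sees: a pulse on D1 per 1, on D0 per 0."""
    return ["D1" if b else "D0" for b in bits]


def pulses_to_bits(pulses: List[Pulse]) -> List[int]:
    """Inverse of bits_to_pulses; the tap or the controller reassembles bits this way."""
    if any(p not in ("D0", "D1") for p in pulses):
        raise ValueError("unknown line in trace")
    return [1 if p == "D1" else 0 for p in pulses]


class NaiveController:
    """Authorizes purely on the decoded ID, so it cannot tell a replay from the badge."""

    def __init__(self, allowed: Set[Tuple[int, int]]) -> None:
        self.allowed = allowed

    def handle(self, pulses: List[Pulse]) -> bool:
        try:
            cred = decode_wiegand26(pulses_to_bits(pulses))
        except ValueError:
            return False  # malformed frame: ignored, as a real controller would
        return (cred.facility_code, cred.card_number) in self.allowed


def replay_demo() -> Tuple[bool, bool]:
    """Legitimate badge presentation, then a replay of the captured pulse train."""
    controller = NaiveController(allowed={(10, 1234)})
    captured = bits_to_pulses(encode_wiegand26(Credential(10, 1234)))  # constructed trace
    first = controller.handle(captured)   # the real badge
    second = controller.handle(captured)  # the tap replaying the same 26 pulses
    return first, second


if __name__ == "__main__":
    print(replay_demo())
```

The controller has no way to distinguish the second presentation from the first: the only thing on the wire is the ID and two parity bits, and both are identical on every swipe. Encryption of the reader-to-controller link alone would not change that unless the controller also checks freshness.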

  • @tysonbradish6196 4 years ago +2380

    Welcome to lock picking lawyer after today I'm going to show you how to access the US Nuclear Arsenal using a microwave and set of chopsticks.

    • @shlokjagushte1839 4 years ago +82

      don't need to do that..... all you need is delivery guy's uniform and some luck.

    • @Sool101 4 years ago +6

      @@shlokjagushte1839 sauce!!?

    • @Alexander_l322 4 years ago +8

      That reminds me I need to look for a good deal on a microwave for my kitchen.

    • @michaelearlgrey 4 years ago +3

      Comment of the day. 🤣

    • @arantes6 4 years ago +8

      It's not fair posting this comment on one of the rare videos where he actually uses high tech tools!

  • @pflh2391 4 years ago +1877

    When the government doesn't pay you enough for your spy job so you make youtube videos instead

    • @alexhamon9261 4 years ago +54

      This device is legitimately used by penetration testers like Deviant Ollam, check out his channel. He gets paid by corporations and government to test their infrastructure's locks, doors, and security systems by casing the place, physically getting in, figuring out what sort of damage could be done by a nefarious party with that level of access, and writing up a report on this and how to make the place harder to get into.

    • @ZXXpilot 4 years ago +2

      SideNote 😂👍

    • @JeeperGear 3 years ago

      @THE DUDE technically you would have to obtain someone else's RFID info and reprogram your own chip to mimic it. As the credits would most likely be registered under the chip's unique ID tied to a bank account. Kinda like wave cards used to work.

    • @geforcertx9236 3 years ago

      @THE DUDE LOOOL

    • @BlueCollarBachelor 3 years ago

      Bosnian Bill is the retired spy.

  • @fredlight9963 2 years ago +46

    You had me worried, I thought you were going to show something like remotely scanning through all the RFID codes until one opened the door and I'd have to rethink the system I set up on my front door. However RFID will work through a wall panel, so you can set up with no exterior access. This is basically my setup, except for a small aperture for the fingerprint scanner pad; the RFID fobs work fine.
    For one of those RFID only units, you could embed a real unit in the wall and 3D print a hollow one to put on the outside so people know where to hold their cards. I'd love to see the reaction of a hacker who pried it off!

    • @mrfrenzy. 2 years ago +7

      Anyone can still mount a sniffer to the outside of your wall, picking up the RF transmissions from the card. If you want to be secure you need to use something like desfire which encrypts the wireless communication.

    • @NGC1433 2 years ago +5

      Scanning all RFID codes is easily prevented by a 30 second delay between successive reads. That is implemented in residential staircase door lock systems even from the post-Soviet nineties, for both button key and entering a code on a keypad. It even beeps cheerfully for 20 seconds after an unsuccessful attempt.

    • @mrfrenzy. 2 years ago +4

      @Evi1 M4chine you can mount the sniffer a few feet away from the reader on the same wall, or on the roof above the reader. It does not matter how thick the wall is since the signal is not passing through it, you are sniffing on the outside where the user with a valid card is standing.

    • @RingoLombardi 2 years ago

      @@mrfrenzy. you need to get really close to actually power an RFID card; besides, if you had something powerful enough to power a card from a few feet it would cause any other RFID cards to also broadcast. That's why you can't hold your wallet to a reader with more than one card in it. Also all modern cards are encrypted so you wouldn't be able to decode the data anyway

    • @johndododoe1411 2 years ago

      @Evi1 M4chine The door and doorframe are usually made from RFID transparent materials. But making a fake reader box won't be done when commercially installing a combined keypad and reader that can be set to require the pin code of the legitimate card holder to ostensibly protect from stolen or cloned cards (and that's the readers usually installed even if nobody ever turns on the pin code feature).

  • @grizzlednerd4521 2 years ago +143

    Depending on the encryption method, it may still be possible to do a replay attack without being able to decrypt the data. If a time stamp is included in the encrypted data, and this is checked against a time window by the controller, that's one way of preventing a non-decrypting replay attack.
    Obviously, the cards used in the demo are also pretty dumb, and are a point of attack through a concealed rogue reader (backpack-carried units are common). Using smart chips raises the bar a lot higher though.

    • @BenjaminWheeler0510 2 years ago +3

      I was gonna ask about this but you just answered my question! Thanks

    • @GJohnson1981 2 years ago +3

      You sir... know things...

    • @cabbageman 2 years ago +25

      Was just about to say this; the cards should be NFC smart cards, not just dumb RFID. The controller should use an incrementer, nonce or challenge-response protocol so that it can verify the freshness of the attempt. Encrypting the traffic of a dumb protocol will not fix any of its flaws.

    • @GhostZodick 2 years ago +10

      If the RFID is sending the same data to the reader every time, a replay attack pretty much always works, right?

    • @GhostZodick 2 years ago

      @@cabbageman Is it going to cost more money to have a reader that has this kind of capability? At the very least, assuming you have pretty powerful hardware, you still need a developer to develop all of the software. I'm assuming saving a table of every RFID is way easier than saving the seed of every card and comparing the rolling code every time.

  • @duchi882 4 years ago +1640

    "Its some real James Bond Level stuff"
    Still nothing compared to real LockPickingLawyer stuff

    • @Sprite_525 4 years ago +4

      I’d love it if LPL did a bond-debunking video or an Ocean’s 11 debunk.

    • @eatchatsleep 4 years ago

      @vladypunkyface jame bond opening door using wifi

    • @JamesBond-uz2dm 4 years ago +2

      I beg your pardon.

    • @djmips 4 years ago

      @vladypunkyface Exactly, he didn't build this, program it, or even require much skill in operating the device in this presentation. But still a good video.

    • @captainblacktail8137 4 years ago +1

      Wait until the Bosnianbill and LPL version is out

  • @Ace-0017 4 years ago +158

    "This is the LockHackingLawyer"

  • @Spacefish007 2 years ago +98

    Encryption should be between the card and the controller inside the "secure" area.
    DESFire EV2 for example, the crypto happens on the card, there is no way to "clone" it, as the private key never leaves the card.

    • @kennichdendenn 2 years ago +37

      To elaborate for others: the card itself has a processor and a key saved. The reader sends the card some data that the card transforms using its key. This data is always different. The transformed data gets sent back. Because the input is always different, sending back the same output twice does not work. And thanks to nice cryptography, you cannot get the key, even if you capture input and output.

    • @justin.booth. 2 years ago +8

      It baffles me that even though we have readily available cryptography like this companies still manage to manufacture systems that don't include it. How?!

    • @ShadowTigerKing 2 years ago +14

      @@justin.booth. Money. It costs a lot less for a simple card lock system. I have a friend that works at a nursing home with a basic reader. The doors are to keep dementia patients from wandering out. Nobody is going to hack in to steal old people.

    • @740mc 2 years ago +11

      @@justin.booth. Cost

    • @kennichdendenn 2 years ago +6

      @@ShadowTigerKing thing is - it doesn't anymore. The algorithms are already there and freely available, that ain't any issue. Cards with the necessary computing power don't need to be any more expensive than the simpler ones by now and also the processors to use inside of the control box are cheap.
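
The card-side key and fresh-challenge property described in this thread, and the replay question raised in the thread above it, as one added example that is not code from the video, the ESPKey project, or any commenter: a static badge and a keyed badge are each put behind an ESPKey-style tap that records what it forwards, and the recording is then replayed at the controller. HMAC-SHA256 over a random 16-byte nonce stands in for the card's cryptography; that construction, the `auth` label, the 4-byte UID and the 32-byte key are assumptions for the demo, not DESFire's actual protocol.

```python
"""Static-ID badge vs challenge-response badge, each behind a recording wire tap.

Added example; not from the video, ESPKey, or any commenter. HMAC-SHA256 over a
controller-chosen nonce is an assumed stand-in for the card's crypto (not DESFire).
Assumes the controller sits in the secure area and holds each card's key.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Set, Tuple

Respond = Callable[[bytes], bytes]  # challenge in -> reply out, as seen on the wire
UID_LEN, TAG_LEN = 4, 32


def _mac(key: bytes, uid: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, b"auth" + uid + challenge, hashlib.sha256).digest()


class StaticCard:
    """Like the badge in the video: the same bits every time, challenge ignored."""
    def __init__(self, uid: int) -> None:
        self.uid = uid.to_bytes(UID_LEN, "big")

    def respond(self, challenge: bytes) -> bytes:
        return self.uid


class ChallengeResponseCard:
    """Keyed badge: only MACs over the controller's challenge ever leave the card."""
    def __init__(self, uid: int, key: bytes) -> None:
        self.uid = uid.to_bytes(UID_LEN, "big")
        self._key = key  # never transmitted

    def respond(self, challenge: bytes) -> bytes:
        return self.uid + _mac(self._key, self.uid, challenge)


class WireTap:
    """ESPKey-style logger between reader and controller: records what it forwards."""
    def __init__(self, respond: Respond) -> None:
        self._respond = respond
        self.log: List[Tuple[bytes, bytes]] = []

    def respond(self, challenge: bytes) -> bytes:
        reply = self._respond(challenge)
        self.log.append((challenge, reply))
        return reply

    def replay(self) -> Respond:
        """A fake badge that ignores the new challenge and resends the last capture."""
        _, recorded = self.log[-1]
        return lambda _challenge: recorded


class StaticController:
    """Authorizes on the ID alone, so a recording is as good as the badge."""
    def __init__(self, allowed: Set[int]) -> None:
        self.allowed = allowed

    def authenticate(self, respond: Respond) -> bool:
        return int.from_bytes(respond(b""), "big") in self.allowed


class ChallengeController:
    """Requires a MAC over a nonce it just chose; anything stale is rejected."""
    def __init__(self, keys: Dict[int, bytes], rng: Callable[[int], bytes] = os.urandom) -> None:
        self.keys = keys
        self._rng = rng  # must be unpredictable; see predictable_nonce_replay()

    def authenticate(self, respond: Respond) -> bool:
        challenge = self._rng(16)
        reply = respond(challenge)
        if len(reply) != UID_LEN + TAG_LEN:
            return False
        uid, tag = reply[:UID_LEN], reply[UID_LEN:]
        key = self.keys.get(int.from_bytes(uid, "big"))
        if key is None:
            return False
        return hmac.compare_digest(tag, _mac(key, uid, challenge))


UID = 0x00C0FFEE  # constructed badge ID for the demo


def static_replay() -> Tuple[bool, bool]:
    """(real badge accepted?, replay of its recording accepted?)"""
    ctrl = StaticController({UID})
    tap = WireTap(StaticCard(UID).respond)
    return ctrl.authenticate(tap.respond), ctrl.authenticate(tap.replay())


def challenge_response_replay(rng: Callable[[int], bytes] = os.urandom) -> Tuple[bool, bool]:
    """Same experiment with a keyed badge; rng lets you try a broken nonce source."""
    key = os.urandom(32)  # provisioned to both card and controller for the demo
    ctrl = ChallengeController({UID: key}, rng=rng)
    tap = WireTap(ChallengeResponseCard(UID, key).respond)
    return ctrl.authenticate(tap.respond), ctrl.authenticate(tap.replay())


def predictable_nonce_replay() -> Tuple[bool, bool]:
    """If the controller's challenge repeats, the recorded MAC is valid again."""
    return challenge_response_replay(rng=lambda n: bytes(n))


if __name__ == "__main__":
    print("static    :", static_replay())             # (True, True)
    print("challenge :", challenge_response_replay())  # (True, False)
    print("bad nonce :", predictable_nonce_replay())   # (True, True)
```

The third function is the caveat a practitioner should check for: a challenge-response credential is only as replay-resistant as the controller's nonce source. With a repeating or guessable challenge, the tap's recording authenticates again, key on the card or not.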

  • @wingsdesire1 2 years ago +4

    I’m someone who has a vested interest in technology & this absolutely fascinates me. Thank you LPL for making such amazing & informative videos.

  • @JustinRed624 4 years ago +738

    And remember, this is his HOBBY

    • @nicholasdonnell7445 4 years ago +44

      Justin R. that’s what he wants you to think.

    • @triskalion9627 4 years ago +19

      Imagine how good he is at his real job

    • @aidanhancock2117 4 years ago +3

      @@triskalion9627 I suppose if a guy is being done for something to do with locks, if he can point out how easy it is to pick it can work in their favour.

    • @stathisstathopoulos9007 3 years ago +9

      Actually it's his job. He is getting paid for it.

    • @terrylarry5658 2 years ago +2

      And now its OURS

  • @kosmamoczek 4 years ago +464

    LPL: "...have a nice day."
    Lock manufacturers: "we were having a nice day until you posted this!"

    • @davidkidd2961 2 years ago +1

      Lock Manufacturers: Welp, back to the drawing board!

    • @EpicVideoGamer7771 2 years ago +2

      @@davidkidd2961 *Next video comes out*
      Lock Manufacturers: Welp, time to get a new drawing board!

  • @freedomspeech9523 2 years ago +24

    People should know that UL listing is important.
    UL 294 requires encryption between card readers and controller.

    • @bobsnabby2298
      @bobsnabby2298 2 ปีที่แล้ว +6

      Does UL294 say anything about using non repetitive coding ?

    • @peterkwolek2265
      @peterkwolek2265 2 ปีที่แล้ว

      Lately I've been much more choosy when buying wireless tech, making sure security is tough and without gaps. I hate when I'm shopping for (as example) a wireless mouse and they won't say if there's any encryption.

  • @NKBobcat
    @NKBobcat 2 ปีที่แล้ว +9

    Great job. I know most software for these systems have the option to encrypt the data stream so this will show users for these systems how important it is to ensure the system is fully configured, locked down. Thanks for the video!

    • @NGC1433
      @NGC1433 2 ปีที่แล้ว +1

      Except it changes exactly nothing if you are replaying same message, be it encrypted or not.

    • @jimmypatton4982
      @jimmypatton4982 2 ปีที่แล้ว

      @@NGC1433 it does matter if the encryption is resistant to replay attacks. Such as having a 10 second window before new encryption is created. Or even just embedding a time sensitive piece of information, such as every request must come with encrypted date/time and if the date time is off by 5 seconds it is rejected.

  • @annando
    @annando 4 ปีที่แล้ว +130

    I appreciate that you are doing some really high level stuff here that's beyond the regular mechanical lock picking.

    • @idonotwantahandle2
      @idonotwantahandle2 2 ปีที่แล้ว

      Maybe but I can get and do that. If I can do it....
      It is a good demonstration for people so they find out more about the security products they pay for. Why pay for something easily defeated?
      Just because you may not understand how something works, doesn't mean those who steal stuff don't.

  • @Robbya10
    @Robbya10 4 ปีที่แล้ว +536

    This is the lock picking lawyer and today we're going to be breaking into fort knox.
    (4 minute video)

    • @kabochaVA
      @kabochaVA 4 ปีที่แล้ว +11

      Then we'll discover that the vaults in Fort Knox have been empty for decades, hence that the dollar is worth less than its weight in Bitcoins, and then the world economy will collapse overnight... xD

    • @paulketner5077
      @paulketner5077 4 ปีที่แล้ว +9

      @@kabochaVA The US has been using fiat money for decades

    • @altergreenhorn
      @altergreenhorn 4 ปีที่แล้ว +1

      @@paulketner5077
      Correct, and the US military and military bases around the world are the only insurance for that to go on and on.
      If the world decides to ditch $ as the main currency the US collapses, that's why the US installs US democracy in countries which foolishly think that they can live without $

    • @ZeroTheHunter
      @ZeroTheHunter 4 ปีที่แล้ว +2

      3.10 minutes dedicated to show the lock, just 40 secs for picking it lol

    • @mirkopojmaevich6864
      @mirkopojmaevich6864 4 ปีที่แล้ว

      Area 51 solo raid

  • @Law0086
    @Law0086 2 ปีที่แล้ว +1

    I love this channel and all its videos. If there's anything I've learned it's that all locks are supposed to just slow someone down long enough for them to either give up or get caught.

  • @francoisstevens4349
    @francoisstevens4349 2 ปีที่แล้ว

    I love your videos. It alters my perception of security and how to improve my own home security. Thank you for all your hard work.

  • @AlienMs
    @AlienMs 4 ปีที่แล้ว +341

    soon:
    [1520] Breaking into NASA with a hair clip

    • @BeamMonsterZeus
      @BeamMonsterZeus 4 ปีที่แล้ว +3

      That's not very soon

    • @coffeemakerbottomcracked
      @coffeemakerbottomcracked 4 ปีที่แล้ว +23

      [1420] Breaking into Master Lock's headquarters with a tampon

    • @AlienMs
      @AlienMs 4 ปีที่แล้ว

      @@coffeemakerbottomcracked Yes xd

    • @alexm566
      @alexm566 4 ปีที่แล้ว +5

      * NSA

    • @artbrann
      @artbrann 3 ปีที่แล้ว +3

      @@coffeemakerbottomcracked hell it's master lock, the door probably falls off the hinges if you shake it

  • @martinrc80
    @martinrc80 4 ปีที่แล้ว +331

    "Its some real James Bond Level Stuff, nothing compared to James Bond's spoon, or sliver of orange juice container, but cool none the less!"

    • @nephco
      @nephco 4 ปีที่แล้ว

      Hehe

    • @deaded238
      @deaded238 4 ปีที่แล้ว +3

      More like MacGyver tho

    • @kingkaza
      @kingkaza 4 ปีที่แล้ว +2

      Or Lego man

    • @DanceySteveYNWA
      @DanceySteveYNWA 4 ปีที่แล้ว +1

      Wave Rake, shaken not stirred

    • @JamesBond-uz2dm
      @JamesBond-uz2dm 4 ปีที่แล้ว

      Thank you, mate.

  • @AmazingChinaToday
    @AmazingChinaToday 2 ปีที่แล้ว

    Excellent video. A visual demonstration of a "man in the middle" attack.

  • @neekeyzonked5574
    @neekeyzonked5574 2 ปีที่แล้ว +1

    Every video is clean, neat, well thought out and perfectly executed 👍

  • @Naeidea
    @Naeidea 4 ปีที่แล้ว +355

    I can't wait until next week "This is the Lockpicking Lawyer and I'm in a Nuclear Submarine in the Atlantic, all I had to do was use this can opener and razor blade".

    • @thesagedwizard
      @thesagedwizard 4 ปีที่แล้ว +13

      OMG he is MacGyver

    • @thecaptainsmemefolder
      @thecaptainsmemefolder 3 ปีที่แล้ว +1

      Thankfully there need to be 2 people

    • @generalduck1684
      @generalduck1684 2 ปีที่แล้ว +6

      And here you can see the launch button normally this would be locked but if I just insert this wire you can see the missile is launched with no problems

    • @jeffmoberley550
      @jeffmoberley550 2 ปีที่แล้ว +6

      @@generalduck1684 and let me do that again to show that it wasn't a fluke.

    • @Sim0n383
      @Sim0n383 2 ปีที่แล้ว

      @@jeffmoberley550 why am I already reading this the way he talks?

  • @liam10000888
    @liam10000888 4 ปีที่แล้ว +508

    LPL is making me feel less and less safe as I watch more videos.

    • @Petertronic
      @Petertronic 4 ปีที่แล้ว +23

      He's just exposing the bad locks that are out there. Good locks are still good locks.

    • @chongjunxiang3002
      @chongjunxiang3002 4 ปีที่แล้ว +7

      tbf he tests locks on his table.
      Generally your decent lock that's hung on the door will still be ok.

    • @jeffreyroot6300
      @jeffreyroot6300 4 ปีที่แล้ว +15

      Locks are deterrent for honest people ( a symbolic barrier) or for criminals who don’t want the hassle of defeating them.

    • @neufala2398
      @neufala2398 4 ปีที่แล้ว +11

      @@Petertronic Good locks are only as good as the box they are protecting, if you have a house with a window the guy can still just break the window and get in

    • @pongusikya
      @pongusikya 4 ปีที่แล้ว +7

      Locks won't make you safe. Friends, family, community keeps everyone safe.

  • @TheMisterNebo
    @TheMisterNebo 2 ปีที่แล้ว

    Awesome work! Love the digital attacks - you clearly put a LOT of time into this, very well done!

  • @ilRosewood
    @ilRosewood 2 ปีที่แล้ว

    I'm looking at new office security products and this is very helpful. Thank you.

  • @electronresonator8882
    @electronresonator8882 4 ปีที่แล้ว +340

    interviewer : "could you tell me how would you protect yourself from against your own clone?"
    LPL : "guns... lots and lots of guns...."

  • @CoolBird69
    @CoolBird69 4 ปีที่แล้ว +274

    old video: picking open a lock
    2020 video: HACKING RFID SYSTEM

    • @Kitchen6419
      @Kitchen6419 4 ปีที่แล้ว +9

      @vladypunkyface it sounds new and that's all that matters

    • @kidthorazine
      @kidthorazine 4 ปีที่แล้ว +4

      Much like with lock picking, hacking RFID systems is way easier than most people think it is.

    • @kenabi
      @kenabi 4 ปีที่แล้ว

      The FBI had a page some time ago for a day or two before it got pulled about how terrible RFID is and they wouldn't be using it. NFC is just as bad.

  • @SchwettyBawls
    @SchwettyBawls 2 ปีที่แล้ว

    I LOVE your videos about electronics locks the most.
    With the world going more digital, more "modern" buildings are also going electronic.

  • @richardmartinez3342
    @richardmartinez3342 2 ปีที่แล้ว

    By far one of your best, most informative and interesting videos :]

  • @meatballg8655
    @meatballg8655 4 ปีที่แล้ว +66

    1:42am, while we’re all up in the middle of the night watching his videos he is up in the middle of the night making the videos, this is some meta shit right here

    • @HappyDude1
      @HappyDude1 4 ปีที่แล้ว +3

      It's 16:00 hours here when he posted 😁

  • @carlhamer3762
    @carlhamer3762 4 ปีที่แล้ว +553

    "It's some James Bond level stuff..."
    "An attacker can compromise the system with very little effort..."
    Conclusion: LPL considers James Bond level difficulty to be "very little effort."

    • @D8W2P4
      @D8W2P4 4 ปีที่แล้ว +46

      Well considering how much alcohol the character drank in the book, that's probably an accurate rating.

    • @joem13yearsago73
      @joem13yearsago73 4 ปีที่แล้ว +1

      Yea ok. Believe everything you see on the internet lol

    • @imbw267
      @imbw267 4 ปีที่แล้ว +1

      Because James Bond makes it look easy.

    • @sadcoffee9863
      @sadcoffee9863 4 ปีที่แล้ว +1

      No this is some watch dogs stuff

    • @troublewithweebles
      @troublewithweebles 4 ปีที่แล้ว +5

      In his defense, James Bond makes it look easy, too.

  • @bolow
    @bolow 2 ปีที่แล้ว +6

    I've been learning ESP chip programming, I never thought I would see LPL talking about it.

  • @adder2523
    @adder2523 2 ปีที่แล้ว +1

    First of all, that's some very dedicated setup, nicely done!
    For most use cases that replay attack is more dangerous than the encryption. But this is depending on the building, if you can protect the housing and the wires, then it is fine.
    First is that replay attack: it should never be possible to re-issue authentication, it should be one time use before those specific bits of data expire. This is widely known and there are ways to counter it.
    Second is that encryption, I get that they think "it's inside the wall, should be fine with unencrypted", but that is a very naive mindset, those wires could be hundreds of meters long in business buildings. Which could be intercepted and read at any point.

  • @BuzzinVideography
    @BuzzinVideography 4 ปีที่แล้ว +252

    You’ve now taught me how to break into my old office at a place “that doesn’t exist”.
    They use all of these same devices.
    HAHAHAHAHAHAHAHH

    • @ZeroTheHunter
      @ZeroTheHunter 4 ปีที่แล้ว +7

      Evil Wins:
      *PICKALITY*

    • @swiftsmile
      @swiftsmile 4 ปีที่แล้ว +1

      What place did you used to work at lol im genuinely curious or is it OPSEC?

    • @PrinceKashyap.
      @PrinceKashyap. 4 ปีที่แล้ว +6

      @@swiftsmile He used to work for Tony Stark, now he's showing his true colours #Mysterio

    • @swiftsmile
      @swiftsmile 4 ปีที่แล้ว +1

      @@PrinceKashyap. lmao

    • @cdx873v
      @cdx873v 4 ปีที่แล้ว +4

      It's McDonald's. He just can't get enough of those big mac's! Can't blame him though! Lol

  • @Miss_Xhiel
    @Miss_Xhiel 4 ปีที่แล้ว +185

    I'm unsure that encryption would solve much in this case without specifically using either 2FA or OTP.
    If the listener can repeat the package it hears exactly, it doesn't matter if the package it heard was hashed. It's going to repeat the hashed message which will still be a valid entry key when decrypted on the other end.
    One-time passwords or using two factor authentication of some kind will absolutely solve this, though.
    Edit: Lots of people are pointing out that there's talk back challenges for encrypted locks, and I would like to point out that's two-factor authentication. If there's a secondary challenge of authority of any kind, there ya go.

    • @Garfie489
      @Garfie489 4 ปีที่แล้ว +18

      Presumably you could put in some form of enigma in between the reader and the logic board.
      Assuming they always work together, it'd be easy for them to keep a count together and ensure any transmission which is intercepted is one time use only

    • @Hello71b
      @Hello71b 4 ปีที่แล้ว +77

      it's too complicated to cover in a short video targeted at lockpickers, but one of the ways to fix this is using a challenge-response protocol: en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication. the reader sends the card some random value, then the card computes the hash of that value combined with its secret value, then sends it back. assuming certain properties about the hash, it is impossible to simply replay this: en.wikipedia.org/wiki/Replay_attack. there are a lot of things that can be implemented wrong here, but when done right, it's completely secure by modern standards. you can also use a less-secure "rolling code" similar to those used by garage door and some car door entry systems: en.wikipedia.org/wiki/Rolling_code, but those have a number of vulnerabilities.

    • @juliopcrj
      @juliopcrj 4 ปีที่แล้ว +4

      Seems like the only thing he wouldn't be able to do is copy the card.

    • @jkazos
      @jkazos 4 ปีที่แล้ว +6

      Just have the door sensor and the controller share a counter for how many scans have occurred, and hash the scan count with the code on the card. Then you'd have to actually hack the door sensor somehow rather than just insert yourself into the wires.

    • @Hello71b
      @Hello71b 4 ปีที่แล้ว +16

      @@jkazos you have reinvented rolling codes, except also, in your system, you're vulnerable to a slightly more expensive attack where you just install another reader.
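
The challenge-response and counter-based fixes discussed in this thread, and the point raised earlier by @NGC1433 and @jimmypatton4982 that encryption alone does nothing against a byte-for-byte replay, shown side by side as an added Python example (not code from the video, from the ESPKey, or from any commenter). It models the credential itself computing the response, as @StefanSchlott suggests further down this page, so the key never crosses the wire. The card ID, the per-credential shared key and the HMAC-SHA256 construction are assumptions for illustration, and the controller's set of outstanding nonces would need an expiry in a real system.

```python
import hashlib
import hmac
import secrets

# Constructed demo values (assumptions, not from any real product): a
# per-credential key provisioned into both the controller and the credential
# at enrolment, plus the card's identifier.
CARD_ID = "0001234567"
CREDENTIAL_KEY = bytes.fromhex("1f" * 32)


class StaticIdController:
    """The weak design: the controller accepts a bare card ID off the wire."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def unlock(self, card_id):
        # Whatever was sniffed can be sent again; nothing ties it to this attempt.
        return card_id in self.allowed


class ChallengeController:
    """Hardened design: each unlock needs an HMAC over a fresh controller nonce."""

    def __init__(self, keys):
        self.keys = dict(keys)      # card_id -> shared key
        self.outstanding = set()    # nonces issued but not yet consumed

    def issue_challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def unlock(self, card_id, nonce, response):
        # A nonce is single-use: presenting the same (nonce, response) pair a
        # second time is a replay and is refused before any crypto runs.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        key = self.keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, card_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def card_respond(key, card_id, nonce):
    """What the credential computes on-card; the key never leaves it."""
    return hmac.new(key, card_id.encode() + nonce, hashlib.sha256).digest()


def static_demo():
    """Sniff the bare ID once, replay it: both presentations succeed."""
    ctrl = StaticIdController([CARD_ID])
    sniffed = CARD_ID
    return ctrl.unlock(sniffed), ctrl.unlock(sniffed)


def challenge_demo():
    """Genuine presentation succeeds; the captured bytes are useless afterwards."""
    ctrl = ChallengeController({CARD_ID: CREDENTIAL_KEY})
    nonce = ctrl.issue_challenge()
    response = card_respond(CREDENTIAL_KEY, CARD_ID, nonce)
    genuine = ctrl.unlock(CARD_ID, nonce, response)
    # Attacker replays exactly what was captured from the wire.
    replay = ctrl.unlock(CARD_ID, nonce, response)
    # Attacker answers a fresh challenge with the old response.
    fresh_nonce = ctrl.issue_challenge()
    stale = ctrl.unlock(CARD_ID, fresh_nonce, response)
    return genuine, replay, stale


if __name__ == "__main__":
    print("static ID   (genuine, replay):", static_demo())
    print("challenge   (genuine, replay, stale):", challenge_demo())
```

Run it and the static-ID controller accepts the sniffed ID twice, while the challenge controller accepts the genuine response once and refuses both the verbatim replay and the old response against a new challenge. The time-window variant @jimmypatton4982 describes is the same idea with the nonce replaced by a timestamp, and is only as strong as the clock agreement and the width of the window; the shared-counter scheme above is the same idea again with a counter in place of the nonce, which is why it inherits the rolling-code weaknesses @Hello71b mentions.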

  • @robthebank12
    @robthebank12 2 ปีที่แล้ว

    Great layout & Setup is impeccable

  • @stevetobias4890
    @stevetobias4890 2 ปีที่แล้ว +4

    You're amazing, you teach people how to better secure their valuables.

    • @TMGMedia73
      @TMGMedia73 2 ปีที่แล้ว

      And at the same time, teaches thieves on how to get past security systems.

    • @stevetobias4890
      @stevetobias4890 2 ปีที่แล้ว

      @@TMGMedia73 true, but no lock is unpickable as LPL clearly proves. It's why insurance is important along with locks that meet their levels of adequacy.

  • @ThomasKiehl
    @ThomasKiehl 4 ปีที่แล้ว +118

    Future: "This is the LockPickingLawyer and today I'm going to show you how to break into Ft. Knox with a paper clip and an old cell phone."

    • @corpsiecorpsie_the_original
      @corpsiecorpsie_the_original 4 ปีที่แล้ว +1

      "I'm going to step on old cellphone because I enjoy the weird crunching noise it makes on the decorative floor plates. Now, I'm going to bend the......"

  • @jweezy15able
    @jweezy15able 4 ปีที่แล้ว +71

    "This is the lock picking lawyer, and what I have for you today is the gate codes for Area 51"

  • @connormorris5963
    @connormorris5963 2 ปีที่แล้ว

    I have one of these locks at the base of the stairs to the communal car park, a more unorthodox method of putting your shoulder through the door seems to work pretty effectively for someone, as they have definitely busted through!

  • @roots2stem623
    @roots2stem623 2 ปีที่แล้ว

    Your videos are amazing. This one was especially eye opening.

  • @roysammons2445
    @roysammons2445 4 ปีที่แล้ว +20

    "The names L...LPL Licence to pick your locks"!

  • @dozer1642
    @dozer1642 4 ปีที่แล้ว +30

    Now I have to change ALL the locks on my secret lair.
    Come on guys, throw me a freakin bone here!

    • @whodat105
      @whodat105 4 ปีที่แล้ว +3

      The best defense is posting push signs on the doors that pull out or pull on ones that push.

    • @caliversla6992
      @caliversla6992 4 ปีที่แล้ว +2

      And lower the height of the freakin locks, OK? Because I'd hate for Mini-me to get trapped inside during an (air quotes --->) "emergency."

  • @beehphy
    @beehphy 2 ปีที่แล้ว

    I like seeing you step up the tech

  • @cheongyei
    @cheongyei 2 ปีที่แล้ว +4

    This guy's content is great.
    Anyone needing to deal with lock security on a small or large scale should follow him.

  • @StefanSchlott
    @StefanSchlott 4 ปีที่แล้ว +23

    More specifically: The communication should be secured between the controller and the RFID card, not just the reader (which would have to hold the communication secret, which in turn could be extracted by an attacker). Then, of course, you could no longer use the el-cheapo cards...

    • @RichFreeman
      @RichFreeman 4 ปีที่แล้ว +2

      Agree. These RFID systems are very vulnerable to cloning. Even the handshake ones would be vulnerable to mitm relay attacks though that obviously involves more effort.

    • @Norsilca
      @Norsilca 2 ปีที่แล้ว +1

      Yeah I actually came here expecting him to use a MitM device to intercept the RFID signal.

    • @davidhamilton676
      @davidhamilton676 2 ปีที่แล้ว

      That's why the industry is pushing for people to use their phones, with public private key handshakes. google OSDP. It's what HID global is trying to make the new standard

  • @firexgodx980
    @firexgodx980 4 ปีที่แล้ว +5

    "In any case, that's all i have for you today. Thank you for coming to my DEFCON talk"

  • @8BitShadow
    @8BitShadow 4 ปีที่แล้ว +14

    If I'm remembering correctly there's an easier way, the 'keys' always transmit their RFID data. Myth-busters did an episode on why the new RFID bank cards (the ones with the little 'gold' chip in the corner) are a horrible idea but they weren't allowed to air it because the 'banks' (they didn't specify) wouldn't allow it.
    All you'd need to do is place a very small RFID reader with a sensitive enough receiver (depending on the distance from the legitimate card reader) within any area where the card will likely be in - in the case of an elevator, all the more easier, as you'd just place it in a corner or on the roof - and have any data the reader receives sent off, no need to fiddle with any wires and can be done incredibly discreetly. Alternatively you can swipe a card reader by someone you know who has a key (and know where it is on them), as long as it isn't held in a lead wallet, the RFID will be stolen.
    It doesn't matter if the card's data is encrypted or not as a duplicate card will just be able to send the same signal, just because you don't know what the encrypted data says doesn't mean it isn't duplicatable. If the encryption employs some sort of pseudo-random cycling system (as all cards will have to have the encryption 'key' cycle identically, so it can't be true random) then that doesn't stop it either, it just makes it take longer before the cycle is broken and even then the duplicate keys will work until cycled. Even if a multi-level cycling system is used, where each cycle is cycled each day/month/etc. the same method can be used.
    The best way to stop it from happening? Don't let anyone but authorized people anywhere near the sensor - which obviously means guards, almost entirely defeating the entire point in the system to begin with when it comes to securing rooms.
    This exact same method can be applied to the RFID chip on bank cards too, but I don't know enough about its security to know if the same method would actually work or not *anymore* . But what I do know is that this is essentially the same tactic used for stealing credit cards via creating 'hidden caps' that go over the legitimate ones and look identical, they don't read the RFID (because bank cards didn't always have them) but all of the cards information. A little tug on the hubcap will instantly pop the fake one off, though, so they're easy to check for.

    • @chainsawfreak
      @chainsawfreak 4 ปีที่แล้ว

      I was thinking the same thing, you don't need to access any wires, just a valid card.

    • @JuneNafziger
      @JuneNafziger 4 ปีที่แล้ว

      The same thing is true for credit cards, except that there cannot be encryption due to the way rfid credit cards are used. There cannot be a standard encryption for an infinite number of readers that an attacker can’t get access to. To make this even worse, the cards don’t use a rfid version of the cycling chip that is read at the card provider, it just transmits the credit card number and security code in plaintext.

    • @WJS774
      @WJS774 2 ปีที่แล้ว

      That only works with cheap passive RFID. Active RFID can have secrets stored on the card that are not exposed to a reader.

    • @news_internationale2035
      @news_internationale2035 2 ปีที่แล้ว

      The metal chip on bank cards is physical contact, not RFID. RFID has a small coiled wire in the card usually.

  • @sethreign8103
    @sethreign8103 2 ปีที่แล้ว +1

    This has got to be one of the best videos you have. I'm also basically obsessed with electronics and how they work so there's a ton of bias here lol

  • @tiaxanderson9725
    @tiaxanderson9725 4 ปีที่แล้ว +22

    Q: "Now pay attention James, the latest from our boys in the lab is some real LockPickingLawyer stuff!"

  • @EvilishDem0nic8732WhatItDo
    @EvilishDem0nic8732WhatItDo 4 ปีที่แล้ว +63

    I'm still waiting for him to pick a bank safe.
    Asking for a friend

    • @josealmeida5768
      @josealmeida5768 4 ปีที่แล้ว +7

      me too. wanna team up? i mean introduce your friend to my friend?

    • @masteryoda8829
      @masteryoda8829 4 ปีที่แล้ว +1

      jose almeida what

    • @josealmeida5768
      @josealmeida5768 4 ปีที่แล้ว +2

      @@masteryoda8829 i just want to introduce a friend of mine to a friend of his so they can do the "job"together. 😂😂😂

    • @Mach1Greeble
      @Mach1Greeble 4 ปีที่แล้ว +1

      @@josealmeida5768 Alright Flowers By Irene, your cover's blown.

    • @SerbanCMusca
      @SerbanCMusca 4 ปีที่แล้ว

      He already did that in a video, if I'm not mistaken. Unless it was BosnianBill.

  • @StackableGoldMC
    @StackableGoldMC 2 ปีที่แล้ว +65

    Imagine hearing late at night: (MUFFLED) "This is the LockPickingLawyer, this RFID system looks, secure, but has a serious flaw; we're going to gain access using that serious flaw." [RFID reader makes beeping noise, door opens] (Voice no longer muffled) "and just like that we're in"

  • @feynthefallen
    @feynthefallen 2 ปีที่แล้ว +11

    That's precisely why seamless security is so important. For instance, the connections should be routed in such a way that accessing it is at least as difficult as breaking down the door would be. Also a system like that would have to include one or more tamper-sensing mechanisms which block the system entirely when the accessible part is tampered with.

  • @Deisinator
    @Deisinator 4 ปีที่แล้ว +16

    Imagine the FBI boss hearing outside his office door: "Click outta 1, number 2 is binding..." 😅

    • @ScottKenny1978
      @ScottKenny1978 4 ปีที่แล้ว +3

      The proper way to do that is to be inside the director's office when he arrives at work. "Sir, we need to upgrade your office security."

    • @jinkenz6459
      @jinkenz6459 4 ปีที่แล้ว

      ROFL... :D

    • @norbertfleck812
      @norbertfleck812 4 ปีที่แล้ว

      Or inside the office of the security officer: "I just wanted to hand over my job application."

  • @ROOSTER333
    @ROOSTER333 4 ปีที่แล้ว +16

    "This is the hacking network layer and we have for you today". Love this channel

  • @gavinwilliamson3944
    @gavinwilliamson3944 2 ปีที่แล้ว +1

    This is really cool. For consumer/commercial level systems.
    Will not be breaking into too many high security installations. As readers are encrypted too, with a site specific key. Also the use of entry and exit readers prevents cloned cards being used without security being alerted. About 1 second after you present the duplicate card..

  • @CKILBY-zu7fq
    @CKILBY-zu7fq 2 ปีที่แล้ว

    Very cool display brother, I like what you've shown. It opens up a new understanding I can work with, 22 other considerations. Peace

  • @mrkitloin
    @mrkitloin 4 ปีที่แล้ว +52

    Imagine you just chillin in your house and you hear “one is binding, two is loose” outside your door

    • @hotrodhog2170
      @hotrodhog2170 4 ปีที่แล้ว +7

      And this has been said in every video for the past 3 years.

    • @ForestRaptor
      @ForestRaptor 4 ปีที่แล้ว +1

      @@hotrodhog2170 so say we all

    • @dnbmania
      @dnbmania 4 ปีที่แล้ว +4

      @@hotrodhog2170 it's even worse on this video as there's no pins involved

    • @ThisHandleFeatureIsStupid
      @ThisHandleFeatureIsStupid 2 ปีที่แล้ว

      Imagine writing someone else's comment, word-for-word, in the hopes of boosting your self-esteem by amassing a fundamentally-useless collection of likes? 🙄

  • @samykamkar
    @samykamkar 4 ปีที่แล้ว +18

    Awesome vid!

  • @DaveTan65
    @DaveTan65 2 ปีที่แล้ว +1

    We have to binge watch and learn this to prep for the upcoming zombie apocalypse.

  • @adamsransom
    @adamsransom 2 ปีที่แล้ว +3

    Thank you so much for this video! I used to write spy stories but gave up when I got too busy to research them. This video is like a hand delivered info dump 💙

  • @Thomas5937
    @Thomas5937 4 ปีที่แล้ว +13

    In my experience there are very few "secure" doors in the field that can't be opened with a shim or a can of compressed air.

    • @jeanf6295
      @jeanf6295 2 ปีที่แล้ว +8

      @@MrRusell86 the compressed air attack is for doors that open automatically on exit using infrared sensors : the decompression cools down the air quite a lot compared to the ambient temperature and the airflow can travel far enough to trip the system.

  • @hmr1122
    @hmr1122 4 ปีที่แล้ว +27

    "This is the lockpicking lawyer and today we are going to hijack a russian MIRV with my grandmother's parabolic antenna and this programmable TV remote."

  • @davidstepeck2644
    @davidstepeck2644 2 ปีที่แล้ว

    When I thought I saw everything, I’m more impressed with the LPL. This is amazing.

  • @danielroglich3309
    @danielroglich3309 4 ปีที่แล้ว

    Great review as always brother, thanks for sharing it with us

  • @nova6523
    @nova6523 4 ปีที่แล้ว +8

    I'm getting more convinced by the day that the "lawyer" part of his name refers to the FBI

  • @rogerdouglas2306
    @rogerdouglas2306 4 ปีที่แล้ว +13

    when you've picked every lock that requires a "key" and need a better challenge

  • @far-red
    @far-red 2 ปีที่แล้ว

    Wow awesome! I enjoy these kinds of videos much more than the usual lock pick, I realize this takes a lot of effort to set up, overall really good, although 2 years ago, but timeless..

  • @harleyspawn
    @harleyspawn 2 ปีที่แล้ว

    I'm reminded of Hirsch Scramblepads, and how those were some of the oldest systems to encrypt everything between the access reader and the main system. Not sure if those are still around, but I love these videos.

  • @DoctorTooploop
    @DoctorTooploop 4 ปีที่แล้ว +35

    did you do this because modern rogue has been covering RFID with deviant ollam?

  • @isettech
    @isettech 2 ปีที่แล้ว +5

    Extremely important to connect the tamper switch on the pad to the central alarm so you know if a physical attack was performed. Indoor wire should be inaccessible in wall or in metal conduit for an inside job.

  • @meltingsnowflakes8311
    @meltingsnowflakes8311 2 ปีที่แล้ว

    Dude could get into anything. Love it

  • @khashmeshab
    @khashmeshab 2 ปีที่แล้ว

    This also works for most car remotes. I made a record/replay device using an Arduino and a simple cheap 315MHz RF receiver, a 315MHz RF transmitter, and a similar 433MHz pair. I wrote a program to record every received signal after pushing a button, and replay it after pushing another button. It worked for every car I tried it on! I think it may not work on high-end two-way remotes on expensive high-end cars like Lamborghinis. Although I'm not sure about that ;-)

  • @AngDavies
    @AngDavies 4 ปีที่แล้ว +120

    Are the bolts open or closed when the power goes out?
    It would be more secure to be closed, but I've a feeling fire regulations might require them to be open.
    ...what happens if you forget about codes entirely and try to kill the controller on the other side- pump a stiff 100v through those wires. Does it fail open?
    Or maybe just taking a security light off the wall and using it to trip the breaker...hmm

    • @iare19
      @iare19 4 ปีที่แล้ว +5

      I feel like it doesn't have an internal battery so how the fuck does it open when power is out?

    • @psirvent8
      @psirvent8 4 ปีที่แล้ว +35

      @@iare19 You have to provide "your own" uninterruptible power supply when installing this kind of access control system.

    • @HomelabExtreme
      @HomelabExtreme 4 ปีที่แล้ว +31

      I have worked a place where the simple solution to this was simply having two doors side by side.
      One door for exiting which couldn't be opened from the outside, and was opened mechanically from the inside.
      And the other door for entrance only, opening electrically from the outside.
      But a much better solution would just be to be able to override the bolt from the inside manually, and having it be normally locked.

    • @HomelabExtreme
      @HomelabExtreme 4 ปีที่แล้ว +5

      @@psirvent8 If that's the case, I certainly hope the building doesn't get set on fire by lightning, taking out the UPS.

    • @MzClementine
      @MzClementine 4 ปีที่แล้ว

      Dylan Davies i’d rather use a lock and key

  • @morrisonghost3348
    @morrisonghost3348 2 ปีที่แล้ว +47

    I have a huge interest in RFID hacking since I used to have to deal with access control at work, thank you for a very interesting and educational video. I'll be making sure to talk to our IT guys to make sure the tamper alarm is installed 😂

    • @steamboatwillie8517
      @steamboatwillie8517 2 ปีที่แล้ว +1

      ..or putting either side readers in? Once you're in, you need to swipe out, as the system knows you're already in? Make emergency egress a break glass override.

    • @chalion8399
      @chalion8399 2 ปีที่แล้ว +1

      Probably can't do that in a business. In my area, you have to be able to easily open the main door from the inside in case of fire.

    • @steamboatwillie8517
      @steamboatwillie8517 2 ปีที่แล้ว +2

      @@chalion8399 emergency egress....break glass override...!!

    • @DrakeOola
      @DrakeOola 2 ปีที่แล้ว +4

      Might want to hire new IT members if the current ones don't already know about this attack...

    • @mikeflangerus
      @mikeflangerus 2 ปีที่แล้ว +1

      Reader tamper alarms would not be 100% reliable since this device punches through the wires, the connection is never interrupted so you wouldn't see any tamper alarms in your access control software's log, unless... the attacker had no way to access the wiring conduit directly, and had to unmount the card reader, that would definitely trip either a mechanical or photosensitive sensor. Two lessons here: 1) make sure your card reader counts with a tamper feature and 2) (probably the most important one lol) keep your wiring conduits safe and absolutely out of reach.
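
The entry/exit anti-passback check @steamboatwillie8517 (and @gavinwilliamson3944 further up) describe, run over a few constructed access-control log lines, as an added Python example that is not the video's, the ESPKey's, or any commenter's code. The log format, reader names and card numbers are invented for the example. It alerts rather than denies, which is the mode that sidesteps the egress concern @chalion8399 raises: the door still opens, but a card that "enters" a second time without ever leaving is exactly what a replayed or cloned credential looks like in the controller's own records, and that signal survives even when, as the comment above notes, a spliced-in device never trips the reader tamper switch.

```python
from datetime import datetime

# Constructed access-control log (not real data), one event per line:
#   timestamp,reader,direction,card_id
# Card 0001234567 badges in at 08:58 and "in" again at 09:40 without an exit
# in between; card 0005555555 exits without ever having entered.
SAMPLE_LOG = """\
2020-02-27T08:58:10,lobby-in,in,0001234567
2020-02-27T09:02:45,lobby-in,in,0009876543
2020-02-27T09:40:00,lobby-in,in,0001234567
2020-02-27T12:01:30,lobby-out,out,0001234567
2020-02-27T12:03:05,lobby-out,out,0005555555
2020-02-27T12:03:50,lobby-out,out,0009876543
"""


def parse_log(text):
    """Parse the constructed CSV-style format into (datetime, reader, direction, card)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, reader, direction, card = line.split(",")
        events.append((datetime.fromisoformat(ts), reader, direction, card))
    # Controllers may flush events out of order; the state machine needs them sorted.
    events.sort(key=lambda e: e[0])
    return events


def passback_alerts(events):
    """Return (timestamp, card, reader, reason) for each anti-passback violation.

    Alert-only mode: the state is updated as if the badge were genuine so that
    one replay does not cascade into alerts on every later genuine badge.
    """
    inside = set()
    alerts = []
    for ts, reader, direction, card in events:
        if direction == "in":
            if card in inside:
                alerts.append((ts.isoformat(), card, reader, "entry while already inside"))
            inside.add(card)
        elif direction == "out":
            if card not in inside:
                alerts.append((ts.isoformat(), card, reader, "exit without recorded entry"))
            inside.discard(card)
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return alerts


def analyse(text=SAMPLE_LOG):
    return passback_alerts(parse_log(text))


if __name__ == "__main__":
    for alert in analyse():
        print(*alert, sep="  ")
```

On the sample log this flags the second "in" for 0001234567 at 09:40 and the unmatched "out" for 0005555555 at 12:03:05; the genuine in/out pairs produce nothing. Because the ESPKey-style splice only captures and replays what a real cardholder already sent, a replay from outside will almost always collide with a cardholder who is already inside, which is what makes this check useful against the attack in the video.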

  • @adrianweaver5179
    @adrianweaver5179 2 ปีที่แล้ว +1

    hey I'm a cybersecurity student so I just wanted to comment on one of the things you mentioned. You stated that if the signal was encrypted then this wouldn't work, but one of the failures of many low budget security companies is that they constantly use the same encryption software every time. This makes it so if the attacker took it one step further and tried to decrypt the signal with commonly used software they are more than likely to find a match

  • @jakeoshay
    @jakeoshay 2 ปีที่แล้ว

    I really enjoy these 'different' videos from the usual lock picking content it's really fascinating to see that this seemingly foolproof system is actually so easily defeated if you know what tools to use.

  • @flippin_eh
    @flippin_eh 4 ปีที่แล้ว +235

    Lawyer at firm: I forgot my key card, and keys to my office
    LPL: I might know a guy that can help
    Lawyer: Which one? Key card or door lock?
    LPL: Yes

    • @twotone3070
      @twotone3070 2 years ago +2

      LPL: ...... Runs into phone booth, puts his underwear on the outside, reemerges and gains entry.

    • @jacktheripper1270
      @jacktheripper1270 2 years ago

      @@twotone3070 yesssssss

  • @gergodenes6360
    @gergodenes6360 4 years ago +31

    3:32 - otherwise an attacker can compromise the system WITH VERY LITTLE EFFORT.
    Bruh.

    • @Thomas5937
      @Thomas5937 4 years ago +2

      @Alexander Supertramp you have to have physical access to the card reader long enough to install the device and get back out undetected.

    • @rosebarnes9625
      @rosebarnes9625 4 years ago +1

      @Alexander Supertramp and you have to wait after installing the unit until someone uses the reader you installed it on...... easy, but not convenient if you are trying to get in NOW....

  • @matt1104
    @matt1104 2 years ago

    I have no idea why your lock picking videos have been constantly appearing on my YouTube, but I finally decided to watch one and now I'm strangely hooked.

  • @HeadShotKilla10
    @HeadShotKilla10 2 years ago

    i install systems just like this and had no idea this could be done, thank you

  • @Nogarda_
    @Nogarda_ 4 years ago +5

    Sometime in the future...
    "This is the Lock Picking Lawyer and today we're going to be opening this bank vault."

  • @alaskanwolf7262
    @alaskanwolf7262 2 years ago

    I love that you're making high tech device videos as well 😀

  • @mwelsh64
    @mwelsh64 2 years ago

    Ok. Now that's a cool video! My job uses RFID cards. I've wondered how those work. Thanks!!

  • @elluisda3211
    @elluisda3211 4 years ago +53

    You remind me of Krieger from Archer.
    OK I'm not getting paid enough so I'm going to sell information.

    • @krissisk4163
      @krissisk4163 4 years ago +8

      I think you kinda miss his goal, as well as those of most people with a similar mindset.
      The entire idea behind the types of videos LPL makes, and really teaching people how to pick locks in general, is to educate people and thereby equip them to implement better security.
      I mean, think about it. Before the internet only locksmiths and criminals knew how bad Masterlock was and they made a fortune shilling their terrible products, but today they're starting to lose sales to the likes of Paclock thanks to the efforts of LPL, Bosnianbill, Deviant Ollam, and all the other security minded folks teaching anyone who'll listen about security.

    • @timenavigator9643
      @timenavigator9643 4 years ago +1

      Fuck yes bro! 😂 I love Archer & I see the similarities as well haha

    • @FIR-3
      @FIR-3 4 years ago

      @@krissisk4163 underrated comment