“These [locks] are used in some high-security facilities,” Tobias said. “And the makers tout the fact that this is the ultimate in security. And they shouldn’t be saying that.”
The locks cost between $600 and $800 apiece, with keys costing about $95 each.
They’re used in government buildings, banks, and critical infrastructures, such as power and water plants and transportation facilities. The Swiss Federal Railway System uses them, as does the Ottawa International Airport in Canada.
The locks use what’s called CLIQ technology, developed by top Swedish lock maker Assa Abloy, and its Germany-based subsidiary Ikon. The locks were first made in 2002 by Assa Abloy, but the same core technology is now used all over the world in electronic high-security locks made by other Assa Abloy subsidiaries, such as Medeco, Mul-T-Lock and Ikon."
"According to an Assa Abloy marketing video, the combination of electronic and mechanical offers “a double layer of impenetrable security.”
But the researchers found that none of the technology’s ultra-high-security features — digital ID, encrypted communication, or audit log — matter."
“[CLIQ] is a very sophisticated system,” Tobias says. “Mechanically it’s terrific. Electronically it’s terrific. But from the security engineering standpoint, our opinion is it’s not competent. If you can circumvent accountability, you have a major problem.”
The lock makers say they can’t respond to the issues Tobias is raising until he tells them exactly how his attacks work. But before he’s willing to give them the details, Tobias has insisted the makers agree to fix the vulnerable locks retroactively with no cost to customers who have already purchased them. Something they refuse."
"Bluzmanis demonstrated an attack by taking an Interactive CLIQ electro-mechanical lock made by Mul-T-Lock and inserting a mechanical-only key cut to the same keyway. After inserting the key, he does something to vibrate the key for a few seconds until the mechanical motor in the cylinder turns and lifts the locking element to release the lock."
“There’s no audit trail that the lock has been opened,” Tobias says, “because there are no electronics [involved]. If the attacker entered the room to steal documents or sabotage the facility, the last person who entered before him and who showed up in the audit log, would presumably get the blame."
" When electro-mechanical keys are lost, administrators don’t rekey the locks, they simply reprogram the system to reject any key with that unique ID. But a thief could remove the key’s battery and convert it to a mechanical key. Without the battery, the cylinder wouldn’t know a key has been inserted; the thief could then vibrate the lock to open it."
"Once the lock is opened, it will remain unlocked until a valid electro-mechanical key is inserted. Until then, even an electro-mechanical key deprogrammed to work with the lock — because an employee left the company or the key was lost or stolen — will work. Because the de-programmed key has a battery, the chip in the cylinder will log it as an “access denied” event, but the person holding the key will still be able to open the door."