DEF CON Reminds Us of the Importance of Physical Security
Working in the bits and bytes software world of IT security, it's often easy to forget that the world around us still very much relies on physical security. It's a reminder I was served this past week when I spent far more time than I care to admit inside the Lockpick and Tamper Evident Villages at the DEF CON hacking conference.
The primary mechanism by which we secure our homes and our business, for hundreds of years now, has been the simple lock mechanism. In any given lock there are a set number of pins, and the key is the way to lift those pins and enable the lock cylinder to move and open the lock. Picking a lock is an art that is as ancient as locks themselves, but this year I learned something I was unaware of before. While struggling to pick a lock, I was asked if I had ever tried "bumping" a lock—which I had not.
While lock picking involves using a tool (the lock pick) to gently lift the pins in the lock cylinder in order to turn it, lock bumping is somewhat less subtle. A "bump key," which is a key that has been cut in a specific way, is inserted into the lock and then "bumped" with a special hammer to open the lock. In my limited experience (just at DEF CON), using the bump key approach is a significantly faster and easier way to open a lock.
From a consumer and enterprise security perspective, it's shockingly easy—and as it turns out, the news is worse for consumers. Many home consumer locks that are sold in retail stores can be easily bumped. There is a solution, of course: buy strong locks that are rated as being "bump-proof." They'll likely cost more, but, hey, your security and peace of mind are worth it.
Tamper Evident devices, clips and tape help secure all manner of things in our world, ranging from documents to appliances. The general idea is that if the Tamper Evident lock or seal is broken, it is "evident" that some form of tampering has taken place.
There was a whole village at DEF CON this year called the Tamper Evident Village, where researchers demonstrated various means to defeat Tamper Evident mechanisms. The village sold a $20 kit that included a number of different Tamper Evident devices so that participants (including yours truly) could try to defeat them.
The one that perhaps shocked me the most was a type of Tamper Evident tape that was relatively easy to defeat. Simply by injecting some acetone liquid (and wearing the proper gloves, it's acid after all), you can carefully peal back a label with little or no evidence.
As is the case with locks, of course, there are stronger mechanisms than the ones in the $20 kit that can be used to indicate tampering. For me though, the whole exercise is just a wake-up call that not everything that claims to help protect our physical security is in fact secure itself.
I continue to strongly believe that knowledge is power and that power can help protect both consumers and enterprises. By understanding the limitations and risks of certain physical security devices (whether it's a lock or a Tamper Evident device), true security can actually be achieved.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.